Page MenuHomeDevCentral
Create Task
Maniphest T1475

Provision a mail server
Open, Needs TriagePublic
Actions

Description

Plan

Provision a server on hyper-001 hypervisor with the mail server. Could be combined with the DNS server (see T1218).

A similar installation than in T405 is welcome, at working and stable. That would mean a Postfix one.

A qmail installation is frowned upon as the software isn't really maintained anymore (writing that I noticed qmailtoaster last release is well maintained with last CentOS 7 release end September 2018).

Naming

We received the following propositions from P27:

  • Ganscerel (shangri-l)
  • Oort
  • Apsile (Ehair) (already taken by a Jenkins PHP node)
  • Hervil (Ehair)

Current state of mail

With T405, mail services were provisioned as a LXC container.

This lxc container is currently available on Dwellers for reference.

Some edited configuration files are already in rOPS in the mailserver/ role:

  • certificates: a script to copy Let's Encrypt files in the LXC container, probably not really interesting, but contains at least the postfix configuration expected paths
  • dkim: DKIM scripts and config set is valuable and works fine (probably a cleanup of the symlinks is welcome)
  • systemd-unit: a unit to add to iptables the rules to forward mail ports, then run container, useful mainly to know useful ports: 25 110 143 465 587

Other configuration files can be extracted from the lxc container directory, /var/lib/lxc/mailserver/rootfs on Dwellers.

Revisions and Commits

rOPS Nasqueron Operations
D3213rOPS5b39f9eb1c1d Install Hervil server configuration

Related Objects
Search...

Event Timeline

dereckson created this task.Oct 30 2018, 18:23
dereckson updated the task description. (Show Details)Oct 30 2018, 18:54
dereckson removed a project: Operations sprints (The Dreadnought will produce new officers).
dereckson mentioned this in T405: Test Flockport mail server.Oct 30 2018, 18:56
dereckson added a parent task: T4: Setup fauve services.
dereckson mentioned this in T1476: Host @wolfplex.be mail.Oct 30 2018, 19:00
dereckson added a subtask: T1476: Host @wolfplex.be mail.
dereckson removed a subtask: T1476: Host @wolfplex.be mail.
dereckson added a parent task: T1476: Host @wolfplex.be mail.
dereckson removed a parent task: T1215: Provision a new hypervisor.Oct 30 2018, 19:03
dereckson added a subtask: T1215: Provision a new hypervisor.
dereckson updated the task description. (Show Details)Oct 30 2018, 19:12
dereckson closed subtask T1215: Provision a new hypervisor as Resolved.Jun 29 2023, 16:34
DorianWinty updated the task description. (Show Details)Jun 29 2023, 17:19
DorianWinty added a project: Restricted Project.
DorianWinty added a subscriber: DorianWinty.
DorianWinty moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jun 29 2023, 17:43
dereckson assigned this task to DorianWinty.Jun 29 2023, 18:02
dereckson added a comment.Jun 29 2023, 18:21

DNS configuration

hervil.nasqueron.org. 86400 IN A 178.32.70.108

Network configuration

For public second card:

IP public: 178.32.70.108
MAC address: 00:50:56:0c:37:9b

DorianWinty added a comment.Jun 29 2023, 18:44

Internal IP :
172.27.27.3/28

DorianWinty added a revision: D3213: Install Hervil server configuration.Jun 29 2023, 21:43
DorianWinty added a commit: rOPS5b39f9eb1c1d: Install Hervil server configuration.Jun 29 2023, 22:30
dereckson closed subtask T1911: Order a new /30 IP block as Resolved.Jul 2 2023, 19:09
dereckson added a comment.EditedJul 2 2023, 19:32

[ 2023 plan from T405 for T1475. ]

Phase I

Per https://pad.wolfplex.be/p/mail:

  1. Install Postfix as part of mailserver role
  2. Deploy webserver-core role (to add to top.sls) to get nginx
  3. Install PHP too
    1. To be moved from webserver-alkane into webserver-core? (if mailserver or webserver-alkane in roles)
  4. Create a PostgreSQL database in db-A MariaDB database for ViMbAdmin in db-B
  5. Install ViMbAdmin to allow to manage virtual domains and mailboxe
  6. Install IMAP and POP capability (Dovecot or Cyrus IMAP)
  7. Install webmails locally if needed, on Docker PaaS if not
    1. Roundcube, the 2010s contender
    2. Squirrelmail, the legacy one with still a lot of fans
    3. Rainloop, the 2020s new one -> it uses IMAP to get mail instead of reading local mailboxes => can be installed on docker-002
  8. Determine where data is stored so we know what to backup

PostgreSQL is supported by ViMbAdmin, Postfix and Dovecot

Reference: https://github.com/opensolutions/ViMbAdmin/wiki/Install-Database-PostgreSQL

dereckson added a project: Mail.Jul 2 2023, 19:33
dereckson moved this task from Backlog - On hold pending T1475 to Working on on the Mail board.
dereckson mentioned this in T1196: Automate the mailserver lxc container through Salt.Jul 2 2023, 19:38
DorianWinty added a revision: D3242: Install postfix.Jul 24 2023, 20:48
dereckson added a comment.Dec 16 2023, 14:49

A certificate for mail.nasqueron.org and hervil.nasqueron.org has been generated successfully after D3248 has been deployed:

Certificate generation on Hervil
$ certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d mail.nasqueron.org -d hervil.nasqueron.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for mail.nasqueron.org and hervil.nasqueron.org
Hook '--manual-auth-hook' for hervil.nasqueron.org ran with output:
 Please add the following CNAME record to your main DNS zone:

 _acme-challenge.hervil.nasqueron.org CNAME d6d7a113-6476-4a4c-bd83-dd4d7d89fd06.acme.nasqueron.org.
Hook '--manual-auth-hook' for mail.nasqueron.org ran with output:
 Please add the following CNAME record to your main DNS zone:

 _acme-challenge.mail.nasqueron.org CNAME 4461a761-d230-4f08-b7ea-351d2a99f074.acme.nasqueron.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/mail.nasqueron.org/fullchain.pem
Key is saved at:         /usr/local/etc/letsencrypt/live/mail.nasqueron.org/privkey.pem
This certificate expires on 2024-03-15.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

DNS change

Per the authentication hook instructions, the following DNS records have been added:

  • _acme-challenge.hervil.nasqueron.org CNAME d6d7a113-6476-4a4c-bd83-dd4d7d89fd06.acme.nasqueron.org.
  • _acme-challenge.mail.nasqueron.org CNAME 4461a761-d230-4f08-b7ea-351d2a99f074.acme.nasqueron.org.
DorianWinty closed subtask T1929: Prepare a database for Postfix as Resolved.Dec 17 2023, 20:30
DorianWinty removed a revision: D3242: Install postfix.Dec 18 2023, 21:03
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator