Provision a mail server
Open, Needs TriagePublicEpic
Actions

Assigned To

Authored By

	dereckson
	Oct 30 2018, 18:23

Description

Plan

Provision a server on hyper-001 hypervisor with the mail server. Could be combined with the DNS server (see T1218).

A similar installation than in T405 is welcome, at working and stable. That would mean a Postfix one.

A qmail installation is frowned upon as the software isn't really maintained anymore (writing that I noticed qmailtoaster last release is well maintained with last CentOS 7 release end September 2018).

Naming

We received the following propositions from P27:

Ganscerel (shangri-l)
Oort
~~Apsile (Ehair)~~ (already taken by a Jenkins PHP node)
Hervil (Ehair)

Current state of mail

With T405, mail services were provisioned as a LXC container.

This lxc container is currently available on Dwellers for reference.

Some edited configuration files are already in rOPS in the mailserver/ role:

certificates: a script to copy Let's Encrypt files in the LXC container, probably not really interesting, but contains at least the postfix configuration expected paths
dkim: DKIM scripts and config set is valuable and works fine (probably a cleanup of the symlinks is welcome)
systemd-unit: a unit to add to iptables the rules to forward mail ports, then run container, useful mainly to know useful ports: 25 110 143 465 587

Other configuration files can be extracted from the lxc container directory, /var/lib/lxc/mailserver/rootfs on Dwellers.

Revisions and Commits

rOPS Nasqueron Operations
	D3400	rOPS5bd2b4da053b Cleanup LXC-specific mailserver units
	D3363	rOPSee6002ea2288 Install mail clients on devserver and shellserver roles
	D3213	rOPS5b39f9eb1c1d Install Hervil server configuration

Related Objects
Search...

Status	Subtype	Assigned	Task
Wontfix		dereckson	T4 Setup fauve services
Open		None	T1476 Host @wolfplex.be mail
Open	Epic	DorianWinty	T1475 Provision a mail server
Resolved		dereckson	T1215 Provision a new hypervisor
Resolved		dereckson	T1216 Purchase a new dedicated server for an hypervisor
Resolved		dereckson	T1265 Provision equatower, new Docker engine as a containerized OS
Wontfix		dereckson	T1266 Upgrade Mastodon to last 1.x version on Equatower
Resolved		dereckson	T1280 Install a SSL certificate
Resolved		dereckson	T1911 Order a new /30 IP block
Resolved		DorianWinty	T1929 Prepare a database for Postfix
Resolved		DorianWinty	T1930 Postfix Provisioning
Open		DorianWinty	T1990 Export metrics for Postfix
Open		DorianWinty	T1931 Dovecot Provisioning
Resolved		DorianWinty	T1987 Dovecot Metrics
Resolved		dereckson	T2047 Dovecot :stats listen to world on port 9900
Open		DorianWinty	T1932 ViMbAdmin Provisioning
Open		None	T1973 ViMbAdmin Security Issue
Open		None	T1933 Roundcube Provisioning
Open		dereckson	T1934 Install Snappymail
Wontfix		DorianWinty	T1970 Configure Mailbox thugh salt
Resolved		dereckson	T2066 Deploy DKIM
Resolved		DorianWinty	T2073 [Deployment] Enable DKIM on Hervil
Open		None	T2078 Create static website for mail.nasqueron.org

Event Timeline

dereckson created this task.Oct 30 2018, 18:23

dereckson updated the task description. (Show Details)Oct 30 2018, 18:54

dereckson removed a project: Operations sprints (The Dreadnought will produce new officers).

dereckson mentioned this in T405: Test Flockport mail server.Oct 30 2018, 18:56

dereckson added a parent task: T4: Setup fauve services.

dereckson mentioned this in T1476: Host @wolfplex.be mail.Oct 30 2018, 19:00

dereckson added a subtask: T1476: Host @wolfplex.be mail.

dereckson removed a subtask: T1476: Host @wolfplex.be mail.

dereckson added a parent task: T1476: Host @wolfplex.be mail.

dereckson removed a parent task: T1215: Provision a new hypervisor.Oct 30 2018, 19:03

dereckson added a subtask: T1215: Provision a new hypervisor.

dereckson updated the task description. (Show Details)Oct 30 2018, 19:12

dereckson closed subtask T1215: Provision a new hypervisor as Resolved.Jun 29 2023, 16:34

DorianWinty updated the task description. (Show Details)Jun 29 2023, 17:19

DorianWinty added a project: Restricted Project.

DorianWinty added a subscriber: DorianWinty.

DorianWinty moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jun 29 2023, 17:43

dereckson assigned this task to DorianWinty.Jun 29 2023, 18:02

DNS configuration

hervil.nasqueron.org. 86400 IN A 178.32.70.108

Network configuration

For public second card:

IP public: 178.32.70.108
MAC address: 00:50:56:0c:37:9b

Internal IP :
172.27.27.3/28

DorianWinty added a revision: D3213: Install Hervil server configuration.Jun 29 2023, 21:43

DorianWinty added a commit: rOPS5b39f9eb1c1d: Install Hervil server configuration.Jun 29 2023, 22:30

dereckson closed subtask T1911: Order a new /30 IP block as Resolved.Jul 2 2023, 19:09

[ 2023 plan from T405 for T1475. ]

Phase I

Per https://pad.wolfplex.be/p/mail:

Install Postfix as part of mailserver role
Deploy webserver-core role (to add to top.sls) to get nginx
Install PHP too
1. To be moved from webserver-alkane into webserver-core? (if mailserver or webserver-alkane in roles)
Create a PostgreSQL database in db-A ~~MariaDB database for ViMbAdmin in db-B~~
Install ViMbAdmin to allow to manage virtual domains and mailboxe
Install IMAP and POP capability (Dovecot or Cyrus IMAP)
Install webmails locally if needed, on Docker PaaS if not
1. Roundcube, the 2010s contender
2. ~~Squirrelmail, the legacy one with still a lot of fans~~
3. Rainloop, the 2020s new one -> it uses IMAP to get mail instead of reading local mailboxes => can be installed on docker-002
Determine where data is stored so we know what to backup

PostgreSQL is supported by ViMbAdmin, Postfix and Dovecot

Reference: https://github.com/opensolutions/ViMbAdmin/wiki/Install-Database-PostgreSQL

dereckson added a project: Mail.Jul 2 2023, 19:33

dereckson moved this task from Backlog - On hold pending T1475 to Working on on the Mail board.

dereckson mentioned this in T1196: Automate the mailserver lxc container through Salt.Jul 2 2023, 19:38

DorianWinty added a revision: D3242: Install postfix.Jul 24 2023, 20:48

A certificate for mail.nasqueron.org and hervil.nasqueron.org has been generated successfully after D3248 has been deployed:

Certificate generation on Hervil

$ certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d mail.nasqueron.org -d hervil.nasqueron.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for mail.nasqueron.org and hervil.nasqueron.org
Hook '--manual-auth-hook' for hervil.nasqueron.org ran with output:
 Please add the following CNAME record to your main DNS zone:

 _acme-challenge.hervil.nasqueron.org CNAME d6d7a113-6476-4a4c-bd83-dd4d7d89fd06.acme.nasqueron.org.
Hook '--manual-auth-hook' for mail.nasqueron.org ran with output:
 Please add the following CNAME record to your main DNS zone:

 _acme-challenge.mail.nasqueron.org CNAME 4461a761-d230-4f08-b7ea-351d2a99f074.acme.nasqueron.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/mail.nasqueron.org/fullchain.pem
Key is saved at:         /usr/local/etc/letsencrypt/live/mail.nasqueron.org/privkey.pem
This certificate expires on 2024-03-15.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

DNS change

Per the authentication hook instructions, the following DNS records have been added:

_acme-challenge.hervil.nasqueron.org CNAME d6d7a113-6476-4a4c-bd83-dd4d7d89fd06.acme.nasqueron.org.
_acme-challenge.mail.nasqueron.org CNAME 4461a761-d230-4f08-b7ea-351d2a99f074.acme.nasqueron.org.

DorianWinty closed subtask T1929: Prepare a database for Postfix as Resolved.Dec 17 2023, 20:30

DorianWinty removed a revision: D3242: Install postfix.Dec 18 2023, 21:03