Modernize mail server setup

Prelude

• Switch SPF to softfail (6278f668)
• Remove Postgrey (!43 (merged))
• Setup SPF for HELO name (RFC 7208 section 10.1.3) (!122 (merged))
• Switch to Rspamd (!42 (merged))
• Use Rspamd DKIM signing module for signing instead of OpenDKIM (#213 (closed), !147 (merged))
• Stop relaying of luna via mail.
• create main opensmtpd config (#215 (closed))
• create opensmtpd config for relayhosts (#216 (closed))
• Prepare virtual user setup for dovecot and OpenSMTPD (#214)
• Store the (virtual) mail password in keycloak (#217)
• harden used IMAP and SMTP ports (RFC 8314, #219 (closed))
• migrate existing services to use implicit TLS for SMTP Submission (!207 (merged))
• store alias and sender file in Ansible (encrypted in the vault)
• store keycloak UUID -> arch mail address mapping in ansible (encrypted in the vault)
• write export tool to automatically pull password hashes from keycloak (#218)
• create keycloak client with minimal permissions for the export tool (mail-credential-syncer#3)
• Setup MTA-STS in testing mode and SMTP TLS Reporting (RFC 8460) (!191 (merged), !231 (merged))
• Setup monitoring (!206 (merged))
• https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/365

Main part

• Rollout the export tool from #218
• Replace Postfix by OpenSMTPD on our relaying hosts
• Switch Dovecot to virtual users
• Replace Postfix by OpenSMTPD on our main mail server

Aftermath

• Switch DMARC to reject
• Add archlinux.org to rspamd whitelistes: https://github.com/rspamd/maps/tree/master/rspamd (spf_dkim + dmarc)
• Setup ARC
• Cleanup OpenSMTPD and Dovecot config if possible
• remove ssh access for users on the mail host
• Cleanup SPF record (#197 (closed), !229 (merged))
• Deprecate STARTTLS on Port 587 (0ae67c4a)
• use floating IPs to keep the spam reputation case we need to migrate the mail server
• Remove old ip addresses from DNSWL
• Process DMARC and TLS-RPT reports automatically (#241)
• Switch MTA-STS to enforce mode (0b87cbfd)
• Setup blacklist monitoring
• Setup mails sent, received, bounced monitoring
• Deprecate POP3 (cf9c92fd)

---

removed Tasks

• Pull users from Keycloak (somehow)
• Dovecot: Switch passdb from pam to passwd-file

Original description:

Our mail server isn't ansibled and it's fairly opaque how everything is setup. Ansible the whole thing, put it on a separate box and modernize it in the process.

Some guides to follow along with a similar stack: https://prefetch.eu/blog/2020/email-server/ and https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

There's also this: https://wiki.dovecot.org/PasswordDatabase/oauth2

@foxboron mentioned that perhaps OpenSMTPD is inadvisable due to its fairly bad security track record.