Opened Jun 29, 2020 by Sven-Hendrik Haase (@svenstaro, Owner). 12 of 38 tasks completed.

Modernize mail server setup

Prelude

  • Switch SPF to softfail (6278f668)
  • Remove Postgrey (!43 (merged))
  • Setup SPF for HELO name (RFC 7208 section 10.1.3) (!122 (merged))
  • Switch to Rspamd (!42 (merged))
  • Use Rspamd DKIM signing module for signing instead of OpenDKIM (#213 (closed), !147 (merged))
  • Stop relaying of luna via mail.
  • create main opensmtpd config (#215)
  • create opensmtpd config for relayhosts (#216)
  • Prepare virtual user setup for dovecot and OpenSMTPD (#214)
  • Store the (virtual) mail password in keycloak (#217)
  • harden used IMAP and SMTP ports (RFC 8314, #219)
  • migrate existing services to use implicit TLS for SMTP Submission (!207 (merged))
  • store alias and sender file in Ansible (encrypted in the vault)
  • store keycloak UUID -> arch mail address mapping in ansible (encrypted in the vault)
  • write export tool to automatically pull password hashes from keycloak (#218)
  • create keycloak client with minimal permissions for the export tool (mail-credential-syncer#3)
  • Setup MTA-STS in testing mode and SMTP TLS Reporting (RFC 8460) (!191 (merged), !231 (merged))
  • Setup monitoring (!206 (merged))

Main part

  • Rollout the export tool from #218
  • Replace Postfix by OpenSMTPD on our relaying hosts
  • Switch Dovecot to virtual users
  • Replace Postfix by OpenSMTPD on our main mail server

Aftermath

  • Switch DMARC to reject
  • Add archlinux.org to rspamd whitelists: https://github.com/rspamd/maps/tree/master/rspamd (spf_dkim + dmarc)
  • Setup ARC
  • Cleanup OpenSMTPD and Dovecot config if possible
  • remove ssh access for users on the mail host
  • Cleanup SPF record (#197 (closed), !229 (merged))
  • Deprecate STARTTLS on Port 587
  • use floating IPs to keep the spam reputation in case we need to migrate the mail server
  • Remove old ip addresses from DNSWL
  • Process DMARC and TLS-RPT reports automatically (#241)
  • Switch MTA-STS to enforce mode
  • Setup blacklist monitoring
  • Setup mails sent, received, bounced monitoring
  • Deprecate POP3

Removed tasks

  • Pull users from Keycloak (somehow)
  • Dovecot: Switch passdb from pam to passwd-file

Original description:

Our mail server isn't ansibled and it's fairly opaque how everything is set up. Ansible the whole thing, put it on a separate box and modernize it in the process.

Some guides to follow along with a similar stack: https://prefetch.eu/blog/2020/email-server/ and https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

There's also this: https://wiki.dovecot.org/PasswordDatabase/oauth2

@foxboron mentioned that perhaps OpenSMTPD is inadvisable due to its fairly bad security track record.

Edited Jan 25, 2021 by Kristian Klausen
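The checklist above moves the domain's published mail policies through two states: SPF to softfail, DMARC from monitoring to p=reject, and MTA-STS from testing to enforce mode with TLS-RPT reporting alongside it. The following Python script is an added example, not code from the Arch Linux infrastructure repository: it parses SPF, DMARC, MTA-STS (TXT record plus policy file) and TLS-RPT records and reports whether each one is still in its rollout state or at its target. The records for example.org are constructed sample data, not the real archlinux.org records, so the script runs offline; in practice the TXT records come from DNS and the policy file from https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
"""Posture check for DNS-published mail policies: SPF (RFC 7208),
DMARC (RFC 7489), MTA-STS (RFC 8461) and TLS-RPT (RFC 8460).
Added example; the sample records below are constructed, not real."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    mechanism: str
    level: str  # "ok", "warn" or "fail"
    message: str


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k2=v2' record (DMARC, TLS-RPT, MTA-STS TXT) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> Finding:
    """Classify the SPF 'all' qualifier: -all hardfail, ~all softfail, ?all/+all no protection."""
    if not record.startswith("v=spf1"):
        return Finding("SPF", "fail", "record missing or not an SPF record")
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not m:
        return Finding("SPF", "warn", "no 'all' mechanism; unmatched senders are neutral")
    qualifier = m.group(1) or "+"
    return {
        "-": Finding("SPF", "ok", "hardfail (-all)"),
        "~": Finding("SPF", "ok", "softfail (~all); enforcement is left to DMARC"),
    }.get(qualifier, Finding("SPF", "fail", f"'{qualifier}all' accepts any sender"))


def check_dmarc(record: str) -> Finding:
    """p=reject at pct=100 is the target; p=none only monitors."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return Finding("DMARC", "fail", "record missing or not a DMARC record")
    policy, pct = tags.get("p", ""), int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return Finding("DMARC", "ok", "p=reject")
    if policy in ("reject", "quarantine"):
        return Finding("DMARC", "warn", f"p={policy} pct={pct}; not yet full reject")
    if policy == "none":
        note = "" if "rua" in tags else ", and no rua= reporting address"
        return Finding("DMARC", "warn", "p=none (monitoring only)" + note)
    return Finding("DMARC", "fail", f"invalid or missing policy {policy!r}")


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the mta-sts.txt body: 'key: value' lines, where 'mx' may repeat."""
    policy: dict = {"mx": []}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "mx":
                policy["mx"].append(value)
            else:
                policy[key] = value
    return policy


def check_mta_sts(txt_record: str, policy_text: str) -> Finding:
    """Testing mode only reports; enforce mode makes senders refuse weak TLS to the listed mx."""
    tags = parse_tags(txt_record)
    if tags.get("v") != "STSv1" or "id" not in tags:
        return Finding("MTA-STS", "fail", "TXT record missing v=STSv1 or id=")
    policy = parse_mta_sts_policy(policy_text)
    if policy.get("version") != "STSv1" or not policy["mx"]:
        return Finding("MTA-STS", "fail", "policy file malformed or lists no mx")
    mode = policy.get("mode")
    if mode == "enforce":
        return Finding("MTA-STS", "ok", f"enforce, mx={policy['mx']}")
    if mode == "testing":
        return Finding("MTA-STS", "warn", "testing mode; senders still deliver over weak TLS")
    return Finding("MTA-STS", "fail", f"mode {mode!r} is none or invalid")


def check_tlsrpt(record: str) -> Finding:
    tags = parse_tags(record)
    if tags.get("v") != "TLSRPTv1" or not tags.get("rua"):
        return Finding("TLS-RPT", "fail", "no TLS-RPT record; MTA-STS failures go unreported")
    return Finding("TLS-RPT", "ok", f"reports to {tags['rua']}")


def posture(spf, dmarc, sts_txt, sts_policy, tlsrpt) -> list[Finding]:
    return [check_spf(spf), check_dmarc(dmarc), check_mta_sts(sts_txt, sts_policy), check_tlsrpt(tlsrpt)]


# Constructed sample records for a hypothetical example.org (not the real archlinux.org records).
ROLLOUT_PHASE = dict(
    spf="v=spf1 mx ip4:192.0.2.25 ~all",
    dmarc="v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    sts_txt="v=STSv1; id=20200629T000000",
    sts_policy="version: STSv1\nmode: testing\nmx: mail.example.org\nmax_age: 86400\n",
    tlsrpt="v=TLSRPTv1; rua=mailto:tlsrpt@example.org",
)
TARGET_PHASE = dict(
    ROLLOUT_PHASE,
    dmarc="v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    sts_policy="version: STSv1\nmode: enforce\nmx: mail.example.org\nmax_age: 604800\n",
)

if __name__ == "__main__":
    for name, phase in (("rollout", ROLLOUT_PHASE), ("target", TARGET_PHASE)):
        print(f"== {name} ==")
        for f in posture(**phase):
            print(f"{f.level:4} {f.mechanism:8} {f.message}")
```

Softfail is reported as "ok" deliberately: with DMARC at p=reject the SPF qualifier no longer decides delivery, which is why the checklist pairs the softfail switch with the later DMARC change. The DMARC check also flags a p=none record that has no rua= address, since without reports there is nothing to review before moving to reject.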
Reference: archlinux/infrastructure#50