Skip to content

GitLab

Projects
Groups
Snippets
Help

Loading...
Help
Sign in

Project overview
Repository
Issues 62
Merge Requests 7
- Merge Requests 7
Requirements
CI / CD
Security & Compliance
Packages & Registries
Analytics
Wiki
- Wiki
Members
- Members

Collapse sidebar

Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards

Arch Linux
infrastructure
Issues
#50

Closed

Open

Opened Jun 29, 2020 by Sven-Hendrik Haase @svenstaro1 of 11 tasks completed1/11 tasks

Report abuse
New issue

Report abuse New issue

Modernize mail server setup

Plan (not in any particular order):

Remove Postgrey (!43 (merged))
Switch to Rspamd (!42)
Use Rspamd DKIM signing moldule for signing instead of OpenDKIM
Dovecot: Switch passdb from pam to passwd-file
Pull users from Keycloak (somehow)
Setup MTA-STS in testing mode and SMTP TLS Reporting (RFC 8460)
Switch SPF to softfail and DMARC to reject
Setup SPF for HELO name (RFC 7208 section 10.1.3)
Setup ARC
Switch submission port to 465 (RFC 8314)
Cleanup Postfix and Dovecot config if possible

Original description:

Our mail server isn't ansibled and it's fairly opaque how everything is setup. Ansible the whole thing, put it on a separate box and modernize it in the process.

Some guides to follow along with a similar stack: https://prefetch.eu/blog/2020/email-server/ and https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

There's also this: https://wiki.dovecot.org/PasswordDatabase/oauth2

@foxboron mentioned that perhaps OpenSMTPD is inadvisable due to its fairly bad security track record.

Plan (not in any particular order):
- [x] Remove Postgrey (!43)
- [ ] Switch to Rspamd (!42)
- [ ] Use [Rspamd DKIM signing moldule](https://rspamd.com/doc/modules/dkim_signing.html) for signing instead of OpenDKIM
- [ ] Dovecot: Switch passdb from [pam](https://doc.dovecot.org/configuration_manual/authentication/pam/) to [passwd-file](https://doc.dovecot.org/configuration_manual/authentication/passwd_file/)
- [ ] Pull users from Keycloak ([somehow](https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/50#note_2248))
- [ ] Setup MTA-STS in testing mode and SMTP TLS Reporting ([RFC 8460](https://tools.ietf.org/html/rfc8460))
- [ ] Switch SPF to softfail and DMARC to reject
- [ ] Setup SPF for HELO name ([RFC 7208 section 10.1.3](https://tools.ietf.org/html/rfc7208#section-10.1.3))
- [ ] Setup ARC
- [ ] Switch submission port to 465 ([RFC 8314](https://tools.ietf.org/html/rfc8314))
- [ ] Cleanup Postfix and Dovecot config if possible

---
**Original description:**

Our mail server isn't ansibled and it's fairly opaque how everything is setup. Ansible the whole thing, put it on a separate box and modernize it in the process.

Some guides to follow along with a similar stack: https://prefetch.eu/blog/2020/email-server/ and https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

There's also this: https://wiki.dovecot.org/PasswordDatabase/oauth2

@foxboron mentioned that perhaps OpenSMTPD is inadvisable due to its fairly bad security track record.

Edited Aug 04, 2020 by Kristian Klausen

To upload designs, you'll need to enable LFS. More information

Linked issues

Assignee

Assign to

None

Milestone

None

Assign milestone

Time tracking

None

Due date

None

2

Labels

migration security

Assign labels

View project labels

Reference: archlinux/infrastructure#50