Modernize mail server setup
### Prelude
- [x] Switch SPF to softfail (https://gitlab.archlinux.org/archlinux/infrastructure/-/commit/6278f6688a5c4ecdf74a4b1fd4b5bbfa69ce4b01)
- [x] Remove Postgrey (!43)
- [x] Setup SPF for HELO name ([RFC 7208 section 10.1.3](https://tools.ietf.org/html/rfc7208#section-10.1.3)) (!122)
- [x] Switch to Rspamd (!42)
- [x] Use Rspamd DKIM signing module for signing instead of OpenDKIM (#213, !147)
- [x] Stop relaying of luna via mail.
- [ ] Create main OpenSMTPD config (#215)
- [ ] Create OpenSMTPD config for relay hosts (#216)
- [ ] Prepare virtual user setup for Dovecot and OpenSMTPD (#214)
- [ ] Store the (virtual) mail password in Keycloak (#217)
- [x] Harden the IMAP and SMTP ports in use ([RFC 8314](https://tools.ietf.org/html/rfc8314), #219)
- [x] Migrate existing services to use implicit TLS for SMTP submission (!207)
- [ ] Store alias and sender file in Ansible (encrypted in the vault)
- [ ] Store Keycloak UUID -> Arch mail address mapping in Ansible (encrypted in the vault)
- [ ] Write export tool to automatically pull password hashes from Keycloak (#218)
- [ ] Create Keycloak client with minimal permissions for the export tool (https://gitlab.archlinux.org/archlinux/mail-credential-syncer/-/issues/3)
- [x] Setup MTA-STS in testing mode and SMTP TLS Reporting ([RFC 8460](https://tools.ietf.org/html/rfc8460)) (!191, !231)
- [x] Setup monitoring (!206)
- [ ] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/365
### Main part
- [ ] Rollout the export tool from #218
- [ ] Replace Postfix with OpenSMTPD on our relaying hosts
- [ ] Switch Dovecot to virtual users
- [ ] Replace Postfix with OpenSMTPD on our main mail server
### Aftermath
- [ ] Switch DMARC to reject
- [ ] Add archlinux.org to the rspamd whitelists: https://github.com/rspamd/maps/tree/master/rspamd (`spf_dkim` + `dmarc`)
- [ ] Setup ARC
- [ ] Cleanup OpenSMTPD and Dovecot config if possible
- [ ] Remove SSH access for users on the mail host
- [x] Cleanup SPF record (#197, !229)
- [x] Deprecate STARTTLS on Port 587 (https://gitlab.archlinux.org/archlinux/infrastructure/-/commit/0ae67c4a64e2892eef58285f39e9575bdbe38268)
- [ ] Use floating IPs to keep the spam reputation in case we need to migrate the mail server
- [x] Remove old IP addresses from DNSWL
- [ ] Process DMARC and TLS-RPT reports automatically (#241)
- [x] Switch MTA-STS to enforce mode (https://gitlab.archlinux.org/archlinux/infrastructure/-/commit/0b87cbfd062d31814c877614a5c2e388ee5eb416)
- [ ] Setup blacklist monitoring
- [ ] Setup mails sent, received, bounced monitoring
- [x] Deprecate POP3 (https://gitlab.archlinux.org/archlinux/infrastructure/-/commit/cf9c92fd346a6f832e5057e305759c35d59692e8)
---
**Removed tasks**
- [ ] Pull users from Keycloak ([somehow](https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/50#note_2248))
- [ ] Dovecot: Switch passdb from [pam](https://doc.dovecot.org/configuration_manual/authentication/pam/) to [passwd-file](https://doc.dovecot.org/configuration_manual/authentication/passwd_file/)
**Original description:**
Our mail server isn't managed by Ansible and it's fairly opaque how everything is set up. Ansible the whole thing, put it on a separate box and modernize it in the process.
Some guides to follow along with a similar stack: https://prefetch.eu/blog/2020/email-server/ and https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
There's also this: https://wiki.dovecot.org/PasswordDatabase/oauth2
@foxboron mentioned that perhaps OpenSMTPD is inadvisable due to its fairly bad security track record.