Sysadmin Documentation/cadmium

From UGCS

Return to Server Setup

Cadmium is the email server. It provides SMTP, IMAP, and storage for email.

Stats

Rackable Systems 2U Intel server, dual Xeon processors, 16 GB RAM, 4x 1 TB drives.

Roles

  • Mail Server

Configuration

The config is loosely based on this guide [1].


High level overview

Mail arriving at the server is either authorized outgoing mail that will be relayed, or genuinely incoming mail.

Relayed mail is restricted with smtpd_relay_restrictions and either needs SASL authentication or must originate from the IP whitelist of other UGCS core servers. SASL auth uses some black magic with dovecot.

Incoming mail is checked against DNS blocklists and must also have a valid recipient in LDAP to be accepted.

Mail is sent to amavis by the content_filter setting and gets scanned. amavis then sends the email back to mailman on a different port. The transport on this port overrides content_filter, so the mail continues along untouched.

Local delivery is done with dovecot. Forwarding happens when postfix checks home directories for a .forward file.


Mailman

We use mailman for mailing list management. It might be sexier to use something like sympa, but mailman has a nice distro-provided config that doesn't really touch the rest of the postfix configuration.

We start by installing mailman from the debian package.

Q: What about mailman 3? A: fuck mailman 3

If we're gonna have to migrate to something, it'll probably be sympa or something. Then again mailman 2.1 has been around for 10 years so it probably doesn't even need maintainers anymore.

Apache Setup

This part doesn't have many steps, but figuring it out is a pita.

Apache doesn't have mod_cgi enabled by default, so that needs to be added. If it's not, then failfox will cache the bullshit and things get really sucky. The access control (allow) directives are also different in the latest apache, so those need to be changed up.

Otherwise, just symlink the given apache config and uncomment the correct lines.

MTA Integration

We follow the postfix-to-mailman.py instructions basically exactly. These are reproduced here:

# INSTALLATION:
#
# Install this file as /var/lib/mailman/bin/postfix-to-mailman.py
#
# To configure a virtual domain to connect to mailman, edit Postfix thusly:
#
# /etc/postfix/main.cf:
#    relay_domains = ... lists.example.com
#    relay_recipient_maps = ... hash:/var/lib/mailman/data/virtual-mailman
#    transport_maps = hash:/etc/postfix/transport
#    mailman_destination_recipient_limit = 1
#
# /etc/postfix/master.cf
#    mailman unix  -       n       n       -       -       pipe
#      flags=FR user=list
#      argv=/var/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
#
# /etc/postfix/transport:
#   lists.example.com   mailman:
#
# /etc/mailman/mm_cfg.py
#    MTA = None # So that mailman skips aliases generation
#    POSTFIX_STYLE_VIRTUAL_DOMAINS = ['lists.example.com']
#    # alias for postmaster, abuse and mailer-daemon
#    DEB_LISTMASTER = 'postmaster@example.com'
#
# Replace lists.example.com above with the name of the domain to be
# connected to Mailman. Note that _all_ mail to that domain will go to
# Mailman, so you don't want to put the name of your main domain
# here. Typically a virtual domain lists.domain.com is used for
# Mailman, and domain.com for regular email.
#
# The recipient map allows Postfix to know which addresses exists.
# Thus, if someone tries to send a (spam?) message to an undefined
# address in the domain connected to Mailman, Postfix will just refuse
# it instead of sending a (backscatter?) bounce.
#
# When you are done, restart Postfix, and run /usr/lib/mailman/bin/genaliases
# to generate the initial recipient map for the existing mailing-lists.


We also need to run postmap on /etc/postfix/transport, which isn't mentioned in the guide.

We now have to create the required "mailman" list, so we do that:

sudo newlist mailman

Once this is done we can start the postfix daemon. Since systemd is dumb, it might think it's already alive, but it's not, so slap it in the ass with a nice restart.

Finally, once everything is done, set the master password:

mmsitepass <your-site-password>
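As an added check for the wiring above (example code written for this page, not part of the original page, Postfix or Mailman): a small Python linter that parses main.cf (with continuation lines) and the transport map and reports which of the postfix-to-mailman.py settings are missing, including the recipient map whose absence means backscatter. The sample main.cf and transport contents, and the hostname in them, are constructed; point it at the real files to check cadmium.

```python
# Constructed sample main.cf; a leading-whitespace line continues the previous parameter.
SAMPLE_MAIN_CF = """\
myhostname = cadmium.example.com
relay_domains = $mydestination,
    lists.example.com
relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
"""
# Constructed sample of /etc/postfix/transport.
SAMPLE_TRANSPORT = """\
# everything for the lists domain goes to the mailman pipe transport
lists.example.com   mailman:
"""

def parse_main_cf(text):
    """Parse main.cf into {parameter: value}, joining continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def parse_transport(text):
    """Parse a transport map into {domain: nexthop}, ignoring comments."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if fields:
            entries[fields[0]] = fields[1].strip() if len(fields) > 1 else ""
    return entries

def lint_mailman_wiring(main_cf, transport, lists_domain):
    """Return the list of missing pieces of the Postfix<->Mailman wiring."""
    p, t, problems = parse_main_cf(main_cf), parse_transport(transport), []
    if lists_domain not in p.get("relay_domains", "").replace(",", " ").split():
        problems.append("relay_domains does not include " + lists_domain)
    if "virtual-mailman" not in p.get("relay_recipient_maps", ""):
        problems.append("relay_recipient_maps lacks virtual-mailman (backscatter risk)")
    if t.get(lists_domain) != "mailman:":
        problems.append("transport has no '%s mailman:' entry" % lists_domain)
    if p.get("mailman_destination_recipient_limit") != "1":
        problems.append("mailman_destination_recipient_limit must be 1")
    return problems
```

Run it against the live files with open("/etc/postfix/main.cf").read() and open("/etc/postfix/transport").read(); an empty list means the four settings from the guide are present, and it still does not replace running postmap on the transport file.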