[tech] Untangling UCC email, start of an ansible SOE for UCC and next steps ...
Mark Tearle
mtearle at ucc.asn.au
Wed Apr 8 15:06:22 AWST 2020
Hi folks
With the assistance of Nick, I have been starting on untangling UCC's email setup. Ultimately, this is in aid of upgrading mooneye and the UCC mailman installation, but there'll be some diversions along the way.
Diagram
-------------
To that end, so far I've created a diagram of the current setup (attached). Let me know if you'd like me to run through it with you via a teleconf on meetings.ucc.asn.au.
New DNS entries and haproxy
--------------------------------------------
In anticipation of the upcoming hijinx with UCC DNS, I have created a set of new DNS names for:
IMAPS (port 993) - imaps.ucc.asn.au
POP3S (port 995) - pop3s.ucc.asn.au
SMTP AUTH/submission (port 587) - submission.ucc.asn.au
These all point at a new host VM running haproxy, which proxies these services to motsugo and mooneye.
This host is a new VM called mailauesi.ucc.asn.au and is set up with ansible (more on that below).
I've also added SRV records and an autodiscovery website to enable email clients to configure themselves automatically for UCC email. I've tested with Thunderbird and Evolution. Wider testing is needed with other clients; let me know if you can help.
I intend to email (probably tomorrow) the current users of IMAP and POP and get them to start using the new DNS entries.
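As an added illustration (not UCC's actual configuration, and not from the ucc-ansible-soe repo), this is the shape an haproxy front end for the three client-facing services above takes. It passes TLS through untouched, so the certificates stay on the mail hosts. Which host serves which protocol is an assumption: the post says motsugo runs dovecot, so IMAPS and POP3S are sent there, and submission is assumed to be on mooneye. Backend port numbers, the proxy's address and the dovecot/postfix settings named in the comments are likewise assumptions about how the backends would be set up.

```haproxy
# Added example: TCP passthrough proxy for imaps/pop3s/submission.
# Backend hosts, ports and the proxy address are assumptions, not UCC's config.
global
    log /dev/log local0
    chroot /var/lib/haproxy
    # drop root after binding the privileged ports
    user haproxy
    group haproxy

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 10s
    # IMAP IDLE clients can sit silent for up to 30 minutes between commands;
    # a short idle timeout here would silently drop those sessions.
    timeout client 35m
    timeout server 35m

# TLS is terminated on the backend, so haproxy only sees ciphertext.
frontend imaps
    bind :993
    default_backend imap_servers

frontend pop3s
    bind :995
    default_backend pop3_servers

frontend submission
    bind :587
    default_backend submission_servers

# Without send-proxy, dovecot/postfix log every client as the proxy's IP, which
# hides brute-force sources and defeats per-IP auth throttling (e.g. fail2ban).
# send-proxy-v2 passes the real client address via the PROXY protocol; the
# backend must then be told to expect it (assumed settings):
#   dovecot:  haproxy_ports = 993 995
#             haproxy_trusted_networks = <proxy address>
#   postfix (master.cf submission line): -o smtpd_upstream_proxy_protocol=haproxy
# Health checks must send the header too, hence check-send-proxy.
backend imap_servers
    server motsugo motsugo.ucc.asn.au:993 send-proxy-v2 check check-send-proxy

backend pop3_servers
    server motsugo motsugo.ucc.asn.au:995 send-proxy-v2 check check-send-proxy

backend submission_servers
    server mooneye mooneye.ucc.asn.au:587 send-proxy-v2 check check-send-proxy
```

Once a backend is configured for the PROXY protocol it rejects plain connections on those ports, so clients that still point directly at the old hostnames need to keep using the non-proxied ports, or the cutover to the new DNS names needs to happen first.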
Ansible SOE
------------------
So to create this new VM host, I've generated a set of ansible roles reflecting UCC's SOE as documented on the wiki.
These are in the repo at https://gitlab.ucc.asn.au/ucc-systems/ucc-ansible-soe
So far it has/uses roles to set up:
- roles/ucc_vm_guest (Guest agents for VM)
- roles/ucc_sshd_config (UCC sshd standard settings)
- roles/ucc_ad_client (Join the UCC AD)
- weareinteractive.sudo (Enable sudo for wheel)
- roles/ucc_mounts_machineroom (/home, /away and /services NFS mounts)
- roles/ucc_server_base_packages (UCC standard packages)
- roles/ucc_central_syslog_client (UCC syslog)
- roles/ucc_motd (UCC motd setup)
- roles/ucc_postfix_smarthost (UCC host postfix smarthost setup)
- roles/ucc_security_harden (Security hardening)
- roles/ucc_wheel_only (Restrict logins to wheel only on this host)
- roles/ucc_mail_agents_haproxy (haproxy setup for imaps/pop3s/submission)
The majority of these roles can be reused for the next host to be set up with ansible. There was still some manual configuration on the server hosts needed for this machine.
Next Steps
----------------
1. Email IMAPS/POP3 users to ask them to use new names
2. Look at moving the wikis off of mooneye. (Question is where to?)
3. Tidy up mooneye's apache config
4. Remove broken LDAP config on motsugo's dovecot
5. Move roundcube and SoGO to their own DNS/virtualhost name (remaining on the same host)
6. Look at imapproxy on mussel
7. Look more broadly at UCC web config and draw a diagram?
8. More work on UCC mailman setup - look at existing data/files that need to be migrated...
9. More yak shaving
Mark
--
Mark Tearle <mtearle at ucc.asn.au>
Attachment: UCC-mail-subsystem v5.pdf (application/pdf, 242992 bytes)
https://lists.ucc.gu.uwa.edu.au/pipermail/tech/attachments/20200408/b718af8b/attachment-0001.pdf