Mail on Open Food Facts infrastructure#
Because mail is difficult to setup, we use Proxmox Mail Gateway as a relay to all servers. It ensure correct SPF, but also it adds DKIM signature.
The DKIM and spf records are configured on main domain openfoodfacts.org.
While DKIM is specific (because Brevo and Google keys are distinct by construction), main SPF rule includes brevo and google servers.
No server receive mail, but they should be able to send them.
📝Note: We ONLY support emails address on primary domain (openfoodfacts.org
) and we DO NOT support emails on sub domains (aka xxx.openfoodfacts.org
).
Google Workspace#
We use Gmail for email boxes and groups.
We have a DKIM record configured for google domain and sub-domains in the DNS, we also take into account in SPF rule. You can find the public key in google workspace admin console, under gmail.
Brevo#
We use Brevo to send newsletters.
We have a DKIM record configured for the Brevo domain in the DNS, we also take into account in SPF rule. They use the hello.openfoodfacts.org subdomain.
You can find the public key if you are logged as admin in Brevo, in the top right corner menu, going in "Senders, domains and dedicated IPs". Clicking on domains, and then the hello.openfoodfacts.org domain, you can see the needed DNS records.
Proxmox Mail Gateway#
This is the pmg
lxc VM (aka 102
) currently on ovh1.openfoodfacts.org
.
The install follows
procedure starting from a debian distribution.
Administration#
You can access the administration of pmg by using a tunnel on ovh1:
ssh -L 8006:10.1.0.102:8006 ovh1.openfoodfacts.org -N
You must have an account to connect to the service.
The most important tools you will find is Administration where you can see queues of deferred mails or logs (on the administration entry).
See https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_administration
Notable configurations options#
First bare in mind that even if proxmox mail gateway is built to handle outgoing and incoming emails, we want to use it only for outgoing emails.
We registered an letsencrypt account with tech@openfoodfacts.org
Administrator email is tech@openfoodfacts.org
Relay is set to smtp-relay.gmail.com, although we should not need it (this is for incoming mails).
SMTP private port is set to 25
and public port to 26
In networks tab, there are all servers ips, though because of redirects,
PMG sees each incoming request as issued by 10.1.0.1
.
TLS (TLS tab) is enabled
DKIM is configured with label pmg-openfoodfacts
, with a key size of 2048,
the public key was reported in DNS configuration
see also installation report
redirects#
On DNS:
pmg.openfoodfacts.org
is a CNAME toovh1.openfoodfacts.org
ovh1
ip address is reported in the spf entry of the DNS- there is an entry for the dkim key
An iptable rule on host (ovh1
) redirects our server incoming ips to the VM smtp port (25).
Private network address (corresponding to VM and docker ranges) are also redirected.
To add a new machine
sudo iptables -t nat -A PREROUTING -s 213.36.253.206,213.36.253.208,146.59.148.140,51.210.154.203,1.210.32.79 -d pmg.openfoodfacts.org -p tcp --dport 25 -j DNAT --to 10.1.0.102:25
(a generic masquerading rule for VM also exists)
Note that the port 25 is in fact the private (trusted) port (not the public one, as we are not receiving emails). This is a tweak in default config.
Also the nginx reverse proxy (VM 101
on ovh1
) proxies requests to pmg.openfoodfacts.org
on port 80,
to the proxmox mail gateway VM (102
),
this is needed for certificate generation through letsencrypt by the gateway.
Testing that the gateway is well configured#
To do a simple test, you may use:
echo "Subject: mail gateway test" | sudo sendmail -f alex@openfoodfacts.org -v alex@openfoodfacts.org
pmg
server.
To test quality of the configuration we can send a mail to a service such as https://www.mail-tester.com/
To test using this service:
- I temporarily added an iptables rule to enable my personal ip address to be forwarded to the mail gateway (as for servers)
- I added pmg.openfoodfacts.org as an smtp server in thunderbird and configured my personal address to use it
- I sent a mail as requested by the service
- I could then check the result
- I undo iptables and thunderbird config
Servers#
On client servers (be it a VM, a host or a standalone server), we use either exim4 or postfix.
Email aliases#
We normally keeps a standard /etc/aliases
.
We have specific groups to receive emails: root@openfoodfacts.org
and off@openfoodfacts.org
You may add some redirections for non standard users to one of those groups.
Do not forget to run newaliases
, and etckeeper
and restart the postfix service (postfix.service
and/or postfix@-.service
).
Postfix configuration#
Run: dpkg-reconfigure postfix
:
- configuration type : satellite system
- mail name: openfoodfacts.org
-
relayhost: pmg.openfoodfacts.org
(with an exception for ovh1/ovh2/ovh3: 10.1.0.2)
- mail for root: tech@openfoodfacts.org
- other dest: blank
- sync: no
- local network: leave default
- use procmail: no
- default for the rest
IMPORTANT:
On some system, the real daemon is not postfix.service
but postfix@-.service
So, for example, if you touch /etc/alias
(with after sudo newaliases
) you need to systemctl reload postfix@-.service
Exim4 configuration#
Run: dpkg-reconfigure exim4-config
:
- mail sent by smarthost; no local mail
- mail name: openfoodfacts.org
- listen: 127.0.0.1
- other dest: off1.free.org
- visible domain name : openfoodfacts.org
- IP address smarthost: pmg.openfoodfacts.org
- keep DNS queries minimal (dial-up): no
- local: maildir format in home
- split config : no
Testing#
To test that mail is well configured, you can use:
echo "Subject: sendmail test xxx" | sudo sendmail -f alex@openfoodfacts.org -v root
or, with the bsd-mailx
package installed 1:
echo "test message from xxx" |mailx -s "test root xxx" -r alex@openfoodfacts.org root
If you do not receive the email on expected group, here are some checks:
- look at logs on your server:
/var/log/exim/
if you useexim4
/var/log/mail*
if you use postfix
- look at logs on pmg VM:
/var/log/mail*
ping pmg.openfoodfacts.org
to verify networknc -vz pmg.openfoodfacts.org 25
suceed, else you might have firewall problems: verify iptables on your machine and on ovh1. (nc command belongs tonetcat-traditional
ornetcat-openbsd
packages)- you can even try to send a mail manualy using smtp protocol using
nc pmg.openfoodfacts.org
and following a tutorial about sending email with netcat If it suceed this may mean you have a problem in username to email address translation. /etc/mailname
containsopenfoodfacts.org
(see also debian wiki)- check
/etc/aliases
and/etc/email-adresses
if you use exim4
References#
-
Note that we use bsd-mailx and not the alias from mailutils as it does not behave the same. Noticabely it won't use /etc/mailname to complete email address which leads to problems. ↩