Description
Create new users and aliases from a unique link
The static user configuration allowed by simple-nixos-mailserver is impractical.
Some of my friends have requested an @normie.dev email address.
As such I will need to look into other technologies that will allow me to create users on demand.
I don't want to run and configure an LDAP server. I am also not sure whether there is any integration around LDAP that would allow me to create users by sharing a unique link.
I found mokey for FreeIPA but I'm not interested in learning and investing in that tech stack.
Another option is to use an OAuth/OIDC setup with a self-hosted identity management platform.
| Service | Link |
|---|---|
| Roundcube (OAuth2) | https://web.archive.org/web/20211007091147/https://github.com/roundcube/roundcubemail/wiki/Configuration%3A-OAuth2 |
| Ory (Kratos) | https://www.ory.sh/docs/kratos |
| Ory (Hydra) | https://github.com/ory/hydra |
| Ory Frontend | https://github.com/ory/kratos-selfservice-ui-node |
| Postfix & Dovecot guide | https://web.archive.org/web/20211014135455/https://documentation.open-xchange.com/7.10.2/middleware/mail/dovecot/oauth_2.0_with_postfix_and_dovecot.html |
Backup to Backblaze
This should have been set up long ago.
There are two options:
- Dovecot can be made to write directly to an S3 storage
- Restic can write to an S3 storage
I don't receive and send many emails from this host, so I don't think the first solution will use too many API calls (pricing here: https://www.backblaze.com/b2/b2-transactions-price.html).
- Backups
- Test backup recovery method
Add DANE/TLSA records
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources#221-deployment-and-monitoring
https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md#configuring-postfix
- DANE/TLSA records
Testing websites:
Rspamd, Greylist, ManagedSieve
- Rspamd
- Accessible web interface for rspamd
- ManagedSieve
- Greylisting (requires Redis)
Monitoring improvements
- Whether the host is reachable
- Whether my LE certificates are about to expire
- Whether my domain is about to expire
- Whether roundcube, postfix, dovecot, rspamd, etc. are running (and healthy?)
- Whether my DNS records exist (MX, DKIM, SPF, MTA-STS, PTR for the MX) and are valid
- Whether backups have been made, their age, the last time they were done
- General system metrics (cpu and memory usage, disk quotas, etc.)
- Whether backups are being made (with time since last run / age)
Quis monitoriet ipsos monitores?
Who will monitor the monitors themselves?
Autodiscovery
- autoconfig
- autodiscover
z-push/activesync