Because mail is difficult to setup, we use Proxmox Mail Gateway as a relay to all servers. It ensure correct SPF, but also it adds DKIM signature.
No server receive mail, but they should be able to send them.
📝Note: We ONLY support emails address on primary domain (openfoodfacts.org) and we DO NOT support emails on sub domains (aka xxx.openfoodfacts.org).
We use Gmail for email boxes and groups.
We have a DKIM record configured for google domain and sub-domains in the DNS, we also take into account in SPF rule. You can find the public key in google workspace admin console, under gmail.
We use Brevo to send newsletters.
We have a DKIM record configured for the Brevo domain in the DNS, we also take into account in SPF rule. You can find the public key if you are logged as admin in Brevo.
This is the pmg lxc VM (aka 102) currently on ovh1.openfoodfacts.org.
The install follows
procedure starting from a debian distribution.
You can access the administration of pmg by using a tunnel on ovh1:
ssh -L 8006:10.1.0.102:8006 ovh1.openfoodfacts.org -N
then connect to https://localhost:8006 (beware the s of https !)
You must have an account to connect to the service.
The most important tools you will find is Administration where you can see queues of deferred mails or logs (on the administration entry).
See https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_administration
First bare in mind that even if proxmox mail gateway is built to handle outgoing and incoming emails, we want to use it only for outgoing emails.
We registered an letsencrypt account with [email protected]
Administrator email is [email protected]
Relay is set to smtp-relay.gmail.com, although we should not need it (this is for incoming mails).
SMTP private port is set to 25 and public port to 26
In networks tab, there are all servers ips, though because of redirects,
PMG sees each incoming request as issued by 10.1.0.1.
TLS (TLS tab) is enabled
DKIM is configured with label pmg-openfoodfacts, with a key size of 2048,
the public key was reported in DNS configuration
see also installation report
On DNS:
pmg.openfoodfacts.orgis a CNAME toovh1.openfoodfacts.orgovh1ip address is reported in the spf entry of the DNS- there is an entry for the dkim key
An iptable rule on host (ovh1) redirects our server incoming ips to the VM smtp port (25).
Private network address (corresponding to VM and docker ranges) are also redirected.
To add a new machine
sudo iptables -t nat -A PREROUTING -s 213.36.253.206,213.36.253.208,146.59.148.140,51.210.154.203,1.210.32.79 -d pmg.openfoodfacts.org -p tcp --dport 25 -j DNAT --to 10.1.0.102:25
don't forget to save iptables
(a generic masquerading rule for VM also exists)
Note that the port 25 is in fact the private (trusted) port (not the public one, as we are not receiving emails). This is a tweak in default config.
Also the nginx reverse proxy (VM 101 on ovh1) proxies requests to pmg.openfoodfacts.org on port 80,
to the proxmox mail gateway VM (102),
this is needed for certificate generation through letsencrypt by the gateway.
To do a simple test, you may use:
echo "Subject: mail gateway test" | sudo sendmail -f [email protected] -v [email protected]directly on the pmg server.
To test quality of the configuration we can send a mail to a service such as https://www.mail-tester.com/
To test using this service:
- I temporarily added an iptables rule to enable my personal ip address to be forwarded to the mail gateway (as for servers)
- I added pmg.openfoodfacts.org as an smtp server in thunderbird and configured my personal address to use it
- I sent a mail as requested by the service
- I could then check the result
- I undo iptables and thunderbird config
On client servers (be it a VM, a host or a standalone server), we use either exim4 or postfix.
We normally keeps a standard /etc/aliases.
We have specific groups to receive emails: [email protected] and [email protected]
You may add some redirections for non standard users to one of those groups.
Do not forget to run newaliases, and etckeeper.
Run: dpkg-reconfigure postfix:
-
configuration type : satellite system
-
mail name: openfoodfacts.org
-
relayhost: pmg.openfoodfacts.org
(with an exception for ovh1/ovh2/ovh3: 10.1.0.2)
-
mail for root: [email protected]
-
other dest: blank
-
sync: no
-
local network: leave default
-
use procmail: no
-
default for the rest
IMPORTANT:
On some system, the real daemon is not postfix.service but [email protected]
(so eg., if you touch /etc/alias (with after sudo newaliases) you need to systemctl reload [email protected]
Run: dpkg-reconfigure exim4-config:
- mail sent by smarthost; no local mail
- mail name: openfoodfacts.org
- listen: 127.0.0.1
- other dest: off1.free.org
- visible domain name : openfoodfacts.org
- IP address smarthost: pmg.openfoodfacts.org
- keep DNS queries minimal (dial-up): no
- local: maildir format in home
- split config : no
To test that mail is well configured, you can use:
echo "Subject: sendmail test xxx" | sudo sendmail -f [email protected] -v rootor, with the bsd-mailx package installed 1:
echo "test message from xxx" |mailx -s "test root xxx" -r [email protected] rootIf you do not receive the email on expected group, here are some checks:
- look at logs on your server:
/var/log/exim/if you useexim4/var/log/mail*if you use postfix
- look at logs on pmg VM:
/var/log/mail*
ping pmg.openfoodfacts.orgto verify networknc -vz pmg.openfoodfacts.org 25suceed, else you might have firewall problems: verify iptables on your machine and on ovh1. (nc command belongs tonetcat-traditionalornetcat-openbsdpackages)- you can even try to send a mail manualy using smtp protocol using
nc pmg.openfoodfacts.organd following a tutorial about sending email with netcat If it suceed this may mean you have a problem in username to email address translation. /etc/mailnamecontainsopenfoodfacts.org(see also debian wiki)- check
/etc/aliasesand/etc/email-adressesif you use exim4
Note that we use bsd-mailx and not the alias from mailutils as it does not behave the same. Noticabely it won't use /etc/mailname to complete email address which leads to problems.