Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate away from ImprovMX for mailing lists #485

Open
3 of 10 tasks
jfly opened this issue Sep 30, 2024 · 9 comments
Open
3 of 10 tasks

Migrate away from ImprovMX for mailing lists #485

jfly opened this issue Sep 30, 2024 · 9 comments

Comments

@jfly
Copy link
Contributor

jfly commented Sep 30, 2024
edited
Loading

We currently use ImprovMX to handle mail sent to @nixos.org (see relevant dns entries).

  • We only use ImprovMX for mail forwarding (teams like infra@, marketing@, etc). Today, nobody sends mail from @nixos.org, and nobody has any inboxes.
  • You need a web account with ImprovMX to see and to update these mail forwards. The Nix community can't see/audit any of this.
  • There are various limits (number of forwards, perhaps the number of emails an address can forward to?). See https://improvmx.com/pricing/. I don't know if we're currently paying for ImprovMX. I think I heard that we've run into some of these limits.

The plan

A few weeks ago, @Mic92 asked me to look into self hosting this instead. He recommended Simple NixOS Mailserver (SNM). I've played with it a bit, and it does seem like a good fit here.

  1. Install SNM on umbriel.
  2. Verify this server can successfully send mail (target: 10/10 on https://www.mail-tester.com/). Either by temporarily adding a login account, or speaking directly to postfix via the cli.
  3. TBD (see below): configure a metrics/alerting solution. Intentionally break emailing somehow and confirm that the infra team gets notified about stale mail stuck in queues.
  4. Talk to t-online and outlook to tell them we exist
  5. Wait until the Nix Steering Committee Election is done: https://nixos.org/blog/announcements/2024/sc-election-2024/.
  6. Rollout the change (ETA: early December 2024)
    • Check that listsWithSecretFiles is up to date
    • Switchover the MX records from ImprovMX to umbriel.nixos.org.
    • After the MX record change has propagated everywhere (check with https://www.whatsmydns.net/), verify that email forwards still work. If not, switch the MX records back.
    • Cleanup: shut down our ImprovMX account, or do whatever we can to reduce confusion about this

Open questions/TBD:

  1. Monitoring
    • Ideally, the infra team would get alerted if emails have been sitting in a postfix queue for a long time. Are there any best practices for this? We use Prometheus, perhaps https://github.com/kumina/postfix_exporter is a good pick? It's packaged in nixpkgs =)
    • Anything else?
  2. Backups
    • Arguably not necessary. This service is pretty much stateless (except for the mail stuck in queues, which perhaps we can live with?)

Alternatives considered

  • I don't know if there's been any serious discussion about paying someone (ImprovMX or something else) to handle this for us. Since declarative management and audit-ability are important to us, it would either have to be a provider that has a Terraform provider, or we could build one ourselves.
  • @Mic92, can you shed any light on this?
jfly added a commit to jfly/infra that referenced this issue Sep 30, 2024
@jfly
Give myself access to non-critical infra
8eb0cc7 
I'm going to be working on <NixOS#485>.
This will give me the power to do most of the work there, except for
deploying the relevant DNS changes with Terraform.
@jfly jfly mentioned this issue Sep 30, 2024
Merged
jfly added a commit to jfly/infra that referenced this issue Sep 30, 2024
@jfly
Give myself access to non-critical infra
7699672 
I'm going to be working on <NixOS#485>.
This will give me the power to do most of the work there, except for
deploying the relevant DNS changes with Terraform.
@SuperSandro2000
Copy link
Member

I just want to make awareness that you probably need to write a mail to t-online and outlook (none 356) to whitelist your IP otherwise mails cannot be delivered.

@mweinelt
Copy link
Member

mweinelt commented Oct 1, 2024
edited
Loading

After the leak of the existing email mappings I would be interested in discussing the privacy aspect of the email mappings. What other organization publishes those? The current set of addresses were not given to us by its recipients with the intent to make them public.

@jfly
Copy link
Contributor Author

jfly commented Oct 1, 2024

I just want to make awareness that you probably need to write a mail to t-online and outlook (none 356) to whitelist your IP otherwise mails cannot be delivered.

I hear you on this. I've never run a mailserver before, and honestly have no idea what our deliverability is going to be like. I believe the current set of emails is quite tiny, and may not even include any t-online or outlook. My personal opinion on this is that we should make sure we've solved the monitoring story: if we get notified for email stuck in queues, then we can tackle these allowlists as necessary, or we can give up and pay someone to handle this for us.

After the leak of the email mappings I would be interested in discussing the privacy aspect of the email mappings.

Sorry about that. I asked one person about this, but should have talked to more people before posting.

Ideas:

  1. We could encrypt the email addresses. This would be hard to code review.
  2. We could seek consent from all the relevant people. I don't know how hard this would be. I don't have the list anymore, but it didn't seem like an insurmountable number.
  3. Do this behind some self-hosted (or paid) webapp with a login. That's basically what we do today with ImprovMX.

@Mic92
Copy link
Member

Mic92 commented Oct 2, 2024
edited
Loading

I just want to make awareness that you probably need to write a mail to t-online and outlook (none 356) to whitelist your IP otherwise mails cannot be delivered.

For T-Online at least this is just one email after setting up reverse DNS and everything up correctly.

Overall I also don't expect the NixOS foundation to have to handle large volume of email. The vote was the first time, we had to do this actually.

@Mic92
Copy link
Member

Mic92 commented Oct 2, 2024

  1. We could encrypt the email addresses. This would be hard to code review.
  2. We could seek consent from all the relevant people. I don't know how hard this would be. I don't have the list anymore, but it didn't seem like an insurmountable number.
  3. Do this behind some self-hosted (or paid) webapp with a login. That's basically what we do today with ImprovMX.

@zimbatm started to ask existing users of email addresses about that.

@Mic92
Copy link
Member

Mic92 commented Oct 2, 2024

I hear you on this. I've never run a mailserver before, and honestly have no idea what our deliverability is going to be like. I believe the current set of emails is quite tiny, and may not even include any t-online or outlook. My personal opinion on this is that we should make sure we've solved the monitoring story: if we get notified for email stuck in queues, then we can tackle these allowlists as necessary, or we can give up and pay someone to handle this for us.

Some DMARC and reading the mail logs in case there are delivery problems. I didn't had any big issues with emails for the NixOS wiki and that looks more like bulk messages compared to what I expect to be sent from nixos.org.

@zimbatm
Copy link
Member

zimbatm commented Oct 2, 2024

@jfly Is it possible to move the email addresses into sops-encoded secrets, or is this part only configurable with plain Nix code?

@SuperSandro2000
Copy link
Member

For T-Online at least this is just one email after setting up reverse DNS and everything up correctly.

And you need to have a proper imprint on the TLD of the rDNS entry and contact means via I think telephone and e-mail that is not going over the mail server.

I have recently done it and it took me a few back and forths but it is doable.

@jfly
Copy link
Contributor Author

jfly commented Oct 2, 2024
edited
Loading

@jfly Is it possible to move the email addresses into sops-encoded secrets, or is this part only configurable with plain Nix code?

It currently requires plain Nix code:

Adding support for encrypted emails seems like it might actually not be too hard:

  • We could adjust the nixpkgs service to allow for multiple virtual_alias_maps (currently it supports exactly 0 or 1), and then we could add a new entry to that array to point at a virtual alias map generated with a sops-nix template.
    • I think the nixpkgs change I have in mind will look weird. We might need a more generic solution that has a satisfying answer to this question: "why does virtual_alias_maps get this special escape hatch but not other maps like alias_maps?"
  • Adding a new entry is a little tricky because you actually need to run postmap to "compile" these mappings, but I think the existing services.postfix.mapFiles option is flexible enough to do this for us without changes.

tl;dr:

  • It's possible, but requires changes to nixpkgs, and perhaps SNM, depending on how we want to expose this.
  • I'm willing to do this work, but would prefer to wait until we know if it's necessary first.
    • If it makes sense to do this work, I could use a brainstorm partner on the nixpkgs change.

@fricklerhandwerk fricklerhandwerk mentioned this issue Oct 18, 2024
Open
@jfly jfly mentioned this issue Oct 29, 2024
Merged
This was referenced Nov 5, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@zimbatm @Mic92 @mweinelt @jfly @SuperSandro2000