... | ... | @@ -62,16 +62,33 @@ the email providers they were using before this service was deployed. |
|
|
|
|
|
## Installation
|
|
|
|
|
|
TODO: how to setup the service from scratch. puppet role and DNS?
|
|
|
|
|
|
_submission._tcp.example.com. SRV 0 1 587 mail.example.com.
|
|
|
To setup a new mail server, create a machine with the
|
|
|
`email::submission` role in Puppet. Ideally, it should be on a network
|
|
|
with a good IP reputation.
|
|
|
|
|
|
In `letsencrypt.git`, add an entry for that host's specific TLS
|
|
|
certificate. For example, the `submit-01.torproject.org` has a line
|
|
|
like this:
|
|
|
certificate. For example, the `submit-01.torproject.org` server has a
|
|
|
line like this:
|
|
|
|
|
|
submit-01.torproject.org submit.torproject.org
|
|
|
|
|
|
Those domains are glued together in DNS with:
|
|
|
|
|
|
submission IN CNAME submit-01
|
|
|
_submission._tcp IN SRV 0 1 587 submission
|
|
|
|
|
|
This implies there is only *one* `submission.torproject.org`, because
|
|
|
one cannot have multiple `CNAME` records, of course. But it should
|
|
|
make replacing the server transparent for end-users.
|
|
|
|
|
|
The latter SRV record is actually specified in [RFC6186](https://datatracker.ietf.org/doc/html/rfc6186), but may
|
|
|
not be sufficient for all automatic configuration. We do *not* go
|
|
|
deeper into auto-discovery, because that typically implies IMAP
|
|
|
servers and so on. But if we would, we could consider using [this
|
|
|
software which tries to support all of them](https://github.com/Monogramm/autodiscover-email-settings) (e.g. [Microsoft](https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019),
|
|
|
[Mozilla](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration/FileFormat/HowTo), [Apple](https://developer.apple.com/library/archive/featuredarticles/iPhoneConfigurationProfileRef/index.html)). For now, we'll only stick with the SRV
|
|
|
record.
|
|
|
|
|
|
## SLA
|
|
|
|
|
|
<!-- this describes an acceptable level of service for this service -->
|
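Review bot: The certificate example and the DNS records in the added Installation text use different names: the `letsencrypt.git` line lists `submit-01.torproject.org submit.torproject.org`, while the records below it create `submission IN CNAME submit-01` and the prose refers to `submission.torproject.org`. If the alias really is `submission`, the certificate as shown would not cover the name clients reach through the SRV record, and TLS hostname validation would fail for them; please make the example line and the records agree on one name. Separately, `_submission._tcp IN SRV 0 1 587 submission` points the SRV target at a CNAME, which RFC 2782 does not allow (the target must not be an alias). Consider targeting `submit-01` directly or making `submission` an address record, and adjust the "only *one*" reasoning in the following paragraph to match. Minor: "To setup" should be "To set up".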
... | ... | |