openSUSE admin

mx1 & mx2 are.ready. Thanks to Marco!

I forgot we had this ticket - adding my update:

• mx[12].o.o are both ready to relay email for “opensuse.org”, with TLS support and with spam and virus filtering. (see below).
• TLS: I borrowed the certificates from pontifex, but of course they should be automagically distributed instead. (from crtmgr.i.o.o)
• Member aliases are being retrieved from connect.o.o (thanks for the hint Christian) once a day, with a consistency check.
• Mailing list aliases copied from baloo based on existing lists.
• Firewall is open for smtp traffic only.
• Freshclam – updated to log to own logfile, and notify admin-auto when software is outdated. (which it is).
• Spam- and virus-filtering: I am unable to get rspamd to work. "milter unix:/run/rspamd/worker-proxy.socket: can't read SMFIC_BODYEOB reply packet header". Instead I have set up postgrey to do greylisting (selectively) and spampd to use spamassassin for spam-filter. I'm calling clamd from within spamassassin, it seems to work quite well.

There is some fine-tuning still be done on the spam- and virus filter, but I suggest we plan to go "live" some time in August (I'm back on 3 August. )

Sounds good :-) - thanks for your work!

AFAIK in the current setup, the aliases are fetched hourly - if it doesn't cause too much load ;-) it would be nice to keep that so that changes go live faster.

I also have a (maybe crazy?) idea for going live: in the first days, enable soft_bounce and keep mx*.suse.de as backup MX. This has the advantage that we don't break anything if something goes wrong (for example if we missed to setup an address or two, which would't surprise me too much with the "grown" setup). After running the parallel setup for some days and checking the logs for "user unknown" messages, we can drop mx*.suse.de from the MX entries and disable soft_bounce.

Oh, and most important - enjoy your vacation!

cboltz wrote:

AFAIK in the current setup, the aliases are fetched hourly - if it doesn't cause too much load ;-) it would be nice to keep that so that changes go live faster.

Yup, I know what you mean - there is no reason why not, I just figured it would be better to be a little conservative.

I also have a (maybe crazy?) idea for going live: in the first days, enable soft_bounce and keep mx*.suse.de as backup MX. This has the advantage that we don't break anything if something goes wrong (for example if we missed to setup an address or two, which would't surprise me too much with the "grown" setup). After running the parallel setup for some days and checking the logs for "user unknown" messages, we can drop mx*.suse.de from the MX entries and disable soft_bounce.

I agree with the idea, "better safe than sorry".

JFYI, we have three categories of forwarding -

• member aliases
• mailing lists
• static addresses (postmaster, abuse, webmaster etc etc ).

I feel it would be difficult to actually miss anyone, but it does not hurt to use soft_bounce and keep mx*.suse.de for a while.