balug:mail_and_lists
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
balug:mail_and_lists [2017-09-17T19:02:56+0000] michael_paoli status updates |
balug:mail_and_lists [2017-09-25T01:07:01+0000] michael_paoli completed SPF related updates |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| BALUG's email and lists are still hosted on DreamHost.Com. | BALUG's email and lists are still hosted on DreamHost.Com. | ||
| For numerous reasons we wish to | For numerous reasons we wish to | ||
| - | - migrate off of DreamHost.Com as soon as feasible | + | - [done] migrate off of DreamHost.Com as soon as feasible |
| - | - make transition as painless as reasonably feasbible | + | - [done] make transition as painless as reasonably feasible |
| Where those two objectives may conflict, in general the former will take precedence over the latter. | Where those two objectives may conflict, in general the former will take precedence over the latter. | ||
| - | Lists - lists are presently on lists.balug.org. | + | Lists - lists on lists.balug.org. [were, and shall return to] |
| There is also some mail on balug.org. | There is also some mail on balug.org. | ||
| + | [Migration was fully completed off of DreamHost.com on 2017-09-18] | ||
| High-level of migration strategy off of DreamHost.Com (to be implemented as feasible, but we do need to get off of DreamHost.Com): | High-level of migration strategy off of DreamHost.Com (to be implemented as feasible, but we do need to get off of DreamHost.Com): | ||
| * create temp.balug.org (done - implemented for now as fully delegated sub-domain) | * create temp.balug.org (done - implemented for now as fully delegated sub-domain) | ||
| Line 17: | Line 18: | ||
| * fully prepare email infrastructure on @balug.org (e.g. for various aliases there) for migration (and test as feasible, etc.) | * fully prepare email infrastructure on @balug.org (e.g. for various aliases there) for migration (and test as feasible, etc.) | ||
| * copy/migrate any remnant bits from DreamHost.Com if/as feasible | * copy/migrate any remnant bits from DreamHost.Com if/as feasible | ||
| - | * pull the plug on DreamHost.Com (remove DNS delegation from it), move forward to cancell any releant DreamHost.Com account(s) or services thereof | + | * pull the plug on DreamHost.Com (remove DNS delegation from it), move forward to cancel any relevant DreamHost.Com account(s) or services thereof |
| * temp.balug.org is intended to be //temporary// - transitional - it will be migrated back to lists.balug.org (once we're done with DreamHost.Com and we can make that self-hosted), then we'll slowly phase out temp.balug.org (for some fair while we'll allow both to work, but lists.balug.org will be the canonical). | * temp.balug.org is intended to be //temporary// - transitional - it will be migrated back to lists.balug.org (once we're done with DreamHost.Com and we can make that self-hosted), then we'll slowly phase out temp.balug.org (for some fair while we'll allow both to work, but lists.balug.org will be the canonical). | ||
| Note also that presently much of BALUG's content is already self-hosted - e.g. [www.]balug.org is mostly just rsynced from "master" that's self-hosted; primary traffic can be put to that master with some DNS changes - when that and anything else that needs/ought be migrated/pulled from DreamHost.Com is done, then it's safe to pull/cut the cord / flip the switch, and move off of DreamHost.Com. | Note also that presently much of BALUG's content is already self-hosted - e.g. [www.]balug.org is mostly just rsynced from "master" that's self-hosted; primary traffic can be put to that master with some DNS changes - when that and anything else that needs/ought be migrated/pulled from DreamHost.Com is done, then it's safe to pull/cut the cord / flip the switch, and move off of DreamHost.Com. | ||
| ===== List migration step-by-step ===== | ===== List migration step-by-step ===== | ||
| - | (Work-in-progress), and may be mostly documented as we go along the way) | + | (Work-in-progress, and may be mostly documented as we go along the way) |
| * temp.balug.org [created] | * temp.balug.org [created] | ||
| * temp.balug.org - any DNS records we need to create/add there? - notably not only what we need but implement as soon as feasible to avoid any DNS negative caching TTL issues [checked, done, more than sufficient] | * temp.balug.org - any DNS records we need to create/add there? - notably not only what we need but implement as soon as feasible to avoid any DNS negative caching TTL issues [checked, done, more than sufficient] | ||
| Line 34: | Line 35: | ||
| </file>\\ | </file>\\ | ||
| changed from Yes to No (BALUG-Announce was already set to No).\\ | changed from Yes to No (BALUG-Announce was already set to No).\\ | ||
| - | From walking the admin menus, the above seems the only setting of relevance to unobfuscate email addresses, but since they're obfuscated on the BALUG-Announce list, where that settings isn't and wasn't set, and where the email addresses in the archive are obfuscated anyway, seems we don't have a setting we can access to turn off that behavior. | + | From walking the admin menus, the above seems the only setting of relevance to unobfuscate email addresses, but since they're obfuscated on the BALUG-Announce list, where that settings isn't and wasn't set, and where the email addresses in the archive are obfuscated anyway, seems we didn't (on DreamHost) have a setting we could access to turn off that behavior. |
| - | * for our currently installed operating system (Debian GNU/Linux 8.8 (jessie) amd64) to work with our desired anti-spam software/configuration, we'll want package exim4-daemon-heavy - have that installed, but need to more suitably configure that (hasn't really been used, but with very low setting on priority of questions asked when installed, probably not so close to default - we want (much) closer to default for baseline/reference before we start integrating the other pieces). | + | * for our at migration time target operating system (Debian GNU/Linux 8.8 (jessie) amd64) to work with our desired anti-spam software/configuration, we'll want package exim4-daemon-heavy - have that installed, but need to more suitably configure that (hasn't really been used, but with very low setting on priority of questions asked when installed, probably not so close to default - we want (much) closer to default for baseline/reference before we start integrating the other pieces). |
| * So, for clean reinstall of exim4-daemon-heavy, temporarily installed another (conflicting) MTA (sendmail) and purged the exim4 packages, then purged the sendmail packages and reinstalled the exim4 packages thusly for a nice clean base install:\\ | * So, for clean reinstall of exim4-daemon-heavy, temporarily installed another (conflicting) MTA (sendmail) and purged the exim4 packages, then purged the sendmail packages and reinstalled the exim4 packages thusly for a nice clean base install:\\ | ||
| <file> | <file> | ||
| Line 88: | Line 89: | ||
| o Y (fixed) SMTP TLS - should offer working STARTTLS on receiving with CA signed cert for applicable domain(s) | o Y (fixed) SMTP TLS - should offer working STARTTLS on receiving with CA signed cert for applicable domain(s) | ||
| o Y SMTP TLS - set up separate cert for MTA to have read access to private key with just {temp.,}balug.org (and later to add lists.balug.org, and eventually drop temp.balug.org) | o Y SMTP TLS - set up separate cert for MTA to have read access to private key with just {temp.,}balug.org (and later to add lists.balug.org, and eventually drop temp.balug.org) | ||
| - | o [requested 2017-09-17] outbound IPv6 SMTP to TCP port 25 should be open and operational (blocked by the (IPv6) tunnel provider by default) | + | o Y [requested 2017-09-17, granted and made open 2017-09-18] outbound IPv6 SMTP to TCP port 25 should be open (blocked by the (IPv6) tunnel provider by default) |
| - | o Y (implemented, need to verify) if outbound IPv6 SMTP to TCP port 25 is not open, apply workaround: | + | o Y outbound IPv6 SMTP to TCP port 25 should be made fully operational for MTA & configurations thereof |
| + | o N/A (was earlier implemented as work-around and verified) if outbound IPv6 SMTP to TCP port 25 is not open, apply workaround: | ||
| changed config line in /etc/exim4/eximconfig/config/ignore_target_hosts to: | changed config line in /etc/exim4/eximconfig/config/ignore_target_hosts to: | ||
| <; 127.0.0.1/8 ; 0.0.0.0/32 ; 192.168.0.0/16 ; 172.16.0.0/12 ; 10.0.0.0/8 ; 2000::/3 | <; 127.0.0.1/8 ; 0.0.0.0/32 ; 192.168.0.0/16 ; 172.16.0.0/12 ; 10.0.0.0/8 ; 2000::/3 | ||
| + | and when no longer applicable, set it to: | ||
| + | <; 127.0.0.1/8 ; 0.0.0.0/32 ; 192.168.0.0/16 ; 172.16.0.0/12 ; 10.0.0.0/8 | ||
| + | The above not quite matching the original, but much more friendly for including any IPv6 | ||
| o Y relevant list user URLs should generally work: info/subscribe/unsubscribe/archive (need more complete list) | o Y relevant list user URLs should generally work: info/subscribe/unsubscribe/archive (need more complete list) | ||
| o Y relevant list admin URLs should generally work: per-list and overall admin, roster, etc. (need more complete list) | o Y relevant list admin URLs should generally work: per-list and overall admin, roster, etc. (need more complete list) | ||
| Line 107: | Line 112: | ||
| for existing lists, toggling archive from public to private and back again seems sufficient to then create the needed link | for existing lists, toggling archive from public to private and back again seems sufficient to then create the needed link | ||
| o N full mbox archive should be publicly available via public rsync | o N full mbox archive should be publicly available via public rsync | ||
| - | o ? should be able to completely reload archive, add/drop messages from archive, etc. & document procedure thereof | + | o Y should be able to completely reload archive, add/drop messages from archive, etc. & document procedure thereof (basically uses mailman command arch, with --wipe option, and run it as id list) |
| o Y (working or mostly working?) mailman commands should work via email: subscribe/unsubscribe/help (need more complete list) | o Y (working or mostly working?) mailman commands should work via email: subscribe/unsubscribe/help (need more complete list) | ||
| - | o ? (untested) mailman admin commands should work via email (need more complete list) | + | o Y (untested) mailman admin commands should work via email (need more complete list) |
| - | o (partially staged) should accept legitimate email for legitimate @balug.org addresses | + | o Y should accept legitimate email for legitimate @balug.org addresses |
| - | o N (future) default sending domain of host: @balug.org | + | o Y default sending domain of host: @balug.org (for non-list email, list email updated to user @lists.balug.org) |
| - | o N (future) add appropriate SPF records for @lists.balug.org, @balug.org | + | o Y add/update appropriate SPF records for @lists.balug.org, @balug.org, @temp.balug.org |
| - | o (http://lists.balug.org/ staged, remainder pending DNS & SSL cert, etc.) lists should use URLs starting with: https://lists.balug.org/ | + | o Y lists should use URLs starting with: https://lists.balug.org/ |
| - | o (MTA partially staged, remainder pending DNS, SSL certs, reconfigurations) lists should use email addresses ending with: @lists.balug.org | + | o Y lists should use email addresses ending with: @lists.balug.org |
| o Y get raw mbox of archives from DreamHost.Com (completed 2017-09-16) | o Y get raw mbox of archives from DreamHost.Com (completed 2017-09-16) | ||
| o Y (emailed request of primary account holder 2017-08-20, reminder sent 2017-08-24 & 2017-08-30; I called and left voicemail message 2017-09-06; 2017-09-13: called and left voicemail again, sent email again, also sent cellular text message; 2017-09-14 called and left voicemail again and sent email again also gave additional option to have primary user transfer DreamHost primary user and billing to Michael Paoli; 2017-09-16: Dreamhost primary user opened ticket with DreamHost, DreamHost made the files available to us, I transferred files from DreamHost and ran sanity checks on the files (appears to be good set of the expected data)) above requires DreamHost support ticket opened requesting such from primary account holder | o Y (emailed request of primary account holder 2017-08-20, reminder sent 2017-08-24 & 2017-08-30; I called and left voicemail message 2017-09-06; 2017-09-13: called and left voicemail again, sent email again, also sent cellular text message; 2017-09-14 called and left voicemail again and sent email again also gave additional option to have primary user transfer DreamHost primary user and billing to Michael Paoli; 2017-09-16: Dreamhost primary user opened ticket with DreamHost, DreamHost made the files available to us, I transferred files from DreamHost and ran sanity checks on the files (appears to be good set of the expected data)) above requires DreamHost support ticket opened requesting such from primary account holder | ||
| o Y DreamHost primary account holder to open support ticket with DreamHost.com to get raw archives in mbox format (done 2017-09-16). | o Y DreamHost primary account holder to open support ticket with DreamHost.com to get raw archives in mbox format (done 2017-09-16). | ||
| - | o N (future) http[s]://temp.balug.org/robots.txt - set up appropriately | + | o Y http[s]://temp.balug.org/robots.txt - set up appropriately |
| o Y http[s]://lists.balug.org/robots.txt - set up appropriately | o Y http[s]://lists.balug.org/robots.txt - set up appropriately | ||
| o Y http[s]://lists.balug.org/[mailman-prefix]/ should only use https (redirect http to https) | o Y http[s]://lists.balug.org/[mailman-prefix]/ should only use https (redirect http to https) | ||
| o Y http[s]://lists.balug.org/{,cgi-bin{,/{,mailman{,/}}}} should redirect to https://lists.balug.org/cgi-bin/mailman/listinfo | o Y http[s]://lists.balug.org/{,cgi-bin{,/{,mailman{,/}}}} should redirect to https://lists.balug.org/cgi-bin/mailman/listinfo | ||
| - | o N (future) all of http[s]://temp.balug.org/ should 301 redirect to corresponding https://lists.balug.org/ URLs | + | o Y all of http[s]://temp.balug.org/ should permanent (301) redirect to corresponding https://lists.balug.org/ URLs |
| o Y legacy http://lists.balug.org URLs should 301 redirect to new locations (where different) | o Y legacy http://lists.balug.org URLs should 301 redirect to new locations (where different) | ||
| - | o Y http[s]://{temp,www}.balug.org/lists/balug-announce-do-not-auto-add.html update to use temp.balug.org | + | o [superceded] http[s]://{temp,www}.balug.org/lists/balug-announce-do-not-auto-add.html update to use temp.balug.org |
| o Y http[s]://{temp,www}.balug.org/lists/balug-announce-do-not-auto-add.html update to exclude BALUG-Test list | o Y http[s]://{temp,www}.balug.org/lists/balug-announce-do-not-auto-add.html update to exclude BALUG-Test list | ||
| - | o N (future) http[s]://{lists,temp,www}.balug.org/lists/balug-announce-do-not-auto-add.html update to use lists.balug.org | + | o Y http[s]://{lists,temp,www}.balug.org/lists/balug-announce-do-not-auto-add.html update to use lists.balug.org |
| o N (future) http[s]://{lists,temp,www}.balug.org/lists/balug-announce-do-not-auto-add.html canonicalize to https://lists.balug.org/lists/balug-announce-do-not-auto-add.html | o N (future) http[s]://{lists,temp,www}.balug.org/lists/balug-announce-do-not-auto-add.html canonicalize to https://lists.balug.org/lists/balug-announce-do-not-auto-add.html | ||
| - | o ? (future) decommission temp.balug.org domain? | + | o ? (future ~2017-11-30) decommission temp.balug.org domain |
| + | o Y add IPv6 to {www.,lists.,}balug.org | ||
| + | o [pending] review/fix/verify Mailman mailman-loop and other Mailman lists bounce processing | ||
| + | o [pending] Mailman - review/use/configure VERP - for better bounce/backscatter processing/identification | ||
| + | o Y add DNSSEC for balug.org. | ||
| </file> | </file> | ||
balug/mail_and_lists.txt · Last modified: 2018-05-22T22:10:41+0000 by michael_paoli
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
