Difference between revisions of "Mail server"

From OSGeo
Jump to navigation Jump to search
(→‎SSL certificates: add the friday night fun)
 
(46 intermediate revisions by 4 users not shown)
Line 1: Line 1:
'''Osgeo6''' is a Debian 8 machine administered by [[SAC]], hosted on [[SAC_Service_Status#Servers_at_OSL|OSU OSL servers]] since August 2015 (see also [[Infrastructure Transition Plan 2014#Hardware|Hardware plan 2014]]).  
+
The production mail server is a Debian 10 LXD container administered by [[SAC]], hosted on [[osgeo9]].
  
It hosts several '''critical resources''', projects web sites mail-transport and -lists, it is the successor of the [[ProjectsVM]] and the [[MailVM]] (this machine runs NO VMs instead).
+
See [[SAC#Communication]] in case of troubles or quick questions
  
The host is reachable by ssh at '''osgeo6.osgeo.osuosl.org'''.
+
= Services hosted on the mail container =
  
= Shell access =
+
== Postfix SMTP server ==
  
Anyone in the https://www.osgeo.org/cgi-bin/auth/ldap_shell.py has ssh access, and anyone in this group can add new people via the link. Sudo access can be provided by existing sudoer's by adding folks to the sudoers group in /etc/group, though it is normal practice to try and only extend sudo access to one user per project.
+
Handles [[SAC:Message Submission Agent|outgoing]] and [[SAC:Message Transport Agent|incoming]] email
  
It is a shared environment and it is important that folks making changes on the system be aware of the impact they might have on other hosted services. Apache changes should be made carefully and needfully. Think about '''security'''!
+
== Mailman ==
  
See [[SAC#Communication]] in case of troubles or quick questions
+
* [[SAC:Mailing Lists]] - mailman configuration for lists.osgeo.org.
 
 
= Services hosted on osgeo6 =
 
  
 
== Websites ==
 
== Websites ==
Line 26: Line 24:
 
! [[SAC:Backups|backup]]
 
! [[SAC:Backups|backup]]
 
! comments
 
! comments
|-
 
| grass.osgeo.org
 
| /var/www/grass/grass-cms
 
| admined by [[User:Neteler]], martinL
 
| BackupOg6 bacula job
 
| based on CMSMS; GRASS GIS infrastructure explained [https://trac.osgeo.org/grass/browser/grass/trunk/doc/infrastructure.txt here], also enabled [https://www.ssllabs.com/ssltest/analyze.html?d=grass.osgeo.org&latest LetsEncrypt]
 
|-
 
| grasswiki.osgeo.org
 
| /var/www/grass/grass-wiki
 
| admined by [[User:Neteler]], martinL
 
| BackupOg6 bacula job
 
| own MediaWiki
 
|-
 
| www.geotools.org
 
| /var/www/geotools/web
 
| SAC !?
 
| BackupOg6 bacula job
 
| /home/geotools/ available, but corresponding OSGeo LDAP user account missing
 
|-
 
| docs.geotools.org
 
| /var/www/geotools/docs
 
| SAC !?
 
| BackupOg6 bacula job
 
| /home/geotools/ available, but corresponding OSGeo LDAP user account missing
 
|-
 
| old.geotools.org
 
| /var/www/geotools/wiki
 
| SAC !?
 
| BackupOg6 bacula job
 
| /home/geotools/ available, but corresponding OSGeo LDAP user account missing
 
|-
 
| www.featureserver.org
 
| /var/www/featureserver/website
 
| admined by [[User:Warmerda]]
 
| BackupOg6 bacula job
 
| Not yet active, pending Python/GEOS issues
 
|-
 
| geos.osgeo.org
 
| /var/www/geos/geos-web
 
| admined by [[User:Warmerda]]
 
| BackupOg6 bacula job
 
| Just a redirect to Trac
 
 
|-
 
|-
 
| www.tilecache.org
 
| www.tilecache.org
Line 75: Line 31:
 
|  
 
|  
 
|-
 
|-
| www.gdal.org
+
| lists.osgeo.org
| /var/www/gdal/gdal-web/
+
|
| admined by [[User:Warmerda]]
 
| BackupOg6 bacula job
 
| CRON-job migrated as well, also enabled [https://www.ssllabs.com/ssltest/analyze.html?d=gdal.org&latest LetsEncrypt]
 
|-
 
|-
 
| www.mapserver.org
 
| /var/www/mapserver.org/
 
| admined by [[Jeff McKenna]]
 
| BackupOg6 bacula job
 
| also enabled [https://www.ssllabs.com/ssltest/analyze.html?d=mapserver.org&latest LetsEncypt]
 
|-
 
| drone.osgeo.org
 
| /var/www/drone.osgeo.org
 
| admined by [[User:Strk]]
 
| Continuous Integration for [[SAC:Gitea|Gitea]]
 
| reverse-proxy to [[#Drone service|Drone server]] server
 
|-
 
| https://lists.osgeo.org
 
 
| admin
 
| admin
 +
|
 
| Web interface for managing Mailman
 
| Web interface for managing Mailman
|
 
| also enabled [https://www.ssllabs.com/ssltest/analyze.html?d=lists.osgeo.org&latest LetsEncypt]
 
 
 
|-
 
|-
 
|}
 
|}
Line 105: Line 41:
 
== MySQL server ==
 
== MySQL server ==
  
* used for GRASS GIS Wiki (maintained by Martin Landa and Markus Neteler)
+
'''TODO''': review/cleanup
* used for GRASS CMS ? (to be confirmed)
+
 
 
* backed up via [[SAC:Backups|bacula]] in BackupOg6 job (see /osgeo/backup)
 
* backed up via [[SAC:Backups|bacula]] in BackupOg6 job (see /osgeo/backup)
 
* admin user credentials found in ~root/.my.cnf
 
* admin user credentials found in ~root/.my.cnf
 
== Postfix SMTP server ==
 
 
* Central OSGeo MX running Postfix (includes @osgeo.org aliases in /etc/aliases)
 
# '''''edit''''' /etc/aliases
 
# git diff # and git commit (please set GIT_AUTHOR_NAME/GIT_AUTHOR_EMAIL envs)
 
# newaliases
 
# postfix reload
 
 
== Mailman ==
 
 
* [[SAC:Mailing Lists]] - mailman configuration for lists.osgeo.org.
 
* monthly cronjob "OSGeo mailman server unique subscribers", run as root user with scripts in /home/neteler/osgeo_mailman_stats/*.sh
 
 
== PostgreSQL server ==
 
 
As of April 2017 PostgreSQL 9.6 is installed from pgdg packages and a new cluster was added
 
to host the database for the Drone service (in progress)
 
 
== Drone service ==
 
 
See [[SAC::Drone]]
 
  
 
= SSL certificates =
 
= SSL certificates =
  
* LetsEncrypt was configured by [[Jeff McKenna]] on 2018-07-27 for mapserver.org, gdal.org, grass.osgeo.org, and lists.osgeo.org using certbot-auto
+
* LetsEncrypt is configured using certbot-auto
** careful: check the conf files in /etc/apache2/sites-enabled/ to make sure that the VirtualHost settings do not include something like:
+
** careful: check the conf files in /etc/apache2/sites-enabled/ to make sure that the VirtualHost settings do not include something like ''<VirtualHost _default_:443>'' and instead should point to the IP such as ''<VirtualHost 140.211.15.14:443>'' or else the certificate loaded will always default to mapserver.org
    <blockquote><VirtualHost _default_:443></blockquote>
 
  and instead should point to the IP such as:
 
    <blockquote><VirtualHost 140.211.15.3:443></blockquote>
 
  or else the certificate loaded will always default to mapserver.org
 
 
** certbot-auto lives in /usr/local/sbin.
 
** certbot-auto lives in /usr/local/sbin.
 
** to add more sites, run the command:<blockquote>certbot-auto --apache -d mapserver.org -d www.mapserver.org</blockquote>
 
** to add more sites, run the command:<blockquote>certbot-auto --apache -d mapserver.org -d www.mapserver.org</blockquote>
** a cronjob (certbot-auto renew) was not yet created, to renew automatically
+
** a cronjob (certbot-auto renew) was created to check for renewal twice a day
 +
** also enabled for geos.osgeo.org on by [[Jeff McKenna]] on 2018-10-01
  
 
= Backup strategy =
 
= Backup strategy =
  
As of Feb 2017 backup is performed by bacula, with the BackupOg6 job,
+
See [[SAC:Backups]] for general info about backup strategies for containers.
which includes the whole /var/www, /etc, /osgeo, /var/lib/mysql and more
 
files (see [[SAC:Backups]] for info about figuring out more).
 
  
 
A dump of each mysql database is also stored as a separate file under /osgeo
 
A dump of each mysql database is also stored as a separate file under /osgeo
 
(created during the backup phase).
 
(created during the backup phase).
 
= Hardware =
 
 
Details:
 
    CPU:  2 x Intel Xeon E5-2620v3, 2.4 GHz (6-Core, HT, 15MB Cache, 85W) 22nm
 
    RAM:  128GB (8 x 16GB DDR4-2133 ECC Registered 2R 1.2V DIMMs) Operating at 2133 MT/s Max
 
    NIC:  Dual Intel i210 Gigabit Ethernet Controllers - Integrated
 
    Management:  Integrated IPMI 2.0 & KVM over LAN
 
    Controller:  10 Ports 6Gb/s SATA (Intel C612 Chipset)
 
    PCIe 3.0 x8:  No Item Selected
 
    NOTE:  Hot-swap and fixed drives will be connected to SATA3 controller (C612) unless otherwise specified
 
    Hot-Swap Drive - 1:  80GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
 
    Hot-Swap Drive - 2:  80GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
 
    Hot-Swap Drive - 3:  480GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
 
    Hot-Swap Drive - 4:  480GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
 
    Hot-Swap Drive - 5:  480GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
 
    Hot-Swap Drive - 6:  480GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
 
    Optical Drive:  No Item Selected
 
 
3 year warranty starting on May 4,2015 ending on May 4,2018
 
 
[[Category:Infrastructure]]
 

Latest revision as of 09:39, 2 October 2025

The production mail server is a Debian 10 LXD container administered by SAC, hosted on osgeo9.

See SAC#Communication in case of troubles or quick questions

Services hosted on the mail container

Postfix SMTP server

Handles outgoing and incoming email

Mailman

Websites

All websites are served by Apache

site path contact backup comments
www.tilecache.org /var/www/tilecache/docs SAC !? BackupOg6 bacula job
lists.osgeo.org admin Web interface for managing Mailman

MySQL server

TODO: review/cleanup

  • backed up via bacula in BackupOg6 job (see /osgeo/backup)
  • admin user credentials found in ~root/.my.cnf

SSL certificates

  • LetsEncrypt is configured using certbot-auto
    • careful: check the conf files in /etc/apache2/sites-enabled/ to make sure that the VirtualHost settings do not include something like <VirtualHost _default_:443> and instead should point to the IP such as <VirtualHost 140.211.15.14:443> or else the certificate loaded will always default to mapserver.org
    • certbot-auto lives in /usr/local/sbin.
    • to add more sites, run the command:

      certbot-auto --apache -d mapserver.org -d www.mapserver.org

    • a cronjob (certbot-auto renew) was created to check for renewal twice a day
    • also enabled for geos.osgeo.org on by Jeff McKenna on 2018-10-01

Backup strategy

See SAC:Backups for general info about backup strategies for containers.

A dump of each mysql database is also stored as a separate file under /osgeo (created during the backup phase).

Retrieved from "http://wiki.osgeo.org/w/index.php?title=Mail_server&oldid=134558"