going-flying.com gemini git repository
af22f6cbf9765d1eed7b3b64ecb2b9a4145645b3 - Matthew Ernisse - 1657035006
new post
diff --git a/users/mernisse/articles/29.gmi b/users/mernisse/articles/29.gmi new file mode 100644 index 0000000..b403839 --- /dev/null +++ b/users/mernisse/articles/29.gmi @@ -0,0 +1,157 @@ +--- +Title: Sysadmining: E-Mail +Date: 7/5/2022 11:00 + + +## Background +E-mail is one of the oldest user applications on the Internet, only +slightly younger than news and in this day and age most people leave +it up to either Microsoft or Google to provide them with an e-mail address. +There are real privacy concerns about giving up what has become a core +of your online identity to a company like Google but that's not in scope +for this article. One of the lesser known facts about e-mail is how +important it is when taking care of UNIX-y infrastructure at any scale. + +=> https://www.going-flying.com/blog/e-mail-security-use.html More on security and privacy as it relates to your public e-mail + +## Why should you care? +At some point if you end up in something like systems administration at +any scale you will find yourself taking care of computers that do things +without user intervention. More often than not this is done by using +a facility called cron(8). The default notification method of any errors +in running jobs is for cron to send e-mail to the job owner's username +at the system's hostname, though in most cases you can specify a variable +in the cron job configuration file (called a crontab(5)) to override the +destination address. There are other system features (such as sudo(8)) that +will send e-mail alerts out as well so it is critical to make sure you see +them. For this to happen at the very least you need a functioning MTA +on the system. + +## Some Terms to Start +E-mail flow can be complex. There are several parts to the system with +which you should understand. Mail flow typically starts and ends at a +MUA or Mail User Agent. This is what you use to compose and read e-mail. +Think Outlook, or Mail (macOS / iOS), or the GMail app. Once you have +composed a message it gets handed off to a MSA or Mail Submission Agent. +This is often built in to the MUA but doesn't have to be (in the case of +an MUA like mutt for example it is not). In the case of automated +administrative alerts the system will call an installed MSA binary to +send the message. The MSA's job is to get the e-mail into an MTA or +Mail Transport Agent. This is Exim, or Postfix or Sendmail (or others). +It's job is to take the message and get it to wherever it is addressed +to. Typically there is an MTA responsible for each domain name. +Finally a MDA or Mail Delivery Agent takes mail handed off from an MTA +and puts it into some form of storage so a user can get it. Often +this is a file on disk somewhere. Some MUAs like mutt can read those +directly while others use a protocol like IMAP or POP to interface with +the mailbox. In many cases the MDA (like Dovecot) will provide both +the ability to write messages to storage AND access them over IMAP/POP. + +## Aliases +So with the basic terms out of the way, we will start at the beginning +of our hypothetical cron alert. The system is going to generate the +destination e-mail address by taking the job owner's username and +stuffing the system's hostname on the end. The system that I'm writing +this on would send mail to mernisse@kitsune.internal.ub3rgeek.net +for example. Not all users wish to have e-mail sitting on every system +they interact with though so every system has a concept of e-mail aliases. +This is a mapping of usernames to e-mail addresses that the system can use +to look up where to deliver mail. This is usually stored in /etc/aliases +and is documented in the aliases(5) manpage. At the very least you should +map the root user on any system you control to an address you will check. +In my case root@ goes to a mailing list so all the people involved in +maintenance of the systems gets a copy of the notices. + +Upon reviewing the aliases manpage you may also notice that the +aliases file can be used to make a rudimentary e-mail list. This +can be extremely useful if for example you want to notify yourself +at multiple addresses (say your regular e-mail and one that alerts +your phone). + +## Simple MTA +There are several popular MTA packages out there. Postfix, Sendmail and +Exim are the most popular. These days I maintain a hub and spoke model +for Internet e-mail. My hosts (all Debian Linux) run the default install +of Exim configured to smarthost e-mail to my main Internet facing mail server +which is running Postfix. The Exim setup is straightforward enough, when +the package installs it asks you what mode you want to run it in and +you select 'mail sent by smarthost'. This essentially says that the local +system delegates all mail handling for some other host. If you have already +configured exim on your Debian system you can simply run +`dpkg-reconfigure exim4-config` to get back to the initial install questions. + +## Smarthost or hub +Now that you have systems pointed to a central mail server you have some +decisions to make. Exim is a perfectly capable Internet MTA so you could +configure it to relay mail or you could use Postfix like I do. There are +pros and cons to both, I ended up using Postfix mostly out of inertia. +At the time it was more flexible and I wanted a robust anti-SPAM system +in place because I use it for not just administrative notifications but +to run several mailing lists and provide Internet e-mail for several +domains that I own. The specifics of configuration are left up to the +reader in this case as each use-case is going to be different. + +=> http://www.postfix.org/docs.html Postfix Documentation +=> https://www.exim.org/docs.html Exim Documentation +=> https://wiki.debian.org/Exim Exim Debian Documentation + +At the very least I'd suggest getting mail setup well enough that you +can deliver alerts to somewhere that you will check. That may mean +keeping them in a mailbox on your smarthost and then using a MDA +like Dovecot to provide an IMAP interface to the mailbox and then picking +it up with your MUA. You could even get fancy at this point and use one +of the fine programming languages like Python that provide IMAP and POP +capability to poll your mailbox and convert the messages into alerts using +a service like Twilio or Pagerduty or bridge them into IRC, Discord, +or Slack. + +## My Use Case +Because I provide my own mail as well as wanting all the administrative mail +working I have a slightly more complex system than many will need but it +may serve as a useful illustration of what you can build starting with +these simple building blocks. + +``` + - ++------+ +------+ +------+ \ +| host | | host | | host | | +| exim | | exim | | exim | | ++------+ +------+ +------+ | + | | | \ + v v v / x3 + +---------------+ | + | site-hub | | + | exim | | + +---------------+ / + | - + v + +---------------------+ +---------------+ + | Internet hub |->| Mailing Lists | + | Postfix + rspamd |->| mailman | + +---------------------+ +---------------+ + ^ | + | v + _v _ +-----------+ + ( ` )_ | Mailboxes | + ( INTERNET `) | dovecot | +(_ (_ . _) _) +-----------+ + +``` + +The only hard part is managing delivery to the big e-mail providers these +days. You will need to learn technologies like DMARC, DKIM and SPF to +make that work. You will also need to understand DNS as that is how +e-mail federates in the wider Internet world. If you start doing mailing +lists you will need to learn ARC as well. Thankfully there are tools like +rspamd and mailman that can help you on your way and will integrate with +the pieces we've talked about. + +## Conclusion +Understanding e-mail flow and making sure your systems can use it is an +important component of the infrastructure in any UNIX-like world. Many +people have pushed e-mail into a dark corner of their lives, but if you +are going to take responsibility for caring for the machines you will +need to rediscover one of the oldest user-facing applications on the +Internet. In the long term you can gain enough knowledge and experience +to take back control of your e-mail from the centralized service that +likely owns it today.