Difference between revisions of "Moving off Google Apps"

From Wiki | LUG@UCLA
Jump to: navigation, search
Line 15: Line 15:
 
* storage redundancy: Tahoe-LAFS
 
* storage redundancy: Tahoe-LAFS
 
* storage backup: duplicity to NFS share, duplicity to VTLUUG, etc.
 
* storage backup: duplicity to NFS share, duplicity to VTLUUG, etc.
 +
* user directory: LDAP
 +
* user authentication: Kerberos
  
 
=== Mail transfer ===
 
=== Mail transfer ===

Revision as of 01:12, 11 December 2013

LUG@UCLA plans to move all mail services (including lists) off Google apps. This is a long term project, but the ETA is before Summer 2014.

Design

KISS. Try to use the least amount of components, and don't overcomplicate the configuration. For example, don't use Maildrop if Dovecot already has an MDA/LDA. Don't use the high-performance sdbox format if Maildir is well supported and tested.

Overview

  • MTA: Exim
  • MDA/LDA: Dovecot LDA
  • MSS: Dovecot
  • MUA: Roundcube
  • lists: Mailman
  • storage format: Maildir
  • storage redundancy: Tahoe-LAFS
  • storage backup: duplicity to NFS share, duplicity to VTLUUG, etc.
  • user directory: LDAP
  • user authentication: Kerberos

Mail transfer

  • set up two MTA servers (at most one in the lounge), each with its own MDA and MSS.
  • configure BIND to broadcast two mx records (multihomed A record?)

Mail delivery

  • configure one MDA for each MTA server.
  • MDA shall deliver to a Maildir located under a mounted Tahoe-LAFS share.

Online storage

  • Make the MDA store the Maildir under the Tahoe-LAFS $BASEDIR directory on the mail server so it can be accessed from multiple different MSSs and MUAs.
  • Set up Tahoe-LAFS "dumb" storage servers at the mail site and the lounge. Configure additional storage servers wherever possible (e.g. members can volunteer their server). Tahoe-LAFS storage servers contain only encrypted data, so it doesn't matter who volunteers their space. Only the Tahoe-LAFS gateways (MSS and MUA servers) can decrypt the mails and securely hand them to authenticated/authorized users.

Offline storage

Occasionally copy the Maildir directory out of the Tahoe-LAFS share since we don't actually trust Tahoe-LAFS. We respect people's privacy, so don't just rsync it out to a 3rd party. Easiest solution would be to use Duplicity to automatically perform encrypted, incremental backups to the 3rd party.

Access

  • MSS will provide POP3 and IMAPS access
  • MSS uses LDAP for authentication/authorization (Dovecot + LDAP tutorial).
  • each MSS should utilize separate replicas of the LDAP directory, so configure periodic synchronization of LDAP servers.

ports:

  • POP3 over SSL: 995 tcp/udp
  • IMAP over SSL: 993 tcp/udp
  • HTTP over SSL: 443 tcp

Transitional details

  • How to migrate emails from Google Groups to Maildir readable by Mailman?
    • fetch all mails using fetchmail, dump into Maildir.
    • delete all my personal mails that got pulled in.
  • How to migrate users of @linux.ucla.edu emails to the internal system (e.g. login access to POP3/IMAP/Roundcube)?
    • look for a way to export a list of users from Google Apps.
    • make use of LDAP/Kerberos to authenticate.
  • How to migrate subscribers to the GNU Mailman mailing list?
    • export a CSV list of users from the Google Groups members page.
    • grep/sed the list for the following information: Full Name, subscribed email,

For users with LUG emails

For subscribers to the mailing lists

External links