This looks good but what about installing the "firewall" scripts with cmdeploy-run? Something like /usr/local/bin/chatmail-* commands? Would be nicer and we can also adapt it if needed.
> type filter hook output priority filter;
> }
> }
how about we add a cmdeploy run --disable-mx switch that makes sure the server is set up but not reachable/accepting SMTP/IMAP? (not sure if simply not running postfix/dovecot might be enough?)
I agree with @hpk42's idea of stopping the services instead of adjusting the firewall. Not everyone knows how to adjust nftables. Admins will find an existing configuration at /etc/nftables.conf, modified by the ISP, their past self, or a team member. Adjusting nftables will much more easily lead to misconfiguration than simply stopping postfix + dovecot directly after initial setup in a cmdeploy run --disable-mx command.
If we leave out step 1 in favor of cmdeploy run --disable-mx, we could also swap (current) steps 2 & 3 to keep the "registration doesn't work" timespan shorter.
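As an added example (not chatmail's code and not how cmdeploy implements anything), this sketches what a `--disable-mx` step as discussed above could do: stop the mail services and then verify that no SMTP/IMAP listener is left, so only ssh remains reachable. The service names, the port list and the use of `systemctl`/`ss` are assumptions.

```shell
#!/bin/sh
# Added example, not chatmail's own code. Service names, ports and the
# systemctl/ss usage are assumptions about a typical Debian-style host.

MAIL_SERVICES="postfix dovecot"
# SMTP, submission, SMTPS, IMAP, IMAPS
MAIL_PORTS="25 587 465 143 993"

# Print the mail ports that still have a TCP listener, space separated.
# $1: output of `ss -Hltn`, passed in as text so the check can run offline.
# Column 4 of that output is the local address, e.g. "0.0.0.0:25" or "[::]:993".
listening_mail_ports() {
    _out=""
    for p in $MAIL_PORTS; do
        if printf '%s\n' "$1" | awk -v port="$p" \
            '$4 ~ (":" port "$") { found = 1 } END { exit !found }'; then
            _out="$_out $p"
        fi
    done
    printf '%s' "${_out# }"
}

# Stop and disable the mail services so a reboot does not bring them back,
# then confirm nothing is still bound to the mail ports.
disable_mx() {
    for s in $MAIL_SERVICES; do
        systemctl disable --now "$s"
    done
    left=$(listening_mail_ports "$(ss -Hltn)")
    if [ -n "$left" ]; then
        echo "still listening on mail ports: $left" >&2
        return 1
    fi
    echo "no SMTP/IMAP listeners left; ssh (22) is expected to stay open"
}
```

`disable_mx` is only defined here; call it as root on the server where the mail services should go quiet.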
> If we leave out step 1 in favor of cmdeploy run --disable-mx, we could also swap (current) steps 2 & 3 to keep the "registration doesn't work" timespan shorter.

no we can't, as step 2 is required for step 3's acmetool setup to work.
Hm, if we simply copy /var/lib/acme in the beginning it should work.
> but new users will fail to create new profiles
> with your chatmail server.
>
> 3. Setup the new server with `cmdeploy`.
```diff
-3. Setup the new server with `cmdeploy`.
+3. On new server: setup with "cmdeploy run"
```
> }
>
> Execute `nft -f /etc/nftables.conf` as root to apply the changes.
i'd add a step 7. Switch off old server, and maybe advise for "cmdeploy test" to run successfully first, and wait to hear from users if there are any issues.
hpk42 left a comment
this all looks good -- would be fine to merge preferably after addressing/accepting some of my suggested changes.
9205b34 to d96c922
missytake left a comment
I left some comments to argue why I'd recommend stopping/starting services over firewall adjustments... but not a merge blocker.
> but normally email servers will retry delivering messages
> for at least a week, so messages will not be lost.
>
> 4. Firewall all ports except `ssh` (22) on the old server.
Same here, I think just stopping dovecot + postfix is easier for admins than adjusting nftables and achieves the same result. And the know-how is more widespread among self-taught admins than adjusting firewalls.
> 6. Unblock ports used by Delta Chat and SMTP message exchange.
> For that you can modify `/etc/nftables.conf` as follows:
Again here, simply starting the services is much easier. Recommending firewall settings assumes a lot about the environment the chatmail server is running in; it might run on the same OS as other services which require custom configuration, it might be co-managed by other people, ...
While working on a

superseded by #429 :)