
Saving time and hassle setting up new email accounts

Dominic Lüchinger

September 27, 2017

Transcript

  1. HELLO! I AM DOMINIC LÜCHINGER

    Working for cyon in Basel, CH. Head of Software Engineering. @drdol
  2. 1

  3. RECOMMEND A HOSTNAME

    |                     | banana.shop | s087.hoster.host |
    |---------------------|-------------|------------------|
    | SSL                 | ✔⚡          | ✔                |
    | Transfer resistant  | ✔⚡          | ✖                |
    | Easy to communicate | ✔           | ✖                |
    | Multiprovider       | ✖           | ✔                |
  4. PROBLEMS REPORTED TO CUSTOMER SUPPORT

    CERT WARNING: Email client shows an SSL certificate warning. ¯\_(ツ)_/¯

    WRONG PASSWORD: "My password is not working anymore. I changed nothing™"

    MISCELLANEOUS:
    • Over quota
    • POP3 missing mails
    • Misconfigured DNS
    • Antivirus/Firewall
    • Provider change
    • Not your customer
    • ...
  5. LET'S IMPLEMENT THIS

    • Support agent started implementation (Q1 2013)
    • Ready to ship Autodiscover, Autoconfig and mobileconfig (Q2 2013)
    • Roll out never happened due to a major issue
  6. RECOMMEND A HOSTNAME

    |                     | banana.shop | s087.hoster.host |
    |---------------------|-------------|------------------|
    | SSL                 | ✔⚡          | ✔                |
    | Transfer resistant  | ✔⚡          | ✖                |
    | Easy to communicate | ✔           | ✖                |
    | Multiprovider       | ✖           | ✔                |
  7. RECOMMEND A HOSTNAME [RELOADED]

    |                     | banana.shop | s087.hoster.host | mail.hoster.host |
    |---------------------|-------------|------------------|------------------|
    | SSL                 | ✔⚡          | ✔                | ✔                |
    | Transfer resistant  | ✔⚡          | ✖                | ✔                |
    | Easy to communicate | ✔           | ✖                | ✔                |
    | Multiprovider       | ✖           | ✔                | ✔                |
  8. PROTOTYPE

        Client (POP3 / IMAP / SMTP)
            |
            v
        <mail.hoster.host>  Mailproxy + SSL/TLS termination
            |       \
            |        Authentication + Domain to server registry
            v
        Server 001
  9. NGINX AS MAILPROXY

    ```nginx
    mail {
        server_name mail.example.com;
        # nginx queries this HTTP backend for every login and gets the
        # target server and port back in the response (see slide 12)
        auth_http   localhost:9000/cgi-bin/nginxauth.cgi;

        imap_capabilities IMAP4rev1 UIDPLUS IDLE LITERAL+ QUOTA;
        pop3_auth         plain apop cram-md5;
        pop3_capabilities LAST TOP USER PIPELINING UIDL;
        smtp_auth         login plain cram-md5;
        smtp_capabilities "SIZE 10485760" ENHANCEDSTATUSCODES 8BITMIME DSN;
        xclient on;    # pass the real client address on to the SMTP backend

        server { listen 25;  protocol smtp; }
        server { listen 143; protocol imap; }
        server { listen 587; protocol smtp; }
        server {
            listen 993;
            protocol imap;
            ssl on;              # implicit TLS on 993 ("ssl on" is the pre-1.15 form of "listen 993 ssl")
            starttls off;
            ssl_certificate ...; # certificate path elided on the slide
        }
    }
    ```
  10. PROTOTYPE

        Client (POP3 / IMAP / SMTP)
            |
            v
        <mail.hoster.host>  Mailproxy + SSL/TLS termination
            |       \
            |        Authentication + Domain to server registry
            v
        Server 001
  11. AUTHENTICATION + DOMAIN TO SERVER REGISTRY

    Authentication
    • Checks User/Pass
    • Login check :2096
    • Abuse detection

    Domain registry
    • Translation/routing domain to cP server
    • Internal registry
    • DNS fallback
    • Returns internal IP
    • Caching is key
  12. NGINX AUTH HTTP

    Request:

    ```http
    GET /auth HTTP/1.0
    Host: localhost
    Auth-Method: plain              # plain/apop/cram-md5/external
    Auth-User: user
    Auth-Pass: password
    Auth-Protocol: imap             # imap/pop3/smtp
    Auth-Login-Attempt: 1
    Client-IP: 50.205.201.20
    Client-Host: client.example.org
    ```

    Good response:

    ```http
    HTTP/1.0 200 OK
    Auth-Status: OK
    Auth-Server: 10.20.30.87
    Auth-Port: 143
    ```
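    As an added example (not cyon's code and not part of the deck), here is a minimal auth_http backend in Python that answers the request shown on this slide and also covers the abuse detection and domain registry of slide 11, the block list of slide 16 and the umlaut-password pitfall of slide 17. The user store, registry entries, thresholds, IPs and credentials are constructed sample data; a real deployment would read them from the hosting platform's account database and registry. Only `Auth-Method: plain` is handled, and the backend listens on port 9000 to match the `auth_http` line on slide 9.

    ```python
    """Minimal nginx auth_http backend (added example, not the deck's code).

    nginx sends Auth-User / Auth-Pass / Auth-Protocol / Auth-Login-Attempt /
    Client-IP as HTTP headers and expects Auth-Status plus Auth-Server and
    Auth-Port back; Auth-Wait delays the error reply to the mail client.
    """
    import hashlib
    import hmac
    import socket
    import time
    from http.server import BaseHTTPRequestHandler, HTTPServer

    _SALT = b"constructed-static-salt"  # constructed; use a per-user salt in practice


    def _pbkdf2(password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


    # Constructed sample data: hashed credentials and a domain -> internal cP server map.
    USERS = {"alice@banana.shop": _pbkdf2("correct horse"), "uli@banana.shop": _pbkdf2("Pässwort")}
    DOMAIN_REGISTRY = {"banana.shop": "10.20.30.87"}
    PORTS = {"imap": 143, "pop3": 110, "smtp": 25}  # plain backend ports on the internal net (slide 16)
    MAX_ATTEMPTS, WINDOW, CACHE_TTL = 5, 300, 60     # assumed thresholds
    _failures = {}   # client_ip -> [failure timestamps]   (brute-force detection)
    _cache = {}      # domain -> (ip, expiry)              ("Caching is key", slide 11)


    def normalize_password(value):
        """http.server decodes header bytes as latin-1, so a client that sent UTF-8
        arrives as mojibake while an old Thunderbird sending latin-1 arrives as-is.
        Recover the intended characters so both hash the same way."""
        try:
            raw = value.encode("latin-1")
        except UnicodeEncodeError:
            return value                 # already a decoded non-latin-1 string
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            return value                 # genuine latin-1 password, e.g. "Pässwort"


    def lookup_server(domain, now=None, resolver=socket.gethostbyname):
        """Domain -> internal server IP: cache, then registry, then DNS fallback."""
        now = time.time() if now is None else now
        hit = _cache.get(domain)
        if hit and hit[1] > now:
            return hit[0]
        ip = DOMAIN_REGISTRY.get(domain)
        if ip is None:
            try:
                ip = resolver(domain)
            except OSError:
                return None
        _cache[domain] = (ip, now + CACHE_TTL)
        return ip


    def is_blocked(client_ip, now):
        recent = [t for t in _failures.get(client_ip, []) if now - t < WINDOW]
        _failures[client_ip] = recent
        return len(recent) >= MAX_ATTEMPTS


    def authenticate(headers, now=None):
        """Return the response headers nginx expects, as a dict."""
        now = time.time() if now is None else now
        user, protocol = headers.get("Auth-User", ""), headers.get("Auth-Protocol", "")
        client_ip = headers.get("Client-IP", "")
        if protocol not in PORTS:
            return {"Auth-Status": "Unsupported protocol"}
        if is_blocked(client_ip, now):   # block list: refuse without touching the user store
            return {"Auth-Status": "Temporary server problem, try again later", "Auth-Wait": "5"}
        stored = USERS.get(user)
        candidate = _pbkdf2(normalize_password(headers.get("Auth-Pass", "")))
        if stored is None or not hmac.compare_digest(stored, candidate):
            _failures.setdefault(client_ip, []).append(now)
            return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
        server = lookup_server(user.rpartition("@")[2], now)
        if server is None:
            return {"Auth-Status": "Temporary server problem, try again later", "Auth-Wait": "5"}
        return {"Auth-Status": "OK", "Auth-Server": server, "Auth-Port": str(PORTS[protocol])}


    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)   # nginx reads Auth-Status, not the HTTP status
            for name, value in authenticate(dict(self.headers.items())).items():
                self.send_header(name, value)
            self.end_headers()

        def log_message(self, *args):
            pass                      # keep Auth-Pass out of the access log


    if __name__ == "__main__":
        HTTPServer(("127.0.0.1", 9000), Handler).serve_forever()
    ```

    Point `auth_http` at `localhost:9000/auth` to try it. Password hashing is only there so the sample store holds no plaintext; the part that matters for the proxy is the header contract, the per-client failure window and the cached registry lookup with DNS fallback.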
  13. PRODUCTION READY / HA SETUP

        Client (POP3 / IMAP / SMTP)
            |
            v
        Virtual IP / DNS round robin
            |                          |
            v                          v
        <mail.hoster.host>         <mail.hoster.host>
        Mailproxy + SSL/TLS        Mailproxy + SSL/TLS
        termination                termination
            |                          |
            v                          v
                       Server 001
  14. MISSION ACCOMPLISHED

    |                     | banana.shop | s087.hoster.host | mail.hoster.host |
    |---------------------|-------------|------------------|------------------|
    | SSL                 | ✔⚡          | ✔                | ✔                |
    | Transfer resistant  | ✔⚡          | ✖                | ✔                |
    | Easy to communicate | ✔           | ✖                | ✔                |
    | Multiprovider       | ✖           | ✔                | ✔                |
  15. MISSION ACCOMPLISHED [FUTURE]

    |                     | banana.shop | s087.hoster.host | mail.hoster.host |
    |---------------------|-------------|------------------|------------------|
    | SSL                 | ✔           | ✔                | ✔                |
    | Transfer resistant  | ✔           | ✖                | ✔                |
    | Easy to communicate | ✔           | ✖                | ✔                |
    | Multiprovider       | ✖           | ✔                | ✔                |
    | Provider change     | ✔           | ✖                | ✖                |
  16. SECURITY

    SSL/TLS ONLY: Unencrypted connections are dropped.

    ANTI-ABUSE:
    • Intelligent brute-force detection
    • Block list

    NGINX TRAFFIC: The traffic from the nginx server to the cPanel server is unencrypted; it goes over the internal network only.
  17. PITFALLS

    HEAVY TRAFFIC: Burned by old network equipment.
    LIABILITY: Don't screw with mail.
    NGINX REALIP: cP mail logs are useless without the real client IP.
    CP SERVER DOWN: Licence problem = no login.
    PROXY SUBDOMAINS: Hard to replace. DNS mass edit.
    UMLAUT PASSWORDS: Thunderbird and no UTF-8 support.
  18. BY THE NUMBERS

    • 35'000'000 logins per day
    • 2 servers in the cluster, mostly idle
    • 30'000 connected mail clients at peak time
  19. UPCOMING IMPROVEMENTS

    • Extend stats: InfluxDB or Prometheus exporter
    • Distributed anti-abuse: Deploy PowerDNS weakforced
    • cPanel data hub: Replace the domain to server lookup registry. Avoid a single point of failure.
    • Expand cluster: Add more servers to the cluster
    • Containerization: Package the software as a container
    • Open source: Share software components with the rest of the world
  20. THANKS! ANY QUESTIONS?

    You can find me at @drdol / [email protected]

    Please provide feedback: go.cpanel.net/wednesday