Opened 4 years ago

Closed 3 years ago

#2511 closed task (fixed)

Mail accounts (no alias) for FOSS4G domain

Reported by: Delawen
Owned by: sac@…
Priority: critical
Milestone: Unplanned
Component: SysAdmin
Keywords:
Cc:

Description

Hi!

Coming from https://lists.osgeo.org/pipermail/sac/2020-September/012618.html

The current FOSS4G LOC wants to have FOSS4G.org emails for official communications as the ones from buying tickets and sending proposals to the Call for Papers. This means being able to send up to 2000 emails on one day (high limit just in case).

Can OSGeo SAC configure the FOSS4G domain on a mail server with SMTP (no alias) so we can send emails?

We will need:

  • SMTP configuration
  • Email account: tickets@…
  • Email account: cfp@…

Also, it would be good to have an estimated time for this, to plan the ticket sales start and, if needed, setting up ourselves a temporary mail server to work in the meantime.

Thank you very much for your work!

Change History (61)

comment:1 by Delawen, 4 years ago

Priority: normal → critical

comment:2 by cvvergara, 4 years ago

These are my thoughts: I find the idea interesting, not only for the 2020 FOSS4G but for future FOSS4Gs. I've never been part of a LOC, but maybe something like this: tickets@… callforpapers@… atendees@… workshops@…, and for next year's LOC: tickets@… callforpapers@… atendees@… workshops@…

Then having the "know how" a step would be simpler for the years to come of FOSS4G

comment:3 by Delawen, 4 years ago

That would be awesome.

And if we split into more emails, probably a "sponsors@" would make also sense.

Even... not using the subdomain, just pass the access from one LOC to the next (so there are no emails lost from people writing to an old foss4g email).

comment:4 by Delawen, 4 years ago

Aaand I forgot to add a mail to use for the marketing. Updating the description.

comment:5 by Delawen, 4 years ago

Can't update the description :)

  • tickets at 2021.foss4g.org
  • callforpapers at 2021.foss4g.org
  • sponsors at 2021.foss4g.org
  • info at 2021.foss4g.org
  • news at 2021.foss4g.org

comment:6 by codrina, 4 years ago

Hi, Maria! For FOSS4G2019, we had the following email addresses:

foss4g2019@… - the general email address;
students.foss4g2019@… - for the interaction with students;
foss4g2019.volunteers@… - for the interaction with volunteers;
travelgrant.foss4g2019@… - TGP interactions;
visa.foss4g2019@… - all questions related to VISA issues;
bucharest.tours.foss4g2019@… - for the free tours of Bucharest we organised;
register.foss4g2019@… - for all questions regarding registration, tickets, invoices, discounts etc.

We had no sponsors@ email address. The communication was handled by people from the Sponsorship committee, using their own email addresses and I think that is better. For CfP, we used pretalx for communication, through the foss4g2019@… address.

A good idea is to have one person from the LOC responsible for one specific email address. It doesn't have to be the one that answers, but the one that redirects the email to someone who can, the one that makes sure no email goes unanswered.

Hope this helps!

Codrina

comment:7 by Delawen, 4 years ago

The idea of the sponsors email is more to have a centralized point of contact they can use.

Updating the list then :)

  • register@...
  • callforpapers@...
  • sponsors@...
  • info@...
  • news@...
  • students@...
  • volunteers@...
  • travelgrant@...
  • visa@...

comment:8 by cvvergara, 4 years ago

What I think can be done:

Basically this structure: e-mail at foss4g.org

For example:

  • register.2021 at foss4g.org
  • callforpapers.2021 at foss4g.org
  • sponsors.2021 at foss4g.org
  • info.2021 at foss4g.org
  • etc

other example:

  • register.foss4g2021 at foss4g.org
  • callforpapers.foss4g2021 at foss4g.org
  • sponsors.foss4g2021 at foss4g.org
  • info.foss4g2021 at foss4g.org
  • etc

Note: these would not be mailing lists like the ones on https://lists.osgeo.org/mailman/listinfo

comment:9 by Delawen, 4 years ago

The more we talk about these, the more I think that adding the year doesn't make sense.

Once we "close" each FOSS4G, the LOC is not going to reuse those emails. And the new LOC need the same (or similar) set of emails. So, why have a new one and confuse people's contact list with a new email every year?

comment:10 by cvvergara, 4 years ago

That would simplify administration a lot, I like the idea

comment:11 by codrina, 4 years ago

I don't think that transferring FOSS4G email addresses from one LOC to the next is a good idea. It could be considered a breach of confidentiality and I doubt that it would be in line with European privacy regulations.

comment:12 by Delawen, 4 years ago

I guess it depends if you see the sharing of data between OSGeo and OSGeo or LOCs as independent organizations.

Private details and inboxes should be cleaned up anyway, right?

comment:13 by Delawen, 4 years ago

In any case, not something current LOC has a problem to do. We can have separated accounts.

in reply to:  12 comment:14 by codrina, 4 years ago

Replying to Delawen:

> I guess it depends if you see the sharing of data between OSGeo and OSGeo or LOCs as independent organizations.
>
> Private details and inboxes should be cleaned up anyway, right?

It's not only about OSGeo and LOCs, it's about private conversations with individuals and even companies, maybe even sponsorship negotiations - who knows?

comment:15 by Delawen, 4 years ago

But still, according to privacy laws, you have to remove all data once you finish needing it. So the inbox will be empty for the new LOC.

comment:16 by robe, 4 years ago

Some questions

1) Do you need to keep the emails you sent? -- if you do I think you need a POP account, which is what GMAIL provides alongside the SMTP.

2) If you are already using GMAIL, have you considered just queuing your mail? (That is what I have done before to stay under GMAIL limits - like send 50 every minute.)

3) I presume since you are using Gmail you already have a script to send these emails? Or are you using the Gmail mailbox and putting lots in the TO/CC?

4) If someone replies to email then makes sense all designated will get it. - this Vicky has already started doing -- setting up Group accounts on our Pairs DNS so that way the mail when replied to will be sent to people on mailer.

I'm assuming 1) No 2) you have not tried doing that 3) Yes 4) Yes

So my proposal is the following

Plan A (assumes you don't need to keep track of the actual email sent)

1) Use mail.osgeo.org for smtp and will put in an SPF record on foss4g so that mail.osgeo.org can send on behalf of foss4g domain

2) Set up mail groups in foss4g pairs -- that Vicky has started doing but she doesn't want to do any more if that is not going to be used.

3) Have some script to send via SMTP that has from: and reply-to go back to the group email; a simple PHP script would work for this.

Plan B:

1) Continue to use Gmail.

2) Add SPF for foss4g to allow mail to be sent by GMAIL

3) Set up mail groups in foss4g pairs -- that Vicky has started doing but she doesn't want to do any more if that is not going to be used.

4) PHP script and job scheduler like cronjob to send emails only X mails per minute. This will keep your mailings under Gmail limit. The PHP script would set the reply-to to the foss4g group email so if someone replies it gets sent to designated person

comment:17 by Delawen, 4 years ago

I'm worried that sending through GMail has a limit of 500 per day: https://support.google.com/mail/answer/22839?hl=en

I hope we don't reach that except on peak days. But there will be days in which we reach that.

comment:18 by Delawen, 4 years ago

The emails are mostly going to be sent through Pretix and Pretalx.

If we have the sponsors, travelgrant,etc... too, those will be "manual". But the callforpapers and tickets are going to be triggered by events.

comment:19 by Delawen, 4 years ago

I think plan A makes sense.

comment:20 by Delawen, 4 years ago

While Plan A is deployed... can we have at least the forwarding of emails so we can use some temporary mail server sending emails in the name of foss4g.org?

Forwarding everything to foss4g2021ba@…

in reply to:  17 comment:21 by robe, 4 years ago

Replying to Delawen:

> I'm worried that sending through GMail has a limit of 500 per day: https://support.google.com/mail/answer/22839?hl=en
>
> I hope we don't reach that except on peak days. But there will be days in which we reach that.

Just thought of a Plan C.

I think if we have a paid account for gmail, you can send up to 2,000 a day or more. I think the cost for paid account is something like $5/mth per mailbox. I have to double-check what the cost is, but that's what I've done for clients I have to send bulk mail for, I buy a domain (we've already got foss4g.org) and set gmail as the mail authority.

So 2 things you get with that

  1. Can have real something@… mailboxes, which you can log into using gmail.
  2. Can send way more email (I think the limits are per mailbox)

I think it's so cheap SAC can pay for it and I can set it up if we are okay with the cost.

For each mailbox you could set up multiple aliases and I think also setup mail groups (which would replace the Pair mail group we have right now).

Alex - you see any issue with that.

I'm thinking that would also allow easy transfer of contacts/mailboxes from year to year foss4g.

comment:22 by robe, 4 years ago

One more benefit I thought of with using gmail as authority: when sending email using gmail smtp, the sent email gets stored in sent items of gmail mailbox. That way you have full visibility into everything sent and received.

comment:23 by robe, 4 years ago

Here is link to gmail send limits

https://support.google.com/a/answer/166852?hl=en

In short: trial (free) = 500 per day, paid = 2000 per day

comment:24 by Delawen, 4 years ago

Maybe GMail is not an option.

See https://docs.pretalx.org/faq.html

> We run into issues when using Gmail. In Google’s eyes, pretalx is a less secure app, which you’ll have to grant special access. Even then, Gmail is known to unexpectedly block your SMTP connection with unhelpful error messages if you use it to send out too many emails in bulk (e.g. all rejections for a conference) even on GSuite, so using Gmail for transactional email is a bad idea

It is the only FAQ they have, so it must be important :)

comment:25 by Delawen, 4 years ago

If we are thinking on a third party mail server, I think Amazon SES makes more sense, as it is designed for this bulking email.

https://aws.amazon.com/es/ses/pricing/

Prices are cheap and, hopefully, we will not have to send hundreds of thousands of emails per month, so it will be even cheaper than the gmail option.

comment:26 by Delawen, 4 years ago

Sorry, that was in Spanish.

This is the English version: https://aws.amazon.com/ses/pricing

in reply to:  26 comment:27 by robe, 4 years ago

Replying to Delawen:

> Sorry, that was in Spanish.
>
> This is the English version: https://aws.amazon.com/ses/pricing

Okay I used their pricing calculator with these assumptions

    10,000 messages per month x 0.0001 USD = 1.00 USD (Messages sent from email client cost)
    1 GB per month x 0.12 USD = 0.12 USD (Email client data cost)
    10,000 messages per month x 0.0001 USD = 1.00 USD (Messages received cost)
    100 KB / 256 chunk size factor = 0.390625 chunk size in 256KB
    1.00 USD + 0.12 USD + 1.00 USD = 2.12 USD (SES usage cost)

    SES usage cost (monthly): 2.12 USD

So at a glance does seem cheaper as long as we don't need to lease dedicated IPs, which I presume is optional. I always feel like there is some hidden cost in Amazon I'm missing as my bills on Amazon always seem to be much higher (for bandwidth) than I think they should be.

I've never used it before though so not sure how it works. Like will it keep record of sent emails like GMail does (they are in sent box for Gmail).

So on bright side, seems like we could send as many as we want at any time vs. the gmail 2000/day limit.

comment:28 by Delawen, 4 years ago

I'm also very suspicious of Amazon in general but on this case I think this is an accommodating service for EC2. Trying to lure people into using EC2 because you have this fancy free service if you do the requests from an EC2 instance. I don't think they see SES as a sales focus.

The inbox is not needed, as long as we have an SMTP (which Amazon offers) and a forwarding service to receive emails (which Amazon offers).

In fact, not having an inbox is a feature in our case, not a bug :) Because of the previously discussed privacy concerns: After each FOSS4G, the old LOC has to remove all data before giving the accounts/services to the new LOC. This way, there will be nothing to remove regarding email.

The only data we are allowed to keep from one FOSS4G to the next is the one from the mailing list, which is the one that is right now stored on mailchimp. And we can keep it because we explicitly ask to keep it and we have the footer on each email that allows them to unsubscribe.

comment:29 by Delawen, 4 years ago

Also, the amount of messages will be much much lower than your calculations as by now we will still use mailchimp to send messages.

These will be used for Pretalx, Pretix and, now that we will have this up, interaction with individuals. Which I hope is not going to be thousands of emails per month because that means we will have to read and answer to all of them :)

comment:30 by cvvergara, 4 years ago

While this gmail/amazon mail gets resolved and thinking in the future.

I can create the following mail forwarding: @ foss4g.org

  • register@...
  • callforpapers@...
  • sponsors@...
  • info@...
  • news@...
  • students@...
  • volunteers@...
  • travelgrant@...
  • visa@...

Maybe it can allow you to make tests while the definitive setup is done. Do you have a particular mail(s) to forward to for this current temporary setup?

comment:31 by Delawen, 4 years ago

Please, redirect them to foss4g2021ba@…

comment:32 by cvvergara, 4 years ago

Temporary workaround done.

comment:33 by Delawen, 3 years ago

On the last board meeting there was a passed motion that OSGeo will use a credit card/bank account to pay for this.

comment:34 by robe, 3 years ago

As noted on IRC osgeo-sac channel, I plan to create an osgeo alias account called

amazon@…

Notes from IRC

We need a mail account (I guess it can be an alias) to use for creating amazon account. What do you propose?
I'm going to create one called amazon@osgeo.org which will be an alias and have Vicky and me and Alex on it.  IF I don't hear any issue in 1 hr I will push forward.

Even though this is for foss4g, I think it's best we just have one Amazon account and delegate permissions to other groups as needed for services. So it should be under osgeo.org domain.

comment:35 by cvvergara, 3 years ago

amazon@… alias for:

  • Vicky
  • Regina
  • Alex

done

comment:36 by cvvergara, 3 years ago

Will add Michael as the account can not be created without a credit card

comment:37 by robe, 3 years ago

FYI I believe this is where Michael has to go to setup

https://portal.aws.amazon.com/billing/signup#/start

Mike - you can use the amazon@… email Vicky set up.

comment:38 by cvvergara, 3 years ago

Michael has been added to the amazon@… alias

comment:39 by msmitherdc, 3 years ago

Do I need to add the credit card to the account? If you want to email me a login, I can set it up. It looks like the email is already registered with AWS so I assume the account has been created.

comment:40 by robe, 3 years ago

Okay looks like it did create the account. I've emailed msmitherdc the login credentials. I don't think the SES is offered in the free tier so can't use until credit card is put in place by Mike.

I have recorded the password on osgeo7-secure in the access/aws.amazon.com file.

comment:41 by wildintellect, 3 years ago

Best practices for AWS,

  • We should create IAM accounts for people needing access, the main account should only be used in emergencies (so we can create an account for Treasurer specifically to handle billing). These accounts should be per individual, so it's easy to manage permissions.
  • Billing Alerts, please setup an alert, say $20/month (We expect it to be less than that?), and write up a plan for how to disable the mail if something goes awry.
  • The Sendy agent should get its own account that only gives it access to SES, probably using keys. I suspect the setup guide talks about this.
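The last bullet of comment 41, a sending agent whose account can do nothing but send through SES, as an added example that is not part of the ticket or of any OSGeo configuration: a small lint over an IAM policy document that flags anything wider than send-only. Both policy documents, the function name `lint_sender_policy` and the `*@foss4g.org` sender pattern are constructed for illustration.

```python
import json

# Actions a send-only agent needs; SES SMTP credentials use ses:SendRawEmail.
SEND_ONLY = {"ses:sendemail", "ses:sendrawemail"}

# Constructed stand-in for a full-access grant (not copied from AWS or the ticket).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}],
}

# Constructed send-only policy for a hypothetical agent user.
SENDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendRawEmail"],
        "Resource": "*",
        "Condition": {"StringLike": {"ses:FromAddress": "*@foss4g.org"}},
    }],
}


def _as_list(value):
    """IAM allows a single value or a list in most fields."""
    return value if isinstance(value, list) else [value]


def lint_sender_policy(policy, from_domain="foss4g.org"):
    """Return (statement_index, message) for grants wider than send-only."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append((idx, f"wildcard action {action}"))
            elif action.lower() not in SEND_ONLY:
                findings.append((idx, f"action beyond sending: {action}"))
        # Collect every From-address pattern the statement is restricted to.
        senders = []
        for operator, keys in stmt.get("Condition", {}).items():
            if not operator.lower().startswith(("stringequals", "stringlike")):
                continue
            for key, value in keys.items():
                if key.lower() == "ses:fromaddress":
                    senders += _as_list(value)
        if not senders:
            findings.append((idx, "no ses:FromAddress condition"))
        for pattern in senders:
            if not pattern.lower().endswith("@" + from_domain):
                findings.append((idx, f"From pattern outside {from_domain}: {pattern}"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("sender", SENDER_POLICY)):
        print(name, json.dumps(lint_sender_policy(doc)))
```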

comment:42 by Delawen, 3 years ago

Once @msmitherdc finished configuring it, if you create an IAM account for me (delawen at osgeo.org) I can do the rest of the Amazon SES configuration. As we have the redirection of the emails, I think I can do most of the work.

Maybe at the end I need some DNS change, but I will let you know then.

comment:43 by robe, 3 years ago

I have created Administrative IAM accounts for robe, cvvergara, and wildintellect.

I don't see SES as an option of role so held off on that until @msmitherdc is done before I create delawen.

wildintellect and cvvergara can you confirm you can log in?

comment:44 by cvvergara, 3 years ago

Confirmed: I am in

comment:45 by robe, 3 years ago

@Delawen,

I created a group called SESAdmins which has rights arn:aws:iam::aws:policy/AmazonSESFullAccess

and created delawen which is a member of that group.

I sent you the credentials to your osgeo.org account. Can you confirm you can log in? Should prompt you to change your password.

comment:46 by robe, 3 years ago

@msmitherdc I created an account msmitherdc for you that has access to all Billing. So you can use this to handle billing instead of using the root account.

comment:47 by Delawen, 3 years ago

I'm missing a password to enter.

I created an account with that email and a password before, but it looks like the account will be different if I am a non root user?

Can you send me a password?

comment:48 by Delawen, 3 years ago

Hi

I didn't receive any password. Amazon says that only my admin can reset my password. Did I miss something?

comment:49 by robe, 3 years ago

Delawen,

I had sent you a password in a separate email with subject line Amazon -- I just resent again to your osgeo.org address.

comment:50 by Delawen, 3 years ago

I'm in, thank you!

I need you to do one last thing on the DNS:

To verify that the domain is ours, add one of these entries:

"_amazonses.foss4g.org","TXT","/W2AZWMDVua9HIQOAgSX+pQ1HvPwYl82EVIsxjMB1w0="

or

"foss4g.org","TXT","amazonses:/W2AZWMDVua9HIQOAgSX+pQ1HvPwYl82EVIsxjMB1w0="

And also to be able to receive emails, we need the following:

"foss4g.org", "MX", "10 inbound-smtp.us-east-1.amazonaws.com"

comment:51 by cvvergara, 3 years ago

I updated the records

But I had to delete all the forwardings. I will create the forwardings as: @ osgeo.org

  • register-foss4g2021@...
  • callforpapers-foss4g2021@...
  • sponsors-foss4g2021@...
  • info-foss4g2021@...
  • news-foss4g2021@...
  • students-foss4g2021@...
  • volunteers-foss4g2021@...
  • travelgrant-foss4g2021@...
  • visa-foss4g2021@...

comment:52 by Delawen, 3 years ago

It seems that I still lack some privileges on Amazon to fully configure the email.

User: $MYUSER is not authorized to perform: iam:GetAccountSummary on resource:

User: $MYUSER is not authorized to perform: iam:ListAccountAliases on resource:

I replaced my user with $MYUSER in case there is some security concern.

comment:53 by Delawen, 3 years ago

And also, Vicky, if you could add these other DNS registries (for DKIM signature[1]):

Name Type Value
mtz2qzrcqn24m43vyibnrjwklfs2whtq._domainkey.foss4g.org CNAME mtz2qzrcqn24m43vyibnrjwklfs2whtq.dkim.amazonses.com
ett37z42k7lzxu5txsm4ghqpceynhgfr._domainkey.foss4g.org CNAME ett37z42k7lzxu5txsm4ghqpceynhgfr.dkim.amazonses.com
f2jlihsywycdwtpqgslcl6qhvzhldeh7._domainkey.foss4g.org CNAME f2jlihsywycdwtpqgslcl6qhvzhldeh7.dkim.amazonses.com

[1] https://es.wikipedia.org/wiki/DomainKeys_Identified_Mail

comment:54 by cvvergara, 3 years ago

  • CNAME Record for 'mtz2qzrcqn24m43vyibnrjwklfs2whtq._domainkey' has been added.
  • CNAME Record for 'ett37z42k7lzxu5txsm4ghqpceynhgfr._domainkey' has been added.
  • CNAME Record for 'f2jlihsywycdwtpqgslcl6qhvzhldeh7._domainkey' has been added.

comment:55 by Delawen, 3 years ago

Hello again!

Sending emails is working, thanks! The SMTP credentials are good.

But I think I still miss some privileges to configure the receiving/forwarding emails as described in https://aws.amazon.com/es/blogs/messaging-and-targeting/forward-incoming-email-to-an-external-destination/

Issues I'm facing:

  • I cannot create Email Receiving rule sets (it is disabled on my user interface).
  • Can't create buckets (access denied)
  • Can't create/see lambdas
  • And probably I won't be able to create IAM Policy and Roles either

How do we proceed?

I think it makes sense that at least I have access to the lambda that forwards the email so we can redirect email quickly to different forwarding emails if we need. But as you think it is wiser.

comment:56 by robe, 3 years ago

Delawen, I added you to administrators group for now. Let me know when you are done with it and I can take the permissions away. No rush since Amazon was setup to get SES up and running.

comment:57 by Delawen, 3 years ago

We created everything on us-east-2 but we need to be on us-east-1 to be able to receive emails. Because Amazon does not support receiving emails on us-east-2.

So, Vicky, we have to replace the DNS entries we setup last week for these ones:

Type Name Value
TXT _amazonses.foss4g.org /lB3HwHS+bmh1kqKAnlVoO59Wfytx/LLrkFqdyUEPJg=
CNAME 42ipgzpmdo3vvl4clw7wyxb4ifk7cdua._domainkey.foss4g.org 42ipgzpmdo3vvl4clw7wyxb4ifk7cdua.dkim.amazonses.com
CNAME beub2havv6i6wrtxsrsvans7h55c5ezy._domainkey.foss4g.org beub2havv6i6wrtxsrsvans7h55c5ezy.dkim.amazonses.com
CNAME autxxcs52lsgt763uo4bxpsuetpze2b4._domainkey.foss4g.org autxxcs52lsgt763uo4bxpsuetpze2b4.dkim.amazonses.com

The MX one is the same (see the us-east-1?).

Type Name Value
MX foss4g.org 10 inbound-smtp.us-east-1.amazonaws.com

I am going to re-create everything on the new Amazon region us-east-1 as soon as we have the DNS entries.

I think this is really really the last thing I'm going to ask you. Because the rest of the steps are ok (on the wrong region, sure).
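The record swap requested in comment 57 can be checked mechanically; the following is an added example, not part of the ticket, that audits a zone snapshot for leftover DKIM CNAMEs from the old region, missing new ones, a stale verification TXT and an inbound MX outside the receiving region. The expected values are copied from comment 57; the mid-migration `SAMPLE_ZONE` and the function name `audit_ses_dns` are constructed for illustration.

```python
import re

DOMAIN = "foss4g.org"
RECEIVE_REGION = "us-east-1"  # region the thread settles on in comment 57
# Values issued for us-east-1, copied from comment 57.
EXPECTED_TXT = "/lB3HwHS+bmh1kqKAnlVoO59Wfytx/LLrkFqdyUEPJg="
EXPECTED_DKIM = {
    "42ipgzpmdo3vvl4clw7wyxb4ifk7cdua",
    "beub2havv6i6wrtxsrsvans7h55c5ezy",
    "autxxcs52lsgt763uo4bxpsuetpze2b4",
}

# Constructed mid-migration snapshot (type, name, value): one us-east-2 DKIM
# record from comment 53 is still present and one us-east-1 record is missing.
SAMPLE_ZONE = [
    ("TXT", "_amazonses.foss4g.org", EXPECTED_TXT),
    ("CNAME", "42ipgzpmdo3vvl4clw7wyxb4ifk7cdua._domainkey.foss4g.org",
     "42ipgzpmdo3vvl4clw7wyxb4ifk7cdua.dkim.amazonses.com"),
    ("CNAME", "beub2havv6i6wrtxsrsvans7h55c5ezy._domainkey.foss4g.org",
     "beub2havv6i6wrtxsrsvans7h55c5ezy.dkim.amazonses.com"),
    ("CNAME", "mtz2qzrcqn24m43vyibnrjwklfs2whtq._domainkey.foss4g.org",
     "mtz2qzrcqn24m43vyibnrjwklfs2whtq.dkim.amazonses.com"),
    ("MX", "foss4g.org", "10 inbound-smtp.us-east-1.amazonaws.com"),
]

SES_MX = re.compile(r"^\d+\s+inbound-smtp\.([a-z0-9-]+)\.amazonaws\.com\.?$")


def audit_ses_dns(zone, domain=DOMAIN, region=RECEIVE_REGION,
                  txt=EXPECTED_TXT, dkim=frozenset(EXPECTED_DKIM)):
    """Return (code, detail) findings for the SES-related records in `zone`."""
    findings, seen, txt_values, mx_regions = [], set(), [], set()
    suffix = "._domainkey." + domain
    for rtype, name, value in zone:
        name = name.rstrip(".").lower()
        if rtype == "CNAME" and name.endswith(suffix):
            token = name[: -len(suffix)]
            # The CNAME target must carry the same token as the record name.
            if value.rstrip(".").lower() != token + ".dkim.amazonses.com":
                findings.append(("dkim-target-mismatch", name))
            elif token not in dkim:
                findings.append(("dkim-stale", name))
            else:
                seen.add(token)
        elif rtype == "TXT" and name == "_amazonses." + domain:
            txt_values.append(value.strip('"'))  # token is case-sensitive
        elif rtype == "MX" and name == domain:
            match = SES_MX.match(value.strip().lower())
            if match:
                mx_regions.add(match.group(1))
    findings += [("dkim-missing", t + suffix) for t in sorted(set(dkim) - seen)]
    findings += [("verification-token-stale", v) for v in txt_values if v != txt]
    if txt not in txt_values:
        findings.append(("verification-token-missing", "_amazonses." + domain))
    if region not in mx_regions:
        found = ",".join(sorted(mx_regions)) or "none"
        findings.append(("mx-not-in-receive-region", found))
    return findings


if __name__ == "__main__":
    for code, detail in audit_ses_dns(SAMPLE_ZONE):
        print(f"{code}: {detail}")
```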

comment:58 by cvvergara, 3 years ago

Removed:

Name Type Value
mtz2qzrcqn24m43vyibnrjwklfs2whtq._domainkey.foss4g.org CNAME mtz2qzrcqn24m43vyibnrjwklfs2whtq.dkim.amazonses.com
ett37z42k7lzxu5txsm4ghqpceynhgfr._domainkey.foss4g.org CNAME ett37z42k7lzxu5txsm4ghqpceynhgfr.dkim.amazonses.com
f2jlihsywycdwtpqgslcl6qhvzhldeh7._domainkey.foss4g.org CNAME f2jlihsywycdwtpqgslcl6qhvzhldeh7.dkim.amazonses.com

comment:59 by cvvergara, 3 years ago

The following are the messages received after adding the records

  • TXT Record for '_amazonses' has been added.
  • CNAME Record for '42ipgzpmdo3vvl4clw7wyxb4ifk7cdua._domainkey' has been added.
  • CNAME Record for 'beub2havv6i6wrtxsrsvans7h55c5ezy._domainkey' has been added.
  • CNAME Record for 'autxxcs52lsgt763uo4bxpsuetpze2b4._domainkey' has been added.

comment:60 by Delawen, 3 years ago

Closing this.

Let me retain the admin privileges for a while while we finish configuring which emails go where.

comment:61 by Delawen, 3 years ago

Resolution: fixed
Status: new → closed