Chatting to Loopia support.

The trivial solution to the problem is to delete all @wikimedia.se redirects in Loopia.

Investigating if there is a way of keeping them.

So there seems to be no way of solving this which retains our current system and allows Loopia e-mail servers to reach us

Transcript of support chat:

09:45 Niklas Ö Hej, hur kan jag hjälpa dig?/Hello, how may I help you?
09:46 André Hej. Vi har problem med leverans av mail till en av de domäner vi har registrerade i Loopia.
09:47 André Specifikt har vi problem med mail som härstammar från mailservrar hos Loopia.
09:47 Niklas Ö Handlar det om wikimedia.se?
09:47 André yes
09:47 Niklas Ö Problemet grundar sig i att du har dubbla mailstöd idag, du har e-postadresser uppsatta hos oss samtidigt som ni kör e-posten externt, detta är dock en väldigt enkel lösning
09:48 Niklas Ö Du behöver ta bort alla e-postadresser i kundzonen som slutar på wikimedia.se så kommer problemet att vara avklarat inom 5 minuter
09:49 André Problemet är att den lösning som finns idag funkar rätt bra för oss. Vi hanterar anställda och styrelsemail i GSuite, de som inte matchar konton där skickas vidare till Loopia som distribuerar dem enligt de alias som finns här (volontärer). Det tillåter oss att lagra vissa e-post per GDPR men undvika att lagra andra.
09:50 André Systemet funkar bra för alla mail som kommer utifrån. Men mail som härstammar från Loopia skickas aldrig "ut" och skippar därmed GSuite steget.
09:57 Niklas Ö Det stämmer, det är dessvärre inte möjligt att ha det uppsatt på det sättet, det handlar om att mailen försöker levereras internt, de mailadresserna som faktiskt finns hos oss kommer motta dessa (hos oss) men de som inte finns kommer att generera ett felmeddelande, det är ingenting vi kan ändra på från våran sida dessvärre
09:59 André Ok. Då får jag tacka för hjälpen.
10:00 Niklas Ö Ingen fara, ha en toppendag och återkom om du har fler frågor eller funderingar

@Jopparn looks like the following are our options.

Possible solutions:

1. Stop using GSuite
2. Ignore all e-mail from Loopia users
3. Migrate all remaining @wikimedia.se accounts¹ in Loopia into GSuite
   • It should be possible to create these without needing to create corresponding accounts
   • We can investigate if there is a way of redirecting them from within GSuite without storing the contents or metadata of the communication. I believe it is possible thorugh this (should set up a second address map) but it needs to be verified that a) the domain does not need to be the same, b) no metadata is stored in the Email logs. Note that this solution is buried in the bowls of GSuite and (if it works) will make handling new/changed addresses more complicated.
4. Migrate all remaining @wikimedia.se accounts¹ in Loopia to another domain (e.g. @wikipedia.se, a subdomain of wikimedia.se or one of our other domains not handled in GSuite).
   • This makes it easy to keep offering e-mail adresses to volunteers while ensuring we log non of the communications and making it clear which we manage and which we don't.
   • For the addresses that exist today we could set up redirects from the old to the new domain to ensure continuity. That caries the same tracking uncertainty as mentioned in solution 3 though.

¹ With förtroendevalda and functional accounts migrated to GSuite anyway what remains are (per this doc) 7 volunteer addresses, 1 functional address which redirects to volunteers and a couple of alias address which redirect to external domains (e-mail lists and press otrs).

@Jopparn. What is the timeline for informing and migrating the förtroendevalada addresses?

A temporary mitigating solution would be to ensure info@ at least is always reachable by setting up an alias in GSuite and then creating a duplicate info@ in Loopia which redirects to the new alias. This does however not scale so it can only be done for a few addresses.

In T206596#4653966, @Lokal_Profil wrote:

3. Migrate all remaining @wikimedia.se accounts¹ in Loopia into GSuite
   • It should be possible to create these without needing to create corresponding accounts
   • We can investigate if there is a way of redirecting them from within GSuite without storing the contents or metadata of the communication. I believe it is possible thorugh this (should set up a second address map) but it needs to be verified that a) the domain does not need to be the same, b) no metadata is stored in the Email logs. Note that this solution is buried in the bowls of GSuite and (if it works) will make handling new/changed addresses more complicated.

I've investigated this a bit and it is possible to create a "Recipient address map" redirecting an @wikimedia.se address (for a non-user) to a non-@wikimedia.se address.

• All mail sent through this route ends up in the e-mail log meaning administrators can see: who sent the email, who recieved it (incl. cc:ed), the subject line, when it was sent etc. See attached image.

• Contents do not get stored, but I cannot say if Gmail does some processing of the contents on the way.
• Adding, and more so maintaining, addresses using this mechanism is undesirable and bound to lead to mistakes. While it is doable for the existing volunteer @wikimedia.se accounts (and our mailing list and OTRS redirects) we should not add any new addresses to it later. I recommend that we set up corresponding addresses on a different domain, managed through Loopia, and offer addresses on that domain (the old addresses can be redirected there).

This will not get done before I leave :(

The permanent solution is blocked by:

• announcing the new email policy to the Förtroendevalda and migrating them. (@Jopparn. Is there a timeline for this?)
• migrating function addresses to groups in GSuite (the dificulties in determining what type of group).

A temporary mitigating solution would be to ensure info@ at least is always reachable by setting up an alias in GSuite and then creating a duplicate info@ in Loopia which redirects to the new alias. This does however not scale so it can only be done for a few addresses.

I would recommend this is set up in the coming one or two weeks at the latest. We likely only need info@ to utilise this work around. Once function addresses start being migrated the work around should also be enabled for drift@.

Apparently this might be a problem for other Loopia addresses too. We were told by littlesister.se they couldn't reach our info or @Lokal_Profil.

I got an email saying that a person can't email me, that the email is impossible to send, and that that's a problem that he has never encountered before. The email itself was quite important, so in this case it turned out to be quite a problem.

In T206596#5100214, @Eric_Luth_WMSE wrote:

I got an email saying that a person can't email me, that the email is impossible to send, and that that's a problem that he has never encountered before. The email itself was quite important, so in this case it turned out to be quite a problem.

Was this also from a Loopia address?

If I understand things correctly, we need to remove all @wikimedia.se addresses in Loopia. For volunteers who have these, it means they need to choose what to do with their address:

1. Stop using the it
2. Have it moved to Gsuite
   • This means that we are technically able to read their emails
3. Have it moved to another domain
   • Something like @volontär.wikimedia would could work and would make it clear what roles they have
4. Have it moved to another domain and redirect the old address in Gsuite
   • The old (@wikimedia.se) address won't work unless we set up an alias in Gsuite, which logs some things, see T206596#4670520

Judging by this document, some sort of email has been sent concerning this, but what was actually asked isn't clear. Note that every address needs to be removed for this to be fixed, so we need to have a deadline for when people have to respond.

@Jopparn, do you see any problem with the options above? I'm guessing that we will need to have some sort of agreement for 2 and 4.

We will move forward with option 2 to consolidate the systems. Sebastian will email all email owners and inform them about the change.

The "Styrelse", "revisor", and "valberedning" need to have a login on Gsuite so that we can go through their communications if GDPR demands it. For volunteers a redirect to their personal email is okay.

There are no more @wikimedia.se addresses handled by Loopia. According to the chat log above, the problem should be fixed now.

@AxelPettersson_WMSE or @Eric_Luth_WMSE, could either of you ask the people that you've been in contact with, who had this problem, to send a test email to you, to confirm that it works now?

Test email via Loopia arrived as intended.

Changed routing rules in Gsuite to only forward e-mails to subdomains of wikimedia.se to Loopia