Page MenuHomePhabricator

Investigate switching internal mailing list over to GSuite group
Open, HighPublic

Description

As part of our T195596: WMSE e-mail restructure we should also investigate switching internal mailing list over to GSuite group. Currently we have three active internal/closed e-mail lists for staff, board and staff+board handled by mailman. (for all lists see T198457: Look over usage of @styrelse.wiklimedia.se mailing lists)

With our switch to GSuite it is worth investigating if these could be swapped over to closed groups instead. The benefit is that access would be directly controlled from one place and more strongly tied to the users @wikimedia.se accounts whilst also potentially removing our need for maintaining the mailman instance.

We should look into what, if any, features are gained/lost as well as if there are any other factors which may affect the choice.

Results

Benefits

  • One system less to maintain
  • Guaranteed overlap between Drive-access and e-mail list access
  • Security - Our mailman instance is unlikely to be as secure as GSuite [both mailman and the OS of the server are outdated]

Disadvantages

  • FLOSS - This is one of the FLOSS tools that we currently use. That said not switching would not mean dropping GSuite.
  • Google would gain access to the communications

No difference

  • Access - GSuite admins would gain access to board communications. Server admins (actually a larger group) have however had access to these already. This can be handled by T196334: Assign appropriate admin roles in Google Workspace
  • Quarantined messages - non-list members can e-mail the list after an admin has approved the message.
  • Archives - While the archives are closed they can be browsed by current members. (It also looks possible to migrate the old archives.)

Unclear

  • Exportability/Compatibility - Would it be as easy to switch back/to a third option in the future?
    • It looks possible to download the google groups contents as mbox (how mailman archives are stored) using e.g. google-group-crawler

Event Timeline

I've added a quick initial analysis. It would be good with more usage scenarios which we could compare.

@Historiker If the board has any special needs/thoughts about this that would also be good to capture.

Lokal_Profil updated the task description. (Show Details)Jul 3 2018, 7:54 AM

@Historiker per your questions.

  • E-mails from users outside of the group: It is possible to allow e-mails from outside of the group. You can further set it up so that such e-mails have to be handled by a moderator before being sent to the whole group.
  • Access: Basic access would be set to the styrelse group. Out of this group of users one or two users would be given moderation rights (to check emails from the outside).
    • Super-admins (me+Sebastian+john) will always be able to view the messages by going to the web interface via the settings menu. It also looks as though we can create messages in the group using the same interface. I've sent a message to support to see if it is either possible to limit access further or if it's at least possible to monitor when/if admins view the messages.
    • Note that in practice this doesn't change things significantly compared to how it works today. The users with server access can likely read through all the e-mails directly on the server.

Got a reply from Google.

There is no way of preventing a super-admin from having access, nor is there a way of monitoring if they use that access.

What we can do is reduce the number of superadmins and instead create an admin role without that particular access. There would always be (at least) one such account though.

Theoretically we could have a setup where there is a superadmin account that ia separate to any user account. It might then be possible to monitor any login to that account, but of course once logged in it still comes down to trust since you cannot se if they read any messages.

Lokal_Profil triaged this task as High priority.Jan 17 2020, 2:04 PM
Lokal_Profil added a project: User-LokalProfil.

@Jopparn @Historiker I'm increasing the priority of this one after having seen the status of the server where this is currently running.

We should either move forwards with migrating this to gsuite (my recommendation) or migrate it to bahnhof (and upgrade to the latest mailman)

An aside on non-internal mailing lists can not easily be made joinable and searchable by non-members (people without gsuite accounts) without us changing the global access setting for the whole domain. Which we should not do.

The good thing is that the only such list we have left is wlm-se, which doesn't seem to be in use (ping @AxelPettersson_WMSE )

I suggest we go with Gsuite, despite the problem you pointed at.

The good thing is that the only such list we have left is wlm-se, which doesn't seem to be in use (ping @AxelPettersson_WMSE )

Axel replied that it is no longer in use

I suggest we go with Gsuite, despite the problem you pointed at.

I agree. I checked with WMDE and they use the same setup. As for SuperAdmins being able to access that is covered by a combination of contractual clauses and criminal law.

I suggest we go with Gsuite, despite the problem you pointed at.

I agree. I checked with WMDE and they use the same setup. As for SuperAdmins being able to access that is covered by a combination of contractual clauses and criminal law.

What we should do at the same time is review who has this access and if any should be removed (I would still want at least two people for bus factor reasons)

Lokal_Profil added a comment.EditedJan 22 2020, 7:48 PM

Next steps (to be turned into tasks)

  1. Look into archive migration (a quick search suggests it's definitely doable)
  2. Look at what suitable new list names will be. [Since we are switching from @styrelse.wikimedia.org anyway and there has been some confusion around the naming of two of the lists in the past.]
    1. Look if any of those are already aliases and if so remove them from the routing mappings [I know styrelse@ is]
  3. Switch over the office list to use groups. [Less traffic than board group with a natural fallback (hangout) should everything go tits up]
  4. Look into adding the old mailing list as a recipient in a group (to maintain an archive should we decide this works badly) [not needed for office list but rather for the board list]
  5. Look into forwarding e-mails directed at the old addresses to the new mailinglists [also ok if this only happens when board gets switched over, likely needed since gsuite will take over routing of that subdomain]
  6. Revise who has super-admin access [also ok to happen after office gets switched over but before board gets it][might already be a task for this]

Also update T195596: WMSE e-mail restructure to remove potential overlaps with that list