
Configure a new Email Signature Server in Kubernetes

This article uses the provided Terraform scripts to configure and create a Kubernetes cluster and resources required to run the Email Signature Server.

Prerequisites

  • Global Admin account in the Enterprise type Azure subscription. The account needs to have either the Owner role in the subscription or the Contributor role and the permissions to create service principals and assign roles.

  • The account does not need to be an RBAC Cluster Admin to execute the deployment, but it must hold that role for any future configuration and monitoring.
  • Available Azure vCPU Compute Quota in the region the cluster will be implemented in.
  • Client-Hosted ESS Implementation steps 1 & 2 completed.

What do the Terraform scripts below create?

  • Service principal: this is required for the Kubernetes cluster to access the Azure resources.
  • Resource group: the Kubernetes cluster, Storage account, and Log analytics resources will be created here.
  • Node resource group: MC_<Original Resource Group Name>_<Kubernetes Cluster Name>_<Location>
  • Kubernetes cluster: this is required to host the email signature server component.
  • Log analytics: from here the performance of the Kubernetes cluster can be monitored.
  • Storage account: this is where the email signature generated from Templafy will be stored.

ESS Configuration

  1. Navigate to https://portal.azure.com.
  2. Start Cloud Shell (the terminal icon in the top right). 

    • The first time you use Cloud Shell, you need to create a storage account. 
    • When prompted, choose Bash.
  3. Verify the subscription where the AKS cluster should reside: az account show
    • Set the default subscription to the one all resources should be created under:
      az account set --subscription <subscription name or id>

  4. Navigate to the clouddrive directory: cd clouddrive

  5. Create a new directory which will host the terraform files: mkdir terraform

  6. Change to this directory: cd terraform

  7. Download the terraform-root.zip file:

    curl -O https://templafydownload.blob.core.windows.net/delivery/ESS/terraform-root.zip
  8. Extract the file: unzip terraform-root.zip
  9. Open the editor: code .

  10. Select the configuration file variables.tfvars and edit the variables based on your environment.

      Note

    • office365ApplicationId is the Application Id assigned in the App Registration.

    • office365SmtpServerHostname can be retrieved from the Microsoft Admin Center by selecting the default domain. From there, select the DNS records tab to find the MX entry.

      • Alternatively, to find this variable, you can run nslookup -type=mx <your primary domain>.
    • office365AuthenticationUrl is https://login.microsoftonline.com/<your Primary Domain or Tenant ID>.

  11. Save the variables.tfvars file.
  12. Run the first set of terraform scripts: ./tf-run-azure-config.bat

      Note

    In order to troubleshoot any errors that arise, please follow the links specified by Microsoft in the error message.

    • Common issues include incorrect licensing, inadequate vCPU quota, and improper permissions.
  13. The output result will display the cluster_public_ip on which the Email Signature Server is listening.

    • Click the mxtoolbox_blacklist_ip_check URL in the output result and verify the IP address issued by Microsoft is not on any SMTP blacklist.

        Important

      If you find that the Microsoft-issued public IP address is on any of the blacklists, you will need to delete the public IP address and re-run ./tf-run-azure-config.bat from step 12. Repeat the steps below until the output gives a cluster_public_ip that is not on any blacklists.

        1. source init.env
        2. az network public-ip delete --ids $ess_cluster_public_ip_resource_id
  14. Update your SPF record for all email sending domains with this cluster_public_ip. Save this IP for use in Step 4 of the Implementation.
  15. Set the environment variables for your cluster that will be used by the rest of the commands: source init.env
  16. Since the cluster uses Azure RBAC, we need to go through an authentication process to gain access to the cluster.

    • Run the following command to authenticate: ./ess-get-credentials.bat
    • This will trigger an SSO Microsoft authentication process. Follow the instructions on screen and after successful authentication the output will be the namespaces of the cluster. Now you have a valid session with the cluster to run the next terraform deployment.
  17. Run the second set of terraform scripts: ./tf-run-kubernetes-config.bat
  18. Set the load balancer configuration in the deployment to the cluster_public_ip: ./ess-set-standard-load-balancer.bat
  19. Upload the certificate files created earlier to the Cloud Shell by clicking on the Upload/Download files icon.
    • Click the Manage file share link.
    • Navigate to the terraform/ directory.
    • Navigate to the certs/ directory.
    • Click the Upload button and select the certificates (2 certificates and 2 passwords).
  20. Run the command to upload the certificates to the secrets in the cluster: ./ess-upload-certs.bat
  21. Activate the replica set and create the email-signature-server pods: ./ess-activate-replicas.bat
  22. Show the generated Azure Blob storage Shared Access Signature URL: ./ess-show-sas-url.bat
  23. Copy the Blob SAS URL and save it for use in Step 5 of the Implementation.
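
The SPF update in step 14 can be checked before mail is routed through the cluster. The script below is an added example, not part of Templafy's Terraform package: it tests offline whether an SPF TXT record authorises an IPv4 address through an ip4: mechanism. The function names, the sample record and the sample IP are constructed for illustration.

```bash
# Added example: offline check that an SPF record passes a given IPv4 address
# through an ip4: mechanism. include:, a, mx and redirect= are not resolved.
# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET[/PREFIX] -> exit 0 when IP lies inside the network
in_cidr() {
    net=${2%/*}; bits=32
    case $2 in */*) bits=${2#*/} ;; esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip_n=$(ip_to_int "$1") || return 1
    net_n=$(ip_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# spf_covers_ip RECORD IP -> 0 if the first ip4: term matching IP is a pass,
# 1 if no ip4: term passes it, 2 if RECORD is not an SPF record.
spf_covers_ip() {
    case $1 in "v=spf1"|"v=spf1 "*) ;; *) return 2 ;; esac
    rest="$1 "
    while [ -n "$rest" ]; do
        term=${rest%% *}; rest=${rest#* }; qual=+
        case $term in [-~?+]*) qual=${term%"${term#?}"}; term=${term#?} ;; esac
        case $term in ip4:*)
            if in_cidr "$2" "${term#ip4:}"; then
                [ "$qual" = + ] && return 0
                return 1
            fi ;;
        esac
    done
    return 1
}

# Constructed sample values; 203.0.113.0/24 is a documentation range.
SAMPLE_SPF="v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
if spf_covers_ip "$SAMPLE_SPF" 203.0.113.10; then
    echo "cluster_public_ip is authorised by an ip4: mechanism"
fi
```

Pass it the TXT record returned by nslookup -type=txt <your sending domain> and the cluster_public_ip from step 13. A result of 1 only means no ip4: term passes the address; it may still be covered through an include: target, which this check does not follow.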