uccwiki

It is probably a good idea to start implementing some of the antispam tools usable by domains; e.g. DKIM, SPF.

DKIM

http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

Gmail and the other big providers sign all outgoing mail with DKIM.

Incoming

The outgoing filters also do incoming verification. Signatures that sign the Received-SPF header (e.g. Google Groups messages) break because antivirus.uwa drops the Received-SPF header - we need to follow up with ITS and/or not verify on mail from UWA hosts.

At this stage we don't drop any messages.

Mailman breaking existing signatures - possibly a non-issue, will poke.

Outgoing

Debian has dkim-filter (dkim-milter) in stable and both dkim-filter and OpenDKIM in testing. OpenDKIM is a fork of dkim-milter, and is actively maintained, but would need backporting to stable (the testing packages require a new version of OpenSSL) or compiling from source.

Mooneye now has opendkim 1.1.0 (backported from testing) installed. It does verification on all mail (including ext-mx) and signing on outgoing mail. The conditions for signing outgoing mail are a) the mail must come over SMTP and either b) the client is authenticated or c) the client is from the machine room network.

Because all mail delivered over unauthenticated SMTP is checked by the spam filter, which reinjects the messages using the local delivery method, messages sent via the local delivery method on Mooneye do not get signed. This largely only affects cron mail (mailman uses SMTP).

SPF

SPF seems a bit more likely to cause Issues. None of the big providers seem to have hard FAIL policies yet.

Incoming

Incoming DKIM is checked by spamassassin with its DKIM plugin module. The UWA mail filter doesn't seem to mangle the DKIM signatures. There's no hard fail when the DKIM check fails, but it does increase the spam score. SPF is checked, but it seems to be poorly implemented externally (there are very few SPF_PASS entries in the logs) so again, we don't hard fail on it. Conversely, passes on these checks reduce the spam score.

Outgoing

No mail goes out RESNET, so could publish 130.95/16 with SOFTFAIL (or even hard FAIL?) Hard FAIL actually seems preferable in some ways; users will get a bounce from their local server rather than the message being filtered into "probable spam".

Apparently we should be doing SRS on mail sent through .forward files. This will need bigtime testing.

Does anyone use their personal or ISP mail server to send mail with a UCC from address? Gmail doesn't matter because that uses the Sender header and a sensible envelope header. Mailman overwrites Sender from Gmail.

We should publish instructions on how to do SMTP AUTH to UCC regardless.

uccwiki: MailAuth (last edited 2014-11-05 00:20:04 by BobAdamson)