Differences between revisions 1 and 6 (spanning 5 versions)
Revision 1 as of 2009-12-20 10:38:32
Size: 1019
Editor: DavidAdam
Comment:
Revision 6 as of 2009-12-23 11:37:04
Size: 2600
Editor: 130
Comment:
Line 7: Line 7:
Gmail signs all its outgoing mail with DKIM. Gmail and the other big providers sign all outgoing mail with DKIM.
Line 11: Line 11:
Checking DKIM on incoming messages? Job of MTA or MUA? The outgoing filters also do incoming verification. Signatures that sign the Received-SPF header (e.g. Google Groups messages) break because antivirus.uwa drops the Received-SPF header - we need to follow up with ITS and/or not verify on mail from UWA hosts.
Line 13: Line 13:
Mailman breaking existing signatures At this stage we don't drop any messages.

Mailman breaking existing signatures - possibly a non-issue, will poke.
Line 17: Line 19:
There's a few milters, need to pick one. Debian has dkim-filter ([http://sourceforge.net/projects/dkim-milter/ dkim-milter]) in stable and both dkim-filter and [http://www.opendkim.org/ OpenDKIM] in testing. OpenDKIM is a fork of dkim-milter, and is actively maintained, but would need backporting to stable (the testing packages require a new version of OpenSSL) or compiling from source.

Mooneye now has opendkim 1.1.0 (backported from testing) installed. It does verification on all mail (including ext-mx) and signing on outgoing mail. The conditions for signing outgoing mail are a) the mail must come over SMTP and either b) the client is authenticated or c) the client is from the machine room network.

Because all mail delivered over unauthenticated SMTP is checked by the spam filter, which reinjects the messages using the local delivery method, messages sent via the local delivery method on Mooneye do not get signed. This largely only affects cron mail (mailman uses SMTP).
Line 29: Line 35:
No mail goes out RESNET, so could publish 130.95/16 with SOFTFAIL (or even hard FAIL?) No mail goes out RESNET, so could publish 130.95/16 with SOFTFAIL (or even hard FAIL?) Hard FAIL actually seems preferable in some ways; users will get a bounce from their local server rather than the message being filtered into "probable spam".
Line 31: Line 37:
Should we start doing SRS on .forward files? Apparently we should be doing [http://www.libsrs2.org SRS] on mail sent through .forward files. This will need bigtime testing.
Line 33: Line 39:
Does anyone use their personal mail server to send mail with a UCC from address? Gmail doesn't matter because that uses the Sender header and a sensible envelope header. Does anyone use their personal or ISP mail server to send mail with a UCC from address? Gmail doesn't matter because that uses the Sender header and a sensible envelope header. Mailman overwrites Sender from Gmail.

We should publish instructions on how to do SMTP AUTH to UCC regardless.

It is probably a good idea to start implementing some of the anti-spam tools available to domains, e.g. DKIM and SPF.

DKIM

[http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail]

Gmail and the other big providers sign all outgoing mail with DKIM.

Incoming

The outgoing filters also do incoming verification. Signatures that sign the Received-SPF header (e.g. Google Groups messages) break because antivirus.uwa drops the Received-SPF header - we need to follow up with ITS and/or not verify on mail from UWA hosts.

At this stage we don't drop any messages.

Mailman breaking existing signatures - possibly a non-issue, will poke.
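
A way to spot the Received-SPF breakage described above: list the headers a DKIM-Signature covers in its h= tag and report which of them are no longer in the message. This is an added example, not part of the original page or of OpenDKIM; the sample message, domain and selector are constructed.

```python
import email

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def missing_signed_headers(raw_message):
    """Map each signing domain (d=) to the h= headers absent from the message.

    A header may be listed in h= although it never existed, so an absent
    header is a candidate cause of a failed verification, not proof of one.
    """
    msg = email.message_from_string(raw_message)
    present = {name.lower() for name in msg.keys()}
    report = {}
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signed = [h.lower() for h in tags.get("h", "").split(":") if h]
        report[tags.get("d", "?")] = sorted({h for h in signed if h not in present})
    return report

# Constructed sample: the signer covered Received-SPF, and a relay on the
# path removed that header before the message reached the verifier.
SAMPLE = (
    "Received: from relay.example.org by mx.example.org; Wed, 23 Dec 2009 11:00:00 +0800\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.com;\n"
    "\ts=sel1; h=from:to:subject:date:received-spf;\n"
    "\tbh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: sender@example.com\n"
    "To: someone@example.org\n"
    "Subject: list post\n"
    "Date: Wed, 23 Dec 2009 10:59:00 +0800\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for domain, absent in missing_signed_headers(SAMPLE).items():
        print(domain, "signed headers now missing:", absent or "none")
```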

Outgoing

Debian has dkim-filter ([http://sourceforge.net/projects/dkim-milter/ dkim-milter]) in stable and both dkim-filter and [http://www.opendkim.org/ OpenDKIM] in testing. OpenDKIM is a fork of dkim-milter, and is actively maintained, but would need backporting to stable (the testing packages require a new version of OpenSSL) or compiling from source.

Mooneye now has opendkim 1.1.0 (backported from testing) installed. It does verification on all mail (including ext-mx) and signing on outgoing mail. The conditions for signing outgoing mail are a) the mail must come over SMTP and either b) the client is authenticated or c) the client is from the machine room network.

Because all mail delivered over unauthenticated SMTP is checked by the spam filter, which reinjects the messages using the local delivery method, messages sent via the local delivery method on Mooneye do not get signed. This largely only affects cron mail (mailman uses SMTP).

SPF

SPF seems a bit more likely to cause issues. None of the big providers seem to have hard FAIL policies yet.

Incoming

Do we want to add verification checks to incoming mail? Does it matter? Would have to be on ext-mx only (or maybe whitelist 130.95/16).

Outgoing

No mail goes out RESNET, so could publish 130.95/16 with SOFTFAIL (or even hard FAIL?) Hard FAIL actually seems preferable in some ways; users will get a bounce from their local server rather than the message being filtered into "probable spam".

Apparently we should be doing [http://www.libsrs2.org SRS] on mail sent through .forward files. This will need bigtime testing.

Does anyone use their personal or ISP mail server to send mail with a UCC From address? Gmail doesn't matter because that uses the Sender header and a sensible envelope header. Mailman overwrites Sender from Gmail.

We should publish instructions on how to do SMTP AUTH to UCC regardless.
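
What the SOFTFAIL versus hard FAIL choice means for a receiver, as an added example that is not part of the original page: a small evaluator for the ip4/ip6/all subset of SPF, run against a record publishing 130.95/16 with each qualifier. The two sender addresses are constructed; the second stands for any host outside the range, such as a personal or ISP mail server, or a forwarder that keeps the original envelope sender (the case SRS addresses).

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record discussed above, with each candidate qualifier on "all".
SOFT = "v=spf1 ip4:130.95.0.0/16 ~all"
HARD = "v=spf1 ip4:130.95.0.0/16 -all"

def spf_result(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for sender_ip.

    Mechanisms that need DNS lookups (a, mx, include, ...) are out of scope
    for this sketch and raise ValueError rather than being silently skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # matches every sender
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError("unsupported mechanism: " + mech)
    return "neutral"                         # nothing matched, no "all" term

def compare_policies(sender_ip):
    """Result a receiver would compute under each candidate record."""
    return {"~all": spf_result(SOFT, sender_ip), "-all": spf_result(HARD, sender_ip)}

if __name__ == "__main__":
    # Constructed senders: one inside 130.95/16, one outside it.
    for ip in ("130.95.13.9", "203.0.113.25"):
        print(ip, compare_policies(ip))
```

With `~all` the outside sender gets softfail, which receivers typically accept and score as suspicious; with `-all` it gets fail, which a receiver enforcing SPF rejects during the SMTP transaction.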