|
Size: 1745
Comment:
|
Size: 2451
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 11: | Line 11: |
| The outgoing filters also do incoming verification; we should probably turn this on for final delivery (and possibly ext-mx if it can do rejections rather than bounces). | The outgoing filters also do incoming verification; we should probably turn this on for final delivery (and possibly ext-mx if it can do rejections rather than bounces). According to [MSH] the signature validates with ext-mx then breaks after it goes through antivirus. |
| Line 13: | Line 13: |
| Mailman breaking existing signatures | Mailman breaking existing signatures - possibly a non-issue, will poke. |
| Line 18: | Line 18: |
Mooneye now has dkim-filter 2.6.0 installed. It does verification on all mail (including ext-mx) and signing on outgoing mail. The conditions for signing outgoing mail have been left as the defaults (i.e. only mail from mooneye and authenticated SMTP). Because all mail delivered over unauthenticated SMTP is checked by the spam filter, any messages with "@ucc.asn.au" in the from line are signed. This is bad. The other problem is that if you send mail from UCC that then gets redirected to your UCC address, it gets signed twice. This is due to the same problem. |
It is probably a good idea to start implementing some of the antispam tools usable by domains; e.g. DKIM, SPF.
DKIM
[http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail]
Gmail and the other big providers sign all outgoing mail with DKIM.
Incoming
The outgoing filters also do incoming verification; we should probably turn this on for final delivery (and possibly ext-mx if it can do rejections rather than bounces). According to [MSH] the signature validates with ext-mx then breaks after it goes through antivirus.
Mailman breaking existing signatures - possibly a non-issue, will poke.
Outgoing
Debian has dkim-filter ([http://sourceforge.net/projects/dkim-milter/ dkim-milter]) in stable and both dkim-filter and [http://www.opendkim.org/ OpenDKIM] in testing. OpenDKIM is a fork of dkim-milter, and is actively maintained, but would need backporting to stable (the testing packages require a new version of OpenSSL) or compiling from source.
Mooneye now has dkim-filter 2.6.0 installed. It does verification on all mail (including ext-mx) and signing on outgoing mail. The conditions for signing outgoing mail have been left as the defaults (i.e. only mail from mooneye and authenticated SMTP). Because all mail delivered over unauthenticated SMTP is checked by the spam filter, any messages with "@ucc.asn.au" in the from line are signed. This is bad.
The other problem is that if you send mail from UCC that then gets redirected to your UCC address, it gets signed twice. This is due to the same problem.
SPF
SPF seems a bit more likely to cause Issues. None of the big providers seem to have hard FAIL policies yet.
Incoming
Do we want to add verification checks to incoming mail? Does it matter? Would have to be on ext-mx only (or maybe whitelist 130.95/16).
Outgoing
No mail goes out RESNET, so could publish 130.95/16 with SOFTFAIL (or even hard FAIL?) Hard FAIL actually seems preferable in some ways; users will get a bounce from their local server rather than the message being filtered into "probable spam".
Should we start doing SRS on .forward files?
Does anyone use their personal or ISP mail server to send mail with a UCC from address? Gmail doesn't matter because that uses the Sender header and a sensible envelope header. Mailman overwrites Sender from Gmail.
We should publish instructions on how to do SMTP AUTH to UCC regardless.
