Differences between revisions 6 and 7
Revision 6 as of 2009-12-23 11:37:04
Size: 2600
Editor: 130
Comment:
Revision 7 as of 2009-12-23 14:49:54
Size: 2608
Editor: localhost
Comment: converted to 1.6 markup
Line 5: Line 5:
[http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail] [[http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail]]
Line 19: Line 19:
Debian has dkim-filter ([http://sourceforge.net/projects/dkim-milter/ dkim-milter]) in stable and both dkim-filter and [http://www.opendkim.org/ OpenDKIM] in testing. OpenDKIM is a fork of dkim-milter, and is actively maintained, but would need backporting to stable (the testing packages require a new version of OpenSSL) or compiling from source. Debian has dkim-filter ([[http://sourceforge.net/projects/dkim-milter/|dkim-milter]]) in stable and both dkim-filter and [[http://www.opendkim.org/|OpenDKIM]] in testing. OpenDKIM is a fork of dkim-milter, and is actively maintained, but would need backporting to stable (the testing packages require a new version of OpenSSL) or compiling from source.
Line 37: Line 37:
Apparently we should be doing [http://www.libsrs2.org SRS] on mail sent through .forward files. This will need bigtime testing. Apparently we should be doing [[http://www.libsrs2.org|SRS]] on mail sent through .forward files. This will need bigtime testing.

It is probably a good idea to start implementing some of the antispam tools usable by domains; e.g. DKIM, SPF.

DKIM

http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

Gmail and the other big providers sign all outgoing mail with DKIM.

Incoming

The outgoing filters also do incoming verification. Signatures that sign the Received-SPF header (e.g. Google Groups messages) break because antivirus.uwa drops the Received-SPF header - we need to follow up with ITS and/or not verify on mail from UWA hosts.

At this stage we don't drop any messages.

Mailman breaking existing signatures - possibly a non-issue, will poke.

Outgoing

Debian has dkim-filter (dkim-milter) in stable and both dkim-filter and OpenDKIM in testing. OpenDKIM is a fork of dkim-milter, and is actively maintained, but would need backporting to stable (the testing packages require a new version of OpenSSL) or compiling from source.

Mooneye now has opendkim 1.1.0 (backported from testing) installed. It does verification on all mail (including ext-mx) and signing on outgoing mail. The conditions for signing outgoing mail are: (a) the mail must come over SMTP, and either (b) the client is authenticated or (c) the client is from the machine room network.

Because all mail delivered over unauthenticated SMTP is checked by the spam filter, which reinjects the messages using the local delivery method, messages sent via the local delivery method on Mooneye do not get signed. This largely only affects cron mail (mailman uses SMTP).

SPF

SPF seems a bit more likely to cause issues. None of the big providers seem to have hard FAIL policies yet.

Incoming

Do we want to add verification checks to incoming mail? Does it matter? Would have to be on ext-mx only (or maybe whitelist 130.95/16).

Outgoing

No mail goes out RESNET, so we could publish 130.95/16 with SOFTFAIL (or even hard FAIL?). Hard FAIL actually seems preferable in some ways; users will get a bounce from their local server rather than the message being filtered into "probable spam".

Apparently we should be doing SRS on mail sent through .forward files. This will need bigtime testing.

Does anyone use their personal or ISP mail server to send mail with a UCC From address? Gmail doesn't matter because that uses the Sender header and a sensible envelope header. Mailman overwrites Sender from Gmail.

We should publish instructions on how to do SMTP AUTH to UCC regardless.
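The SPF outgoing questions above (SOFTFAIL versus hard FAIL for 130.95/16, users sending through an ISP server, and why .forward relaying needs SRS) can be checked with a small evaluator. This is an added example, not part of the original notes or of any UCC configuration. The domain names, client addresses and the hash/timestamp fields of the SRS address are constructed placeholders, and only the ip4/ip6/all subset of SPF is handled.

```python
import ipaddress

# Constructed SPF records. Domain names are placeholders; only 130.95.0.0/16
# (written 130.95/16 in the notes) comes from the page.
RECORDS = {
    "ucc.example": "v=spf1 ip4:130.95.0.0/16 -all",       # hard FAIL option
    "ucc-soft.example": "v=spf1 ip4:130.95.0.0/16 ~all",  # SOFTFAIL option
    "sender.example": "v=spf1 ip4:198.51.100.0/24 -all",  # some outside domain
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "permerror"  # include, a, mx, ... are outside this subset
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def receiver_verdict(envelope_from, client_ip):
    """What a receiving MTA concludes: SPF keys on the envelope sender's domain."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    return check_spf(RECORDS[domain], client_ip)


if __name__ == "__main__":
    inside, isp = "130.95.13.9", "203.0.113.7"  # constructed client addresses
    cases = [
        ("sent from inside 130.95/16", "user@ucc.example", inside),
        ("UCC sender via ISP server, hard FAIL", "user@ucc.example", isp),
        ("UCC sender via ISP server, SOFTFAIL", "user@ucc-soft.example", isp),
        (".forward relay, envelope unchanged", "alice@sender.example", inside),
        (".forward relay, SRS-rewritten", "SRS0=HHHH=TT=sender.example=alice@ucc.example", inside),
    ]
    for label, sender, ip in cases:
        print(f"{label:40} {receiver_verdict(sender, ip)}")
```

The fourth case is the one SRS exists for: a relay inside 130.95/16 that forwards with the original envelope sender is judged against the outside domain's record, not ours.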