SMTP server configuration: Difference between revisions

From Woozle Writes Code
Jump to navigation Jump to search
No edit summary
No edit summary
Line 45: Line 45:
| TXT
| TXT
| toot_cat._domainkey.toot.cat
| toot_cat._domainkey.toot.cat
| style="overflow:scroll;" | v=DKIM1; h=sha256; k=rsa;p=MIIBIjAN''{{faint|[..long string..]}}''4yQIDAQAB
| v=DKIM1; h=sha256; k=rsa;p=MIIBIjAN''{{faint|[..long string..]}}''4yQIDAQAB
| 1800
| 1800
|-
|-
Line 56: Line 56:
| v=spf1 mx ip4:143.244.160.92 ip6:2604:a880:400:d0::2354:2001 -all
| v=spf1 mx ip4:143.244.160.92 ip6:2604:a880:400:d0::2354:2001 -all
| 1800
| 1800
|}
===wooz.dev===
{| class="wikitable"
|-
| TXT
| toot.cat._report._dmarc.wooz.dev
| v=DMARC1
| 3600
|-
| TXT
| wooz.dev
| v=spf1 mx mx:hypertwins.org mx:ownedbycats.org mx:woozalia.com a    -all
| 3600
|}
===woozalia.com===
{| class="wikitable"
|-
| TXT
| woozalia.com
| v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net  ~all
| 3600
|}
|}

Revision as of 13:34, 19 August 2022

This page is, for now, notes towards trying to configure our outgoing email servers so that at least GMail won't bounce notifications from apps like phpBB. The primary return-address domains I want to configure are:

  • hypertwins.org
  • woozalia.com
  • wooz.dev

There seem to be several necessary anti-spam protocols: SPF, DKIM, and DMARC.

For clues, I can look at the configuration of TootCat -- I'm pretty sure we configured it with all three.

Protocols

The DNS records for of these are TXT records. DKIM and DMARC use only name=value tags separated by semicolons (SPF is a little different). There appears to have been a lot of controversy around the adoption of these standards, and it seems likely that the unofficial standard of using these particular three is largely defined by what the major players (especially Google) choose to use and support.

SPF (Sender Policy Framework)

SPF is relatively simple, I think? Last I remember, there's a web tool to help build the necessary TXT records... but I think those domains may already be configured. Will check that.

DKIM (DomainKeys Identified Mail)

This has two parts:

  • public key in domain's DNS record
  • public key attached to email somehow (shouldn't that be "email signed by private key"?

DMARC (Domain-based Message Authentication, Reporting and Conformance)

This also requires a DNS entry. (I started to document here how it works, but decided to move the generally-applicable stuff to HTYP. It looks like it can be very simple, but also can be quite complex depending on how you want it to work.

This is also the protocol which lets you request reports from other SMTP servers (like GMail) regarding compliance -- so that looks like a powerful tool for finding out if your configuration passes muster with them.

Domains

Relevant DNS entries for relevant domains include:

hypertwins.org

MX hypetwins.org mail.vbz.net. 10 14400
TXT hypertwins.org v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all

toot.cat

MX toot.cat toot.cat. 10 14400
TXT toot_cat._domainkey.toot.cat v=DKIM1; h=sha256; k=rsa;p=MIIBIjAN[..long string..]4yQIDAQAB 1800
TXT _dmarc.toot.cat v=DMARC1; p=reject; rua=mailto:tootmaster2021@wooz.dev
TXT toot.cat v=spf1 mx ip4:143.244.160.92 ip6:2604:a880:400:d0::2354:2001 -all 1800

wooz.dev

TXT toot.cat._report._dmarc.wooz.dev v=DMARC1 3600
TXT wooz.dev v=spf1 mx mx:hypertwins.org mx:ownedbycats.org mx:woozalia.com a -all 3600

woozalia.com

TXT woozalia.com v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all 3600