SMTP server configuration: Difference between revisions
No edit summary |
|||
Line 60: | Line 60: | ||
| 1800 | | 1800 | ||
|} | |} | ||
===vbz.net=== | |||
<code>mail.vbz.net</code> is (I think) how the SMTP server identifies itself, and also what we use as the identifier for who is allowed to send email from our domains. | |||
{| class="wikitable" | |||
|- | |||
| TXT | |||
| vbz.net | |||
| v=spf1 a mx ~all | |||
| 3600 | |||
|} | |||
===wooz.dev=== | ===wooz.dev=== | ||
{| class="wikitable" | {| class="wikitable" |
Revision as of 15:07, 19 August 2022
This page is, for now, notes towards trying to configure our outgoing email servers so that at least GMail won't bounce notifications from apps like phpBB. The primary return-address domains I want to configure are:
- hypertwins.org
- woozalia.com
- wooz.dev
There seem to be several necessary anti-spam protocols: SPF, DKIM, and DMARC.
For clues, I can look at the configuration of TootCat -- I'm pretty sure we configured it with all three.
Protocols
The DNS records for of these are TXT records. DKIM and DMARC use only name=value
tags separated by semicolons (SPF is a little different). There appears to have been a lot of controversy around the adoption of these standards, and it seems likely that the unofficial standard of using these particular three is largely defined by what the major players (especially Google) choose to use and support.
SPF (Sender Policy Framework)
SPF is relatively simple, I think? Last I remember, there's a web tool to help build the necessary TXT records... but I think those domains may already be configured. Will check that.
DKIM (DomainKeys Identified Mail)
This has two parts:
- public key in domain's DNS record
- public key attached to email somehow (shouldn't that be "email signed by private key"?
DMARC (Domain-based Message Authentication, Reporting and Conformance)
This also requires a DNS entry. (I started to document here how it works, but decided to move the generally-applicable stuff to HTYP. It looks like it can be very simple, but also can be quite complex depending on how you want it to work.
This is also the protocol which lets you request reports from other SMTP servers (like GMail) regarding compliance -- so that looks like a powerful tool for finding out if your configuration passes muster with them.
Domains
Relevant DNS entries for relevant domains include:
hypertwins.org
MX | hypetwins.org |
|
14400 | ||
TXT | hypertwins.org | v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all | 3600 |
toot.cat
MX | toot.cat |
|
14400 | ||
TXT | toot_cat._domainkey.toot.cat | v=DKIM1; h=sha256; k=rsa;p=MIIBIjAN[..long string..]4yQIDAQAB | 1800 | ||
TXT | _dmarc.toot.cat | v=DMARC1; p=reject; rua=mailto:tootmaster2021@wooz.dev | |||
TXT | toot.cat | v=spf1 mx ip4:143.244.160.92 ip6:2604:a880:400:d0::2354:2001 -all | 1800 |
vbz.net
mail.vbz.net
is (I think) how the SMTP server identifies itself, and also what we use as the identifier for who is allowed to send email from our domains.
TXT | vbz.net | v=spf1 a mx ~all | 3600 |
wooz.dev
TXT | toot.cat._report._dmarc.wooz.dev | v=DMARC1 | 3600 |
TXT | wooz.dev | v=spf1 mx mx:hypertwins.org mx:ownedbycats.org mx:woozalia.com a -all | 3600 |
woozalia.com
TXT | woozalia.com | v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all | 3600 |