Mail » History » Version 4

Marc Dequènes, 2019-10-01 21:43

h1. Mail

h2. MTA-STS

We support MTA-STS (RFC 8461): we publish a generated policy and have hooked a resolver into Postfix.

h2. DANE

Our zones are DNSSEC-secured and we publish DANE-EE TLSA DNS records for the leaf certificates. Postfix is configured to validate DANE when the records are available.

h2. SPF / DKIM / DMARC

These are flawed:

* https://lwn.net/Articles/187736/
* http://david.woodhou.se/why-not-spf.html
* https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Weaknesses

SRS was never deployed on a massive scale. Mailing lists are still common and often alter the mail. We do support SMTP SUBMISSION for roaming users, but many providers or companies still block legitimate ports. Mail forwarding and redirection to another domain are also useful features. We therefore decided not to implement these.

h2. Checks

* "Hardenize":https://www.hardenize.com/ does extensive checks for mail; it is a bit excessive about accepted ciphers: it is still better to do opportunistic TLS with a medium-strength cipher than to go unencrypted
* "HaveDANE":https://havedane.net/ checks whether our SMTP server is properly validating DANE
* *posttls-finger* tool
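
The MTA-STS policy mentioned in the MTA-STS section can also be checked locally. The following is an added example (not part of the original wiki page, nor the project's own tooling) that parses an RFC 8461 policy and decides how a sender should treat a given MX; the function names and the example.org hostnames are assumptions made for illustration.

```python
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
# Constructed sample policy; the example.org hostnames are placeholders.
SAMPLE_POLICY = (
    "version: STSv1\nmode: enforce\n"
    "mx: mail.example.org\nmx: *.mx.example.org\nmax_age: 604800\n"
)


def parse_policy(text):
    """Parse and validate a policy body; 'mx' may repeat, other keys may not."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or malformed line
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age") and key not in policy:
            policy[key] = value  # first occurrence wins, unknown keys ignored
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    age = policy.get("max_age", "")
    if not (age.isascii() and age.isdigit()) or int(age) > MAX_AGE_LIMIT:
        raise ValueError("invalid or missing max_age")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy without mx patterns")
    return policy


def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx pattern; '*.' covers exactly one label."""
    host = mx_host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    return any(
        (bool(label) and parent == p[2:]) if p.startswith("*.") else host == p
        for p in policy["mx"]
    )


def delivery_decision(policy, mx_host):
    """How a sending MTA should treat this MX under the policy."""
    if policy["mode"] == "none":
        return "opportunistic"
    if policy["mode"] == "testing":
        return "deliver-report-failures"  # failures never block delivery
    return "require-valid-tls" if mx_allowed(policy, mx_host) else "skip-mx"
```

In @enforce@ mode an MX that matches no pattern must not be used, which is why a generated policy has to stay in sync with the published MX records.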