Mail¶

MTA-STS¶

We support MTA-STS (RFC8461): we publish a generated policy and hooked a resolver to Postfix.

DANE¶

Our zones are DNSSEC secured and we publish DANE-EE TLSA DNS records for the leaf certificates. Postfix is configured to validate if the records are available.

SPF / DKIM / DMARC¶

These are flawed:

• https://lwn.net/Articles/187736/
• http://david.woodhou.se/why-not-spf.html
• https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Weaknesses

The world did not deploy SRS massively, mailing-lists are still common and often altering the mail, we do support SMTP SUBMISSION for roaming users but many providers or companies still block legitimate ports, mail forwarding and redirections on another domain are also useful features, so we decided to not implement these.

Checks¶

• Hardenize does extensive checks for mail; it is a bit excessive about accepted ciphers: it's still better to do opportunistic TLS with a medium strengh cipher than go encrypted
• HaveDANE is our SMTP server properly validating DANE?
• posttls-finger tool

Mailing-Lists¶

We are using Mailman 3. Users may create an account on the UI but that's not compulsory unless they wish to set specific delivery settings.

To manage lists one need an account with superuser rights but the UI does not provide such feature; it can be created on the command line though:

django-admin createsuperuser --pythonpath /usr/share/mailman3-web --settings settings --username <user> --email <mail-addr>

A normal account can be upgraded or downgraded by changing the flags in the database. The is_superuser flag gives access too all list creation and editing feature for the whole instance. To manage Sites and maybe also Mail Domains the is_staff flag is needed.

Certain shell commands are available to manage:

• the mailman 3 core (routing daemon): mailman-wrapper <command> <options>
• the UI: django-admin --pythonpath /usr/share/mailman3-web --settings settings <command> <options>