Mail » History » Version 6
Marc Dequènes, 2021-05-29 10:58
1 | 1 | Marc Dequènes | h1. Mail |
---|---|---|---|
2 | |||
3 | h2. MTA-STS |
||
4 | |||
5 | We support MTA-STS (RFC 8461): we publish a generated policy and have hooked a resolver into Postfix. |
||
6 | |||
7 | h2. DANE |
||
8 | |||
9 | 2 | Marc Dequènes | Our zones are DNSSEC-secured and we publish DANE-EE TLSA DNS records for the leaf certificates. Postfix is configured to perform DANE validation when the records are available. |
10 | 1 | Marc Dequènes | |
11 | h2. SPF / DKIM / DMARC |
||
12 | |||
13 | These are flawed: |
||
14 | * https://lwn.net/Articles/187736/ |
||
15 | * http://david.woodhou.se/why-not-spf.html |
||
16 | * https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Weaknesses |
||
17 | |||
18 | The world did not deploy SRS massively; mailing lists are still common and often alter the mail; we do support SMTP SUBMISSION for roaming users, but many providers or companies still block legitimate ports; and mail forwarding and redirection to another domain are also useful features. So we decided not to implement these. |
||
19 | |||
20 | h2. Checks |
||
21 | |||
22 | 3 | Marc Dequènes | * "Hardenize":https://www.hardenize.com/ does extensive checks for mail; it is a bit excessive about accepted ciphers: it is still better to do opportunistic TLS with a medium-strength cipher than to go unencrypted |
23 | * "HaveDANE":https://havedane.net/ checks whether our SMTP server properly validates DANE |
||
24 | 4 | Marc Dequènes | * *posttls-finger* tool |
25 | 5 | Marc Dequènes | |
26 | h2. Mailing-Lists |
||
27 | |||
28 | 6 | Marc Dequènes | We are using Mailman 3. Users may create an account on the UI but that's not compulsory unless they wish to set specific delivery settings. LDAP auth is missing at the moment (see #724). |
29 | 5 | Marc Dequènes | |
30 | To manage lists one needs an account with superuser rights, but the UI does not provide such a feature; it can be created on the command line though: |
||
31 | <pre> |
||
32 | django-admin createsuperuser --pythonpath /usr/share/mailman3-web --settings settings --username <user> --email <mail-addr> |
||
33 | </pre> |
||
34 | A normal account can be upgraded or downgraded by changing the flags in the database. The _is_superuser_ flag gives access to all list creation and editing features for the whole instance. To manage Sites and maybe also Mail Domains the _is_staff_ flag is needed. |
||
35 | |||
36 | Certain shell commands are available to manage: |
||
37 | * the Mailman 3 core (routing daemon): mailman-wrapper <command> <options> |
||
38 | * the UI: django-admin --pythonpath /usr/share/mailman3-web --settings settings <command> <options> |