Difference between revisions of "Service/smtp"

From Sugar Labs
Jump to navigation Jump to search
(Instructions for set up in Thunderbird)
 
(13 intermediate revisions by 2 users not shown)
Line 6: Line 6:
 
| smtp.sugarlabs.org || smtp      || 25  || Local delivery (plain SMTP)
 
| smtp.sugarlabs.org || smtp      || 25  || Local delivery (plain SMTP)
 
|-
 
|-
| smtp.sugarlabs.org || [http://www.faqs.org/rfcs/rfc2476.html submission] || 587  || Email relay (SMTP with STARTTLS, password authentication required)
+
| smtp.sugarlabs.org || [http://www.faqs.org/rfcs/rfc2476.html submission] || 587  || SMTP with STARTTLS, legacy
 
|-
 
|-
| smtp.sugarlabs.org || smtps      || 465  || Email relay (SMTP with SSL, password authentication required)
+
| smtp.sugarlabs.org || [https://tools.ietf.org/html/rfc6409 submissions]  || 465  || Email relay (SMTP with SSL, password authentication required)
 
|}
 
|}
  
Line 22: Line 22:
  
 
* [[User:Bernie|Bernie Innocenti]]
 
* [[User:Bernie|Bernie Innocenti]]
 +
* (add yourself here if you tend to the postmaster [[Machine/rt|RT]] queue)
  
 
== Notes ==
 
== Notes ==
Line 27: Line 28:
 
* Users with a Sugar Labs [[Service/shell|shell account]] on [[Machine/sunjammer|sunjammer]] can use our SMTP relay for personal email submission. ''Any abuse will be prosecuted.''
 
* Users with a Sugar Labs [[Service/shell|shell account]] on [[Machine/sunjammer|sunjammer]] can use our SMTP relay for personal email submission. ''Any abuse will be prosecuted.''
  
* We prefer to use the [http://www.faqs.org/rfcs/rfc2476.html submission] port for email relay. Unauthenticated and unencrypted connections are not allowed to relay.
+
* The [https://tools.ietf.org/html/rfc6409 submissions] port (465) is preferred for email relay. Unauthenticated and unencrypted connections are not allowed to relay.
  
* smtp.sugarlabs.org is *not* the MX for the sugarlabs.org.
+
* All email originating from the sugarlabs.org domain must be submitted through our SMTP server. '''Failure to do so may result in your email being blocked by spam filters.'''
Google Apps handles our domain and forwards to smtp.sugarlabs.org for unknown users
 
  
* Just for those of you wanting to use just one email client (namely gmail in this case), you can simply add a second account to run through gmail (say user@activitiycentral.com or user@sugarlabs.org) and it will then allow you to choose which account you'd like to send from.
+
== SPF ==
 +
 
 +
Our domains use a non-strict (~all) [http://en.wikipedia.org/wiki/Sender_Policy_Framework SPF] records.
  
To do this you need to login to your gmail account and then go the following url (it is not easy to spot): https://mail.google.com/mail/?tab=om#settings/accounts
+
You can add an spf record in the zone file in the form
Choose '''send mail from another address'''; follow the instructions for sending out via smtp.sugarlabs.org
 
  
== SPF ==
+
  hostname        TXT    "v=spf1 redirect=_spf.hostname.sugarlabs.org"
 +
  _spf.hostname    TXT    "v=spf1 ip4:IPv4_of_hostname/mask ip6:IPv6_of_hostname/mask a:hostname.sugarlabs.org mx:hostname.sugarlabs.org ~all"
  
Our domains use a non-strict (~all) [http://en.wikipedia.org/wiki/Sender_Policy_Framework SPF] record.
+
The '''a''' and '''mx''' values are authorized mail server by domain name and authorized server by domain MX record, the MX record should also be defined
 +
for hostname.
  
If you send email with sugarlabs.org in the From: header, then you '''must''' submit it to our
+
Also maintain spacing and formatting for each section you add in the zone file.
SMTP server.
 
  
 
== DKIM ==
 
== DKIM ==
  
Our domain publishes a '''test''' [http://en.wikipedia.org/wiki/DKIM DKIM] key. All outgoing email
+
Our domain publishes a [http://en.wikipedia.org/wiki/DKIM DKIM] key.
is signed, but at this time verifiers will ignore our DKIM signature.
 
  
 
To test DKIM, send an email to autorespond+dkim@dk.elandsys.com
 
To test DKIM, send an email to autorespond+dkim@dk.elandsys.com
  
In anticipation of switching on strict DKIM verification, all email for the sugarlabs.org domain
+
 
must be submitted to our SMTP server. Failure to do so may result in your email being occasionally
+
To generate an ed25519 key to use for DKIM, you can use openssl
blocked by spam filters.
+
 
 +
  # Generate ed25519 key
 +
  $ openssl genpkey -algorithm ed25519 -out dkim_private.pem
 +
  # Generate public key from private key
 +
  $ openssl pkey -in dkim_private.pem -pubout -out dkim_public.pem
 +
 
 +
For ed25519 keys, the p value in the DKIM record must only contain the BASE64 encoded public key, without an ASN.1 structure
 +
 
 +
  $ openssl asn1parse -in dkim_public.pem -offset 12 -noout -out /dev/stdout | openssl base64
 +
  VGhpcyBpcyBqc3V0ZSBhc29ka2ZvYXNrZWpkZmtsc2pkZgo=
 +
 
 +
Your entry would look like this
 +
 
 +
  selector1._domainkey.hostname      TXT    "v=DKIM1; g=*; k=ed25519; p=VGhpcyBpcyBqc3V0ZSBhc29ka2ZvYXNrZWpkZmtsc2pkZgo="
 +
  _adsp._domainkey.hostname          TXT    "dkim=unknown"
 +
 
 +
When using an ed25519 key, you'll need to add a fallback RSA key for backward compatibility.
 +
 
 +
  # Generate rsa key
 +
  $ openssl genrsa -out rsa_private.key 2048
 +
  # Generate public key from private key
 +
  $ openssl rsa -in rsa_private.key -pubout -outform der 2>/dev/null | openssl base64 -A
 +
 
 +
You can then add a KeyTable and SigningTable to your opendkim.conf
 +
 
 +
  KeyTable                refile:/etc/opendkim/KeyTable
 +
  SigningTable            refile:/etc/opendkim/SigningTable
 +
 
 +
  # Contents of KeyTable with both keys
 +
  selector1._domainkey.hostname.sugarlabs.org hostname.domain-name:selector1:/path/to/selector1/private/*.key
 +
  selector2._domainkey.hostname.sugarlabs.org hostname.domain-name:selector2:/path/to/selector2/private/*.key
 +
 
 +
  # Contents of SigningTable
 +
  *@hostname.domain-name selector1._domainkey.hostname.sugarlabs.org
 +
  *@hostname.domain-name selector2._domainkey.hostname.sugarlabs.org
 +
 
 +
Then add a DKIM record for the second selector
 +
 
 +
  w-mail._domainkey.weblate      IN      TXT    ("v=DKIM1; h=sha256; k=rsa; p="*")
 +
 
 +
The value of p is the public key of the generated RSA key above.
 +
 
 +
Ensure your private keys are on hostname.
 +
 
 +
== Set up ==
 +
 
 +
=== Thunderbird ===
 +
 
 +
These are the settings for setting up SMTP with Thunderbird. Note that you use your LDAP username and password, and that the username __'''does not'''__ have "@sugarlabs.org" at the end.
 +
 
 +
{|class=wikitable
 +
! Server name        !! Port      !! Connection security !! Authentication method !! User name
 +
|-
 +
| smtp.sugarlabs.org || 587      || STARTTLS  || Normal Password || your LDAP username -- AND WITHOUT @SUGARLABS.ORG AT THE END!
 +
|}
 +
 
 +
Example:
 +
 
 +
[[File:Screenshot from 2024-06-13 22-45-20.png|thumb|left|example of smtp set up in thunderbird ]]
  
 
== See also ==
 
== See also ==
  
 
* [[Service/imap]]
 
* [[Service/imap]]
 +
* [[Service/webmail]]
 
* [[Service/email]]
 
* [[Service/email]]
* [[Service/webmail]]
 
  
 
[[Category:Service|imap]]
 
[[Category:Service|imap]]

Latest revision as of 21:53, 13 June 2024

Hostnames

hostname service port function
smtp.sugarlabs.org smtp 25 Local delivery (plain SMTP)
smtp.sugarlabs.org submission 587 SMTP with STARTTLS, legacy
smtp.sugarlabs.org submissions 465 Email relay (SMTP with SSL, password authentication required)

Hosted on

Machine/sunjammer

Administrative contact

  • postmaster AT sugarlabs DOT org

Sysadmins

Notes

  • Users with a Sugar Labs shell account on sunjammer can use our SMTP relay for personal email submission. Any abuse will be prosecuted.
  • The submissions port (465) is preferred for email relay. Unauthenticated and unencrypted connections are not allowed to relay.
  • All email originating from the sugarlabs.org domain must be submitted through our SMTP server. Failure to do so may result in your email being blocked by spam filters.

SPF

Our domains use a non-strict (~all) SPF records.

You can add an spf record in the zone file in the form

 hostname         TXT     "v=spf1 redirect=_spf.hostname.sugarlabs.org"
 _spf.hostname    TXT     "v=spf1 ip4:IPv4_of_hostname/mask ip6:IPv6_of_hostname/mask a:hostname.sugarlabs.org mx:hostname.sugarlabs.org ~all"

The a and mx values are authorized mail server by domain name and authorized server by domain MX record, the MX record should also be defined for hostname.

Also maintain spacing and formatting for each section you add in the zone file.

DKIM

Our domain publishes a DKIM key.

To test DKIM, send an email to autorespond+dkim@dk.elandsys.com


To generate an ed25519 key to use for DKIM, you can use openssl

 # Generate ed25519 key
 $ openssl genpkey -algorithm ed25519 -out dkim_private.pem
 # Generate public key from private key
 $ openssl pkey -in dkim_private.pem -pubout -out dkim_public.pem

For ed25519 keys, the p value in the DKIM record must only contain the BASE64 encoded public key, without an ASN.1 structure

 $ openssl asn1parse -in dkim_public.pem -offset 12 -noout -out /dev/stdout | openssl base64
 VGhpcyBpcyBqc3V0ZSBhc29ka2ZvYXNrZWpkZmtsc2pkZgo=

Your entry would look like this

 selector1._domainkey.hostname      TXT     "v=DKIM1; g=*; k=ed25519; p=VGhpcyBpcyBqc3V0ZSBhc29ka2ZvYXNrZWpkZmtsc2pkZgo="
 _adsp._domainkey.hostname          TXT     "dkim=unknown"

When using an ed25519 key, you'll need to add a fallback RSA key for backward compatibility.

 # Generate rsa key
 $ openssl genrsa -out rsa_private.key 2048
 # Generate public key from private key
 $ openssl rsa -in rsa_private.key -pubout -outform der 2>/dev/null | openssl base64 -A

You can then add a KeyTable and SigningTable to your opendkim.conf

 KeyTable                refile:/etc/opendkim/KeyTable
 SigningTable            refile:/etc/opendkim/SigningTable
 # Contents of KeyTable with both keys
 selector1._domainkey.hostname.sugarlabs.org hostname.domain-name:selector1:/path/to/selector1/private/*.key
 selector2._domainkey.hostname.sugarlabs.org hostname.domain-name:selector2:/path/to/selector2/private/*.key
 # Contents of SigningTable
 *@hostname.domain-name selector1._domainkey.hostname.sugarlabs.org
 *@hostname.domain-name selector2._domainkey.hostname.sugarlabs.org

Then add a DKIM record for the second selector

 w-mail._domainkey.weblate       IN      TXT     ("v=DKIM1; h=sha256; k=rsa; p="*")

The value of p is the public key of the generated RSA key above.

Ensure your private keys are on hostname.

Set up

Thunderbird

These are the settings for setting up SMTP with Thunderbird. Note that you use your LDAP username and password, and that the username __does not__ have "@sugarlabs.org" at the end.

Server name Port Connection security Authentication method User name
smtp.sugarlabs.org 587 STARTTLS Normal Password your LDAP username -- AND WITHOUT @SUGARLABS.ORG AT THE END!

Example:

example of smtp set up in thunderbird

See also