Line 6: |
| | smtp.sugarlabs.org || smtp || 25 || Local delivery (plain SMTP) | | | smtp.sugarlabs.org || smtp || 25 || Local delivery (plain SMTP) |
| |- | | |- |
− | | smtp.sugarlabs.org || [http://www.faqs.org/rfcs/rfc2476.html submission] || 587 || Email relay (SMTP with STARTTLS, password authentication required) | + | | smtp.sugarlabs.org || [http://www.faqs.org/rfcs/rfc2476.html submission] || 587 || SMTP with STARTTLS, legacy |
| |- | | |- |
− | | smtp.sugarlabs.org || smtps || 465 || Email relay (SMTP with SSL, password authentication required) | + | | smtp.sugarlabs.org || [https://tools.ietf.org/html/rfc6409 submissions] || 465 || Email relay (SMTP with SSL, password authentication required) |
| |} | | |} |
| | | |
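Review bot: the new link text on the port 465 row says "submissions" but points at RFC 6409, which specifies the message submission service on port 587 (the row above it); implicit-TLS submission on port 465 is defined in RFC 8314, so that is the reference this row should carry. The 587 row also loses the "password authentication required" wording and now reads only "SMTP with STARTTLS, legacy"; since the Notes section still states that unauthenticated connections are not allowed to relay, keep the authentication requirement in that description so the table and the notes agree.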
Line 22: |
| | | |
| * [[User:Bernie|Bernie Innocenti]] | | * [[User:Bernie|Bernie Innocenti]] |
| + | * (add yourself here if you tend to the postmaster [[Machine/rt|RT]] queue) |
| | | |
| == Notes == | | == Notes == |
| | | |
− | * Users with a shell account on [[Service/shell.sugarlabs.org]] can use our SMTP relay for personal email submission. Any abuse will be prosecuted. | + | * Users with a Sugar Labs [[Service/shell|shell account]] on [[Machine/sunjammer|sunjammer]] can use our SMTP relay for personal email submission. ''Any abuse will be prosecuted.'' |
| | | |
− | * Preferably use the [http://www.faqs.org/rfcs/rfc2476.html submission] port for email relay. Unauthenticated and unencrypted connections are not allowed to relay. | + | * The [https://tools.ietf.org/html/rfc6409 submissions] port (465) is preferred for email relay. Unauthenticated and unencrypted connections are not allowed to relay. |
| | | |
− | * smtp.sugarlabs.org is *not* the MX for the sugarlabs.org. | + | * All email originating from the sugarlabs.org domain must be submitted through our SMTP server. '''Failure to do so may result in your email being blocked by spam filters.''' |
− | Google Apps handles our domain and forwards to smtp.sugarlabs.org for unknown users
| |
| | | |
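Review bot: the removed bullet was the only place the page stated that smtp.sugarlabs.org is not the MX for sugarlabs.org and that Google Apps handles the domain and forwards unknown users to it; the replacement "All email originating from the sugarlabs.org domain must be submitted through our SMTP server" covers outbound mail only, so if the MX arrangement is still true it should stay as a separate bullet rather than be dropped, otherwise readers will assume this host also receives inbound mail.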
| == SPF == | | == SPF == |
| | | |
− | Our domains use a non-strict (~all) SPF record. | + | Our domains use a non-strict (~all) [http://en.wikipedia.org/wiki/Sender_Policy_Framework SPF] records. |
| + | |
| + | You can add an spf record in the zone file in the form |
| + | |
| + | hostname TXT "v=spf1 redirect=_spf.hostname.sugarlabs.org" |
| + | _spf.hostname TXT "v=spf1 ip4:IPv4_of_hostname/mask ip6:IPv6_of_hostname/mask a:hostname.sugarlabs.org mx:hostname.sugarlabs.org ~all" |
| + | |
| + | The '''a''' and '''mx''' values are authorized mail server by domain name and authorized server by domain MX record, the MX record should also be defined |
| + | for hostname. |
| + | |
| + | Also maintain spacing and formatting for each section you add in the zone file. |
| | | |
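Review bot: the _spf.hostname example lists the host's addresses with ip4:/ip6: and then also adds a:hostname.sugarlabs.org and mx:hostname.sugarlabs.org for the same host; each a: and mx: mechanism costs one of the 10 DNS lookups SPF permits per evaluation (the redirect= already uses one), so drop them when the addresses are listed explicitly, or keep only one of the two forms. The sentence explaining a and mx should also say that an mx: mechanism on a host with no MX record matches nothing, which is why the text asks for the MX record to be defined. Minor: the first sentence now reads "a non-strict (~all) SPF records"; pick singular or plural.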
| == DKIM == | | == DKIM == |
| | | |
− | Our domains advertise a '''test''' DKIM key. All outgoing email is signed, but for now verifiers | + | Our domain publishes a [http://en.wikipedia.org/wiki/DKIM DKIM] key. |
− | will ignore our DKIM signature.
| |
| | | |
| To test DKIM, send an email to autorespond+dkim@dk.elandsys.com | | To test DKIM, send an email to autorespond+dkim@dk.elandsys.com |
| + | |
| + | |
| + | To generate an ed25519 key to use for DKIM, you can use openssl |
| + | |
| + | # Generate ed25519 key |
| + | $ openssl genpkey -algorithm ed25519 -out dkim_private.pem |
| + | # Generate public key from private key |
| + | $ openssl pkey -in dkim_private.pem -pubout -out dkim_public.pem |
| + | |
| + | For ed25519 keys, the p value in the DKIM record must only contain the BASE64 encoded public key, without an ASN.1 structure |
| + | |
| + | $ openssl asn1parse -in dkim_public.pem -offset 12 -noout -out /dev/stdout | openssl base64 |
| + | VGhpcyBpcyBqc3V0ZSBhc29ka2ZvYXNrZWpkZmtsc2pkZgo= |
| + | |
| + | Your entry would look like this |
| + | |
| + | selector1._domainkey.hostname TXT "v=DKIM1; g=*; k=ed25519; p=VGhpcyBpcyBqc3V0ZSBhc29ka2ZvYXNrZWpkZmtsc2pkZgo=" |
| + | _adsp._domainkey.hostname TXT "dkim=unknown" |
| + | |
| + | When using an ed25519 key, you'll need to add a fallback RSA key for backward compatibility. |
| + | |
| + | # Generate rsa key |
| + | $ openssl genrsa -out rsa_private.key 2048 |
| + | # Generate public key from private key |
| + | $ openssl rsa -in rsa_private.key -pubout -outform der 2>/dev/null | openssl base64 -A |
| + | |
| + | You can then add a KeyTable and SigningTable to your opendkim.conf |
| + | |
| + | KeyTable refile:/etc/opendkim/KeyTable |
| + | SigningTable refile:/etc/opendkim/SigningTable |
| + | |
| + | # Contents of KeyTable with both keys |
| + | selector1._domainkey.hostname.sugarlabs.org hostname.domain-name:selector1:/path/to/selector1/private/*.key |
| + | selector2._domainkey.hostname.sugarlabs.org hostname.domain-name:selector2:/path/to/selector2/private/*.key |
| + | |
| + | # Contents of SigningTable |
| + | *@hostname.domain-name selector1._domainkey.hostname.sugarlabs.org |
| + | *@hostname.domain-name selector2._domainkey.hostname.sugarlabs.org |
| + | |
| + | Then add a DKIM record for the second selector |
| + | |
| + | w-mail._domainkey.weblate IN TXT ("v=DKIM1; h=sha256; k=rsa; p="*") |
| + | |
| + | The value of p is the public key of the generated RSA key above. |
| + | |
| + | Ensure your private keys are on hostname. |
| | | |
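Review bot: the KeyTable entries use a glob ("/path/to/selector1/private/*.key") in the key file field, but that field must name exactly one private key file, and the domain field "hostname.domain-name" should be the same domain the SigningTable patterns and the DNS record names use (the record names say hostname.sugarlabs.org). With refile: SigningTable, two lines for the same "*@hostname.domain-name" pattern will not produce two signatures by themselves; list both key names comma-separated on one line and enable OpenDKIM's MultipleSignatures option so the ed25519 and RSA signatures are both applied, which is the whole point of the RSA fallback. The zone line "w-mail._domainkey.weblate IN TXT ("v=DKIM1; h=sha256; k=rsa; p="*")" does not match the selector2 name used in the KeyTable and is not valid zone syntax: the key belongs inside the quoted strings, e.g. ("v=DKIM1; h=sha256; k=rsa; " "p=<base64 key>"), split across strings if it exceeds 255 characters. For the ed25519 p value, "openssl asn1parse -offset 12" parses the raw key bytes themselves as an ASN.1 element and is fragile; since the raw key is always the last 32 bytes of the DER SubjectPublicKeyInfo, "openssl pkey -in dkim_private.pem -pubout -outform DER | tail -c 32 | openssl base64" is the robust form, and the sample p value shown decodes to 35 bytes of text rather than a 32-byte key, so mark it as a placeholder. Also "g=*" was removed from DKIM in RFC 6376 and ADSP (_adsp._domainkey) is historic, superseded by DMARC, so both records can go; and the closing sentence should add that the private keys on hostname must be readable only by the opendkim user.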
| == See also == | | == See also == |
| | | |
− | [[Service/imap]] | + | * [[Service/imap]] |
| + | * [[Service/webmail]] |
| + | * [[Service/email]] |
| | | |
| [[Category:Service|imap]] | | [[Category:Service|imap]] |
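Review bot: the category sort key is still "imap" on what is the SMTP service page ([[Category:Service|imap]]); it looks copied from the imap page and should be "smtp" so the page sorts under its own name in the Service category.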