This service is now operational behind mail-submit.debian.org (AKA stravinsky.debian.org). Documentation about how to use this service can
be accessed via [1].
If you have any question or issue, please don't hesitate to reach out.
At this point, what about SPF? Ignoring potential whitelists on mail receivers, I think using this service doesn't provide extra
advantages than signing on our own servers.
Since there is now this system in place, I think it's fair that after
a transition period we kind of force DDs to relay their email through
Debian infrastructure to properly authenticate outgoing emails.
tl;dr: DKIM-signed mail is verifiable, but only the headers; the body
can be tampered with;
Mails sent via this server will be DKIM-signed if the from is a
debian.org, debconf.org or ftp-master.debian.org address. If any
additional domain should be considered, feel free to ask.
On Sun, 2022-07-17 at 10:02 +0200, Mattia Rizzolo wrote:
At this point, what about SPF? Ignoring potential whitelists on mail receivers, I think using this service doesn't provide extra
advantages than signing on our own servers.
Why SPF? It doesn't provide any extra advantages over DKIM.
tl;dr: DKIM-signed mail is verifiable, but only the headers; the body can be tampered with
The Signer/Verifier MUST compute two hashes: one over the body of the message and one over the selected header fields of the message.
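The two hashes named in the RFC sentence quoted above, as an added example (not part of any message in this thread and not the code the relay runs). It covers relaxed canonicalization only and stops before the RSA step; the sample message, `d=example.org` and `s=sel` are constructed.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space and drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Empty lines at the end of the body are ignored.
    while lines and lines[-1] == b"":
        lines.pop()
    # A non-empty body ends with exactly one CRLF; an empty body stays empty.
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """First hash: the value carried in the bh= tag (sha256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()
    return f"{name.lower()}:{value}".encode()

def header_hash(headers: dict, signed: list, body: bytes) -> str:
    """Second hash: signed header fields, then DKIM-Signature with b= empty."""
    h_tag = ":".join(signed)
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel; "
           f"h={h_tag}; bh={body_hash(body)}; b=")
    data = b"".join(relaxed_header(h, headers[h]) + b"\r\n" for h in signed)
    data += relaxed_header("DKIM-Signature", sig)  # no trailing CRLF here
    return hashlib.sha256(data).hexdigest()

# Constructed sample message and two variants of its body.
HEADERS = {"From": "Alice <alice@example.org>", "Subject": "release  plan"}
SIGNED = ["From", "Subject"]
BODY = b"Upload is scheduled for Friday.\r\n\r\n"
REWRAPPED = b"Upload  is scheduled for Friday. \r\n"   # whitespace changes only
TAMPERED = b"Upload is scheduled for Monday.\r\n"      # content changed

if __name__ == "__main__":
    for label, body in (("original", BODY), ("rewrapped", REWRAPPED),
                        ("tampered", TAMPERED)):
        print(label, body_hash(body), header_hash(HEADERS, SIGNED, body)[:16])
```

Because `bh=` sits inside the DKIM-Signature field that feeds the second hash, a changed body changes both values, while whitespace-only rewrapping leaves them intact under relaxed canonicalization.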
Dear developers,
In the past months, it's been clear that sending mails from an
@debian.org address to some mail providers, including GMail, has become harder and harder. While user DKIM feature (documented on [0]) can help,
we thought providing a relay server for our users to send their Debian
mail was a more long-term solution.
This service is now operational behind mail-submit.debian.org (AKA stravinsky.debian.org). Documentation about how to use this service can
be accessed via [1]. The page behind [0] will be updated on the next
release we make of userdir-ldap-cgi.
Mails sent via this server will be DKIM-signed if the from is a
debian.org, debconf.org or ftp-master.debian.org address. If any
additional domain should be considered, feel free to ask.
This server requires an active Debian Account, and that one sets their mailPassword up (again, see [1]) to be able to use the service. I've
tried to provide some useful tips on the doc.
If you have any question or issue, please don't hesitate to reach out.
Cheers!
On 2022-07-16 23:49, Pierre-Elliott Bécue wrote:
In the past months, it's been clear that sending mails from an
@debian.org address to some mail providers, including GMail, has become
harder and harder. While user DKIM feature (documented on [0]) can help,
we thought providing a relay server for our users to send their Debian
mail was a more long-term solution.
This service is now operational behind mail-submit.debian.org (AKA
stravinsky.debian.org). Documentation about how to use this service can
be accessed via [1]. The page behind [0] will be updated on the next
release we make of userdir-ldap-cgi.
Mails sent via this server will be DKIM-signed if the from is a
debian.org, debconf.org or ftp-master.debian.org address. If any
additional domain should be considered, feel free to ask.
This server requires an active Debian Account, and that one sets their
mailPassword up (again, see [1]) to be able to use the service. I've
tried to provide some useful tips on the doc.
If you have any question or issue, please don't hesitate to reach out.
Hey!
Would it be possible to also make it available on port 465 without
STARTTLS? I am using smtp_tls_security_level=secure and smtp_tls_wrappermode=yes with my other providers and having mail-submit.debian.org on top of that is adding a bit of complexity
that I would like to avoid if possible.
On Saturday, 16 July 2022, 21:49:31 UTC, Pierre-Elliott Bécue wrote:
Thanks for this hard work, however it seems that some mail clients consider these mails invalid, whereas Gmail and other verifier services consider them OK...
Any idea for debugging?
Bastien
I would like to bring up the issue of providers with strict SPF
record, for example disroot.org
dig -t TXT disroot.org has the relevant line,
disroot.org. 3600 IN TXT "v=spf1 a mx -all"
which means people using disroot.org to receive debian.org forwarded
mails cannot receive any mails sent from other disroot.org users. I
have also seen rejections with some other mail servers with strict
SPF enforced.
Can we enable SRS [1] on the forwarding mail server to mitigate this?
This would also be relevant for @debconf.org aliases too.
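The failure described in the message above and the effect of SRS on it, as an added example (not part of the thread and not the forwarder's own configuration). Only the `v=spf1 a mx -all` policy comes from the thread; the addresses, the `forwarder.example` host, the secret and the SRS hash input are constructed for this sketch.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed DNS data using documentation address ranges (RFC 5737).
DNS = {
    "disroot.org": {"spf": "v=spf1 a mx -all",
                    "a": ["192.0.2.10"], "mx": ["192.0.2.25"]},
    "forwarder.example": {"spf": "v=spf1 mx -all",
                          "a": [], "mx": ["198.51.100.7"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(envelope_from: str, client_ip: str) -> str:
    """Evaluate a, mx, ip4 and all for the domain of the envelope sender."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    record = DNS.get(domain, {}).get("spf")
    if not record:
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech in ("a", "mx"):
            matched = client_ip in DNS[domain][mech]
        elif mech.startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            matched = ipaddress.ip_address(client_ip) in net
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return RESULT[qualifier]
    return "neutral"

def srs_forward(envelope_from: str, forwarder: str, secret: bytes, day: int) -> str:
    """Rewrite the envelope sender as SRS0=hash=timestamp=domain=local@forwarder."""
    local, domain = envelope_from.rsplit("@", 1)
    b32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    ts = b32[(day % 1024) >> 5] + b32[day & 31]   # day counter, 10 bits
    # Hash input is an assumption of this sketch, not a wire-compatible SRS tag.
    mac = hmac.new(secret, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1)
    tag = base64.b64encode(mac.digest()).decode()[:4]
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder}"
```

The receiver evaluates SPF against whatever domain is in the envelope sender, so after the rewrite the forwarder's own record is the one consulted.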
To not look like forged mail, the "From" header field (not the
envelope) has to be validated with either DKIM or SPF. disroot.org
says this is supposed to be the case for mail from their domain:
Not exactly. DMARC validation requires that at least one of DKIM or SPF
Bastien Roucariès <rouca@debian.org> writes:
On Saturday, 16 July 2022, 21:49:31 UTC, Pierre-Elliott Bécue wrote:
Thanks for this hard work, however it seems that some mail clients consider these mails invalid, whereas Gmail and other verifier services consider them OK...
Any idea for debugging?
Bastien
Hi Bastien;
I'm not involved with the service (even as a user), but I am interested
in mail clients. Can you be more specific about what is failing and on
what client?
A sample message is typically needed to debug these things.
I'm not sure there is any sensible way to report issues (RT? BTS?) but
if someone knows, that would be useful to mention.
d