Hi @ll
I finally want to start with the new Email setup for openSUSE - and I'm currently looking for volunteers... :-)
Planned short term:
* set SPF records for openSUSE domains
* install mx1 and mx2.opensuse.org as incoming servers
** use postfix and rspamd
** integrate clamav (and reject messages seen as spam directly)
** integrate the alias table for members
Planned mid term:
* enable DKIM on all outgoing mail servers
Something I missed?
Regards,
Lars
--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
Lars Vogdt wrote:
Hi @ll
I finally want to start with the new Email setup for openSUSE - and I'm currently looking for volunteers... :-)
Planned short term:
* set SPF records for openSUSE domains
* install mx1 and mx2.opensuse.org as incoming servers
** use postfix and rspamd
** integrate clamav (and reject messages seen as spam directly)
** integrate the alias table for members
Planned mid term:
* enable DKIM on all outgoing mail servers
Something I missed?
Probably not :-)
Some comments:
Doing spam-filtering and virus-detection in-line (i.e. without queueing) will likely lead to time-outs. Mail-servers don't like to wait :-)
rspamd is very picky wrt standards. We had some issues last year.
For our member aliases, I would suggest tagging is better than rejecting (will always lead to more support cases). Unfortunately, it also means forwarding spam and virus, which the receiving server might not appreciate.
Use different outbound address for member forwarding, if we have, even a different range. (in case we get blacklisted).
Wrt DKIM - do we actually send out much email originating from 'opensuse.org' ? (other than automatic stuff).
--
Per Jessen, Zürich (8.8°C)
Member, openSUSE Heroes
On 28/03/2020 10.26, Per Jessen wrote:
Lars Vogdt wrote:
Hi @ll
I finally want to start with the new Email setup for openSUSE - and I'm currently looking for volunteers... :-)
Planned short term:
* set SPF records for openSUSE domains
* install mx1 and mx2.opensuse.org as incoming servers
** use postfix and rspamd
** integrate clamav (and reject messages seen as spam directly)
** integrate the alias table for members
Planned mid term:
* enable DKIM on all outgoing mail servers
Something I missed?
Probably not :-)
Some comments:
Doing spam-filtering and virus-detection in-line (i.e. without queueing) will likely lead to time-outs. Mail-servers don't like to wait :-)
rspamd is very picky wrt standards. We had some issues last year.
I remember. Please don't use it.
For our member aliases, I would suggest tagging is better than rejecting (will always lead to more support cases). Unfortunately, it also means forwarding spam and virus, which the receiving server might not appreciate. Use different outbound address for member forwarding, if we have, even a different range. (in case we get blacklisted).
Instead of scanning for viruses, which is slow, we could scan for executables, which is fast. Unfortunately, that would also block sending scripts as attachments, which I think is relatively common in this community. Separating the forwarding from the sending would allow different policies.
--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Hello,
On Saturday, 28 March 2020, 10:26:34 CEST, Per Jessen wrote:
Lars Vogdt wrote:
I finally want to start with the new Email setup for openSUSE - and I'm currently looking for volunteers... :-)
Planned short term: * set SPF records for openSUSE domains
I hope you'll set them to "?ALL" aka "don't care about the broken-by-design SPF" ;-)
Background: We don't have a way for our members to send out mails with @opensuse.org sender using an openSUSE server, therefore mails from @opensuse.org basically can/have to be sent from random servers around the world.
* install mx1 and mx2.opensuse.org as incoming servers
** use postfix and rspamd
** integrate clamav (and reject messages seen as spam directly)
** integrate the alias table for members
Agreed, and don't forget the mailinglist aliases and a few others like admin@ ;-)
Planned mid term:
* enable DKIM on all outgoing mail servers
Something I missed?
Probably not :-)
Some comments:
Doing spam-filtering and virus-detection in-line (i.e. without queueing) will likely lead to time-outs. Mail-servers don't like to wait :-)
I tend to disagree ;-)
I have been using pre-queue spam blocking (with amavis) for years without noticeable problems. Maybe my server is bored (~2000 incoming mails per day), but I'd expect similar or even lower numbers on the openSUSE mailservers.
Besides that, pre-queue is the only way to block/reject (!= bounce) spam and viruses without causing backscatter (bounces to faked sender addresses).
rspamd is very picky wrt standards. We had some issues last year.
For our member aliases, I would suggest tagging is better than rejecting (will always lead to more support cases). Unfortunately, it also means forwarding spam and virus, which the receiving server might not appreciate.
I remember some complaints that we forward spam, and adding a tag doesn't make it much better ;-)
Personally, I'd prefer to have spam mails rejected instantly, even if that comes with the risk of a few false positives.
(The perfect solution would be to make it configurable in self-service, but we'll probably need a replacement for connect.o.o before doing that.)
Legally, we might (IANAL) have to ask our members if they want to have spam blocked. Maybe "just" informing them would also be good enough, but that's something for a lawyer to answer.
Use different outbound address for member forwarding, if we have, even a different range. (in case we get blacklisted).
Right, forwarding spam is funny[tm].
Wrt DKIM - do we actually send out much email originating from 'opensuse.org' ? (other than automatic stuff).
All mailinglist posts have an envelope sender $ML+bounces-$number-$subscriber_address@opensuse.org ;-)
Regards,
Christian Boltz
--
I hope and intend to make the unclear situation even a bit more unclear. ;) [Lars Müller in opensuse-factory]
Christian Boltz wrote:
Hello,
On Saturday, 28 March 2020, 10:26:34 CEST, Per Jessen wrote:
Lars Vogdt wrote:
I finally want to start with the new Email setup for openSUSE - and I'm currently looking for volunteers... :-)
Planned short term: * set SPF records for openSUSE domains
I hope you'll set them to "?ALL" aka "don't care about the broken-by-design SPF" ;-)
Background: We don't have a way for our members to send out mails with @opensuse.org sender using an openSUSE server, therefore mails from @opensuse.org basically can/have to be sent from random servers around the world.
Good point. I wonder if an SPF record is worth bothering with, but maybe it is good to just announce "no policy".
Some comments:
Doing spam-filtering and virus-detection in-line (i.e. without queueing) will likely lead to time-outs. Mail-servers don't like to wait :-)
I tend to disagree ;-)
No problem :-)
I have been using pre-queue spam blocking (with amavis) for years without noticeable problems. Maybe my server is bored (~2000 incoming mails per day), but I'd expect similar or even lower numbers on the openSUSE mailservers.
Just to establish credentials: I have been doing spam-filtering as a business since 2006, and we currently process towards 10'000 messages/per second. The key delay contributors are DNS, the virus scan, a PDF scan and our fuzzy image matching.
Besides that, pre-queue is the only way to block/reject (!= bounce) spam and viruses without causing backscatter (bounces to faked sender addresses).
Yes, that is correct. A pre-queue filter is much better.
For our member aliases, I would suggest tagging is better than rejecting (will always lead to more support cases). Unfortunately, it also means forwarding spam and virus, which the receiving server might not appreciate.
I remember some complaints that we forward spam, and adding a tag doesn't make it much better ;-)
Correct, I agree.
Personally, I'd prefer to have spam mails rejected instantly, even if that comes with the risk of a few false positives.
We'll just assign all the support tickets to you then :-) That is the only reason I don't like the reject - people wondering what happened to their email.
(The perfect solution would be to make it configurable in self-service, but we'll probably need a replacement for connect.o.o before doing that.)
Legally, we might (IANAL) have to ask our members if they want to have spam blocked. Maybe "just" informing them would also be good enough, but that's something for a lawyer to answer.
Having thought about it, I strongly suggest we skip spam & virus filtering altogether. Filtering is a bit of a luxury, but it needs maintenance and tuning, regularly. Will we offer whitelisting and blacklisting to our members?
--
Per Jessen, Zürich (1.2°C)
Member, openSUSE Heroes
Per Jessen wrote:
Having thought about it, I strongly suggest we skip spam & virus filtering altogether. Filtering is a bit of a luxury, but it needs maintenance and tuning, regularly. Will we offer whitelisting and blacklisting to our members?
I forgot one thing - I would use greylisting, but ISTR some critical voices when I brought this up at our last meeting in Nürnberg? For me, selective greylisting is very efficient and requires only minimum maintenance and support.
--
Per Jessen, Zürich (-0.1°C)
Member, openSUSE Heroes
On 3/30/20 3:39 AM, Christian Boltz wrote:
Hello,
Planned mid term:
* enable DKIM on all outgoing mail servers
Something I missed?
Probably not :-)
Some comments:
Doing spam-filtering and virus-detection in-line (i.e. without queueing) will likely lead to time-outs. Mail-servers don't like to wait :-)
I tend to disagree ;-)
I have been using pre-queue spam blocking (with amavis) for years without noticeable problems. Maybe my server is bored (~2000 incoming mails per day), but I'd expect similar or even lower numbers on the openSUSE mailservers.
I'd be surprised if it was this low. Personally, I'm not using an openSUSE alias for any of these things, but it is reasonable that someone might. On average obs sends me 15,000 emails a month (joy of being on the review team), github can send out a significant number of emails a day, especially if you're in the openSUSE group, and I'm also subscribed to mailing lists that are one email per commit that can get up to a couple of hundred emails some days. It probably only takes a few members to be using their openSUSE addresses for some of these things to get well over that number.
--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
participants (5)
- Carlos E. R.
- Christian Boltz
- Lars Vogdt
- Per Jessen
- Simon Lees