On Friday, 1 September 2023 18:12:51 CEST, mh@mike.franken.de wrote:
On Friday, 1 September 2023 13:54:47 CEST Freek de Kruijf wrote:
In your case I assume you have one or more servers, more or less directly connected to the internet. The measures I wrote about are only necessary on
The postfix can't be reached from the internet, incoming mail is fetched via uucp. The dovecot server is available from the internet via vpn, but not directly. Outgoing mail can be sent via the postfix server - in this direction by smtp, not by uucp. Everything is protected by pfSense routers *and* additionally by a Fritz!Box firewall.
But the server that delivers the email via uucp receives it from the internet, so that's the server that needs to do the checking I talked about (checks using SPF, DKIM and DMARC).
this/these server(s). The server of your computer club? It is a requirement that outgoing email to the internet is presented on port 587 (submission), obviously authenticated.
This is how my postfix server is delivering mail to the smtp server of my computer club.
And this server is sending the email onto the internet. So this one could sign these messages with the DKIM signature. Depending on the number of domain names in the from addresses, you need to have several DKIM keys and several SPF and DMARC entries in the DNSes for these domains. Once you have it set up for one domain name, it is rather straightforward to support more domain names.

-- 
fr.gr.
member openSUSE
Freek de Kruijf
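The per-domain requirement described in the message above (an SPF, a DKIM and a DMARC entry for every From domain) can be checked mechanically. The following is an added example, not part of the original thread: it audits constructed TXT data for two From domains, and the domains, the selector `mail2023` and the key value are assumptions used only for illustration.

```python
# Constructed sample TXT data (name -> TXT strings); no DNS lookups are made.
SAMPLE_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.25 -all"],
    "mail2023._domainkey.example.org": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; rua=mailto:postmaster@example.org"],
    # Second From domain: SPF published twice, DKIM key revoked, no DMARC.
    "example.net": ["v=spf1 ip4:192.0.2.25 -all", "v=spf1 mx ~all"],
    "mail2023._domainkey.example.net": ["v=DKIM1; k=rsa; p="],
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain, selector, txt):
    """Return the list of problems found for one From domain."""
    problems = []
    spf = [r for r in txt.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        # RFC 7208: no record means no policy, more than one is a permerror.
        problems.append("SPF: expected exactly 1 record, found %d" % len(spf))
    dkim = [parse_tags(r) for r in txt.get("%s._domainkey.%s" % (selector, domain), [])]
    if not dkim:
        problems.append("DKIM: no key published for selector " + selector)
    elif not dkim[0].get("p"):
        # RFC 6376: an empty p= tag marks the key as revoked.
        problems.append("DKIM: key for selector %s is revoked (empty p=)" % selector)
    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        problems.append("DMARC: no policy record")
    elif dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("DMARC: missing or invalid p= tag")
    return problems


def audit(domains, selector, txt=SAMPLE_TXT):
    return {d: audit_domain(d, selector, txt) for d in domains}


if __name__ == "__main__":
    for name, found in audit(["example.org", "example.net"], "mail2023").items():
        print(name, found or "OK")
```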