Hello,

On Saturday, 28 March 2020, 10:26:34 CEST, Per Jessen wrote:
Lars Vogdt wrote:
I finally want to start with the new Email setup for openSUSE - and I'm currently looking for volunteers... :-)
Planned short term:
* set SPF records for openSUSE domains
I hope you'll set them to "?ALL" aka "don't care about the broken-by-design SPF" ;-)

Background: We don't have a way for our members to send out mails with @opensuse.org sender using an openSUSE server, therefore mails from @opensuse.org basically can/have to be sent from random servers around the world.
* install mx1 and mx2.opensuse.org as incoming servers
** use postfix and rspamd
** integrate clamav (and reject messages seen as spam directly)
** integrate the alias table for members
Agreed, and don't forget the mailinglist aliases and a few others like admin@ ;-)
Planned mid term:
* enable DKIM on all outgoing mail servers
Something I missed?
Probably not :-)
Some comments:
Doing spam-filtering and virus-detection in-line (i.e. without queueing) will likely lead to time-outs. Mail-servers don't like to wait :-)
I tend to disagree ;-) I have used pre-queue spam blocking (with amavis) for years without noticeable problems. Maybe my server is bored (~2000 incoming mails per day), but I'd expect similar or even lower numbers on the openSUSE mailservers. Besides that, pre-queue is the only way to block/reject (!= bounce) spam and viruses without causing backscatter (bounces to faked sender addresses).
rspamd is very picky wrt standards. We had some issues last year.
For our member aliases, I would suggest tagging is better than rejecting (will always lead to more support cases). Unfortunately, it also means forwarding spam and virus, which the receiving server might not appreciate.
I remember some complaints that we forward spam, and adding a tag doesn't make it much better ;-) Personally, I'd prefer to have spam mails rejected instantly, even if that comes with the risk of a few false positives. (The perfect solution would be to make it configurable in self-service, but we'll probably need a replacement for connect.o.o before doing that.) Legally, we might (IANAL) have to ask our members if they want to have spam blocked. Maybe "just" informing them would also be good enough, but that's something for a lawyer to answer.
Use different outbound address for member forwarding, if we have, even a different range. (in case we get blacklisted).
Right, forwarding spam is funny[tm].
Wrt DKIM - do we actually send out much email originating from 'opensuse.org' ? (other than automatic stuff).
All mailinglist posts have an envelope sender $ML+bounces-$number-$subscriber_address@opensuse.org ;-)

Regards,

Christian Boltz
-- 
I hope and intend to make the unclear situation even a bit more unclear. ;)
[Lars Müller in opensuse-factory]