Tech:Mail

From Meta
Jump to navigation Jump to search

Mail is currently running on mail2 under mail.miraheze.org. The install makes use of Postfix and Dovecot along with LDAP modules for authentication.

Add new email accounts[edit | edit source]

In order to add a new email account, it is a requirement that an LDAP account exists first. You can read the documentation for this here.

In order to enable email on an LDAP account you need to add the following lines to the LDAP entry:

objectClass: postfixUser

maildrop: <cn>@mail.miraheze.org

mailacceptinggeneralid: <cn>@miraheze.org

Remove email accounts[edit | edit source]

There are two ways to remove an email account:

  1. Delete the LDAP account by using the documentation here,
  2. Remove the 'maildrop' line from the LDAP entry.

Aliases[edit | edit source]

Aliases are now handled inside LDAP. To enable an alias for an individual account, e.g. to redirect johnflewis at miraheze.org to john at miraheze.org you would add the line mailacceptinggeneralid: johnflewis at miraheze.org to the LDAP account 'John'.

However, not all aliases will be for individual people - sometimes there will be groups of people which you might want to manage as a single entity or may be associated with an already existing LDAP group. For this, you can add the following code to a LDAP group;

objectClass: postfixGroup

mailacceptinggeneralid: <alias>@miraheze.org

All mail would then be sent to either;

  1. All users who are a member of that group if they have a maildrop attribute, or
  2. You need to specify a maildrop: <email> attribute to have the emails sent to.

There can be multiple maildrop and mailacceptinggeneralid attributes.


Anti-spoofing[edit | edit source]

We use following standard techniques to combat email address spoofing.

DKIM[edit | edit source]

DKIM is used to sign all emails out-going from mail1. The public key is stored in DNS (in TXT format) and the private key is stored in private git. It can be generated by doing opendkim-genkey -s mail -d miraheze.org.

This generates a public and private key pair. The private key should be stored in private git while the public key should be added to the DNS repo in order allow the world to verify emails.

SPF[edit | edit source]

SPF records are set to only accept mails from mail1.

DMARC[edit | edit source]

Our DMARC policy informs to reject If above techniques fails: incoming mail servers are instructed to not accept any mails that does not pass the requirements.

See also[edit | edit source]