Wow, just checked my spam for my Grapl email and it's wild. I wonder if all of these companies offering their services realize that their emails are being automatically sent to spam.
Replying to
For the GrapheneOS mail server, we enforce strict SPF (reject on hard or soft fail), DKIM (reject on errors such as DKIM signed but missing record) and DMARC along with only accepting mail via TLS. Eliminates nearly all spam. Fine with missing mail from broken servers.
Occasionally some marketing spam makes it through, and if it appears to be in an official capacity, I add their domain to a list of entirely rejected ones.
Also, enforcing some basic rules on header / HELO validity, etc.
Haven't needed PTR checks, graylisting, spam filtering.
Replying to
I still have to figure out how to set a lot of this up for Grapl. We're all GSuite.
Replying to
postfix + dovecot + opendkim + opendmarc + python-postfix-policyd-spf
It's a whole bunch of configuration. Can optionally put nginx in front as a reverse proxy with the mail modules to provide denial of service resistance and better TLS configuration (optionally BoringSSL too).
Can use internet.nl/mail/grapheneo and havedane.net for testing that stuff, then something else for testing inbound MTA-STS. Outbound MTA-STS is too painful. The available implementation for outbound weakens DANE by not preferring DANE over MTA-STS when available.
It's a huge pain to set up compared to other things. A lot of the defaults are pretty bad. I have some of our configurations published but not the Postfix and Dovecot ones because that's a mess. Most of the work is Postfix configuration.
This is the only particularly aggressive configuration for anti-spam (reject mail with DKIM failures from key not found):
github.com/GrapheneOS/mai
I don't find rejecting mail without TLS to really ever cause any issues, but I guess normal people would consider that aggressive.
Oh, also, need unbound to provide DNSSEC unless you actually want to use systemd-resolved which has unfortunately been a quite sketchy part of systemd.
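The accept/reject policy described in the thread (TLS required, SPF hard or soft fail rejected, DKIM key-not-found rejected, DMARC enforced), modelled as an added Python example that is not part of the thread or of the GrapheneOS configuration. It reads the verifier's Authentication-Results headers; the authserv-id `mx.example`, the sample headers, the reply texts and the mapping of a missing key record to `permerror` are assumptions.

```python
import re

# Results that lead to rejection under the policy described in the thread.
# Assumptions: a signed message whose DKIM key record is missing is reported
# as "permerror"; unsigned mail ("none") is not rejected by this sketch; every
# dmarc=fail is rejected regardless of the sender's published policy.
REJECT = {"spf": {"fail", "softfail"}, "dkim": {"permerror"}, "dmarc": {"fail"}}

RESINFO_RE = re.compile(r";\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)


def parse_auth_results(value, authserv_id):
    """Return {method: [results]} from one Authentication-Results value.

    Headers stamped with a different authserv-id were not added by our own
    verifier and are ignored, since the sender controls them.
    """
    cleaned = re.sub(r"\([^()]*\)", " ", value)  # drop RFC 5322 comments
    stamped_by = cleaned.split(";", 1)[0].split()
    if not stamped_by or stamped_by[0].lower() != authserv_id.lower():
        return {}
    found = {}
    for method, result in RESINFO_RE.findall(cleaned):
        found.setdefault(method.lower(), []).append(result.lower())
    return found


def decide(auth_headers, authserv_id, tls_used):
    """Return (accepted, smtp_reply) for one inbound message."""
    if not tls_used:
        return False, "530 5.7.0 Must issue a STARTTLS command first"
    merged = {}
    for value in auth_headers:
        for method, results in parse_auth_results(value, authserv_id).items():
            merged.setdefault(method, []).extend(results)
    for method in ("spf", "dkim", "dmarc"):
        bad = sorted(REJECT[method].intersection(merged.get(method, [])))
        if bad:
            return False, f"550 5.7.1 {method}={bad[0]}"
    return True, "250 2.0.0 Ok"


# Constructed sample headers; mx.example is a hypothetical authserv-id.
FORGED = "sender.example; spf=pass; dkim=pass; dmarc=pass"
SOFTFAIL = "mx.example; spf=softfail smtp.mailfrom=a@b.example; dkim=none"
NO_KEY = "mx.example; spf=pass; dkim=permerror (key not found) header.d=b.example"
CLEAN = "mx.example; spf=pass; dkim=pass header.d=b.example; dmarc=pass"
```

In a real Postfix deployment these decisions are made at SMTP time by the SPF policy daemon and the DKIM/DMARC milters; the function only shows the combined outcome for a given set of results.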

