For the GrapheneOS mail server, we enforce strict SPF (reject on hard or soft fail), DKIM (reject on errors such as DKIM signed but missing record) and DMARC along with only accepting mail via TLS. Eliminates nearly all spam. Fine with missing mail from broken servers.
Conversation
Occasionally some marketing spam making it through and if it appears to be in an official capacity, I add their domain to a list of entirely rejected ones.
Also, enforcing some basic rules on header / HELO validity, etc.
Haven't needed PTR checks, graylisting, spam filtering.
2
1
Replying to
I still have to figure out how to set a lot of this up for Grapl. We're all GSuite.
1
Replying to
postfix + dovecot + opendkim + opendmarc + python-postfix-policyd-spf
It's a whole bunch of configuration. Can optionally put nginx in front as a reverse proxy with the mail modules to provide denial of service resistance and better TLS configuration (optionally BoringSSL too).
1
Can use internet.nl/mail/grapheneo and havedane.net for testing that stuff, then something else for testing inbound MTA-STS. Outbound MTA-STS is too painful. The available implementation for outbound weakens DANE by not preferring DANE over MTA-STS when available.
1
It's a huge pain to set up compared to other things. A lot of the defaults are pretty bad. I have some of our configurations published but not the Postfix and Dovecot ones because that's a mess. Most of the work is Postfix configuration.
1
This is the only particularly aggressive configuration for anti-spam (reject mail with DKIM failures from key not found):
github.com/GrapheneOS/mai
I don't find rejecting mail without TLS to really ever cause any issues, but I guess normal people would consider that aggressive.
1
Oh, also, need unbound to provide DNSSEC unless you actually want to use systemd-resolved which has unfortunately been a quite sketchy part of systemd.
1
If you sent an email to me via Gmail or G Suite, they'd authenticate our server using a weaker form of WebPKI without CT due to MTA-STS. MTA-STS support is rare though.
A major advantage to your own mail server aside from usual self-hosting advantages is inbound/outbound DANE.
1
1
You can actually have DNSSEC by using the alternate set of G Suite addresses:
mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog
They don't have TLSA records though, so still no inbound DANE and they don't do outbound DANE either.
1
2
There are actually a lot of mail servers with DANE support, particularly in the EU. More likely than not there's DANE available for emails to/from *.nl addresses.
Maybe Google will give in and admit it's a good thing after Microsoft has finished deploying it as they announced.
MTA-STS is actually trash... the Gmail domain only has a 1 day max-age too, so if your server doesn't send email to Gmail for a day it loses the MTA-STS enforcement. I'd set it up for outbound if it didn't downgrade DANE security for domains with both. :\
1
It doesn't. MTA-STS is designed not to interfere with DANE deployments when the two overlap.
1
Show replies