[[!meta title="Custom domain"]]

Using your own domain name
==========================

Anyone can connect their own domain name to fripost.org. You then get an unlimited number of aliases that can be linked to your inbox.

This means that if, for example, I own the domain name `skangas.se`, I can connect it to my Fripost account. On skangas.se I can then have several different addresses that all go to the same place:

    skangas@skangas.se -> stefan@fripost.org
    kontakt@skangas.se -> stefan@fripost.org
    info@skangas.se -> stefan@fripost.org

People can then reach me at several different addresses, all of which are collected in my inbox for `stefan@fripost.org`.

The procedure for setting this up currently involves some manual work, but we are working on making it easier.


How do I do it?
===============

 1. Send an e-mail to [admin@fripost.org](mailto:admin@fripost.org) from your Fripost account with the desired domain name. Include any aliases in a reasonable format, e.g. a long list with one e-mail address per line or, even better, all of them on one long line separated by a comma and a space. This makes it possible to send e-mail from Fripost with the desired addresses as sender.

 2. Wait for confirmation that your domain name has been added to Fripost's systems.

 3. Once the confirmation has arrived, the [MX records](https://en.wikipedia.org/wiki/MX_record) in the DNS zone for the domain name must be updated so that they refer to Fripost's mail servers. In most cases this can be done at the registrar where the domain name was purchased. This ensures that e-mail sent to the desired address ends up at Fripost.

    Fripost's mail servers have these addresses:

        mx1.fripost.org
        mx2.fripost.org

    A suggested priority for the different servers is `5`, `10` and `15`.

    As a result, the complete MX records look like this by default (note the dots after the server addresses):

        Subdomain  Type  TTL    Data
        @          MX    7200   5 mx1.fripost.org.
        @          MX    7200   10 mx2.fripost.org.

    The registrar where the domain was purchased probably has detailed instructions on its website for how to configure its particular service. It can take up to 48 hours after you have changed your MX records before they have propagated across the whole Internet.

 4. Finally, you must configure the webmail or your e-mail client to use the new address.

    In the webmail you do this by logging in, going to `Settings -> Identities`, clicking the `+` sign at the bottom left, filling in your name and the new address, and clicking Save. You can then choose the new address as sender when composing new e-mail.

    In the e-mail client Icedove/Thunderbird you do this under `Settings -> Account Settings`. Under the heading `Default Identity`, change the field `Email Address` to the new address. From then on, e-mail will be sent with the new address as sender.

Done!


Frequently asked questions
==========================

Can I have more than one domain name?
-------------------------------------

Yes, if you want to connect more than one domain name, send an e-mail to
[admin@fripost.org](mailto:admin@fripost.org) and we will see what we can
do. But keep in mind that the administrators do this in their spare time :-)

Some members have chosen to donate extra money to Fripost as thanks
for the administrators being kind enough to add their extra
domain names.

If several of us are members, can we have different addresses from the same domain go to different accounts with you?
---------------------------------------------------------------------------------------------------------------------

Yes, there is nothing preventing that. However, we can have at most one person listed as owner per domain name. All changes to any aliases must be made by its owner.


Technical questions (in English)
================================

What about the reserved `postmaster@` and `abuse@` addresses?
-------------------------------------------------------------

According to [RFC 822 Section 6.3](https://tools.ietf.org/html/rfc822#section-6.3) and
[RFC 2142 Section 4](https://tools.ietf.org/html/rfc2142#section-4), the
addresses `postmaster@yourdomain.se` and `abuse@yourdomain.se` are both
reserved and required, and *must* be routed to the person(s) responsible
for your domain's mail system, i.e., [admin@fripost.org](mailto:admin@fripost.org).
For convenience they are also automatically forwarded to the domain
owner(s), but *beware that the Fripost admin team will also receive and
read them*!

On a related note, we encourage domain owners to create aliases for
common roles and services such as `root@`, `hostmaster@`, `webmaster@`,
etc.  See [RFC 2142](https://tools.ietf.org/html/rfc2142) for details.

For [technical reasons](http://www.postfix.org/postconf.5.html#double_bounce_sender),
messages to `double-bounce@` are silently discarded.
Furthermore, a virtual domain `discard.fripost.org` is available on the
MXes, for which all messages are silently discarded.  Hence you can
define your own `noreply@` alias by routing it to `noreply@discard.fripost.org`.

I want my domain `example.net` to mirror my other domain `example.org`, but only add addresses under the latter.
----------------------------------------------------------------------------------------------------------------

What you want is to make `example.net` a *domain alias* and point it
to `example.org`.  You won't be able to configure `example.net` directly
(you won't be able to create `my-alias@example.net` for instance);
instead any message to, say, `whatever@example.net` will be routed to
`whatever@example.org` (if it exists; the message will bounce otherwise).
Just drop us a line at [admin@fripost.org](mailto:admin@fripost.org) if
you want a domain alias, and tell us its destination (just like with
regular aliases, the destination doesn't have to be hosted at Fripost).

I want to receive messages sent to `anything@example.org`, but I can't create an infinite number of aliases!
------------------------------------------------------------------------------------------------------------

No problem, we can add a catch-all address on your domain. Catch-alls
have the lowest priority, so you can still have regular aliases and
point them to another address (`anything@example.org` will be delivered
to the catch-all address *only* if `anything@example.org` is not an
explicitly existing address).  Beware that you may receive a lot of junk
on your catch-all address, though! (Spammers like to shoot randomly, as
it's a way to discover the valid recipients under a given domain.)
Also, don't forget that the reserved addresses `postmaster@` and
`abuse@` get special treatment and will always bypass your catch-all
address (see above).

Why are my outgoing emails signed with Fripost's DKIM key?
----------------------------------------------------------

When you're using our Mail Submission Agent (`smtp.fripost.org`, see our
[wiki page](https://wiki.fripost.org/konfigurera/) on the subject) or our
[webmail](https://mail.fripost.org) to send an email, you might have
noticed a "DKIM-Signature" field in the mail header on the receiver side:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org; …; s=8f00fb94ec6c37aacb48bd43e073f9b7; …

This field was added just before your mail left Fripost's infrastructure.  The
selector and signing domain, respectively given by "s=" and "d=", provide a way
for the receiver to fetch the public part of the key used to sign the message
from the signing domain's DNS zone:

    $ dig 8f00fb94ec6c37aacb48bd43e073f9b7._domainkey.fripost.org TXT +short \
        | sed 's/" "//g' | tr -d '"' \
        | fold -w64 | sed '1s/.*/  ( "&"/; 1!s/.*/    "&"/; $s/$/ )/'
      ( "v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
        "MIIBCgKCAQEApmCWIVZt+L/bJ5+abvdmFm6Er/9g6e4WX2HKyeIfC5eDaPbUyHqH"
        "SY7xzWNiU+cbBvny8BASkdWsclLdoiuMJ6Yes5VSzkH6j2gp9Uuy7d6p61Jbrizi"
        "7/CQzCZfhi5uGKiGtV2g+V/sIuXekm9Q+Q2eqjj/6hUHGDPTTKEFlgruyaS6y+Ke"
        "s+sJYjMG62lbTOKL5TjY6z0Gr2AMfglBUj9QWD5jm+bH0clE1HZq51mxXQbV2v/7"
        "JEHjznR0nSB+jY2EV7g/MXM8DwJCDH4ZcknoH0NrcJRjuRt8ndufnx4Qh0t7qqWw"
        "mGF0jZOcZxHeODfkUlLxQ4SCMVeqV/SSTwIDAQAB" )

(Where the Resource Record is formatted as a parentheses-enclosed list
of chunks, cf. [RFC 1035 sec. 5.1](https://tools.ietf.org/html/rfc1035#section-5.1).)
The public part of our DKIM keys can also be found in
[our Ansible repository](https://git.fripost.org/fripost-ansible/tree/certs/dkim).

See RFCs [6376](https://tools.ietf.org/html/rfc6376) and
[7001](https://tools.ietf.org/html/rfc7001) for references. The 
[Wikipedia page](https://en.wikipedia.org/wiki/Dkim) might be another
good read.

Your email is signed with fripost.org's key whenever you use our
machines to send it, regardless of the identity you used ("From:" header
or envelope sender address), because Fripost stamps your message
the last time it sees it, just before releasing it into the wild, and can
guarantee its integrity on your behalf.

If you use your own domain for outgoing mail, note however that the
receiver's mail client might emphasize that your messages are signed by
Fripost's key and not your own
(GMail [surely does](https://support.google.com/mail/answer/1311182), for
instance).  This doesn't really disclose anything as our domain can be
found in the mail header anyway, but if you prefer to have your own key,
drop us a line and we will work something out.
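
The lookup described above, as an added example that is not part of Fripost's own code: it derives the DNS name from the `s=` and `d=` tags, reassembles a chunked TXT answer, and reports when the signing domain differs from the "From:" domain. The header and TXT answer are constructed samples; only `d=` and `s=` are the values quoted on this page, and all function names are hypothetical.

```python
import re

# Constructed sample header; d= and s= are the values quoted on this page,
# every other tag value is a placeholder.
HEADERS = (
    "From: Stefan <kontakt@skangas.se>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org;\r\n"
    "\th=from:to:subject; s=8f00fb94ec6c37aacb48bd43e073f9b7;\r\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\r\n"
)
# Constructed dig-style answer: one TXT record split into quoted chunks.
TXT_ANSWER = '"v=DKIM1; k=rsa; t=s; s=email; p=PLACE" "HOLDERKEY"'


def header_value(raw, name):
    """Return the unfolded value of the first header field called `name`."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    for line in unfolded.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_tags(value):
    """Parse a tag=value list (RFC 6376 sec. 3.2); whitespace in values is dropped."""
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}


def key_query_name(raw):
    """DNS name where the receiver fetches the public key: <s>._domainkey.<d>."""
    tags = parse_tags(header_value(raw, "DKIM-Signature"))
    return f"{tags['s']}._domainkey.{tags['d']}"


def parse_key_record(answer):
    """Join the quoted chunks of a TXT answer, then parse the key's tags."""
    return parse_tags("".join(re.findall(r'"([^"]*)"', answer)))


def signer_differs_from_author(raw):
    """True when d= is not the domain of the From: address."""
    from_domain = re.search(r"@([^\s>]+)", header_value(raw, "From")).group(1)
    d = parse_tags(header_value(raw, "DKIM-Signature"))["d"]
    return from_domain.lower() != d.lower()
```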

Should I publish an SPF (Sender Policy Framework) record for my domain?
-----------------------------------------------------------------------

The [Wikipedia page](https://en.wikipedia.org/wiki/Sender_policy_framework)
has a nice introduction to SPF; other references include the
"official" [SPF page](http://www.openspf.org) and RFCs
[6652](https://tools.ietf.org/html/rfc6652) and
[7208](https://tools.ietf.org/html/rfc7208).

`fripost.org` currently uses the following policy:

    $ dig +short fripost.org TXT
    "v=spf1 redirect=outgoing.fripost.org"
    $ dig +short outgoing.fripost.org TXT
    "v=spf1 a ?all"

This essentially says that `outgoing.fripost.org` is authorized to send mails
from `@fripost.org` addresses (more precisely, that the authorized sending hosts' IPs
can be found in the A and AAAA records for `outgoing.fripost.org`).
This host is used whenever you use our Mail Submission Agent or webmail,
for instance; if a message from a `@fripost.org` address is sent
from another host, the `?all`
(aka [NEUTRAL](http://www.openspf.org/SPF_Record_Syntax)) says that we
don't know whether the host is authorized or not, and that the receiver
should proceed as if there wasn't any SPF policy. With that information
at hand, the recipient may decide to classify the message as SPAM or HAM
for instance.

If you have your own domain and use Fripost's infrastructure to send
mails, you can point your domain to our policy, too.  Here are a few
possible scenarios:

    example.org IN TXT "v=spf1 redirect=outgoing.fripost.org"

Here `example.org` is merely copying Fripost's policy.

    example.org IN TXT "v=spf1 include:outgoing.fripost.org -all"

Here the policy says that mails `@example.org` should PASS if they're
being accepted by Fripost's policy, that is if the sender host is
`outgoing.fripost.org` and FAIL otherwise (where Fripost's policy would
return NEUTRAL).  Note however that DNS is spoofable, and as
unfortunately Fripost doesn't use DNSSEC at the moment, an attacker
could for instance poison the DNS cache and fake the reply for
`outgoing.fripost.org`'s TXT record.

    example.org IN TXT "v=spf1 a include:outgoing.fripost.org -all"

Here the policy is similar to the one before, but in addition the A and
AAAA records for `example.org` are also allowed to send mails for that
domain.  (For instance you have your own mail server, and use that of
Fripost as a backup; or vice-versa.)
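
To compare the three scenarios, the following added example (not Fripost's code, and not a full RFC 7208 implementation) evaluates the `a`, `include`, `all` and `redirect` terms against an in-memory zone. The policies are the ones quoted on this page; the names `copy.example`, `strict.example` and `own.example` stand in for `example.org` under each policy, and all IP addresses are constructed documentation-range placeholders.

```python
import ipaddress

# Constructed zone: TXT policies as quoted on this page, addresses are placeholders.
TXT = {
    "fripost.org": "v=spf1 redirect=outgoing.fripost.org",
    "outgoing.fripost.org": "v=spf1 a ?all",
    "copy.example": "v=spf1 redirect=outgoing.fripost.org",
    "strict.example": "v=spf1 include:outgoing.fripost.org -all",
    "own.example": "v=spf1 a include:outgoing.fripost.org -all",
}
ADDR = {"outgoing.fripost.org": ["192.0.2.25"], "own.example": ["198.51.100.7"]}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate a subset of SPF (a, include, all, redirect) for a sender IP."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # loop guard; the RFC bounds DNS-querying terms similarly
        return "permerror"
    ip = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            hosts = ADDR.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            # include matches only if the inner policy says pass; an inner
            # neutral or fail means "no match", and evaluation continues.
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIER[qual]
    if redirect:  # redirect is only consulted when no mechanism matched
        return check_host(str(ip), redirect, depth + 1)
    return "neutral"
```

A sender outside the listed hosts gets `neutral` under the `redirect=` policy but `fail` under either `include:… -all` policy, which is the practical difference between the first scenario and the other two.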


Whichever SPF policy you choose, be sure to test it!  Please read
OpenSPF's [FAQ](http://www.openspf.org/FAQ),
[Common Mistakes](http://www.openspf.org/FAQ/Common_mistakes) and
[Best Practices](http://www.openspf.org/Best_Practices) pages.
There are e-mail based SPF testers; unfortunately the "official"
one [spf-test@openspf.net](mailto:spf-test@openspf.net) doesn't work
anymore, but you can use
[Port25.com](https://www.port25.com/support/authentication-center/email-verification/)'s
for instance.