minor tweaks to email docs
authored by anarcat
We do a pass to comply with Harper's complaints, fix a mdlint warning
and generally try to match our style used elsewhere.
......@@ -1050,7 +1050,7 @@ This service was setup following some or all of those documents:
* [first discussion of the submission service](meeting/2019-06-03#new-mail-service-requests), the project was
actually agreed upon at the Stockholm meeting in 2019
# New mail setup as per 2024-11-25
## New mail setup as per 2024-11-25
Our new MX (mx-dal-01.torproject.org) and SRS (srs-dal-01.torproject.org) servers try to fit into the picture presented in TPA-RFC-44:
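Review bot: the unchanged line right under the demoted heading still gives the two hostnames, mx-dal-01.torproject.org and srs-dal-01.torproject.org, as plain text, while the rest of this pass wraps domain names in backticks. Suggest formatting both as code here as well. The context shown in the hunk header also reads "This service was setup", where the verb form is "set up"; worth fixing in the same pass.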
......@@ -1060,15 +1060,15 @@ SRS would classify as 'other TPA mail server' in this picture. It notably *does*
### Routing
Our main domain name is torproject.org. There are numerous subdomains and domain variants (e.g., nevii.torproject.org, torproject.net, etc.). These are all alias domains, meaning all addresses will be aliased to their torproject.org counterpart.
Our main domain name is `torproject.org`. There are numerous subdomains and domain variants (e.g., `nevii.torproject.org`, `torproject.net`, etc.). These are all alias domains, meaning all addresses will be aliased to their `torproject.org` counterpart.
Lacking mailboxes, a torproject.org e-mail address can either be defined as an alias or as a forward.
Lacking mailboxes, a `torproject.org` e-mail address can either be defined as an alias or as a forward.
Aliases are defined in hiera.
Aliases are defined in Hiera.
Domain aliases are defined in hiera and through puppet exported resources.
Domain aliases are defined in Hiera and through puppet exported resources.
Forwards are defined in hiera and in LDAP.
Forwards are defined in Hiera and in LDAP.
The MX resolves all aliases. It does *not* resolve forwards, but transports them to the SRS server(s). It does *not* deliver mail to internet non-TPO mail servers.
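Review bot: in the changed line "Domain aliases are defined in Hiera and through puppet exported resources", Hiera is now capitalised but puppet is left lowercase. Suggest "Puppet exported resources" so both tool names follow the same convention across the Routing section.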
......@@ -1076,21 +1076,21 @@ The SRS server resolves all forwards, applies sender rewriting when necessary, a
### DNS
MX servers need to be part of the torproject.org MX record.
MX servers need to be part of the `torproject.org` MX record.
SRS servers need to be part of the srs.torproject.org MX record.
SRS servers need to be part of the `srs.torproject.org` MX record.
SRS servers need to be added to the torproject.org SPF record.
SRS servers need to be added to the `torproject.org` SPF record.
SRS servers need to have their DKIM keys added to torproject.org DNS.
SRS servers need to have their DKIM keys added to `torproject.org` DNS.
All mail servers need reverse DNS records.
All mail servers need a TLSA record.
### SSL
### TLS
All mail servers need a valid public CA (letsencrypt) certificate.
All mail servers need a valid public CA (Let's Encrypt) certificate.
All mail servers implement DANE (both in terms of publishing a TLSA record and checking for TLSA records when delivering mail).
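Review bot: renaming the heading from `### SSL` to `### TLS` changes the anchor generated for that section, so any link that points at the old anchor will stop resolving. Please check the wiki for references to the old heading before merging, or mention the rename in the commit message so it can be traced later.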
......@@ -1098,21 +1098,21 @@ All mail servers implement DANE (both in terms of publishing a TLSA record and c
DMARC checks are performed on the MX servers and Authentication-Results are added as header. DMARC is not strictly enforced, but failure to pass results in penalties to the spam score.
The SRS servers add DKIM signatures for all mail that has a From: header with a torproject.org address (header From, not envelope From). It does so using rspamd.
The SRS servers add DKIM signatures for all mail that has a From: header with a `torproject.org` address (header `From`, not envelope From). It does so using rspamd.
### Antispam/virus
### Spam and virus checks
The MX server checks incoming mail for spam and virusses using rspamd and clamav.
The MX server checks incoming mail for spam and virus using rspamd and clamav.
Viruses and very obvious spam get rejected straightaway.
Suspicion of possible spam results in greylisting, with spam results added as headers when the mail does go through.
Suspicion of possible spam results in gray listing, with spam results added as headers when the mail does go through.
### SRS
SRS servers perform sender rewriting, changing the envelope From to a torproject.org address where needed.
SRS servers perform sender rewriting, changing the envelope `From` to a `torproject.org` address where needed.
The MX servers translate rewritten torproject.org addresses back to their original to process bounce mails.
The MX servers translate rewritten `torproject.org` addresses back to their original to process bounce mails.
# Discussion
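Review bot: "checks incoming mail for spam and virus" in the Spam and virus checks section fixes the misspelling but leaves the sentence ungrammatical; "spam and viruses" matches the next line, which already says "Viruses". In the same hunk, "gray listing" splits the established name of the technique, so suggest keeping "greylisting" and adding it to the spell checker's dictionary instead. The DKIM line now reads "header `From`, not envelope From", while the SRS section has "envelope `From`"; pick one form for both.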