Commit 04ba9622 authored by groente

add some basic documentation on the new mx and srs servers

parent 1c591e8a
......@@ -1050,6 +1050,70 @@ This service was setup following some or all of those documents:
* [first discussion of the submission service](meeting/2019-06-03#new-mail-service-requests), the project was
actually agreed upon at the Stockholm meeting in 2019
# New mail setup as per 2024-11-25
Our new MX (mx-dal-01.torproject.org) and SRS (srs-dal-01.torproject.org) servers try to fit into the picture presented in TPA-RFC-44:
![](../policy/tpa-rfc-44-email-emergency-recovery/architecture-post.png)
SRS would classify as 'other TPA mail server' in this picture. It notably *does* send mail to internet non-TPO mail hosts.
### Routing
Our main domain name is torproject.org. There are numerous subdomains and domain variants (e.g., nevii.torproject.org, torproject.net, etc.). These are all alias domains, meaning all addresses will be aliased to their torproject.org counterpart.
Lacking mailboxes, a torproject.org e-mail address can either be defined as an alias or as a forward.
Aliases are defined in hiera.
Domain aliases are defined in hiera and through puppet exported resources.
Forwards are defined in hiera and in LDAP.
The MX resolves all aliases. It does *not* resolve forwards, but transports them to the SRS server(s). It does *not* deliver mail to internet non-TPO mail servers.
The SRS server resolves all forwards, applies sender rewriting when necessary, and sends the mail out into the world.
### DNS
MX servers need to be part of the torproject.org MX record.
SRS servers need to be part of the srs.torproject.org MX record.
SRS servers need to be added to the torproject.org SPF record.
SRS servers need to have their DKIM keys added to torproject.org DNS.
All mail servers need reverse DNS records.
All mail servers need a TLSA record.
### SSL
All mail servers need a valid public CA (letsencrypt) certificate.
All mail servers implement DANE (both in terms of publishing a TLSA record and checking for TLSA records when delivering mail).
### DMARC
DMARC checks are performed on the MX servers and Authentication-Results are added as header. DMARC is not strictly enforced, but failure to pass results in penalties to the spam score.
The SRS servers add DKIM signatures for all mail that has a From: header with a torproject.org address (header From, not envelope From). It does so using rspamd.
### Antispam/virus
The MX server checks incoming mail for spam and virusses using rspamd and clamav.
Viruses and very obvious spam get rejected straightaway.
Suspicion of possible spam results in greylisting, with spam results added as headers when the mail does go through.
### SRS
SRS servers perform sender rewriting, changing the envelope From to a torproject.org address where needed.
The MX servers translate rewritten torproject.org addresses back to their original to process bounce mails.
# Discussion
The mail services at Tor have been rather neglected,
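Review bot: the DKIM paragraph under "### DMARC" and the "### DNS" list only cover torproject.org, while "### Routing" says subdomains and variants such as nevii.torproject.org and torproject.net are alias domains; the doc should state whether mail with a From: header in one of those alias domains is also DKIM-signed by the SRS servers, and whether those domains carry their own SPF, DKIM and DMARC records or are expected never to appear in a header From. Related: "### DNS" requires a TLSA record for every mail server and "### SSL" requires a Let's Encrypt certificate, but nothing says how the TLSA record is kept in sync when the certificate is renewed (which TLSA usage/selector is published, and whether renewal is allowed to rotate the key); one sentence here would save an outage. Minor: "virusses" under "### Antispam/virus" should be "viruses", and the subsections jump from "# New mail setup as per 2024-11-25" straight to "###"; "##" would match the heading hierarchy used by the surrounding sections.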