add IMAP server, seems like there's no way around

74516c23 · anarcat · 690e7cb6 · 74516c23
Verified Commit 74516c23 authored 2 years ago by anarcat
--- a/policy/tpa-rfc-15-email-services.md
+++ b/policy/tpa-rfc-15-email-services.md
@@ -4,11 +4,16 @@ title: TPA-RFC-15: email services

 [[_TOC_]]

-Summary: deploy incoming and outgoing SPF/DKIM/DMARC checks on
-torproject.org infrastructure (forcing the use of the submission
-server for outgoing mail), alongside end-to-end deliverability
-monitoring and a rebuild of legacy mail services to get rid of legacy
-infrastructure. possibility of hosting mailboxes as a stretch goal.
+Summary: deploy incoming and outgoing [SPF][], [DKIM][], [DMARC][],
+and (possibly) [ARC][] checks and records on torproject.org
+infrastructure. Deployment of an IMAP service, alongside the
+enforcement of the use of the submission server for outgoing
+mail. Establish end-to-end deliverability monitoring. Rebuild mail
+services to get rid of legacy infrastructure.
+
+[DMARC]: https://en.wikipedia.org/wiki/DMARC
+[DKIM]: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
+[SPF]: http://www.open-spf.org/

 # Background

@@ -195,11 +200,11 @@ will start to degrade some time or before Q3 2022.
    * decide key rotation policy (how frequently, should we [publish
      private keys][])

- d. enforcement of the submission service for outgoing mail, possibly
-    includes setting up a dummy IMAP server
+ d. IMAP server deployment and enrolment of all users in the IMAP
+    service

 e. deployment of SPF and DMARC DNS records, which will impact users
-    not on the submission server, which includes users with plain
+    not on the submission and IMAP servers, which includes users with plain
    forwards and without an LDAP account, possible solutions:

    1. aliases are removed or,
@@ -305,14 +310,14 @@ process follows the [Kaplan-Moss estimation technique](https://jacobian.org/2021
 | a. e2e deliver. checks     | 3 days   | medium      | access to other providers uncertain           | 4.5          |
 | b. DMARC reports           | 1 week   | high        | needs research                                | 10           |
 | c. DKIM signing            | 3 days   | medium      | expiration policy and per-user keys uncertain | 4.5          |
-| d. mandatory submission    | 3 days   | medium      | may require training                          | 4.5          |
+| d. IMAP deployment         | 1 week   | medium      | may require training to onboard users         | 7.5          |
 | e. SPF/DMARC records       | 3 days   | high        | impact on forwards unclear, SRS               | 7            |
 | f. incoming mail filtering | 1 week   | high        | needs research                                | 10           |
 | g. new MX                  | 1 week   | high        | key part of eugeni, might be hard             | 10           |
 | h. new mail relay          | 3 days   | low         | similar to current submission server          | 3.3          |
 | i. Puppet refactoring      | 1 week   | high        |                                               | 10           |

-This amounts to a total estimate time of 63.5 days, or about 13 weeks
+This amounts to a total estimate time of 65.5 days, or about 13 weeks
 or three months, full time. At 50EUR/hr, that's about 25,000EUR of
 work.