Postmaster Summary

This e-mail service performs the following verifications for incoming e-mails:

  • DNS RBLs
  • virus scanning
  • RFC compliance checks
  • valid reverse DNS lookup
  • recommendations of the MAAWG
  • verification of SPF DNS records and DKIM signatures
  • for some remote e-mail services TLS is mandatory
  • various plausibility checks for HELO, RCPT TO and MAIL FROM
  • rejected MIME types are: application/x-msdownload, application/x-msdos-program, application/hta
  • relaying is only allowed using SMTP authentication in combination with transport layer security (TLS)
  • rejected file types are: .exe, .vbs, .pif, .scr, .bat, .cmd, .com, .cpl, .dll, .zip, .js, all Microsoft Office documents

For RFC 2142 role-based mailboxes these policies vary.

Incoming connections can verify the TLS certificate presented by this service via DANE (DNS-based Authentication of Named Entities).

All outgoing e-mails of this e-mail service:

  • will prefer transport layer security (TLS) with Perfect Forward Secrecy (PFS); for some remote e-mail services TLS is mandatory
  • will use DNS-based Authentication of Named Entities (DANE) for TLS certificate verification of the remote e-mail service
  • contain a valid DKIM signature
  • contain a valid ARC signature
  • have a valid SPF DNS record
  • are virus scanned

Configuration of end user e-mail clients

The following auto-configuration mechanisms are supported for end user e-mail clients (Autoconfig and Autodiscover, described below):

For a manual configuration of end user e-mail clients the following settings are required:

                        IMAP                      SMTP                      SIEVE
Server                  mx02.o-o-s.de             mx02.o-o-s.de             mx02.o-o-s.de
STARTTLS Port           143                       587                       N/A
SSL/TLS Port            993                       465                       4190
Username                username@domain.tld       username@domain.tld       username@domain.tld
Authentication method   Regular password (PLAIN)  Regular password (PLAIN)  Regular password (PLAIN)

Autoconfig

What is it?

Autoconfig is a method to automatically find the email settings for setting up an email account in Thunderbird, thus bypassing manual setup.

How is it configured?

This automatic configuration is used by Thunderbird. autoconfig.<domain> returns a static XML file with the configuration. The server-side setup requires:

1. A DNS record pointing to a web server, either as an A or as a CNAME record

autoconfig IN A 213.109.160.233

or

autoconfig IN CNAME autoconfig.o-o-s.de.

2. A configuration file delivered via HTTPS:

https://autoconfig.cscholz.io/mail/config-v1.1.xml
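Added example (not the service's own file) of what the config-v1.1.xml served at that URL contains, built from the IMAP and SMTP rows of the manual-configuration table above, together with a pre-publication check that no server entry sends the password without TLS. Hostname and ports are the page's; the domain passed in is a placeholder.

```python
import xml.etree.ElementTree as ET

# Added example, not the service's own file: builds a Thunderbird
# config-v1.1.xml from the settings in the manual-configuration table above.
HOST = "mx02.o-o-s.de"

def build_autoconfig(domain: str) -> str:
    """Return the clientConfig XML for `domain`.

    %EMAILADDRESS% is a Thunderbird placeholder replaced by the user's full
    address, matching the 'username@domain.tld' row of the table.
    """
    root = ET.Element("clientConfig", version="1.1")
    provider = ET.SubElement(root, "emailProvider", id=domain)
    ET.SubElement(provider, "domain").text = domain
    ET.SubElement(provider, "displayName").text = domain
    servers = [
        ("incomingServer", "imap", 993, "SSL"),       # implicit TLS (SSL/TLS port)
        ("outgoingServer", "smtp", 587, "STARTTLS"),  # submission with STARTTLS
    ]
    for tag, kind, port, socket_type in servers:
        srv = ET.SubElement(provider, tag, type=kind)
        ET.SubElement(srv, "hostname").text = HOST
        ET.SubElement(srv, "port").text = str(port)
        ET.SubElement(srv, "socketType").text = socket_type
        # 'Regular password (PLAIN)' in the table; only safe because TLS is on.
        ET.SubElement(srv, "authentication").text = "password-cleartext"
        ET.SubElement(srv, "username").text = "%EMAILADDRESS%"
    return ET.tostring(root, encoding="unicode")

def insecure_servers(xml_text: str) -> list:
    """List (tag, hostname, port) of servers that would send the password in clear.

    Run this before publishing: a 'plain' socketType combined with
    password-cleartext hands credentials to anyone on the path.
    """
    root = ET.fromstring(xml_text)
    bad = []
    for srv in root.iter():
        if srv.tag in ("incomingServer", "outgoingServer") and \
                srv.findtext("socketType") == "plain":
            bad.append((srv.tag, srv.findtext("hostname"), srv.findtext("port")))
    return bad

if __name__ == "__main__":
    print(build_autoconfig("example.org"))
```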

Autodiscover

What is it?

Autodiscover is a method to automatically find the email settings for setting up an email account in Microsoft Outlook, thus bypassing manual setup.

How is it configured?

To obtain the configuration information, Outlook requests the following URLs:

  1. https://<domain>/autodiscover/autodiscover.xml
  2. https://autodiscover.<domain>/autodiscover/autodiscover.xml

Spam Filtering

Spam filtering is done using rspamd. This includes:

  • greylisting
  • neural network learning and classification
  • a spamtrap for training
  • antivirus scans

Common error messages

  • 554 5.1.8 : Sender address rejected: Domain not found
    The domain of your sender address cannot be resolved by DNS.
  • 554 5.7.0 Reject, id=XXXXX-XX – INFECTED
    A virus was found in your e-mail. Please check your e-mail with an up-to-date antivirus scan engine (e.g. VirusTotal).
  • 554 5.7.0 Reject, id=XXXXX-XX – BANNED
    For security reasons (e.g. malware) the attachment file type has been rejected. Please use a document format without active content such as macros (e.g. a plain Portable Document Format (PDF) file). Renaming or archiving the attachment does not help: renamed or packed file types are detected and rejected as well.
  • 554 5.7.0 Reject, id=XXXXX-XX – spam
    Your e-mail was classified as spam.
  • 554 5.7.1 Client host rejected: Access denied.
    The IP address of your sending host is not allowed to deliver e-mail directly to our mail services. It may be a dynamic IP address, it may be listed in a DNS RBL, or its DNS configuration may be missing or invalid (e.g. no or incorrect PTR record). Please verify your DNS configuration and try again later.
  • 554 5.7.1 Service unavailable; Client host [XX.XX.XX.XX] blocked using …
    The client sending this e-mail is listed on a DNS blacklist (RBL).
  • 554 5.7.1 : Helo command rejected: Host not found;
    The hostname given in your HELO/EHLO command cannot be resolved by DNS.

E-Mail Security

Domainkey/DKIM

What is it?

DKIM (DomainKeys Identified Mail) is a method of email authentication. DKIM adds a signature to your mails that is associated with your domain and is used for all outgoing mail. Using a DomainKey is a technique (similar to SPF) to make it harder to spoof the sender of an email.

How is it configured?

All outgoing e-mails are signed with DKIM (RFC 6376). The selector record for all domains looks like:

1546251274._domainkey IN TXT "v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDx5gzdf9K8bojU7UOzag4qIQD+WHoIA63rAqcjOGLaBic1rRvVDRaBkhayBk5dxIuohsz/YEJUXaP2IHZU8URan5iO/rLiHgQrW/1o0zEFfkrnMjnTkuL35vVkFxrnXBVPNe6GNJQgs7zwfymKCGRDFKsCTDLOhpXEFBHxwfDsIQIDAQAB"

The signature itself is applied by rspamd.

ARC

What is it?

Why use ARC when DKIM is already in use?

If you are a member of a mailing list, you can send a message to all members of that list by addressing the mailing list itself. This recipient address then forwards your message to all members of the list. The list often adds information to the message, such as a footer identifying the list with options to unsubscribe; such modifications invalidate the original DKIM signature.

Since the mailing list in the above situation initially received the e-mail from a sender with a valid DMARC setup, it makes sense to pass these authentication results on, cryptographically sealed, to the next recipient of the message.

How is it configured?

All outgoing e-mails are signed with ARC (RFC 8617). The selector is the same as for DKIM.

SPF

What is it?

SPF (RFC 4408, RFC 7208) stands for Sender Policy Framework and is a DNS entry used for sender authentication as part of spam protection. The receiving mail server can use the SPF record of the sender domain to check whether the received e-mail originates from an authorized mail server or from an unauthorized one. The dedicated SPF resource record type is no longer used; the same policy is now published in a TXT record.

How is it configured?

SPF is used for all domains to publish the mail servers allowed to send e-mail. The DNS record for all domains looks like:

@ IN TXT "v=spf1 mx a:mx02.o-o-s.de include:mailbox.org -all"

E-Mail Reporting

DMARC

What is it?

DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is designed to reduce e-mail misuse. It addresses shortcomings of sender authentication when sending e-mail and is published in addition to DKIM and/or SPF records.

How is it configured?

All domains use DMARC to receive reports about abuse of their domain names, i.e. messages failing SPF and DKIM. The DNS record for all domains looks like:

_dmarc IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:l2lbmog6@ag.dmarcian.eu; ruf=mailto:l2lbmog6@ag.dmarcian.eu; rf=afrf; pct=100;"
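Added example (not the service's own code) of how a receiver evaluates the record above: it parses the tags, applies the strict alignment requested by adkim=s and aspf=s to constructed SPF and DKIM results, and returns the requested disposition. The organizational-domain lookup is simplified to the last two labels, and pct sampling is not modeled.

```python
# Added example, not the service's own code. The organizational domain is
# simplified to the last two labels; real receivers use the Public Suffix List.

def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') matches the org domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record: str, from_domain: str, spf: tuple, dkim: list) -> tuple:
    """Return (dmarc_result, requested_disposition).

    spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain).
    DMARC passes when at least one passing identifier is aligned with the
    RFC5322.From domain; otherwise the p= policy applies (pct not modeled).
    """
    policy = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(from_domain, d, policy["adkim"])
                  for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]

# Record as published above; the message identifiers used below are constructed.
RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
          "rua=mailto:l2lbmog6@ag.dmarcian.eu; ruf=mailto:l2lbmog6@ag.dmarcian.eu; "
          "rf=afrf; pct=100;")

if __name__ == "__main__":
    # An SPF pass for a subdomain is not enough under aspf=s.
    print(evaluate(RECORD, "example.org", ("pass", "news.example.org"), []))
```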

MTA-STS

What is it?

MTA-STS [RFC 8461] "is an inbound mail protocol designed to add a layer of encryption/security between sending and receiving mail servers. It was designed to patch an existing hole in the STARTTLS protocol that allowed for communication to be unencrypted via an attacker who could remove parts of the SMTP session (such as the '250 STARTTLS' response). This is accomplished by bringing DNS as a third party to verify connections.

The MTA-STS protocol works by having a DNS record that tells mail servers to fetch a policy file via HTTPS from a defined subdomain. This file contains a list of the receiver's mail servers which are authenticated and approved to receive the messages and also what policy to apply to inbound messages."

Source: https://dmarcian.com/mta-sts

How is it configured?

The DNS record looks like:

_mta-sts IN TXT "v=STSv1; id=id-2021051302"

The policy file looks like:

version: STSv1
mode: testing
mx: mx02.o-o-s.de
mx: *.mailbox.org
max_age: 86401
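Added example (not the service's own code): a parser for the policy format above plus the RFC 8461 MX-matching and mode rules a sending MTA applies, using the page's policy as constructed sample input. It shows why mode: testing only reports a mismatch (through TLS Reporting, below) while enforce would refuse delivery.

```python
# Added example, not the service's own code: parse the policy above and apply
# the RFC 8461 MX matching and mode rules that a sending MTA uses.

def parse_sts_policy(text: str) -> dict:
    """Parse 'key: value' lines; 'mx' may repeat and is collected into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("unknown mode")
    policy["max_age"] = int(policy.get("max_age", ""))  # seconds to cache; "" fails
    return policy

def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 MX matching: a leading '*.' covers exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '*.mailbox.org' -> '.mailbox.org'
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern

def decide(policy: dict, mx_host: str, tls_ok: bool) -> str:
    """Sender's action for one MX: 'deliver', 'deliver-and-report' or 'refuse'.
    tls_ok: TLS negotiated and the certificate validates for mx_host. In
    'testing' mode (as on this page) a failure is only reported via TLS-RPT."""
    ok = tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
    if ok or policy["mode"] == "none":
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"

# Constructed copy of the policy file shown above, used as sample input.
POLICY_TEXT = """version: STSv1
mode: testing
mx: mx02.o-o-s.de
mx: *.mailbox.org
max_age: 86401
"""
```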

Currently it is only configured for the domains listed below, for testing purposes:

TLS Reporting

What is it?

"TLS reporting is a protocol that will notify you, the domain owner, when emails sent through your domain face issues with delivery. If an email fails to be sent due to an SMTP downgrade or some other issue, you will receive a report in a JSON file format containing the details of the email that failed."

Source: https://powerdmarc.com/what-is-tls-rpt/

How is it configured?

The DNS record looks like:

_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:l2lbmog6@tls.eu.dmarcian.com"

Currently it is only configured for the domains listed below, for testing purposes:

Common E-Mail Security Standards

For further information take a look here: Hardenize Policy for Email Infrastructure | Hardenize Labs