[EP-tech] Secure Mails via SMTP/Mail Auth on EPrints



Hi Martin,

I tend to install and configure Postfix and then just configure 
EPrints (i.e. leave the same in perl_lib/EPrints/SystemSettings.pm) to 
use 127.0.0.1. This gives you much more flexibility when it comes to 
configuration.

I have been dealing with the greater DMARC enforcement that comes from 
using Outlook / Office 365 as your mail server. My best advice is that 
you ask your organisation to register an SPF record for the specific 
domain of your server (e.g. for repository.example.org rather than 
example.org) and then use an email address like 
admin@repository.example.org. You will need to get your organisation to 
create an email alias for this new address but most IT departments are 
struggling to get all the entries they needed into their SPF records for 
their main domain (no more than 10 lookups / 9 includes are allowed), so 
if you can use a different domain, they are happy to set this up as it 
saves them a headache.

An SPF record for your repository's domain would look something like:

repository.example.org.    28800    IN    TXT    "v=spf1 ip4:1.2.3.4 ~all"

Regarding Postfix, there is plenty of guidance for Postfix's 
configuration on its website:

https://www.postfix.org/BASIC_CONFIGURATION_README.html

However, if you set up an SPF record for your repository's domain and use 
an aliased email address to send email, then you can probably get away 
with the standard configuration. If not you may need to look into 
setting up DKIM [1], if your institution enforces stricter DMARC 
enforcement.

One thing I have been working on for the next release of EPrints [2] is to 
split up adminemail so there can be a separate email address for sending 
email. So you may end up with a config something like:

$c->{adminemail} = 'admin@example.org';
$c->{senderemail} = 'NO-REPLY@nodmarc.example.org';

Here if the senderemail address domain does not have DMARC enforcement, 
then you can happily send emails from it without them being 
dropped/quarantined but the footer of these emails will still include 
the adminemail in email footer signature, if the recipient needs to 
email someone. In some cases I have also configured the reply-to 
address so the recipient can even hit reply on the email and it will go 
to the adminemail rather than the black hole, which is the senderemail.

Regards

David Newman

[1] https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[2] https://github.com/eprints/eprints3.4/issues/256

On 21/03/2023 9:41 am, Martin Brändle via Eprints-tech wrote:
> Dear all,
>
> because of an enforced change to an Outlook / Office 365 mail server at 
> our institution, SMTP-based mails out of our EPrints repo may soon see 
> the end.
>
> Has anybody a recipe how to configure mail within EPrints to use an 
> Outlook / Office 365 mail server with some sort of authentication?
>
> E.g. for platforms based on Open Journal Systems we do have the option 
> to configure the following parameters:
>
> Server name
>
> Port
>
> Auth mechanism (e.g. SSL, TLS)
>
> Username (for central sender)
>
> Password
>
> Auth type (e.g. CRAM-MD5, LOGIN, PLAIN, XOAUTH2)
>
> If OAUTH, client secret, id, token
>
> default_envelope_sender
>
> force_default_envelope_sender
>
> DMARC compliance
>
> Kind regards,
>
> Martin
>
> --
>
> Dr. Martin Brändle
> Zentrale Informatik
> Universität Zürich
> Stampfenbachstr. 73
> CH-8006 Zürich
>
>
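
Added example, not part of the original message or of EPrints: a small offline SPF evaluator showing how the record from the reply treats the server's own address, and how a main-domain record with too many includes runs into the 10-lookup limit. The ZONE contents, the _spfN.example.org names and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed TXT data standing in for DNS; none of these are real records.
ZONE = {"repository.example.org": "v=spf1 ip4:1.2.3.4 ~all",
        "example.org": "v=spf1 " + " ".join(
            f"include:_spf{i}.example.org" for i in range(11)) + " ~all"}
ZONE.update({f"_spf{i}.example.org": f"v=spf1 ip4:192.0.2.{i} -all"
             for i in range(11)})

LIMIT = 10  # maximum DNS-querying terms per SPF evaluation
DNS_TERMS = {"include", "redirect", "a", "mx", "ptr", "exists"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def terms(domain):
    """Parse a domain's SPF record into (qualifier, name, value) tuples."""
    rec = ZONE.get(domain, "").split()
    if rec[:1] != ["v=spf1"]:
        return None
    out = []
    for term in rec[1:]:
        q, name, rest = re.match(r"([+\-~?]?)([A-Za-z0-9]+)(.*)$", term).groups()
        out.append((q or "+", name.lower(), rest[1:] if rest[:1] in (":", "=") else rest))
    return out

def lookup_count(domain):
    """Worst-case count of DNS-querying terms, following includes."""
    found = terms(domain) or []
    return sum(1 + (lookup_count(v) if n in ("include", "redirect") else 0)
               for _, n, v in found if n in DNS_TERMS)

def check_host(ip, domain, used=None):
    """Evaluate ip4/ip6/include/all for ip; other terms are counted only."""
    used = [0] if used is None else used
    parsed = terms(domain)
    if parsed is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, name, value in parsed:
        if name in DNS_TERMS:
            used[0] += 1
            if used[0] > LIMIT:
                return "permerror"
        hit = name == "all"
        if name in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            inner = check_host(ip, value, used)
            if inner == "permerror":
                return inner
            hit = inner == "pass"
        if hit:
            return RESULT[qual]
    return "neutral"
```

Evaluation stops at the first matching term, so the constructed example.org record still passes a sender listed in an early include and only returns permerror for senders that force all eleven includes to be walked.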