
About using your own domain name

Anyone can connect their own domain name to fripost.org. You then get an unlimited number of aliases that can be connected to your inbox.

This means that if I, for example, own the domain name skangas.se, I can connect it to my Fripost account. On skangas.se I can then have several different addresses that all go to the same place:

skangas@skangas.se -> stefan@fripost.org
kontakt@skangas.se -> stefan@fripost.org
info@skangas.se -> stefan@fripost.org

I can then be reached at several different addresses, all of which are collected in my inbox for stefan@fripost.org.

The procedure for setting this up currently involves some manual work, but we are working on making it simpler.

How do I do it?

  1. Send an e-mail to admin@fripost.org from your Fripost account with the desired domain name. Include any aliases in a reasonable format, e.g. a long list with one e-mail address per line, or better still all on one long line separated by comma and space. This makes it possible to send e-mail from Fripost with the desired addresses as sender.

  2. Wait for a confirmation that your domain name has been added to Fripost's systems.

  3. Once the confirmation has arrived, the MX records in the domain name's DNS zone must be updated so that they refer to Fripost's mail servers. In most cases this is done at the registrar where the domain name was bought. This makes e-mail sent to the desired address end up at Fripost.

    Fripost's mail servers have these addresses:

    mx1.fripost.org
    mx2.fripost.org

    A suggested priority for the different servers is 5, 10 and 15.

    This results in the full MX records looking like this by default (note the dots after the server addresses):

    Subdomain  Type  TTL    Data
    @          MX    7200   5 mx1.fripost.org.
    @          MX    7200   5 mx2.fripost.org.

    The registrar where the domain was bought probably has detailed instructions on its website for how their particular service should be configured. It can take up to 48 hours after you have changed your MX records before the change has propagated across the whole Internet.

  4. Finally, you must configure your webmail or e-mail client to use the new address.

    In the webmail you do this by logging in, going to Settings -> Identities, clicking the + sign at the bottom left, filling in a name and the new address, and clicking Save. You can then choose the new address as sender when composing new e-mail.

    In the e-mail client Icedove/Thunderbird you do this under Settings -> Account Settings. Under the heading Default Identity, change the E-mail address field to the new address. Future e-mail will then be sent with the new address as sender.
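The step 3 table stresses the trailing dots after the server names: without them most DNS servers treat the name as relative and append the zone origin, so mx1.fripost.org silently becomes mx1.fripost.org.skangas.se. The check below is an added example (not part of the original page or of Fripost's tooling) that parses MX lines in the page's column layout or standard zone-file order and reports exactly that mistake; the sample inputs and the skangas.se origin are constructed.

```python
# Fripost's MX hosts as given on this page, written as absolute names.
FRIPOST_MX = {"mx1.fripost.org.", "mx2.fripost.org."}

def parse_mx(zone_text, origin):
    """Return (priority, absolute target) for every MX line. A target without a
    trailing dot is relative, so a DNS server appends the zone origin to it."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "MX" not in fields:
            continue
        priority, target = fields[-2], fields[-1]  # priority and target always come last
        if not target.endswith("."):
            target = f"{target}.{origin}."
        records.append((int(priority), target))
    return records

def mx_problems(zone_text, origin):
    """List what would stop mail for `origin` from reaching Fripost."""
    targets = {target for _, target in parse_mx(zone_text, origin)}
    problems = [f"{t} is not a Fripost MX (missing trailing dot?)"
                for t in sorted(targets - FRIPOST_MX)]
    problems += [f"{t} is not listed" for t in sorted(FRIPOST_MX - targets)]
    return problems

# Constructed inputs in the page's column layout: correct, and with one dot missing.
GOOD = """@  MX  7200  5 mx1.fripost.org.
@  MX  7200  5 mx2.fripost.org."""
BAD = """@  MX  7200  5 mx1.fripost.org
@  MX  7200  5 mx2.fripost.org."""
```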

Done!

Frequently asked questions

May I have more than one domain name?

Yes, if you want to connect more than one domain name, send an e-mail to admin@fripost.org and we will see what we can do. But keep in mind that the administrators do this in their spare time :-)

Some members have chosen to donate extra money to Fripost as thanks for the administrators being so kind as to add their extra domain names.

If several of us are members, can different addresses on the same domain go to different accounts with you?

Yes, nothing prevents that. However, we can have at most one person registered as owner per domain name. All changes to any aliases must be made by that owner.

What is meant by DNS being the Internet's weakest link?

It is often pointed out that DNS falls short on security. This is discussed by many; among others, Rasmus Fleischer in Nyhetsmagasinet ETC, 2 July, recommends an essay by Robert W Gehl, The internet’s weakest link, The Reboot, 2021. He refers to Zooko's triangle, which means that one must compromise between the Internet's three ideals: (a) security, (b) decentralisation and (c) comprehensibility. Only two can be prioritised, and then at the expense of the third.

DNS is exposed to states blocking traffic, and it allows operators to spy on their customers' browsing habits. Gehl warns, however, that countermeasures against this risk centralising DNS in the hands of the information giants.

Technical questions (in English)

What about the reserved postmaster@ and abuse@ addresses?

According to RFC 822 Section 6.3 and RFC 2142 Section 4, the addresses postmaster@yourdomain.se and abuse@yourdomain.se are both reserved and required, and must be routed to the person(s) responsible for your domain’s mail system, i.e., admin@fripost.org. For convenience they are also automatically forwarded to the domain owner(s), but beware that the Fripost admin team will also receive and read them!

On a related note, we encourage domain owners to create aliases for common roles and services such as root@, hostmaster@, webmaster@, etc. See RFC 2142 for details.

For technical reasons, messages to double-bounce@ are silently discarded. Furthermore, a virtual domain discard.fripost.org is available on the MXes, for which all messages are silently discarded. Hence you can define your own noreply@ alias by routing it to noreply@discard.fripost.org.

I want my domain example.net to mirror my other domain example.org, but only add addresses under the latter.

What you want is to make example.net a domain alias and point it to example.org. You won’t be able to configure example.org directly (you won’t be able to create my-alias@example.net, for instance); instead any message to, say, whatever@example.net will be routed to whatever@example.org (if it exists; the message will bounce otherwise). Just drop us a line at admin@fripost.org if you want a domain alias, and tell us its destination (just like with regular aliases, the destination doesn’t have to be hosted at Fripost).

I want to receive messages sent to anything@example.org, but I can’t create an infinite number of aliases!

No problem, we can add a catch-all address on your domain; catch-alls have the lowest priority, so you can still have regular aliases and point them to another address (anything@example.org will be delivered to the catch-all address only if anything@example.org is not an explicitly existing address). Beware that you may receive a lot of junk on your catch-all address, though! (Spammers like to shoot randomly, as it’s a way to discover which recipients are valid under a given domain.) Also, don’t forget that the reserved addresses postmaster@ and abuse@ get special treatment and will always bypass your catch-all address (see above).

Why are my outgoing emails signed with Fripost’s DKIM key?

When you’re using our Mail Submission Agent (smtp.fripost.org, see our wiki page on the subject) or our webmail to send an email, you might have noticed a “DKIM-Signature” field in the mail header on the receiver side:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org; …; s=8f00fb94ec6c37aacb48bd43e073f9b7; …

This field was added just before your mail left Fripost’s infrastructure. The selector and signing domain, respectively given by “s=” and “d=”, provide a way for the receiver to fetch the public part of the key used to sign the message from the signing domain’s DNS zone:

$ dig 8f00fb94ec6c37aacb48bd43e073f9b7._domainkey.fripost.org TXT +short \
    | sed 's/" "//g' | tr -d '"' \
    | fold -w64 | sed '1s/.*/  ( "&"/; 1!s/.*/    "&"/; $s/$/ )/'
  ( "v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
    "MIIBCgKCAQEApmCWIVZt+L/bJ5+abvdmFm6Er/9g6e4WX2HKyeIfC5eDaPbUyHqH"
    "SY7xzWNiU+cbBvny8BASkdWsclLdoiuMJ6Yes5VSzkH6j2gp9Uuy7d6p61Jbrizi"
    "7/CQzCZfhi5uGKiGtV2g+V/sIuXekm9Q+Q2eqjj/6hUHGDPTTKEFlgruyaS6y+Ke"
    "s+sJYjMG62lbTOKL5TjY6z0Gr2AMfglBUj9QWD5jm+bH0clE1HZq51mxXQbV2v/7"
    "JEHjznR0nSB+jY2EV7g/MXM8DwJCDH4ZcknoH0NrcJRjuRt8ndufnx4Qh0t7qqWw"
    "mGF0jZOcZxHeODfkUlLxQ4SCMVeqV/SSTwIDAQAB" )

(Where the Resource Record is formatted as a parentheses-enclosed list of chunks, cf. RFC 1035 sec. 5.1.) The public part of our DKIM keys can also be found there.

See RFCs 6376 and 7001 for references. The Wikipedia page might be another good read.

Your email is being signed with fripost.org’s key whenever you use our machines to send it, regardless of the identity you used (“From:” header or envelope sender address), because Fripost is stamping your message the last time it sees it, just before throwing it in the wild, and can guarantee its integrity on your behalf.

If you use your own domain for outgoing mail, note however that the receiver’s mail client might emphasize that your messages are signed by Fripost’s key and not your own (GMail surely does, for instance). This doesn’t really disclose anything as our domain can be found in the mail header anyway, but feel free to drop us a line if you prefer to have a dedicated key pair for your domain. (In that case we’ll generate the key material ourselves, and publish its public part, as well as the signing domain identifier and selector used in the DKIM-Signature header field.)

How do I set up my own DKIM keys for my custom domain?

The Wikipedia page has a nice introduction to DKIM.

Begin by contacting the Fripost admins (admin@fripost.org) with a request to create a DKIM key for your custom domain. This DKIM key can be associated with your whole domain or with an individual email address. Await a response from the admins (remember they do it in their spare time!). Their response will contain an identifier (the selector) and the text (public key) that you need to enable DKIM validation. To enable DKIM validation with the public key you received, log in to your DNS-management system and add a new TXT record with the subdomain [identifier]._domainkey.[your domain]. The record should look like the following, with your key after the p= part.

v=DKIM1; k=rsa; t=s; s=email; p=MIIB...AQAB

Note that in most DNS-management systems you should only use the subdomain (not the whole domain name) when you’re creating a new TXT record. For example, sub.example.org only needs [identifier]._domainkey.sub.
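Before publishing a record like the one above, or when reading back a published one as in the dig output shown earlier, it helps to parse it the way a verifier does. The following is an added example (not from the original page or Fripost's own tooling): it joins the RFC 1035 quoted chunks, splits the DKIM tag list, and walks the DER SubjectPublicKeyInfo in p= far enough to report the RSA modulus size and exponent. The sample input is fripost.org's record exactly as printed on this page; the minimum key size comes from RFC 8301.

```python
import base64
import re

# Sample input: the fripost.org record exactly as printed on this page,
# in the parentheses-and-chunks form the dig pipeline above produced.
RR_TEXT = '''  ( "v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
    "MIIBCgKCAQEApmCWIVZt+L/bJ5+abvdmFm6Er/9g6e4WX2HKyeIfC5eDaPbUyHqH"
    "SY7xzWNiU+cbBvny8BASkdWsclLdoiuMJ6Yes5VSzkH6j2gp9Uuy7d6p61Jbrizi"
    "7/CQzCZfhi5uGKiGtV2g+V/sIuXekm9Q+Q2eqjj/6hUHGDPTTKEFlgruyaS6y+Ke"
    "s+sJYjMG62lbTOKL5TjY6z0Gr2AMfglBUj9QWD5jm+bH0clE1HZq51mxXQbV2v/7"
    "JEHjznR0nSB+jY2EV7g/MXM8DwJCDH4ZcknoH0NrcJRjuRt8ndufnx4Qh0t7qqWw"
    "mGF0jZOcZxHeODfkUlLxQ4SCMVeqV/SSTwIDAQAB" )'''

def parse_dkim_record(text):
    """Join the quoted chunks, then split the tag=value list (RFC 6376 s.3.2)."""
    joined = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # whitespace is allowed inside p=
    return tags

def der_tlv(buf, pos):
    """Read one DER tag-length-value triple; returns (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_params(p_tag):
    """Return (modulus bits, public exponent) from the SubjectPublicKeyInfo in p=."""
    _, spki, _ = der_tlv(base64.b64decode(p_tag), 0)  # outer SEQUENCE
    _, _, pos = der_tlv(spki, 0)                       # AlgorithmIdentifier (rsaEncryption)
    _, bitstr, _ = der_tlv(spki, pos)                  # BIT STRING holding RSAPublicKey
    _, rsakey, _ = der_tlv(bitstr[1:], 0)              # bitstr[0] is the unused-bits count
    _, n, pos = der_tlv(rsakey, 0)                     # INTEGER modulus
    _, e, _ = der_tlv(rsakey, pos)                     # INTEGER exponent
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def check_dkim_record(text):
    """Return a list of findings; an empty list means the record looks publishable."""
    tags, problems = parse_dkim_record(text), []
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        problems.append("only v=DKIM1 records with k=rsa keys are handled here")
    elif not tags.get("p"):
        problems.append("empty p= means the key was revoked")
    else:
        bits, _ = rsa_key_params(tags["p"])
        if bits < 1024:  # RFC 8301: RSA keys MUST be at least 1024 bits (2048 recommended)
            problems.append(f"{bits}-bit RSA key is too short")
    return problems
```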

How do I set up my own DMARC for my custom domain?

The Wikipedia page has a nice introduction to DMARC.

Begin by logging in to your DNS-management system and adding a TXT record for _dmarc.[your domain]. The record should look something like the following.

v=DMARC1;p=none;sp=none;

You can tweak the p=none and sp=none parts to more restrictive configurations such as reject or quarantine.

Note that in most DNS-management systems you should only use the subdomain (not the whole domain name) when you’re creating a new TXT record. For example, sub.example.org only needs _dmarc.sub.

Should I publish an SPF (Sender Policy Framework) record for my domain?

The Wikipedia page has a nice introduction to SPF; other references include the “official” SPF page and RFCs 6652 and 7208.

fripost.org currently uses the following policy:

$ dig +short fripost.org TXT
"v=spf1 redirect=outgoing.fripost.org"
$ dig +short outgoing.fripost.org TXT
"v=spf1 a ?all"

This essentially says that outgoing.fripost.org is authorized to send mails from @fripost.org addresses (more precisely, that the authorized sending hosts’ IPs can be found in the A and AAAA records for outgoing.fripost.org). This host is used whenever you use our Mail Submission Agent or webmail, for instance; if a message from a @fripost.org address is being sent from another host, the ?all (aka NEUTRAL) says that we don’t know whether the host is authorized or not, and that the receiver should proceed as if there wasn’t any SPF policy. With that information at hand, the recipient may decide to classify the message as SPAM or HAM, for instance.

If you have your own domain and use Fripost’s infrastructure to send mails, you can point your domain to our policy, too. Here are a few possible scenarios:

example.org IN TXT "v=spf1 redirect=outgoing.fripost.org"

Here example.org is merely copying Fripost’s policy.

example.org IN TXT "v=spf1 include:outgoing.fripost.org -all"

Here the policy says that mails @example.org should PASS if they’re being accepted by Fripost’s policy, that is if the sender host is outgoing.fripost.org and FAIL otherwise (where Fripost’s policy would return NEUTRAL). Note however that DNS is spoofable, and if the example.org zone isn’t authenticated then an attacker could poison the DNS cache resulting in a malicious SPF policy.

example.org IN TXT "v=spf1 a include:outgoing.fripost.org -all"

Here the policy is similar to the one before, but in addition the A and AAAA records for example.org are also allowed to send mails for that domain. (For instance you have your own mail server, and use that of Fripost as a backup; or vice-versa.)
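To see how the three scenarios differ for a given sending host, the added example below (not part of the original page) implements just enough of RFC 7208's check_host() to evaluate a, include:, redirect= and all with their qualifiers against a constructed in-memory DNS. The IP addresses are from the RFC 5737 documentation ranges, not Fripost's real hosts, and copy/strict/mixed.example.org are hypothetical zones carrying the three policies above.

```python
# Constructed stand-in for DNS (TXT and A records per name). The IPs are from
# the RFC 5737 documentation ranges, not Fripost's real addresses, and the
# example.org names are hypothetical zones using the three policies above.
DNS = {
    "outgoing.fripost.org": {"TXT": "v=spf1 a ?all", "A": ["192.0.2.10"]},
    "fripost.org": {"TXT": "v=spf1 redirect=outgoing.fripost.org"},
    "copy.example.org": {"TXT": "v=spf1 redirect=outgoing.fripost.org"},
    "strict.example.org": {"TXT": "v=spf1 include:outgoing.fripost.org -all"},
    "mixed.example.org": {"TXT": "v=spf1 a include:outgoing.fripost.org -all",
                          "A": ["198.51.100.5"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Minimal check_host() (RFC 7208 s.4) for the mechanisms used on this page:
    a, include:, redirect= and all. Returns the SPF result string."""
    if depth > 10:  # guard against include/redirect loops
        return "permerror"
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):       # modifier: only used if nothing matched
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qualifier]
        if term == "a" and ip in DNS.get(domain, {}).get("A", []):
            return QUALIFIER[qualifier]
        if term.startswith("include:"):        # matches only if the included policy passes
            if check_host(ip, term.split(":", 1)[1], depth + 1) == "pass":
                return QUALIFIER[qualifier]
    if redirect is not None:
        return check_host(ip, redirect, depth + 1)
    return "neutral"  # no mechanism matched and no redirect (RFC 7208 s.4.7)
```

Running check_host with 192.0.2.10 (the constructed outgoing.fripost.org address) gives pass for all three zones, while 203.0.113.7 gives neutral for the redirect= copy but fail for the two -all policies.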

Whichever SPF policy you choose, be sure to test it! Please read OpenSPF’s FAQ, Common Mistakes and Best Practices pages. There are e-mail-based SPF testers; unfortunately the “official” one, spf-test@openspf.net, doesn’t work anymore, but you can use Port25.com’s, for instance.
