[[!meta title="Egen domän"]]

On using your own domain name
=============================

Anyone can connect their own domain name to fripost.org. You then get an unlimited number of aliases that can be routed to your inbox.

This means that if I, for example, own the domain name `skangas.se`, I can connect it to my Fripost account. On skangas.se I can then have several different addresses that all go to the same place:

    skangas@skangas.se -> stefan@fripost.org
    kontakt@skangas.se -> stefan@fripost.org
    info@skangas.se    -> stefan@fripost.org

I can then be reached at several different addresses, all of which are collected in my inbox for `stefan@fripost.org`.

The procedure for setting this up currently involves some manual work, but we are working on making it simpler.

How do I do it?
===============

1. Send an e-mail to [admin@fripost.org](mailto:admin@fripost.org) from your Fripost account with the desired domain name. Include any aliases in a reasonable format, e.g. a long list with one e-mail address per line, or, even better, all of them on one line separated by a comma and a space. This makes it possible to send e-mail from Fripost with the desired addresses as sender.

2. Wait for a confirmation that your domain name has been added to Fripost's systems.

3. Once the confirmation has arrived, the [MX records](https://en.wikipedia.org/wiki/MX_record) in the DNS zone for the domain name must be updated so that they refer to Fripost's mail servers. In most cases this can be done at the registrar where the domain name was bought. This makes e-mail sent to the desired address end up at Fripost.

   Fripost's mail servers have these addresses:

       mx1.fripost.org
       mx2.fripost.org

   A suggested priority for the servers is `5`, `10` and `15`. The complete MX records then look like this by default (note the trailing dots after the server addresses):

       Subdomain   Type   TTL    Data
       @           MX     7200   5 mx1.fripost.org.
       @           MX     7200   5 mx2.fripost.org.
   The registrar where the domain was bought probably has detailed instructions on its website for how exactly their service should be configured. It can take up to 48 hours after changing your MX records before the change has propagated across the whole Internet.

4. Finally, in the webmail or in your e-mail client, you must configure the new address to be used.

   In the webmail you do this by logging in, going to `Inställningar -> Identiteter` (Settings -> Identities), clicking the `+` sign at the bottom left, filling in your name and the new address, and clicking Save. You can then choose the new address as sender when composing a new e-mail.

   In the e-mail client Icedove/Thunderbird you do this under `Inställningar -> Kontoinställningar` (Settings -> Account Settings). Under the heading `Standardidentitet` (Default Identity), change the `E-postadress` (E-mail Address) field to the new address. Future e-mail will then be sent with the new address as sender.

Done!

Frequently asked questions
==========================

May I have more than one domain name?
-------------------------------------

Yes, if you want to connect more than one domain name, send an e-mail to [admin@fripost.org](mailto:admin@fripost.org) and we will see what we can do. But keep in mind that the administrators do this in their spare time :-)

Some members have chosen to donate extra money to Fripost as thanks for the administrators being so kind as to add their extra domain names.

If several of us are members, can we get different addresses from the same domain routed to different accounts with you?
-------------------------------------------------------------------------------------------------------------------------

Yes, there is nothing preventing that. However, we can have at most one person registered as owner per domain name. All changes to any aliases must be made by its owner.

What is meant by DNS being the Internet's weakest link?
-------------------------------------------------------

It is often pointed out that DNS has shortcomings in security. This is discussed by many; among others,
Rasmus Fleischer, in Nyhetsmagasinet ETC on 2 July, recommends an essay by Robert W. Gehl, [The internet's weakest link](https://thereboot.com/the-internets-weakest-link-dns-and-the-risks-of-consolidation/), *The Reboot*, 2021. He refers to Zooko's triangle, which states that one must compromise between three ideals of the Internet: (a) security, (b) decentralisation and (c) comprehensibility (human-meaningful names). Only two can be prioritised, and then at the expense of the third. DNS is exposed to states blocking traffic and allows operators to spy on their customers' browsing habits. Gehl warns, however, that countermeasures against this risk centralising DNS to the information giants.

Technical questions (in English)
================================

What about the reserved `postmaster@` and `abuse@` addresses?
-------------------------------------------------------------

According to [RFC 822 Section 6.3](https://tools.ietf.org/html/rfc822#section-6.3) and [RFC 2142 Section 4](https://tools.ietf.org/html/rfc2142#section-4), the addresses `postmaster@yourdomain.se` and `abuse@yourdomain.se` are both reserved and required, and *must* be routed to the person(s) responsible for your domain's mail system, i.e., [admin@fripost.org](mailto:admin@fripost.org). For convenience they are also automatically forwarded to the domain owner(s), but *beware that the Fripost admin team will also receive and read them*!

On a related note, we encourage domain owners to create aliases for common roles and services such as `root@`, `hostmaster@`, `webmaster@`, etc. See [RFC 2142](https://tools.ietf.org/html/rfc2142) for details.

For [technical reasons](http://www.postfix.org/postconf.5.html#double_bounce_sender), messages to `double-bounce@` are silently discarded. Furthermore a virtual domain `discard.fripost.org` is available on the MXes, for which all messages are silently discarded. Hence you can define your own `noreply@` alias by routing it to `noreply@discard.fripost.org`.
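Two things a domain owner can check before writing to the admins are the MX record set from step 3 above and the alias list's handling of the reserved role addresses just described. The script below is an added example, not Fripost's own tooling: it takes a constructed zone excerpt in the "Subdomain Type TTL Data" layout shown above and a constructed alias list for a hypothetical `example.org`, and reports anything that deviates from what this page asks for (trailing dots, the two Fripost MX hosts, `postmaster@`/`abuse@` routed to `admin@fripost.org`, and the recommended RFC 2142 roles). Nothing is queried over the network.

```python
"""Onboarding sanity checks for a custom domain at Fripost (added example, not Fripost's code)."""
import re

FRIPOST_MX = {"mx1.fripost.org.", "mx2.fripost.org."}
ADMIN = "admin@fripost.org"
REQUIRED_ROLES = ("postmaster", "abuse")                  # RFC 2142 section 4: required
RECOMMENDED_ROLES = ("root", "hostmaster", "webmaster")   # roles this page suggests aliasing

# Constructed zone excerpt in the "Subdomain Type TTL Data" layout used above.
ZONE_EXCERPT = """\
@   MX  7200  5 mx1.fripost.org.
@   MX  7200  5 mx2.fripost.org.
@   A   7200  192.0.2.10
"""

# Constructed alias list for a hypothetical domain, one "source -> destination" per line.
ALIASES = """\
postmaster@example.org -> admin@fripost.org
abuse@example.org      -> admin@fripost.org
contact@example.org    -> stefan@fripost.org
info@example.org       -> stefan@fripost.org
"""

MX_LINE = re.compile(r"^(\S+)\s+MX\s+(\d+)\s+(\d+)\s+(\S+)$")


def check_mx(zone_text):
    """Return a list of problems with the MX records in the excerpt (empty list = OK)."""
    problems, seen = [], set()
    for line in zone_text.splitlines():
        m = MX_LINE.match(line.strip())
        if not m:
            continue                                    # not an MX record, ignore
        _owner, _ttl, _pref, host = m.groups()
        if not host.endswith("."):
            problems.append(f"{host}: missing trailing dot (would be read as a relative name)")
        if host not in FRIPOST_MX:
            problems.append(f"{host}: not one of Fripost's MX hosts")
        seen.add(host)
    missing = FRIPOST_MX - seen
    if missing:
        problems.append("missing MX for: " + ", ".join(sorted(missing)))
    return problems


def parse_aliases(text):
    """Parse 'local@domain -> destination' lines into a {source: destination} dict."""
    table = {}
    for line in text.splitlines():
        if "->" in line:
            src, dst = (part.strip() for part in line.split("->", 1))
            table[src.lower()] = dst.lower()
    return table


def check_roles(domain, aliases):
    """Return problems with reserved and recommended role addresses for `domain`."""
    problems = []
    for role in REQUIRED_ROLES:
        addr = f"{role}@{domain}"
        if aliases.get(addr) != ADMIN:
            problems.append(f"{addr}: must be routed to {ADMIN}")
    for role in RECOMMENDED_ROLES:
        if f"{role}@{domain}" not in aliases:
            problems.append(f"{role}@{domain}: recommended alias not defined")
    return problems


if __name__ == "__main__":
    for problem in check_mx(ZONE_EXCERPT) + check_roles("example.org", parse_aliases(ALIASES)):
        print("-", problem)
```

Run as-is it reports only the three recommended roles that the sample alias list leaves out; feed it the output of your registrar's zone export (or a `dig MX` answer reshaped to the same columns) to check the real records.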
I want my domain `example.net` to mirror my other domain `example.org`, but only add addresses under the latter.
----------------------------------------------------------------------------------------------------------------

What you want is to make `example.net` a *domain alias* and point it to `example.org`. You won't be able to configure `example.net` directly (you won't be able to create `my-alias@example.net`, for instance); instead any message to, say, `whatever@example.net` will be routed to `whatever@example.org` (if it exists; the message will bounce otherwise). Just drop us a line at [admin@fripost.org](mailto:admin@fripost.org) if you want a domain alias, and tell us its destination (just like with regular aliases, the destination doesn't have to be hosted at Fripost).

I want to receive messages sent to `anything@example.org`, but I can't create an infinite number of aliases!
------------------------------------------------------------------------------------------------------------

No problem, we can add a catch-all address on your domain. Catch-alls have the lowest priority, so you can still have regular aliases and point them to another address (`anything@example.org` will be delivered to the catch-all address *only* if `anything@example.org` is not an explicitly existing address). Beware that you may receive a lot of junk on your catch-all address, though! (Spammers like to shoot randomly, as it's a way to discover which recipients are valid under a given domain.) Also, don't forget that the reserved addresses `postmaster@` and `abuse@` have special treatment and will always bypass your catch-all address (see above).

Why are my outgoing emails signed with Fripost's DKIM key?
----------------------------------------------------------

When you're using our Mail Submission Agent (`smtp.fripost.org`, see our [wiki page](https://wiki.fripost.org/konfigurera/) on the subject) or our [webmail](https://mail.fripost.org) to send an email, you might have noticed a "DKIM-Signature" field in the mail header on the receiver side:

```
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org; …; s=8f00fb94ec6c37aacb48bd43e073f9b7; …
```

This field was added just before your mail left Fripost's infrastructure. The selector and signing domain, respectively given by "s=" and "d=", provide a way for the receiver to fetch the public part of the key used to sign the message from the signing domain's DNS zone:

```
$ dig 8f00fb94ec6c37aacb48bd43e073f9b7._domainkey.fripost.org TXT +short \
    | sed 's/" "//g' | tr -d '"' \
    | fold -w64 | sed '1s/.*/ ( "&"/; 1!s/.*/   "&"/; $s/$/ )/'
 ( "v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
   "MIIBCgKCAQEApmCWIVZt+L/bJ5+abvdmFm6Er/9g6e4WX2HKyeIfC5eDaPbUyHqH"
   "SY7xzWNiU+cbBvny8BASkdWsclLdoiuMJ6Yes5VSzkH6j2gp9Uuy7d6p61Jbrizi"
   "7/CQzCZfhi5uGKiGtV2g+V/sIuXekm9Q+Q2eqjj/6hUHGDPTTKEFlgruyaS6y+Ke"
   "s+sJYjMG62lbTOKL5TjY6z0Gr2AMfglBUj9QWD5jm+bH0clE1HZq51mxXQbV2v/7"
   "JEHjznR0nSB+jY2EV7g/MXM8DwJCDH4ZcknoH0NrcJRjuRt8ndufnx4Qh0t7qqWw"
   "mGF0jZOcZxHeODfkUlLxQ4SCMVeqV/SSTwIDAQAB" )
```

(Where the Resource Record is formatted as a parentheses-enclosed list of chunks, cf. [RFC 1035 sec. 5.1](https://tools.ietf.org/html/rfc1035#section-5.1).) The public part of our DKIM keys can also be found [there](https://git.fripost.org/fripost-ansible/tree/certs/dkim). See RFCs [6376](https://tools.ietf.org/html/rfc6376) and [7001](https://tools.ietf.org/html/rfc7001) for references. The [Wikipedia page](https://en.wikipedia.org/wiki/Dkim) might be another good read.
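The same walk from header to key, done in Python instead of the `dig | sed` pipeline, as an added example that is not Fripost's code: it reads `s=` and `d=` from the header, builds the `<selector>._domainkey.<domain>` owner name, reassembles the chunked TXT record into one string (the concatenation RFC 1035 implies), and then inspects the `p=` value far enough to report the RSA modulus size, which is the first thing a verifier or an auditor wants to know about a key record. The header used is a constructed excerpt of the one quoted above with the elided tags left out; the TXT chunks are the ones printed above, embedded so that the code runs offline, so no DNS lookup is performed. The key-record format is the same one a custom-domain key uses.

```python
"""Follow a DKIM-Signature back to its public key record (added example, not Fripost's code)."""
import base64

# Constructed from the header excerpt above; the elided tags (h=, bh=, b=, ...) are omitted.
SAMPLE_HEADER = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org; "
                 "s=8f00fb94ec6c37aacb48bd43e073f9b7;")

# The TXT <character-string> chunks exactly as dig printed them above (stands in for DNS).
SAMPLE_TXT_CHUNKS = [
    "v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "MIIBCgKCAQEApmCWIVZt+L/bJ5+abvdmFm6Er/9g6e4WX2HKyeIfC5eDaPbUyHqH",
    "SY7xzWNiU+cbBvny8BASkdWsclLdoiuMJ6Yes5VSzkH6j2gp9Uuy7d6p61Jbrizi",
    "7/CQzCZfhi5uGKiGtV2g+V/sIuXekm9Q+Q2eqjj/6hUHGDPTTKEFlgruyaS6y+Ke",
    "s+sJYjMG62lbTOKL5TjY6z0Gr2AMfglBUj9QWD5jm+bH0clE1HZq51mxXQbV2v/7",
    "JEHjznR0nSB+jY2EV7g/MXM8DwJCDH4ZcknoH0NrcJRjuRt8ndufnx4Qh0t7qqWw",
    "mGF0jZOcZxHeODfkUlLxQ4SCMVeqV/SSTwIDAQAB",
]


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = "".join(val.split())   # whitespace inside values (b=, p=) is ignored
    return tags


def dkim_query_name(header_line):
    """Owner name of the TXT record holding the signing key: <s>._domainkey.<d>."""
    _, _, value = header_line.partition(":")
    tags = parse_tags(value)
    return f"{tags['s']}._domainkey.{tags['d']}"


def join_chunks(chunks):
    """TXT RDATA is a list of <character-string>s; the key record is their concatenation."""
    return "".join(chunks)


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo (what p= carries for k=rsa)."""
    tag, spki, _ = _der_tlv(spki_der, 0)          # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _algid, pos = _der_tlv(spki, 0)            # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = _der_tlv(spki, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsapub, _ = _der_tlv(bitstr[1:], 0)        # skip the unused-bits byte; RSAPublicKey SEQUENCE
    _, modulus, _ = _der_tlv(rsapub, 0)           # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def inspect_key_record(chunks):
    """Parse a joined DKIM key record and report what a verifier checks first."""
    tags = parse_tags(join_chunks(chunks))
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key record")
    der = base64.b64decode(tags["p"])
    return {
        "version": tags.get("v"),
        "key_type": tags.get("k", "rsa"),
        "strict_domain": "s" in tags.get("t", "").split(":"),   # t=s: i= may not be a subdomain of d=
        "der_bytes": len(der),
        "modulus_bits": rsa_modulus_bits(der),
    }


if __name__ == "__main__":
    print(dkim_query_name(SAMPLE_HEADER))
    print(inspect_key_record(SAMPLE_TXT_CHUNKS))
```

For the record above this reports a 2048-bit RSA key with `t=s` set; a record with `p=` empty means the key has been revoked, and anything below 1024 bits is rejected by most verifiers, so those are the two values worth alarming on when you monitor your own selectors.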
Your email is being signed with fripost.org's key whenever you use our machines to send it, regardless of the identity you used ("From:" header or envelope sender address), because Fripost is stamping your message the last time it sees it, just before throwing it in the wild, and can guarantee its integrity on your behalf. If you use your own domain for outgoing mail, note however that the receiver's mail client might emphasize that your messages are signed by Fripost's key and not your own (GMail [surely does](https://support.google.com/mail/answer/1311182), for instance). This doesn't really disclose anything, as our domain can be found in the mail header anyway, but feel free to drop us a line if you prefer to have a dedicated key pair for your domain. (In that case we'll generate the key material ourselves, and [*publish*](https://git.fripost.org/fripost-ansible/tree/certs/dkim) its public part, as well as the signing domain identifier and selector used in the `DKIM-Signature` header field.)

How do I set up my own DKIM keys for my custom domain?
------------------------------------------------------

The [Wikipedia page](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) has a nice introduction to DKIM.

Begin by contacting the Fripost admins ([admin@fripost.org](mailto:admin@fripost.org)) with a request to create a DKIM key for your custom domain. This DKIM key can be associated with your whole domain or with an individual email address. Await a response from the admins (remember they do it in their spare time!). Their response will contain an identifier (the selector) and the text (the public key) that you need to enable DKIM validation.

To enable DKIM validation with the public key you received, log in to your DNS management system and add a new TXT record for the subdomain `[identifier]._domainkey.[your domain]`. The record should look like the following, with your key after the `p=` part.
```
v=DKIM1; k=rsa; t=s; s=email; p=MIIB...AQAB
```

*Note* that in most DNS management systems you should only enter the subdomain (not the whole domain name) when creating a new TXT record. For example, `sub.example.org` only needs `[identifier]._domainkey.sub`.

How do I set up my own DMARC for my custom domain?
--------------------------------------------------

The [Wikipedia page](https://en.wikipedia.org/wiki/DMARC) has a nice introduction to DMARC.

Begin by logging in to your DNS management system and adding a TXT record for `_dmarc.[your domain]`. The record should look something like the following.

```
v=DMARC1;p=none;sp=none;
```

You can tweak the `p=none` and `sp=none` parts to more restrictive configurations such as `reject` or `quarantine`.

*Note* that in most DNS management systems you should only enter the subdomain (not the whole domain name) when creating a new TXT record. For example, `sub.example.org` only needs `_dmarc.sub`.

Should I publish an SPF (Sender Policy Framework) record for my domain?
-----------------------------------------------------------------------

The [Wikipedia page](https://en.wikipedia.org/wiki/Sender_policy_framework) has a nice introduction to SPF; other references include the "official" [SPF page](http://www.openspf.org) and RFCs [6652](https://tools.ietf.org/html/rfc6652) and [7208](https://tools.ietf.org/html/rfc7208).

`fripost.org` currently uses the following policy:

```
$ dig +short fripost.org TXT
"v=spf1 redirect=outgoing.fripost.org"
$ dig +short outgoing.fripost.org TXT
"v=spf1 a ?all"
```

This essentially says that `outgoing.fripost.org` is authorized to send mails from `@fripost.org` addresses (more precisely, that the authorized sending hosts' IPs can be found in the A and AAAA records for `outgoing.fripost.org`).
This host is used whenever you use our Mail Submission Agent or webmail, for instance; if a message from a `@fripost.org` address is being sent from another host, the `?all` (aka [NEUTRAL](http://www.openspf.org/SPF_Record_Syntax)) says that we don't know whether the host is authorized or not, and that the receiver should proceed as if there wasn't any SPF policy. With that information at hand, the recipient may decide to classify the message as SPAM or HAM, for instance.

If you have your own domain and use Fripost's infrastructure to send mails, you can point your domain to our policy, too. Here are a few possible scenarios:

```
example.org IN TXT "v=spf1 redirect=outgoing.fripost.org"
```

Here `example.org` is merely copying Fripost's policy.

```
example.org IN TXT "v=spf1 include:outgoing.fripost.org -all"
```

Here the policy says that mails from `@example.org` should PASS if they're accepted by Fripost's policy, that is if the sending host is `outgoing.fripost.org`, and FAIL otherwise (where Fripost's policy would return NEUTRAL). Note however that DNS is spoofable, and if the `example.org` zone isn't authenticated then an attacker could poison the DNS cache, resulting in a malicious SPF policy.

```
example.org IN TXT "v=spf1 a include:outgoing.fripost.org -all"
```

Here the policy is similar to the one before, but in addition the A and AAAA records for `example.org` are also allowed to send mails for that domain. (For instance, you have your own mail server and use Fripost's as a backup; or vice versa.)

Whichever SPF policy you choose, be sure to test it! Please read OpenSPF's [FAQ](http://www.openspf.org/FAQ), [Common Mistakes](http://www.openspf.org/FAQ/Common_mistakes) and [Best Practices](http://www.openspf.org/Best_Practices) pages.
There are e-mail based SPF testers; unfortunately the "official" one [spf-test@openspf.net](mailto:spf-test@openspf.net) doesn't work anymore, but you can use [Port25.com](https://www.port25.com/support/authentication-center/email-verification/)'s for instance.
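To see how the three policies above differ in practice without waiting for a remote tester, here is an added example (not Fripost's code) of a small SPF evaluator covering just the subset of RFC 7208 those records use: the `a` and `include:` mechanisms, the `redirect=` modifier, and `all` with its four qualifiers. DNS is replaced by an inline dictionary: the two `fripost.org` TXT strings are the ones quoted above, while the IP addresses (documentation ranges) and the three `*.example.org` zones are constructed so that each scenario can be evaluated side by side; the real A/AAAA records of `outgoing.fripost.org` are not on this page and are not used.

```python
"""Minimal SPF (RFC 7208 subset) evaluator for the policies above (added example, not Fripost's code)."""
import ipaddress

# Constructed stand-in for DNS. Only the fripost.org / outgoing.fripost.org TXT strings are
# quoted from the page; every address and every example.org zone is made up for illustration.
DNS = {
    "fripost.org":          {"TXT": ["v=spf1 redirect=outgoing.fripost.org"]},
    "outgoing.fripost.org": {"TXT": ["v=spf1 a ?all"],
                             "A": ["192.0.2.25"], "AAAA": ["2001:db8::25"]},
    # Scenario 1: merely copy Fripost's policy.
    "copy.example.org":     {"TXT": ["v=spf1 redirect=outgoing.fripost.org"]},
    # Scenario 2: PASS only via Fripost, FAIL from anywhere else.
    "strict.example.org":   {"TXT": ["v=spf1 include:outgoing.fripost.org -all"]},
    # Scenario 3: the domain's own mail server (its A/AAAA) plus Fripost.
    "own.example.org":      {"TXT": ["v=spf1 a include:outgoing.fripost.org -all"],
                             "A": ["192.0.2.80"]},
}

QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The single TXT record starting with 'v=spf1', or None (RFC 7208 section 3)."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def host_has_ip(name, ip):
    """The 'a' mechanism: is `ip` among the A (or AAAA) records of `name`?"""
    rtype = "AAAA" if ip.version == 6 else "A"
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, rtype))


def check_host(ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for a message sent from address `ip`."""
    if depth > 10:                          # RFC 7208 caps DNS-querying terms at 10
        return "PERMERROR"
    record = spf_record(domain)
    if record is None:
        return "NONE"
    redirect = None
    for term in record.split()[1:]:         # skip the "v=spf1" version tag
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier, mech = "+", term         # mechanisms default to the "+" (PASS) qualifier
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = host_has_ip(arg or domain, ip)
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("NONE", "PERMERROR"):
                return "PERMERROR"          # an include of a domain without a policy is an error
            matched = inner == "PASS"       # only PASS counts as a match; NEUTRAL/FAIL do not
        else:
            return "PERMERROR"              # mechanisms outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                            # redirect= is consulted only when nothing matched
        return check_host(ip, redirect, depth + 1)
    return "NEUTRAL"                        # default result when no term matches


def evaluate(ip_text, domain):
    return check_host(ipaddress.ip_address(ip_text), domain)


if __name__ == "__main__":
    for sender in ("192.0.2.25", "192.0.2.80", "198.51.100.7"):
        for zone in ("fripost.org", "copy.example.org", "strict.example.org", "own.example.org"):
            print(f"{sender:>14} {zone:<20} {evaluate(sender, zone)}")
```

The table it prints makes the trade-off in the second scenario concrete: a message from the unrelated host `198.51.100.7` is NEUTRAL under `fripost.org` and the copied policy, but FAIL under `-all`, while the third scenario additionally passes the domain's own server. Run the same inputs against the Port25 tester mentioned above to confirm that the published record behaves the way the local evaluation predicts.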