https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36606
--- Comment #3 from Thomas Dukleth <[email protected]> ---

DNS changes needed for koha-community.org to allow email authentication remedies to work.

1. DNS SPF Record Update for koha-community.org.

The koha-community.org SPF record needs updating to include the IP address 75.119.140.119, hosting an intermediate mailserver sender providing DKIM signatures for automatically generated email on the same system which runs services such as jenkins. The intermediate mailserver can then relay email messages to secure-mailgate.com, or any possible replacement of secure-mailgate.com, and provide continuity for email in case of service interruption or discontinuation from secure-mailgate.com or any future replacement.

1.1. DNS SPF Record in BIND Format.

In BIND format the updated SPF record would be:

    koha-community.org. IN TXT "v=spf1 ip4:75.119.140.119 a mx include:secure-mailgate.com ~all"

Note the trailing dot after the domain.

2. DNS A Record for Intermediate Mailserver and Relay Sender Subdomain for koha-community.org.

A subdomain DNS A record for the mailserver functioning as a relay sender is needed. An MX record is not needed, as there is already an MX record for the service running at hetzner.trust-box.at.

2.1. DNS A Record in BIND Format.

In BIND format the additional line would be:

    m01 IN A 75.119.140.119

It will be discovered in due course and be the direct recipient of some junk, but it is best not to name it "mail" and make it an extra obvious target. A distinct subdomain is needed to avoid looping behaviour from the mailserver.

3. Reverse DNS PTR Record for Mailserver and Relay Sender Subdomain in koha-community.org.

Reverse DNS records are very important for mailservers to avoid denylisting, but perhaps you have a system which automatically creates reverse DNS PTR records for DNS A records.

3.1. Reverse DNS PTR Record in BIND Format.

In BIND format the additional reverse DNS PTR record could be as follows, but the configuration of the reverse DNS zone would need to be checked for the possible leading quad, 119 in this case:

    119 IN PTR m01.koha-community.org.

The leading quad could be empty depending on the configuration of the reverse DNS zone for 75.119.140.119. Note the trailing dot after the domain.

4. DNS DKIM Public Key Record for koha-community.org.

I created a 2048 bit RSA DKIM key with selector mail-koha.

4.1. DNS DKIM Public Key Record in BIND Format.

In BIND format, the mail-koha DKIM public key in DNS may be formatted and added as follows:

    mail-koha._domainkey IN TXT ( "v=DKIM1; g=*; k=rsa; p="
        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyylPuDr3VwlRB"
        "eGypamhx97/7f7watPZl4z765mU5GfV5S/HSs5oW5E9QK6h/lCG+jHTSiE"
        "d+NG6SzkNaSjHY5dRZyXUWLJb9FMo/0xhACjkZdVvL+g8TYdx961TsrdKQ"
        "aG1tYJ3q3NnrowZQlDALQtk+SLPFYhvbr8kptwskGTnJ2VTh+Bc6kqVgT2"
        "lIwMiy9axMktGZkVrByrCf8KTLCWZ2VtJzz/0DE4vbC3uMC1n3ofFjrdxD"
        "mHg3Hke+X063e45u6Z9p597MnYpIa3C3JqkeR7/dAgxY5X6ZJrhIsXvjbd"
        "pYBzeINPLAVzxmi8NX61pb7yrLZ9FKxqv4++FBQIDAQAB" )

BIND allows a maximum of 255 characters per line. Reportedly, all the parts could go on one line in BIND with the quote separation of segments, as long as segments do not exceed 255 characters, but if that is not officially supported some future BIND record parser may break the one-line workaround. Note the dot and then underscore after the DKIM key selector.

5. DMARC Record for koha-community.org.

There is no DMARC record for koha-community.org.

5.1. DMARC Record in BIND Format.

In BIND format a DMARC record would be:

    _dmarc.koha-community.org. IN TXT "v=DMARC1; p=none"

Note the leading underscore before dmarc and the trailing dot after the domain. p=none effectively means no rejection policy is set and ensures maximum delivery for email sent from koha-community.org.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
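As an added example, not part of the bug comment above and not a tool used by the Koha project, the following Python script checks the three proposed TXT records offline, the way an operator might before committing them to the zone: it tokenises the SPF record and validates the ip4 literal, joins the quoted DKIM segments (enforcing the 255-octet limit per <character-string> that the comment discusses), base64-decodes p= with a minimal hand-written DER reader to confirm it is an rsaEncryption SubjectPublicKeyInfo with a 2048-bit modulus, and reads the DMARC policy. The record values are copied from the comment (the DKIM base64 beginning at MIIB, the DER prefix of an RSA public key); the function names, the DER reader and the deliberately broken copy of the key used to show the decoder rejecting a stray character are my own constructions. No DNS queries are made.

```python
"""Offline sanity checks for SPF, DKIM and DMARC TXT records.
Added example (not Koha project code); record values copied from the bug comment."""
import base64
import ipaddress

# Record values as written in the comment, not fetched from DNS.
SPF_TXT = "v=spf1 ip4:75.119.140.119 a mx include:secure-mailgate.com ~all"
DMARC_TXT = "v=DMARC1; p=none"
# Quoted segments of mail-koha._domainkey.koha-community.org, in zone-file order.
DKIM_SEGMENTS = [
    "v=DKIM1; g=*; k=rsa; p=",
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyylPuDr3VwlRB",
    "eGypamhx97/7f7watPZl4z765mU5GfV5S/HSs5oW5E9QK6h/lCG+jHTSiE",
    "d+NG6SzkNaSjHY5dRZyXUWLJb9FMo/0xhACjkZdVvL+g8TYdx961TsrdKQ",
    "aG1tYJ3q3NnrowZQlDALQtk+SLPFYhvbr8kptwskGTnJ2VTh+Bc6kqVgT2",
    "lIwMiy9axMktGZkVrByrCf8KTLCWZ2VtJzz/0DE4vbC3uMC1n3ofFjrdxD",
    "mHg3Hke+X063e45u6Z9p597MnYpIa3C3JqkeR7/dAgxY5X6ZJrhIsXvjbd",
    "pYBzeINPLAVzxmi8NX61pb7yrLZ9FKxqv4++FBQIDAQAB",
]
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def join_txt_segments(segments):
    """TXT RDATA is a list of <character-string>s of at most 255 octets each;
    resolvers and DKIM verifiers concatenate them. Enforce that limit here."""
    for seg in segments:
        if len(seg.encode()) > 255:
            raise ValueError("TXT segment longer than 255 octets")
    return "".join(segments)


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list; DKIM and DMARC records share this syntax."""
    tags = {}
    for item in record.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def parse_spf(record):
    """Return (qualifier, mechanism, argument) triples; checks v=spf1 and ip4 literals."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default
        mechanism, _, argument = term.lstrip("+-~?").partition(":")
        if mechanism == "ip4":
            ipaddress.ip_network(argument, strict=False)  # raises on a malformed literal
        parsed.append((qualifier, mechanism, argument))
    return parsed


def _der(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def dkim_key_info(segments):
    """Assemble the DKIM record and return (modulus bits, public exponent) of p=."""
    tags = parse_tags(join_txt_segments(segments))
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    # validate=True rejects characters outside the base64 alphabet; a length that
    # is not a multiple of four (e.g. one stray character) also raises.
    der = base64.b64decode(tags["p"], validate=True)
    outer_tag, spki, _ = _der(der)                 # SubjectPublicKeyInfo SEQUENCE
    alg_tag, algid, pos = _der(spki)               # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _der(algid)                  # OBJECT IDENTIFIER
    if (outer_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or oid != RSA_OID:
        raise ValueError("p= is not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = _der(spki, pos)                 # BIT STRING holding RSAPublicKey
    _, rsapub, _ = _der(bitstr[1:])                # skip the unused-bits octet
    _, n_bytes, pos = _der(rsapub)                 # INTEGER n (modulus)
    _, e_bytes, _ = _der(rsapub, pos)              # INTEGER e (public exponent)
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def dmarc_policy(record):
    """Return the p= policy of a DMARC record ('none', 'quarantine' or 'reject')."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags["p"]


def dkim_record_name(selector, domain):
    """Owner name a verifier queries for a signature carrying s=selector; d=domain."""
    return f"{selector}._domainkey.{domain}."


if __name__ == "__main__":
    print("SPF terms:", parse_spf(SPF_TXT))
    print(dkim_record_name("mail-koha", "koha-community.org"), dkim_key_info(DKIM_SEGMENTS))
    print("DMARC policy:", dmarc_policy(DMARC_TXT))
```

Run it as a script and it prints the SPF terms, the DKIM owner name with the key size and exponent, and the DMARC policy. The DER reader is deliberately minimal (it trusts tag ordering and does no bounds hardening beyond Python's slicing), which is enough for a pre-commit check of your own record but is not a substitute for a real ASN.1 library when parsing untrusted input.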
