@fawkesley
Last active September 25, 2017 08:07
Notes on SMTP from LivLUG September 2017

LivLUG SMTP

http://www.livlug.org.uk/2017/09/september-meeting/

focusing on outgoing side of emails

surprising amount of DNS understanding

smart relaying through your ISP is way easier

BUT disadvantage of smart relaying is shared reputation of the ISP's IP addresses

did own IP SMTP server because of going into Hotmail junk

misconception: having incoming and outgoing email at the same place - not the case

e.g. you can send through your own SMTP but not be the MX (or you can be the MX but not the outgoing)

doing 1 at a time - incoming or outgoing - is helpful

Once an SMTP server accepts an email it passes it to an MDA, e.g. IMAP/POP3 server

considerations for outgoing smtp:

  • ip must be static - most dynamic ip addresses are blacklisted
  • you need a reverse dns setup correctly
  • smtp software must advertise external ip address
  • check Spamhaus PBL to see if IP is listed as "end user" or "non-MTA" address
    • some receiving SMTP servers will bounce emails
    • Spamhaus will allow you to delist a single IP address
    • Apparently ISPs can submit blocks of IPs as non-delistable
  • Virgin use their own lists
  • You need to create an A record e.g. mail.paulfurley.com -> 20.30.40.50
  • Ask ISP to create PTR record e.g. 20.30.40.50 -> mail.paulfurley.com

SPF records are designed to restrict originating IP addresses for mail coming from a certain domain name.

SPF records are DNS TXT records

There's also a format where you can say "use the same as this other domain" so you only have to set the IP list once.

If you use anything like Xero that sends emails "as you", you'll have to add their SMTP ip addresses
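Added example (not from the talk or the gist): a simplified SPF evaluator over a constructed, in-memory DNS map, showing how the "use this other domain's list" forms (include: and redirect=) and a third-party sender's ip4: range combine when a receiver checks a connecting IP. The domain names, IP addresses and records are made up; a real check would query DNS and handle mx/ptr/exists as well.

```python
import ipaddress

# Constructed DNS data (assumption, not real records): domain -> SPF TXT record, host -> A records.
# paulfurley.com authorises its own mail host plus a third-party sender via include:.
TXT = {
    "paulfurley.com": "v=spf1 a:mail.paulfurley.com include:_spf.thirdparty.example -all",
    "_spf.thirdparty.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "alias.example": "v=spf1 redirect=paulfurley.com",  # reuse paulfurley.com's policy wholesale
}
A = {"mail.paulfurley.com": ["20.30.40.50"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for a sending IP.

    Returns pass / fail / softfail / neutral / none / permerror, following the
    first-match rule: the qualifier of the first matching mechanism decides.
    Only ip4, ip6, a, include, redirect and all are implemented here.
    """
    if depth > 10:  # runaway include/redirect chains are treated as permerror
        return "permerror"
    record = TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only used if nothing else matches
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = arg or domain
            matched = any(addr == ipaddress.ip_address(h) for h in A.get(host, []))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"  # include matches only on pass
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_spf(ip, redirect, depth + 1)
    return "neutral"
```

The result tells you what a receiver following this policy would conclude for a given sender; a "fail" on your own service provider's IP is the symptom you get when its address block was never added to the record.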

DKIM records are a way of signing outgoing emails to prove their origin. Private key is stored in SMTP server. Public key is inserted into TXT record for domain.

DMARC TXT records tell the receiving end what to do about SPF and DKIM. Not quite sure why.

You can put DMARC in place and make it as strict as possible.

Security

Obviously secure the box

Block outgoing port 25 for all your client devices - a workstation should be relaying through the SMTP server, not going out to port 25 directly.

Even better: alert on outgoing port 25 attempts - it's probably an infected workstation.

Allowing outgoing port 587 (authenticated) email is OK.
