Difference between revisions of "PKP/Bug Fixes/SPF"

From Libopedia
Latest revision as of 17:43, 1 September 2016


Introduction

To combat spam and email phishing, a new email validation system called the "Sender Policy Framework" (SPF) is being adopted worldwide by academic institutions and others. This is a very recent development, and therefore OJS systems must be retroactively configured to support SPF. This wiki page documents these efforts at Stellenbosch University Library.

What is the SPF?

https://en.wikipedia.org/wiki/Sender_Policy_Framework

From Wikipedia (retrieved 2016/05/17):

"Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.[1] The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques."

Basically, EVERY sending email domain MUST have a DNS TXT SPF record that lists the authorised IP addresses or sub-domains of the official sending email servers for that domain; otherwise delivering email servers will refuse to deliver the email.

How to check for a DNS text SPF record

To determine whether an SPF record exists for a sending domain, use the "dig" command in a terminal, as in the example below:

dig txt sun.ac.za

See: http://stackoverflow.com/questions/4082935/using-dig-to-search-for-spf-records

Sample SPF records

As can be seen from the sample records below, the implementation differs per institution, but the point is that each domain is now SPF enabled and therefore OJS must adapt.

Sample output for "sun.ac.za" (2016/05/17)


; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt sun.ac.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50092
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;sun.ac.za.			IN	TXT

;; ANSWER SECTION:
sun.ac.za.		25238	IN	TXT	"University of Stellenbosch, South Africa"
sun.ac.za.		25238	IN	TXT	"ydW1uk2ljPYuIuijeNP29VqLY1fH/1BYzJ8XkvuCmpe7b1pltGc4EaZcvw7V1PTKi5JkCgzH95fQNDdjOALHwQ=="
sun.ac.za.		25238	IN	TXT	"v=spf1 ip4:146.232.64.12 ip4:146.232.64.13 ip4:146.232.64.14 include:spf.protection.outlook.com -all"
sun.ac.za.		25238	IN	TXT	"Google Domain Verification 07082014"

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue May 17 11:44:35 SAST 2016
;; MSG SIZE  rcvd: 353

Sample output for "uct.ac.za" (2016/05/17)


; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt uct.ac.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62084
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;uct.ac.za.			IN	TXT

;; ANSWER SECTION:
uct.ac.za.		3600	IN	TXT	"Ox1qfakkMKmET7grQG8BzAU0BFKkXZlwIZLm68SBnlYXFefU2YK8lhbZCzevz88UNYx5QNheElQe6z5u/uApjQ=="
uct.ac.za.		3600	IN	TXT	"v=spf1 ip4:137.158.153.103 ip4:137.158.153.104 ip4:137.158.154.116 ip4:137.158.154.166 ip4:137.158.154.117 ip4:137.158.154.165 a include:_netblocks.mimecast.com include:spf.protection.outlook.com ~all"
uct.ac.za.		3600	IN	TXT	"MS=ms97433074"

;; Query time: 11 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue May 17 11:48:43 SAST 2016
;; MSG SIZE  rcvd: 378

Sample output for "up.ac.za" (2016/05/17)


; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt up.ac.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51005
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;up.ac.za.			IN	TXT

;; ANSWER SECTION:
up.ac.za.		3600	IN	TXT	"google-site-verification=uZeP8pM4K0sBZNWCE4gAo8-gK4_WzH-nFuMRUlk4408"
up.ac.za.		3600	IN	TXT	"MS=ms60833582"
up.ac.za.		3600	IN	TXT	"v=spf1 ip4:137.215.0.0/16 mx ?all"

;; Query time: 22 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue May 17 11:50:04 SAST 2016
;; MSG SIZE  rcvd: 190

Sample output for "nwu.ac.za" (2016/06/06)

; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt nwu.ac.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30490
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nwu.ac.za.			IN	TXT

;; ANSWER SECTION:
nwu.ac.za.		82390	IN	TXT	"v=spf1 ip4:143.160.36.0/22 ip4:143.160.32.0/24 ip4:143.160.56.0/24 ip4:196.6.221.2 mx -all"

;; Query time: 21 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Jun 06 19:32:24 SAST 2016
;; MSG SIZE  rcvd: 130

Sample output for "unisa.ac.za" (2016/06/07)

; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt unisa.ac.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48424
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;unisa.ac.za.			IN	TXT

;; ANSWER SECTION:
unisa.ac.za.		3594	IN	TXT	"v=spf1 a mx ptr mx:voyager-01.unisa.ac.za mx:voyager-02.unisa.ac.za a:lmkn-pstfx01.unisa.ac.za include:spf.mandrillapp.com -all"
unisa.ac.za.		3594	IN	TXT	"MS=ms83889141"
unisa.ac.za.		3594	IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;"

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Jun 07 11:02:19 SAST 2016
;; MSG SIZE  rcvd: 454
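The records above differ in how they authorise senders and in what they tell a receiver to do with an unlisted host (-all, ~all or ?all). The following is an added example, not part of this wiki page or of OJS: it parses the SPF records quoted above, reports each domain's policy for unlisted senders, and evaluates a sending IP against the ip4 terms offline (terms that need DNS, such as mx or include, are reported as unresolved rather than guessed). The OJS_HOST_SPF record and the 192.0.2.x / 198.51.100.x addresses are constructed documentation values.

```python
import ipaddress

# Constructed input: the SPF TXT records quoted from the dig output above,
# plus one made-up record for a journal host (RFC 5737 documentation address).
SAMPLE_SPF = {
    "sun.ac.za": "v=spf1 ip4:146.232.64.12 ip4:146.232.64.13 ip4:146.232.64.14 include:spf.protection.outlook.com -all",
    "uct.ac.za": "v=spf1 ip4:137.158.153.103 ip4:137.158.153.104 ip4:137.158.154.116 ip4:137.158.154.166 ip4:137.158.154.117 ip4:137.158.154.165 a include:_netblocks.mimecast.com include:spf.protection.outlook.com ~all",
    "up.ac.za": "v=spf1 ip4:137.215.0.0/16 mx ?all",
    "nwu.ac.za": "v=spf1 ip4:143.160.36.0/22 ip4:143.160.32.0/24 ip4:143.160.56.0/24 ip4:196.6.221.2 mx -all",
    "unisa.ac.za": "v=spf1 a mx ptr mx:voyager-01.unisa.ac.za mx:voyager-02.unisa.ac.za a:lmkn-pstfx01.unisa.ac.za include:spf.mandrillapp.com -all",
}
OJS_HOST_SPF = "v=spf1 ip4:192.0.2.10 -all"   # constructed, not any real domain's record

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "ptr", "include", "exists")   # cannot be resolved offline

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms.
    Modifiers (name=value) are returned with the pseudo-qualifier 'modifier'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"                      # RFC 7208: a missing qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed

def policy_strength(record):
    """What a receiver is told to do with an unlisted sender: the qualifier on 'all'."""
    for qualifier, mech, _ in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                         # no 'all' term: the default result

def evaluate_offline(record, sender_ip):
    """Evaluate a sending IP against the ip4/ip6 terms, in record order.
    If a DNS-dependent term is passed before a decision is reached, the
    answer is 'needs_dns' instead of a guess."""
    ip = ipaddress.ip_address(sender_ip)
    needs_dns = False
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech in DNS_MECHANISMS:
            needs_dns = True
        elif mech == "all":
            return "needs_dns" if needs_dns else QUALIFIERS[qualifier]
    return "needs_dns" if needs_dns else "neutral"
```

A journal server whose address is not in its domain's record hits the final -all and fails, which is exactly why an OJS host must either be added to the institution's record or send from a domain whose record it controls.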

Federated System Setup

For system mail to be managed, a no-reply system account needs to be created per federated journal system.

The "domain" of the sending email address must match the "domain" of the federated system.

For example:

  1. Federated Domain = journals.ac.za for www.journals.ac.za
  2. Therefore sending domain = journals.ac.za
  3. Therefore sending email address = no-reply@journals.ac.za
  4. Therefore "default_envelope_sender = no-reply@journals.ac.za"

See the sample section of the OJS config file below:

; Allow envelope sender to be specified
; (may not be possible with some server configurations)
allow_envelope_sender = On 

; Default envelope sender to use if none is specified elsewhere
default_envelope_sender = no-reply@journals.ac.za

; Force the default envelope sender (if present)
; This is useful if setting up a site-wide noreply address
; The reply-to field will be set with the reply-to or from address.
force_default_envelope_sender = On 

; Enable attachments in the various "Send Email" pages.
; (Disabling here will not disable attachments on features that
; require them, e.g. attachment-based reviews)
enable_attachments = On

; Amount of time required between attempts to send non-editorial emails
; in seconds. This can be used to help prevent email relaying via OJS.
time_between_emails = 3600

; Maximum number of recipients that can be included in a single email
; (either as To:, Cc:, or Bcc: addresses) for a non-priveleged user
max_recipients = 10

; If enabled, email addresses must be validated before login is possible.
require_validation = On 

; Maximum number of days before an unvalidated account expires and is deleted
validation_timeout = 14

Individual Journal Setup

In addition, each journal must be set up as follows (applies to OJS versions 2.4.8 and later):

The central email address to be used by default would be the one provided in Journal Setup Step 1.2: Principal Contact, which should match the domain name from which the journal sends mail. (If this email address cannot match the sending domain on a per-journal basis, an alternate email address can be configured at the site level via the OJS config.inc.php file.)

Using GMail as the "official" sender

It is expected that most institutions will allow sending of emails from the Gmail servers. To apply this on OJS, try the following;

Sender Addresses in Email

Like paper mail letters, e-mail messages have at least two kinds of sender addresses: one on the envelope and one in the letterhead.

The envelope sender address (sometimes also called the return-path) is used during the transport of the message from mail server to mail server, e.g. to return the message to the sender in the case of a delivery failure. It is usually not displayed to the user by mail programs.

The header sender address of an e-mail message is contained in the "From" or "Sender" header and is what is displayed to the user by mail programs. Generally, mail servers do not care about the header sender address when delivering a message.

Check SPF records

http://www.kitterman.com/spf/validate.html
http://www.unifiedemail.net/Tools/SPFParser

Links

https://dmarc.org/overview/
https://dmarc.org/wiki/FAQ
https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
https://www.sympa.org/manual/dmarc
http://www.jscape.com/blog/smtp-vs-imap-vs-pop3-difference

Help Links

Read the PKP FAQ about SPF: https://pkp.sfu.ca/wiki/index.php/PKP_Frequently_Asked_Questions#Emails_aren.27t_being_received_by_users.2C_or_I_am_encountering_Sender_Policy_Framework_.28SPF.29_validation_issues_on_sending_email.3B_what_should_I_do.3F
https://pkp.sfu.ca/support/forum/viewtopic.php?f=8&t=14082&p=53456&hilit=spf#p53456

References

http://www.openspf.org
http://www.openspf.org/SPF_Record_Syntax
https://tools.ietf.org/html/rfc7208