Difference between revisions of "PKP/Bug Fixes/SPF"
m (→References) |
m (→References) |
||
| Line 180: | Line 180: | ||
*http://www.unifiedemail.net/Tools/SPFParser | *http://www.unifiedemail.net/Tools/SPFParser | ||
*http://www.openspf.org | *http://www.openspf.org | ||
| + | *https://tools.ietf.org/html/rfc7208 | ||
Revision as of 12:50, 18 May 2016
Back to PKP Bug Fixes
Contents
Introduction
To combat spam and email phishing a new email system called the "Sender Policy Framework" (SPF) is being adopted world wide by academic institutions and others. This is a very recent development and therefore OJS systems must be retroactively configured to support SPF. This wiki page documents these efforts at Stellenbosch University Library.
What is the SPF?
https://en.wikipedia.org/wiki/Sender_Policy_Framework
From Wikipedia (retrieved 2016/05/17);
"Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.[1] The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques."
How does the SPF work?
To determine if there is an SPF record for a sending domain, use the "dig" command as per example below in a terminal;
dig txt sun.ac.za
See:http://stackoverflow.com/questions/4082935/using-dig-to-search-for-spf-records
As can be seen from the sample records below the implementation per institution differs, but the point is that each domain is now SPF enabled and therefore OJS must adapt.
Sample output for "sun.ac.za" (2016/05/17)
; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt sun.ac.za ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50092 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;sun.ac.za. IN TXT ;; ANSWER SECTION: sun.ac.za. 25238 IN TXT "University of Stellenbosch, South Africa" sun.ac.za. 25238 IN TXT "ydW1uk2ljPYuIuijeNP29VqLY1fH/1BYzJ8XkvuCmpe7b1pltGc4EaZcvw7V1PTKi5JkCgzH95fQNDdjOALHwQ==" sun.ac.za. 25238 IN TXT "v=spf1 ip4:146.232.64.12 ip4:146.232.64.13 ip4:146.232.64.14 include:spf.protection.outlook.com -all" sun.ac.za. 25238 IN TXT "Google Domain Verification 07082014" ;; Query time: 0 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Tue May 17 11:44:35 SAST 2016 ;; MSG SIZE rcvd: 353
Sample output for "uct.ac.za" (2016/05/17)
; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt uct.ac.za ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62084 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;uct.ac.za. IN TXT ;; ANSWER SECTION: uct.ac.za. 3600 IN TXT "Ox1qfakkMKmET7grQG8BzAU0BFKkXZlwIZLm68SBnlYXFefU2YK8lhbZCzevz88UNYx5QNheElQe6z5u/uApjQ==" uct.ac.za. 3600 IN TXT "v=spf1 ip4:137.158.153.103 ip4:137.158.153.104 ip4:137.158.154.116 ip4:137.158.154.166 ip4:137.158.154.117 ip4:137.158.154.165 a include:_netblocks.mimecast.com include:spf.protection.outlook.com ~all" uct.ac.za. 3600 IN TXT "MS=ms97433074" ;; Query time: 11 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Tue May 17 11:48:43 SAST 2016 ;; MSG SIZE rcvd: 378
Sample output for "up.ac.za" (2016/05/17)
; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt up.ac.za ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51005 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;up.ac.za. IN TXT ;; ANSWER SECTION: up.ac.za. 3600 IN TXT "google-site-verification=uZeP8pM4K0sBZNWCE4gAo8-gK4_WzH-nFuMRUlk4408" up.ac.za. 3600 IN TXT "MS=ms60833582" up.ac.za. 3600 IN TXT "v=spf1 ip4:137.215.0.0/16 mx ?all" ;; Query time: 22 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Tue May 17 11:50:04 SAST 2016 ;; MSG SIZE rcvd: 190
Using a "no-reply" email address for the system and an email address per journal as the "official" sender addresses
Step 1
To enable SPF for your federated domain you must FIRST add an "MX" record to your domain, so that the internet DNS servers know that your domain can receive email.
Step 2
To enable a full email system on the server, type the following in a terminal as the "root" sudo user;
sudo apt-get install tasksel
Then run the "tasksel" program as follows in a terminal;
tasksel
In the menu that appears select "Mail Server".
Step 3
For system mail to be managed, a no-reply system account needs to be created per federated system.
For example, for the "journals.ac.za" domain a "no-reply" email alias is created to deliver the "no-reply" email to the OJS system administrator, if needed.
See sample /etc/aliases file below;
# See man 5 aliases for format postmaster: root no-reply: hgibson@sun.ac.za
See sample OJS config below;
; Allow envelope sender to be specified ; (may not be possible with some server configurations) allow_envelope_sender = On ; Default envelope sender to use if none is specified elsewhere default_envelope_sender = no-reply@journals.ac.za ; Force the default envelope sender (if present) ; This is useful if setting up a site-wide noreply address ; The reply-to field will be set with the reply-to or from address. force_default_envelope_sender = On ; Enable attachments in the various "Send Email" pages. ; (Disabling here will not disable attachments on features that ; require them, e.g. attachment-based reviews) enable_attachments = On
Step 4
For each journal created, a local account must be created, so that email can be sent by the OJS system using this local account as the official send/recieve email address for that journal.
To add an account, follow the instructions below in a terminal;
adduser xxxx
Where xxxx is the acronym or abbreviation of the journal hosted... this is the "path" refered to in the OJS documentation.
So for the journal: http://www.journals.ac.za/index.php/sajev we type the following;
adduser sajev
Then when doing the journal configuration use the "sajev@journals.ac.za" email account in the journal configuration for sending emails.
Then for reading emails delivered to "sajev@journals.ac.za" add an email alias to send the emails to the journal manager.
For example;
# See man 5 aliases for format postmaster: root sajev: journal-manager@somedomain.whatever
Replace journal-manager@somedomain.whatever with a proper email address for the journal manager of that journal.
Then type "newaliases" as the "root" user to activate the new alias.
Notes for Stellenbosch University Library
For the single instance system used by Stellenbosch University Library, Step 4 above changes.
For the local instance only one email address is required.
For our situation we have chosen "manager" as the official send/recieve email address.
- For example
For the: http://sajlis.journals.ac.za journal we use manager@sajlis.journals.ac.za as the official send/recieve email address of the journal.
And there is an alias for the "manager" email account to send the email to the managers real email address.
Using GMail as the "official" sender
It is expected that most institutions will allow sending of emails from the gmail servers. To apply this on OJS, try the following;
References
- https://pkp.sfu.ca/wiki/index.php/PKP_Frequently_Asked_Questions#Emails_aren.27t_being_received_by_users.2C_or_I_am_encountering_Sender_Policy_Framework_.28SPF.29_validation_issues_on_sending_email.3B_what_should_I_do.3F
- http://www.unifiedemail.net/Tools/SPFParser
- http://www.openspf.org
- https://tools.ietf.org/html/rfc7208
