EPrints Technical Mailing List Archive

Message: #09244



Re: [EP-tech] Secure Mails via SMTP/Mail Auth on EPrints


Hi Martin,

I tend to install and configure Postfix and then just configure EPrints (i.e. leave the same in perl_lib/EPrints/SystemSettings.pm) to use 127.0.0.1.  This gives you much more flexibility when it comes to configuration.

I have been dealing with the greater DMARC enforcement that comes from using Outlook / Office 365 as your mail server.  My best advice is that you ask your organisation to register an SPF record for the specific domain of your server (e.g. for repository.example.org rather than example.org) and then use an email address like admin@repository.example.org.  You will need to get your organisation to create an email alias for this new address, but most IT departments are struggling to get all the entries they needed into their SPF records for their main domain (no more than 10 lookups / 9 includes are allowed), so if you can use a different domain, they are happy to set this up as it saves them a headache.

An SPF record for your repository's domain would look something like:

repository.example.org.            28800   IN      TXT     "v=spf1 ip4:1.2.3.4 ~all"

Regarding Postfix, there is plenty of guidance for Postfix's configuration on its website:

https://www.postfix.org/BASIC_CONFIGURATION_README.html

However, if you set up an SPF record for your repository's domain and use an aliased email address to send email, then you can probably get away with the standard configuration.  If not, you may need to look into setting up DKIM [1], if your institution enforces stricter DMARC enforcement.

One thing I have been working on for the next release of EPrints [2] is to split up adminemail so there can be a separate email address for sending email.  So you may end up with a config something like:

$c->{adminemail} = 'admin@example.org';
$c->{senderemail} = 'NO-REPLY@nodmarc.example.org';

Here, if the senderemail address domain does not have DMARC enforcement, then you can happily send emails from it without them being dropped/quarantined, but the footer of these emails will still include the adminemail in the email footer signature, if the recipient needs to email someone.  In some cases I have also configured the reply-to address so the recipient can even hit reply on the email and it will go to the adminemail rather than the black hole, which is the senderemail.

Regards

David Newman

[1] https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[2] https://github.com/eprints/eprints3.4/issues/256

On 21/03/2023 9:41 am, Martin Brändle via Eprints-tech wrote:

Dear all,

Because of an enforced change to an Outlook / Office 365 mail server at our institution, SMTP-based mails out of our EPrints repo may soon see the end.

Has anybody a recipe how to configure mail within EPrints to use an Outlook / Office 365 mail server with some sort of authentication?

E.g. for a platform based on Open Journal Systems we do have the option to configure the following parameters:

Server name
Port
Auth mechanism (e.g. SSL, TLS)
Username (for central sender)
Password
Auth type (e.g. RAM-MD5, LOGIN, PLAIN, XOAUTH2)
If OAUTH, client secret, id, token
default_envelope_sender
force_default_envelope_sender
DMARC compliance

Kind regards,

Martin

--
Dr. Martin Brändle
Zentrale Informatik
Universität Zürich
Stampfenbachstr. 73
CH-8006 Zürich
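
The SPF lookup limit mentioned in the reply above can be checked before a record is published. The following is an added example, not part of the original messages or of EPrints: it counts the DNS-querying terms (include, a, mx, ptr, exists, redirect) that RFC 7208 section 4.6.4 caps at 10 per evaluation. The ZONE table is constructed sample data standing in for live TXT lookups, and macros in include targets are assumed absent.

```python
# Added example: offline count of DNS-querying SPF terms (RFC 7208, 4.6.4).
# ZONE is constructed sample data; every name except the thread's
# repository.example.org record is hypothetical.
ZONE = {
    "example.org": "v=spf1 include:_spf.mail.example.net "
                   "include:lists.example.net include:crm.example.net a mx ~all",
    "_spf.mail.example.net": "v=spf1 include:a.mail.example.net "
                             "include:b.mail.example.net include:c.mail.example.net -all",
    "a.mail.example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.mail.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "c.mail.example.net": "v=spf1 ip6:2001:db8::/32 -all",
    "lists.example.net": "v=spf1 mx exists:%{i}.rbl.example.net -all",
    "crm.example.net": "v=spf1 redirect=_spf.crm.example.net",
    "_spf.crm.example.net": "v=spf1 a:out.crm.example.net ip4:203.0.113.7 -all",
    "repository.example.org": "v=spf1 ip4:1.2.3.4 ~all",
}
LOOKUP_LIMIT = 10


def count_lookups(domain, zone, path=frozenset()):
    """Return how many DNS-querying terms evaluating domain's SPF record uses."""
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    path = path | {domain}  # per-branch path, so repeated siblings still count
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, path)
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" are still a/mx
        if name == "include":
            total += 1 + count_lookups(arg, zone, path)
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1  # ip4, ip6 and all need no DNS query
    return total


def check(domain, zone=ZONE):
    """Return (lookup count, True if within the RFC limit)."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("example.org", "repository.example.org"):
        print(d, check(d))
```

With this sample data the crowded main domain exceeds the limit, while the dedicated repository subdomain record from the reply uses no lookups at all.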

 

 

