Differences in Revisions: Postmaster information

Older Revision
January 4 at 3:50 pm
»
Newer Revision
January 4 at 4:07 pm
add proactive whitelisting and further readings
# Postmaster information
Most likely you are visiting this page due to issues with our mail systems. Please refer to the information below for help, and contact [postmaster@ipfire.org](mailto:postmaster@ipfire.org) _only_ if your question was not answered.
 
## Mail servers
| IP address | FQDN and PTR | Location |
|:---|:---|:---:|
| `81.3.27.42` | `mail01.ipfire.org` | Hanover, DE |
| `2001:678:b28::25` | `mail01.ipfire.org` | Hanover, DE |
 
## Message size limit
Our mail infrastructure processes up to 100 MiB per message. Please consider alternate submission channels (mirror, rsync, ...) for bigger files.
 
## Transport encryption
Our mail servers support transport encryption via `STARTTLS` using `TLSv1` to `TLSv1.3` (preferred), with opportunistic [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) support enabled. A certificate is presented in both the SMTP server and the SMTP client role and can be validated using DANE. `ipfire.org` is DNSSEC-signed.
 
For interoperability reasons, a relaxed cipher suite is currently deployed for both SMTP server and client, as some mail servers lack support for modern cryptography. We plan to enforce [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) and `TLSv1.2` or better for destinations with DANE information available.
 
## Acceptable Use Policy
Our mail infrastructure applies the following criteria to both incoming and outgoing messages (the first criterion excepted) and refuses to deliver mail that violates any of them:
 
1. A message must not be delivered from an IP address listed at common RBLs, such as [Spamhaus](https://www.spamhaus.org/). This includes IP ranges used for dial-up purposes. The choice of RBLs was made based on [eco e.V. recommendations (German only)](https://www.eco.de/wp-content/uploads/2015/11/auswahl-einer-dnsbl.pdf).
2. A message must not contain URLs whose FQDN is listed at common URIBLs, e.g. for hosting malware or phishing sites.
3. A message must not have attachments with double file extensions such as `document.pdf.exe`.
4. A message must not have nested archive attachments, which are often abused for bypassing AV scanners. Compress the stuff you want to send _once_, and consider changing compression algorithm if the size does not fit afterwards.
5. A message must not have encrypted archive attachments. Use GPG or S/MIME instead.
6. A message must not have attachments (or archives containing items) with file extensions as follows:
- `ade` (Microsoft Access Project Extension)
- `adp` (Microsoft Access Project)
- `asx` (Windows Media Audio/Video)
- `bas` (Microsoft Visual Basic class module)
- `bat` (batch file)
- `cmd` (Microsoft Windows NT Command Script)
- `com` (MS-DOS executable file)
- `cpl` (system control file)
- `exe` (executable file)
- `hlp` (Microsoft Help file)
- `hta` (HTML program)
- `inf` (setup information)
- `ins` (Internet Naming Service)
- `isp` (Internet Communication Settings)
- `js` (JavaScript file)
- `jse` (JavaScript encoded file)
- `msc` (Microsoft Console Program)
- `msi` (Microsoft Installation Package)
- `msp` (Microsoft Installation Patch)
- `mst` (Microsoft Installation Program or Visual Test Source file)
- `pcd` (Photo CD file or Visual compiled script)
- `pif` (MS-DOS Shortcut)
- `prf` (Microsoft Outlook Profile file)
- `scf` (Windows Explorer file)
- `scr` (Microsoft Screensaver program)
- `sct` (Windows Script File)
- `shb` (Shell Scrap File)
- `shs` (Shell Scrap Object)
- `vb` (VBScript file)
- `vbe` (encoded VBScript file)
- `vbs` (VBScript file)
- `vsmacros` (Visual Studio .NET binary-based macro project)
- `vss` (Visio Stencil)
- `vst` (Visio Template)
- `vsw` (Visio Workspace file)
- `ws` (Windows Script file)
- `wsc` (Windows Script component)
- `wsf` (Windows Script file)
- `wsh` (Windows Scripting Host settings)
7. The delivering IP address must have a PTR record set, and the name it points to must resolve back to that same IP address.
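
A sender-side pre-flight check for the attachment rules (3 to 6) above. This is an added example, not the filter IPFire runs: the `BLOCKED` set is a shortened subset of the rule 6 list, only ZIP archives are inspected, and "double extension" is interpreted here as an extra extension in front of a blocked one.

```python
import io
import zipfile
from email.message import EmailMessage

BLOCKED = {"bat", "cmd", "com", "exe", "hta", "js", "msi", "scr", "vbs", "wsf"}  # rule 6 subset

def check_name(name):
    """Rules 3 and 6 for a single file name."""
    parts = name.lower().split("/")[-1].split(".")
    hits = []
    if len(parts) > 1 and parts[-1] in BLOCKED:
        hits.append(f"rule 6: blocked extension in {name}")
        if len(parts) > 2:  # assumption: an extra extension before a blocked one
            hits.append(f"rule 3: double extension in {name}")
    return hits

def check_zip(data, name):
    """Rules 4, 5 and 6 for the members of a ZIP attachment."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0 marks an encrypted member
                hits.append(f"rule 5: encrypted member in {name}")
            if info.filename.lower().endswith(".zip"):
                hits.append(f"rule 4: nested archive in {name}")
            hits += check_name(info.filename)
    return hits

def check_message(msg):
    """Return the policy violations found in a message's attachments."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits += check_name(name)
        if name.lower().endswith(".zip"):
            hits += check_zip(part.get_payload(decode=True), name)
    return hits

def sample():
    """Constructed message: clean PDF, double extension, ZIP holding a ZIP."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", b"PK")  # only the member name matters here
        zf.writestr("setup.exe", b"MZ")
    msg = EmailMessage()
    msg.set_content("see attachments")
    files = ((b"%PDF", "report.pdf"), (b"MZ", "document.pdf.exe"), (outer.getvalue(), "bundle.zip"))
    for data, name in files:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

`check_message(sample())` reports four violations: rules 6 and 3 for `document.pdf.exe`, then rules 4 and 6 for the members of `bundle.zip`.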
 
## Proactive whitelisting
Our mail servers are covered by [ID 58468](https://www.dnswl.org/s/index.pl?s=58468) at [DNSWL.org](https://www.dnswl.org/). We strive to keep their reputation good, and we also honor DNSWL listings of SMTP clients in order to reduce false positives.
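
A way for a sending postmaster to test their own IP address against rule 1, rule 7 and the DNSWL lookup described above. This is an added example, not IPFire's code. The page does not name the zones its servers query, so `zen.spamhaus.org` and `list.dnswl.org` (those services' public zones) are assumptions, and the `192.0.2.x` records are constructed so the check runs offline.

```python
import ipaddress
import socket

def dnsxl_name(ip, zone):
    """DNSBL/DNSWL query name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return rev.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def system_ptr(ip):
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(name):
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Rule 7: a PTR name of `ip` must resolve back to `ip` itself."""
    target = ipaddress.ip_address(ip)  # parsed, so IPv6 spellings compare equal
    names = ptr(ip)
    for name in names:
        if any(ipaddress.ip_address(a) == target for a in forward(name)):
            return True, name
    return False, names[0] if names else None

def listed(ip, zone, forward=system_forward):
    """Answers for `ip` in a DNS list zone; an empty set means not listed.
    Spamhaus 127.255.255.x answers are error codes, not listings."""
    answers = forward(dnsxl_name(ip, zone))
    return {a for a in answers if not a.startswith("127.255.255.")}

# Constructed records; the mail01 rows mirror the mail server table above.
SAMPLE_PTR = {"81.3.27.42": ["mail01.ipfire.org"],
              "2001:678:b28::25": ["mail01.ipfire.org"],
              "192.0.2.10": ["host.example.net"]}
SAMPLE_FWD = {"mail01.ipfire.org": {"81.3.27.42", "2001:678:b28:0:0:0:0:25"},
              "host.example.net": {"192.0.2.99"},
              "10.2.0.192.zen.spamhaus.org": {"127.0.0.10"}}
fake_ptr = lambda ip: SAMPLE_PTR.get(ip, [])
fake_fwd = lambda name: SAMPLE_FWD.get(name, set())

if __name__ == "__main__":
    for ip in ("81.3.27.42", "2001:678:b28::25", "192.0.2.10", "192.0.2.11"):
        print(ip, fcrdns(ip, fake_ptr, fake_fwd), listed(ip, "zen.spamhaus.org", fake_fwd))
```

Called without the `fake_*` arguments, the functions use the system resolver.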
 
## Further readings
- [Spamhaus: A Survival Guide for the Small Mail Server](https://www.spamhaus.org/news/article/719/a-survival-guide-for-the-small-mail-server)
- [Internet.nl results for IPFire's mail infrastructure](https://internet.nl/mail/ipfire.org/)
- [DANE SMTP Validator](https://dane.sys4.de/)
- [Hardenize](https://www.hardenize.com/)