start using tails.net for e-mail
E-mails from boum.org are getting rejected because we don't have DMARC there and it's a pain to set up without access to the domain name. Let's use our fancy tails.net name instead and do mail properly.
Given that we now have the chance to start fresh without wonky mail routing, I propose we set up a dedicated VM for this on a machine outside of lizard, and preferably outside of that colo, just so mail will still work if nearly everything else fails. We'd need a VM with at least 2GB RAM, its own IP, and the possibility to set reverse DNS from a trusted provider.
In terms of functionality, I propose we set up:
- relay/smarthost functionality for nodes inside our VPN using tails.net
- full DMARC shizzle, MTA-STS, and DANE
- schleuder lists running under tails.net
To slowly migrate our schleuder lists, we can for every boum.org schleuder list create a tails.net one, move the subscribers to the new list, and subscribe the old list to the new one.
Note: For S11, this fits in:
- B.2 - Keep our infrastructure up-to-date and secure: Being able to control our email domain makes it easier for us to implement domain-based authentication techniques such as SPF, DKIM and DMARC, which helps with SPAM filtering and delivery in the email ecosystem.