set up an email account #12

Closed
chadwhitacre opened this issue Mar 12, 2016 · 27 comments

@chadwhitacre
Contributor

A few instances have cropped up where having an email account for AspenWeb would be useful:

@chadwhitacre
Contributor Author

@Changaco Since Gratipay is managing registration and DNS for the aspen.io domain, would Liberapay be willing to manage email?

@Changaco
Member

Liberapay's email is currently hosted on my personal server, so I can easily add an account for Aspen. The tricky part would be sharing access to the mailbox, I haven't figured that out yet (liberapay/salon#11).

@chadwhitacre
Contributor Author

@Changaco Can you just forward [email protected] (or whatever) to yourself, @pjz and me?

@chadwhitacre
Contributor Author

Or we can share a password.

@Changaco
Member

Yes, I can easily forward an address. We can also share the password of course. I don't have a webmail set up at the moment though, I just use an IMAP client.

@chadwhitacre
Contributor Author

IMAP is fine with me. I use Gmail, which I'm pretty sure I've used as an IMAP client before.

@pjz

pjz commented Mar 12, 2016

I'd rather just have it be an alias that forwards to our individual e-mail addresses. Sharing a password can get dicey when adding or removing people.

@chadwhitacre
Contributor Author

@pjz The place where it becomes an issue is if we have to send using the address, for verification purposes or whatever. Probably uncommon enough to run that through @Changaco as needed.

@Changaco
Member

I've configured my server, but we need to configure aspen.io's DNS records before proceeding.

@chadwhitacre
Contributor Author

@Changaco What are the records to add?

@Changaco
Member

You need to modify the SPF and add an MX. Pointing both to changaco.oy.lc should work (syntax for SPF: v=spf1 include:changaco.oy.lc -all). You also have to drop the existing DKIM record (I don't have that set up yet).

@chadwhitacre
Contributor Author

@Changaco I'm not seeing a DKIM record. Are you referring to the DMARC record?

```
$ dig TXT aspen.io

; <<>> DiG 9.8.3-P1 <<>> TXT aspen.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5897
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aspen.io.                      IN      TXT

;; ANSWER SECTION:
aspen.io.               3600    IN      TXT     "v=DMARC1\; p=reject\; pct=100\; rua=mailto:[email protected]\; ruf=mailto:[email protected]"
aspen.io.               3600    IN      TXT     "v=spf1 -all"
aspen.io.               3600    IN      TXT     "ALIAS for aspen-io.herokuapp.com"

;; Query time: 59 msec
;; SERVER: 75.75.76.76#53(75.75.76.76)
;; WHEN: Tue Mar 15 11:54:27 2016
;; MSG SIZE  rcvd: 203

$
```

@Changaco
Member

@whit537 Yes, I meant the DMARC record, sorry.

@chadwhitacre
Contributor Author

@Changaco We're going to hear about it under #3 if we don't configure DMARC for aspen.io (that's why it's there now; see https://hackerone.com/reports/117159, pending public disclosure in a few days). How valuable is it to configure DMARC with just SPF?

@Changaco
Member

I'm not sure a DMARC record is actually useful, but I don't see how it could hurt, so if it saves us from receiving reports on HackerOne then let's do keep one I guess. We should also specify in the security policy that we don't want reports about DKIM not being set up, and hope researchers actually read all those boilerplate policies.

@chadwhitacre
Contributor Author

Alright, so what should our DMARC record be? :-)

@Changaco
Member

This should do the trick: v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

@chadwhitacre
Contributor Author

Done! The previous record was v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected], and it was misconfigured at aspen.io instead of at _dmarc.aspen.io. I've also updated our SPF record and set an MX record.

@Changaco How's it look?
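The misplacement described in the comment above can be checked mechanically. This is an added example, not code from the thread or from the Aspen project: it audits TXT records for a DMARC string published at the apex instead of `_dmarc.<domain>` and for an SPF record that authorizes no senders. The function names, the `zone` dictionary shape and the report address are assumptions; the record values are the ones quoted in the thread.

```python
def unescape(txt):
    # dig prints ';' inside TXT data as '\;'
    return txt.replace("\\;", ";").strip()

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    txt = unescape(txt)
    if not txt.startswith("v=DMARC1"):
        return None
    parts = (p.partition("=") for p in txt.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in parts if sep}

def spf_all(txt):
    """Return the 'all' term with its qualifier, '' if absent, None if not SPF."""
    terms = unescape(txt).lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return term if term[0] in "+-~?" else "+all"
    return ""

def audit(domain, zone):
    """zone maps owner name -> list of TXT strings (hypothetical input shape)."""
    findings = []
    apex = zone.get(domain, [])
    # Receivers query _dmarc.<domain>; a DMARC string at the apex is never read.
    if any(parse_dmarc(t) for t in apex):
        findings.append("dmarc-at-apex-ignored")
    policy = [d for d in map(parse_dmarc, zone.get("_dmarc." + domain, [])) if d]
    if len(policy) == 1:
        findings.append("dmarc-p=" + policy[0].get("p", "missing"))
    else:
        findings.append("no-effective-dmarc")
    spf = [t for t in apex if spf_all(t) is not None]
    if len(spf) != 1:
        findings.append("spf-records=%d" % len(spf))
    elif unescape(spf[0]).lower().split()[1:] == ["-all"]:
        findings.append("spf-authorizes-no-senders")
    else:
        findings.append("spf-all=" + (spf_all(spf[0]) or "none"))
    return findings

# Constructed from the records quoted in the thread; the rua address is a placeholder.
RUA = "rua=mailto:reports@example.invalid"
BEFORE = {"aspen.io": ["v=DMARC1\\; p=reject\\; pct=100\\; " + RUA,
                       "v=spf1 -all", "ALIAS for aspen-io.herokuapp.com"]}
AFTER = {"aspen.io": ["v=spf1 include:changaco.oy.lc -all"],
         "_dmarc.aspen.io": ["v=DMARC1; p=none; pct=100; " + RUA]}
```

Calling `audit("aspen.io", BEFORE)` reports that the `p=reject` policy was never in effect, while `audit("aspen.io", AFTER)` shows a single effective `p=none` policy and an SPF record ending in `-all`.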

@Changaco
Member

Looks good. I don't remember seeing an MX record with a priority of 0 before, I always use 10, but both are fine I guess.

I'm testing my setup now, working out issues in my forwarding script.

@chadwhitacre
Contributor Author

Cool. MX priority is used for sorting multiple MX records. The values are sorted numerically. The values need only be properly ordered relative to each other, there's no absolute meaning to them.

@Changaco
Member

I know, I was just pointing out that in my experience a value of zero is unusual. :-)

@Changaco
Member

So, my simple forwarding script works, but basically it's a stupid mailing list software, and MLs can mess up SPF/DKIM/DMARC, so emails might not always make it to your inboxes, but I'll have them in the team's inbox and my personal one, so we won't lose messages.

@chadwhitacre
Contributor Author

Works for me. !m @Changaco

@Changaco
Member

I've added your email addresses to the list, I'm sending a test message to [email protected], let me know if you get it.

@chadwhitacre
Contributor Author

@Changaco I got it. :-)

!m @Changaco

@Changaco
Member

I've added the following section to https://hackerone.com/aspen:

Known issues

We are aware that aspen.io's email infrastructure doesn't follow all best practices to the letter (e.g. DKIM isn't set up yet), and we ask you not to send us reports about missing best practices concerning email. However, reports of vulnerabilities are welcome.

@chadwhitacre
Contributor Author

!m @Changaco
