[Announcement] Upcoming changes to GNOME's mail infrastructure

Hi,

during early November the following changes will be applied to GNOME’s mail infrastructure:

  1. SPF records will be made more strict and outgoing email for any @gnome.org e-mail will have to transit over GNOME’s mail servers

  2. DKIM will be introduced to sign emails originating from a @gnome.org alias

  3. @gnome.org alias owners will have to change their mail client configuration to use GNOME mail servers as their SMTP server with authentication defaulting to their GNOME account credentials

There will be another communication from our side with an exact list of modifications you will need to apply to comply with the above changes. As a friendly reminder, all the mailing lists hosted on mail.gnome.org (with the exception of l10n lists, which are undergoing a set of code changes on damned-lies) will be retired at the end of October 2022. Please see [1].

Thanks,

[1] https://mail.gnome.org/archives/desktop-devel-list/2022-September/msg00018.html


These changes will be applied on the 24th of November 2022. Another communication will happen with an exact list of changes that are required from a mail client perspective.

This maintenance is complete, please see Infrastructure/MailAliasPolicy - GNOME Wiki! for instructions on how to properly configure your mail client in order to send mails via your @gnome.org alias.

Thank you for doing this security change for GNOME’s mail infrastructure.

I welcome it,

Evolution gives me “Error performing TLS handshake: An unexpected TLS packet was received.” Evolution 3.44.4, GNOME 42, Fedora 36. I’ve successfully sent thru smtp.gnome.org using the built-in Email app on my phone. I’ve been unsuccessful with K9 Mail on my tablet, but it gives an even less useful error than Evolution.

@shaunm can you please try with port 587 + STARTTLS after connection on Evo?

STARTTLS does work, thanks! And the same change worked for K9 Mail on Android.

(But note that STARTTLS is not secure, so don’t leave it like that.)

I gave up after attempting to follow the instructions for Geary several times. Geary doesn’t even give any error message when it fails to accept the new settings, so not much to go on.

If I really cared then I might investigate further, but the email alias is more a nice to have than an important required thing, so I’ll move on for now…

I tried configuring Geary following the instructions on the wiki, but it seems that they guide me to change the SMTP server for all email from one of my accounts, which seems undesirable. (And also, impossible for my Google account that comes from GOA.)

I also tried creating a regular account for the @gnome.org address and failed because an incoming server is required – perhaps this is where you got stuck, Michael?

My conclusion is that it is not possible to configure Geary to send mail from wjt@gnome.org via smtp.gnome.org but otherwise use my normal SMTP server.


I also tried following the Gmail steps on that same wiki page, and failed due to the configuration of Endless’s Google domain.


The relevant admin setting appears to be Admin Console → Apps → Google Workspace → Gmail → End user access → Allow per-user outbound gateways.


The Evolution instructions worked once I selected “STARTTLS after connecting” rather than “TLS on a dedicated port”, otherwise I got the same error as Shaun. Michael says above that this is insecure, so I’ve not updated the wiki, but it is the only working setting…

I also tried creating a regular account for the @gnome.org address and failed because an incoming server is required – perhaps this is where you got stuck, Michael?

Nah, I don’t mind using smtp.gnome.org for all outgoing mail. I’d need to figure out how to configure my personal domain’s SPF record to allow it, but that shouldn’t be hard. Where I get stuck is here:

At least there’s an error message now, albeit not a very useful one. Yesterday, it was not showing this error message.

STARTTLS would be insecure with smtpd_tls_security_level=may, NOT with smtpd_tls_security_level=encrypt, as we force the client to upgrade its connection to a secured one or Postfix just refuses to accept mail delivery. Please see https://www.postfix.org/postconf.5.html#smtpd_tls_security_level.
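As an added example (not part of this thread and not GNOME's own tooling), the client-side check a mail-client user can run to confirm the behaviour described above: a submission server in `encrypt` mode must reject `MAIL FROM` with a 5xx reply while the session is still plaintext, whereas `may` mode accepts it. The local fake server is a constructed stand-in so the check can be exercised offline; the hostnames and sender address are placeholders.

```python
import smtplib
import socket
import threading


def plaintext_mail_refused(host: str, port: int, timeout: float = 10.0) -> bool:
    """Return True when the server offers STARTTLS and rejects MAIL FROM
    while the session is still unencrypted (Postfix
    smtpd_tls_security_level=encrypt answers 530 here). Returns False
    when plaintext mail would be accepted (the "may" behaviour) or when
    STARTTLS is not offered at all. No message is sent: the probe stops
    after the MAIL FROM reply and the sender address is a placeholder."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        code, _ = smtp.mail("probe@example.invalid")  # still plaintext here
        return 500 <= code < 600


def fake_submission_server(enforce_tls: bool) -> int:
    """Constructed stand-in for a submission server (not a real MTA), bound
    to 127.0.0.1 so the check above runs offline. enforce_tls=True mimics
    'encrypt', False mimics 'may'. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 fake.invalid ESMTP\r\n")
        for line in rfile:
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                conn.sendall(b"250-fake.invalid\r\n250 STARTTLS\r\n")
            elif cmd.startswith(b"MAIL FROM") and enforce_tls:
                conn.sendall(b"530 5.7.0 Must issue a STARTTLS command first\r\n")
            elif cmd.startswith(b"QUIT"):
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"250 2.0.0 Ok\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real submission server, call `plaintext_mail_refused("smtp.example.invalid", 587)` with your own host; a `True` result means the server refuses to take mail until the session has been upgraded.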

Amazing, that’s great!