Technical Coordinators Meeting
Chris Bongaarts
Steve Siirila
July 13, 2005
Software Upgrades
  Lyris ListManager 8.8
  Procmail 3.22
  Apache (deployment in progress)
Enhancements
  Auto-whitelisting of MTAs (effective 6/14)
    – Applies only to MTAs blocked due to rDNS
    – Requires at least 1 request/grant transaction
    – Does NOT exempt MTA from DNSBLs
  Autoreply: optional effective start date (effective 6/16)
Enhancements
  Blocked mail reporting option (July)
    – User may select daily or weekly reports
    – Reports will be sent via at 6:15am
    – Covers previous 24 hour period (6am-6am) or 7 day period from Mon 6am - Mon 6am
New Blocking Options (proposed)
  Allow from:
    – All MTAs (No false positives (FP)!)
    – All but insecure, known spammers, and dynamic IP ranges (Few FP)
    – All but insecure, known spammers, dynamic, and bad rDNS (current default) (Some FP)
    – All but insecure, known spammers, suspected spammers, dynamic, and bad rDNS (More FP)
    – Local ( umn.edu ) MTAs only (No FP!)
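How the proposed "Allow from" options and the auto-whitelisting rule from the Enhancements slide could combine into one accept/refuse decision, as an added example that is not code from the presenters or from the mail system itself. The category names, option keys, `whitelisted_ips`, `decide` and the sample data are all constructed, and treating every category other than bad rDNS as DNSBL-driven is an assumption.

```python
# Added example: category names, option keys and sample data are constructed.
INSECURE, KNOWN, SUSPECTED, DYNAMIC, BAD_RDNS = (
    "insecure", "known_spammer", "suspected_spammer", "dynamic_ip", "bad_rdns")

# Categories each proposed "Allow from" option refuses.
OPTIONS = {
    "all": frozenset(),
    "few_fp": frozenset({INSECURE, KNOWN, DYNAMIC}),
    "current_default": frozenset({INSECURE, KNOWN, DYNAMIC, BAD_RDNS}),
    "more_fp": frozenset({INSECURE, KNOWN, SUSPECTED, DYNAMIC, BAD_RDNS}),
}

def whitelisted_ips(transactions):
    """IPs with at least one request that was later granted."""
    requested, granted = set(), set()
    for ip, event in transactions:
        if event == "request":
            requested.add(ip)
        elif event == "grant" and ip in requested:
            granted.add(ip)
    return granted

def decide(ip, categories, option, whitelist=frozenset(), local=False):
    """Return (accept, reasons) for one connecting MTA."""
    if option == "local_only":
        return (local, [] if local else ["not_local"])
    hits = OPTIONS[option] & set(categories)
    if ip in whitelist:
        # Auto-whitelisting lifts only the rDNS block; every other
        # category (assumed here to be DNSBL-driven) still applies.
        hits -= {BAD_RDNS}
    return (not hits, sorted(hits))

# Constructed sample data (documentation address ranges).
LOG = [("192.0.2.10", "request"), ("192.0.2.10", "grant"),
       ("198.51.100.7", "request"), ("198.51.100.7", "grant"),
       ("203.0.113.5", "request")]  # requested, never granted

if __name__ == "__main__":
    wl = whitelisted_ips(LOG)
    for ip, cats in [("192.0.2.10", {BAD_RDNS}),
                     ("198.51.100.7", {BAD_RDNS, DYNAMIC}),
                     ("203.0.113.5", {BAD_RDNS})]:
        print(ip, decide(ip, cats, "current_default", wl))
```

The second sample MTA stays blocked even though it is whitelisted, because its dynamic-IP listing is not an rDNS block.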
Inbox Auto-filing (proposed)
  Default selection criteria
    – Messages older than 90 days
    – Only mailboxes larger than 20MB
    – Messages appended to folder named “Archive/YYYY” where YYYY is the year of the archived message
  User-selectable options
    – Retention term ( days?)
    – Destination folder name/format
Departmental MTA Registration
  MTAs and other devices which are using the relay.tc.umn.edu service must register by 7/19 to guarantee uninterrupted service
  Send IP address, type of device, and contact information to
  As of 7/13, 383 IP addresses have been registered by 42 different departments
  Cannot be used from dynamic IP addresses!
Certificate-based SMTP Authentication (proposed)
  Would use client-side certificates to authenticate to the SMTP gateway ( smtp.umn.edu )
  Would allow departments to utilize central SMTP server from multiple servers regardless of their IP addresses
  Dynamic IP addresses would be allowed!
  Certificates would be available from Internet Services free of charge or from commercial CAs for a fee
Phase-out of clear-text passwords
  Working with technical coordinators to get users set up securely
  SSL roundtable discussions were held with technical coordinators on 7/7
  Non-SSL autoresponder available:
    – Checks current outgoing SMTP settings
    – Checks for recent non-SSL IMAP and POP
    – Mail to:
servers secured
  Pearl designated “warehouse” server
    – Uses cheaper (slower) disks
    – Designated server for newly-created and inactive users
  Aquamarine designated “insecure” server
    – For users not yet converted to an SSL-only configuration
    – Will continue to allow non-SSL IMAP/POP/FTP access through at least Aug 2005
  Garnet unchanged
  All other servers secured by 7/8
TELNET Usage
  70 unique TELNET users since 6/17
  Access will be shut off soon!
Central Auth Hub for Apache 2
  Mod_cookieauth2 3.0a1 available at
  ALPHA! Not actually tested, but compiles okay
  Special thanks to Will, Adam, and Chad
‘Till next month…
  Steve Siirila
  Chris Bongaarts