E-mail Technical E-mail Technical Coordinators MeetingCoordinators Meeting

Chris BongaartsChris Bongaarts

Steve SiirilaSteve Siirila

June 8, 2005

Internet ServicesInternet Services

Directory LookupDirectory Lookup Directory ManagementDirectory Management AuthenticationAuthentication E-mailE-mail World Wide Web HostingWorld Wide Web Hosting CalendaringCalendaring U CardU Card Many others!Many others!

Directory Lookup Directory Lookup ServicesServices Web Lookup (Web Lookup (

www.umn.edu/lookupwww.umn.edu/lookup)) LDAP (LDAP (ldap.umn.eduldap.umn.edu)) PHPH FingerFinger GopherGopher WhoisWhois

Directory ManagementDirectory Management

Directory Update Tools (Directory Update Tools (www.umn.edu/dirtoolswww.umn.edu/dirtools))– Account InformationAccount Information– Credentials ManagementCredentials Management– E-mail SettingsE-mail Settings– E-mail Storage UsageE-mail Storage Usage– Blocked E-mail Display/ManagementBlocked E-mail Display/Management– Other (URL, U Card, Modem Pool, UMCal)Other (URL, U Card, Modem Pool, UMCal)

Departmental Directory Population (e.g. Departmental Directory Population (e.g. AD)AD)

Authentication Authentication ServicesServices CAH (Central Authentication Hub)CAH (Central Authentication Hub) Radius (Modem Pool, Wireless, Radius (Modem Pool, Wireless,

etc.)etc.) KerberosKerberos Authen (Internal)Authen (Internal) Shibboleth (Future)Shibboleth (Future)

E-mail ServicesE-mail Services

E-mail Services (E-mail Services (user@umn.eduuser@umn.edu))– Inbound (IMAP/POP) Inbound (IMAP/POP)

((username.email.umn.eduusername.email.umn.edu))– Outbound (SMTP)Outbound (SMTP)

Authenticated (Authenticated (smtp.umn.edusmtp.umn.edu)) Smart Relay, IP-based permission Smart Relay, IP-based permission

((relay.tc.umn.edurelay.tc.umn.edu))

Bulk/List E-mail Bulk/List E-mail ServicesServices Listserv (Listserv (lists.umn.edulists.umn.edu))

– Traditional discussion list serviceTraditional discussion list service Lyris (Lyris (ecommunication.umn.eduecommunication.umn.edu))

– AnnouncementsAnnouncements– Marketing CampaignsMarketing Campaigns– Link click-through trackingLink click-through tracking

World Wide Web World Wide Web Hosting ServicesHosting Services Web Hotel (Web Hotel (www1.umn.edu)www1.umn.edu)

– Lightweight service (HTML, CGI, PHP)Lightweight service (HTML, CGI, PHP)– Fee for serviceFee for service– Free virtual host redirectionFree virtual host redirection– JAWS offers more advanced hostingJAWS offers more advanced hosting

Personal Web (Personal Web (www.tc.umn.eduwww.tc.umn.edu))– CGI for interactive users, HTML only for CGI for interactive users, HTML only for

non-interactivenon-interactive– Free with all central accountsFree with all central accounts

Other ServicesOther Services

Calendaring (UMCal) Calendaring (UMCal) ((umcal.umn.eduumcal.umn.edu))

U Card IssuanceU Card Issuance SSL Server CertificatesSSL Server Certificates USENET Newsgroups USENET Newsgroups

((news.umn.edunews.umn.edu)) Internet Relay Chat (IRC) Internet Relay Chat (IRC)

((irc.umn.eduirc.umn.edu))

Now, on with the Now, on with the show…show…

Virus DetectionVirus Detection

Virus definition updates missed for Virus definition updates missed for some inbound and outbound serverssome inbound and outbound servers

Affected 1 of 3 inbound servers from Affected 1 of 3 inbound servers from April 16April 16thth to June 6 to June 6thth (Note: spam (Note: spam blocking generally blocks most blocking generally blocks most viruses) viruses)

Affected 2 of 3 outbound servers Affected 2 of 3 outbound servers from April 16from April 16thth to June 6 to June 6thth

Problem has been correctedProblem has been corrected

Hardware UpgradesHardware Upgrades

E-mail serversE-mail servers– Two Sun V890’s will replace four Two Sun V890’s will replace four

V440’sV440’s– Phased in over summerPhased in over summer

Directory serversDirectory servers– Four Dual-CPU Sun V210 servers to Four Dual-CPU Sun V210 servers to

support new Aphelion directorysupport new Aphelion directory– Will eventually handle load of current Will eventually handle load of current

single-CPU V210’ssingle-CPU V210’s

Inbox Auto-filing Inbox Auto-filing (proposed)(proposed) Default selection criteriaDefault selection criteria

– Messages older than 90 daysMessages older than 90 days– Only mailboxes larger than 20MBOnly mailboxes larger than 20MB

User-selectable optionsUser-selectable options– Retention term (14-365 days?)Retention term (14-365 days?)– Tool to archive on-demand by Tool to archive on-demand by

message age and/or sizemessage age and/or size

E-mail Enhancements E-mail Enhancements (mid-June)(mid-June) Auto-whitelisting of MTAsAuto-whitelisting of MTAs

– Applies only to MTAs blocked due to rDNSApplies only to MTAs blocked due to rDNS– Requires at least 1 request/grant Requires at least 1 request/grant

transactiontransaction– Does NOT exempt MTA from DNSBLsDoes NOT exempt MTA from DNSBLs

Blocked mail reporting optionBlocked mail reporting option– User may select daily or weekly reportsUser may select daily or weekly reports– Reports will be sent via e-mail at 6:15amReports will be sent via e-mail at 6:15am– Covers previous 24 hour period (6am-6am) Covers previous 24 hour period (6am-6am)

or 7 day period from Mon 6am - Mon 6am or 7 day period from Mon 6am - Mon 6am Autoreply: optional effective start dateAutoreply: optional effective start date

Messages Blocked By Reason (Past 12 Months)

0

2,000,000

4,000,000

6,000,000

8,000,000

10,000,000

12,000,000

5/3

5/24

6/14

7/05

7/26

8/16

9/06

9/27

10/1

811

/08

11/2

912

/20

01/1

001

/31

02/2

103

/14

04/0

404

/25

05/1

606

/06

Week Ending

Nu

mb

er

of

Me

ss

ag

es

Blo

ck

ed

Spamsource

Dynamic

Insecure

DNS

Bad mailfrom

Spam/Virus Blocking by Reason (May 9 - June 5)

3,033,17515.59%

4,1920.02%

12,789,96265.76%

1,142,7905.88%

2,479,97312.75%

Spam source

Dynamic

Insecure

DNS

Bad mail from

Incoming Email Statistics (Past 12 Months)

0

500,000

1,000,000

1,500,000

2,000,000

2,500,000

3,000,000

3,500,000

4,000,000

4,500,000

5,000,000

2004

0503

2004

0531

2004

0628

2004

0726

2004

0823

2004

0920

2004

1018

2004

1115

2004

1213

2005

0110

2005

0207

2005

0307

2005

0404

2005

0502

2005

0530

Week Ending

Nu

mb

er

of

Me

ss

ag

es

Accepted

User allows allemailPermitted

perm local only

Blocked

Blocked local

Relay denied

Unknown user

User inactive

Pre-init user

Temporary error

Incoming Email Statistics (May 9 - June 5)

User allows all email1%

Other1%

Temporary error1%

Accepted23%

Unknown user34%

Blocked40%

Departmental MTA Departmental MTA RegistrationRegistration MTAs and other devices which are using MTAs and other devices which are using

the the relay.tc.umn.edurelay.tc.umn.edu service must service must register to guarantee uninterrupted register to guarantee uninterrupted serviceservice

Send IP address, type of device, and Send IP address, type of device, and contact information to contact information to isgroup@umn.eduisgroup@umn.edu

As of 6/7, 259 IP addresses have been As of 6/7, 259 IP addresses have been registered by 24 different departmentsregistered by 24 different departments

Cannot be used from dynamic IP Cannot be used from dynamic IP addresses!addresses!

Phase-out of clear-text Phase-out of clear-text passwordspasswords General mailings went out over the General mailings went out over the

past 3 weeks to about 15,000 userspast 3 weeks to about 15,000 users Mailings to technical coordinators Mailings to technical coordinators

went out prior to the general mailingswent out prior to the general mailings Non-SSL autoresponder available:Non-SSL autoresponder available:

– Checks current outgoing SMTP settingsChecks current outgoing SMTP settings– Checks for recent non-SSL IMAP and POPChecks for recent non-SSL IMAP and POP– Mail to: Mail to: ssl-test@umn.edussl-test@umn.edu

Clear-text password Clear-text password phase-out timelinephase-out timeline June 8June 8thth

– Pearl becomes “warehouse” serverPearl becomes “warehouse” server Uses cheaper (slower) disksUses cheaper (slower) disks Designated server for inactive usersDesignated server for inactive users Allows secure IMAP/POP/FTP access onlyAllows secure IMAP/POP/FTP access only

– Move inactive users to Pearl dailyMove inactive users to Pearl daily– Move newly-active users off Pearl Move newly-active users off Pearl

dailydaily

Clear-text password Clear-text password phase-out timeline phase-out timeline (cont)(cont) June 10June 10thth

– Aquamarine becomes “insecure” serverAquamarine becomes “insecure” server Designated server for users not yet converted Designated server for users not yet converted

to an SSL-only configurationto an SSL-only configuration Will continue to allow non-SSL IMAP/POP/FTP Will continue to allow non-SSL IMAP/POP/FTP

access through at least Aug 2005access through at least Aug 2005

– Begin moving “secure” users off (ongoing)Begin moving “secure” users off (ongoing)– Begin moving “insecure” users onBegin moving “insecure” users on– New users NOT created on AquamarineNew users NOT created on Aquamarine

Clear-text password Clear-text password phase-out timeline phase-out timeline (cont)(cont) Mid-July 2005Mid-July 2005

– All servers (except Aquamarine) no All servers (except Aquamarine) no longer allow insecure IMAP/POP/FTP longer allow insecure IMAP/POP/FTP accessaccess

August 2005August 2005– Aquamarine becomes secure-only Aquamarine becomes secure-only

and is no longer special-casedand is no longer special-cased

POP users (Apr 4 - May 1)

Non-SSL11,445

59%

SSL8,08141%

POP users (May 9 - June 5)

SSL9,09747%Non-SSL

10,23053%

IMAP users (Apr 4 - May 1)

Non-SSL3,39826%

SSL9,73674%

IMAP Users (May 9 - June 5)

Non-SSL3,06423%

SSL10,018

77%

SMTP Gateway Usage (Jan 1 - Jun 5)

0

5,000

10,000

15,000

20,000

25,0001

/3

1/1

0

1/1

7

1/2

4

1/3

1

2/7

2/1

4

2/2

1

2/2

8

3/7

3/1

4

3/2

1

3/2

8

4/4

4/1

1

4/1

8

4/2

5

5/2

5/9

5/1

6

5/2

3

5/3

0

6/6

Week Ending

Nu

mb

er

of

Us

ers

Non-Auth

Auth

FTP Users (Jan 1 - June 6)

0

100

200

300

400

500

600

700

800

900

20050103

20050117

20050131

20050214

20050228

20050314

20050328

20050411

20050425

20050509

20050523

20050606

Week Ending

Nu

mb

er

of

Us

ers

Kerberos Kerberos Authentication ServiceAuthentication Service Now in production use by the new Now in production use by the new

Active Directory projectActive Directory project Contact Contact isgroup@umn.eduisgroup@umn.edu if you if you

are interested in exploring use of are interested in exploring use of Kerberos for authenticationKerberos for authentication

Listserv UpgradeListserv Upgrade

Listserv upgraded to version 14.3Listserv upgraded to version 14.3– Security fixes for Web interfaceSecurity fixes for Web interface– Web interface performance Web interface performance

improvementsimprovements– Anti-spam: Lists can be made to require Anti-spam: Lists can be made to require

confirmation for non-member messagesconfirmation for non-member messages– 72 new "message templates“ allow for 72 new "message templates“ allow for

more customization of system more customization of system messagesmessages

– http://www.lsoft.com/manuals/1.8e/relnhttp://www.lsoft.com/manuals/1.8e/relnotes/LISTSERV14.3-Release-Notes.htmlotes/LISTSERV14.3-Release-Notes.html

Message Management Message Management Platform (MMP) 1.1 Platform (MMP) 1.1 UpgradeUpgrade Test Aphelion Directory fully Test Aphelion Directory fully

populated and updated in real-timepopulated and updated in real-time Testing of directory and messaging Testing of directory and messaging

components continuescomponents continues New directory will run in parallel with New directory will run in parallel with

existing directory for several monthsexisting directory for several months Finalizing licensing with vendor (BT)Finalizing licensing with vendor (BT)

‘‘Till next month…Till next month…

Steve SiirilaSteve Siirila sfs@umn.edusfs@umn.edu 612-626-0244612-626-0244

Chris BongaartsChris Bongaarts cab@umn.educab@umn.edu 612-625-1809612-625-1809