RACE: Electronic Mail Service Quality Certification
As we know, electronic mail (e-mail) is one of the most important services a Computer Department provides to the users of its system. The RedIRIS RACE Initiative was born to promote good-quality e-mail services within the Spanish academic and scientific network. As we are integrated into RedIRIS, we have prepared the Calar Alto e-mail service to meet the requirements for obtaining this important quality certification. We are conscious of the importance of the e-mail service to our Institution, and we are trying to give the best service quality to all our users.
For this reason, since 2003 we worked to build a totally new e-mail service from scratch, in order to meet all the requirements for the certification. In June 2005 we obtained the RACE Medium level certification, and in September 2008 we upgraded it to the new RACEv2 Advanced one, which is the maximum RACEv2 certification level.
As stated on the RACEv2 page, there are three certification levels: Basic, Medium and Advanced. Please do not be confused by the term 'Basic'. As discussed within RedIRIS, this is not a good name, and it could cause some confusion. It could probably be changed in the future. Do not think of 'Basic' as a pejorative term. In fact, every institution holding the RACE Basic Level provides an excellent e-mail service quality. The Basic Level includes all the important criteria and security measures for a guaranteed e-mail service. The Medium and Advanced levels obviously include all the requirements of the Basic level, plus some extra added value in the service.
To let you know about the important criteria that must be met for this certificate to be granted, I'll explain them here. You, as a Calar Alto e-mail user, will have all the security measures and all the services shown below when using the e-mail system. As stated above, obtaining the Advanced Level also involves meeting all the requirements for the Basic and Medium Levels, together with some extra quality and security measures:
1. Port 25 (SMTP) access control for both incoming and outgoing traffic. Only one computer is allowed to send and receive mail. All other computers have to designate that machine as their main e-mail server.
2. Anti-relay rules. We serve e-mail only for the Calar Alto network. The IP addresses for this service are clearly defined, and those addresses are the only ones with rights to use our e-mail server. Only those clearly defined addresses can establish an SMTP session with our server. We will not accept e-mail coming from outside the Calar Alto network and going to outside the Calar Alto network. There are two RFCs with recommendations on this: RFC2505 and RFC2635.
3. NTP synchronization. Our server is synchronized to UT (Universal Time).
4. Anti-virus. We run two anti-virus engines on both incoming and outgoing connections. The postmaster is informed about viruses entering Calar Alto from outside and also about viruses going out from an internal computer. The first case, viruses coming from outside, is a normal situation. In the majority of cases, the sender will not be informed. But being notified about internal computers trying to send viruses is also very important, as in this way we can detect infected internal machines.
5. We observe a strict log file policy. We do not save sensitive information, but we do save all the normal transaction information for e-mail. In this way, we can look for problems.
6. Our mail server has inverse resolution. See RFC3172.
7. We offer a Webmail service for our users over an SSL (Secure Sockets Layer) connection. This is essential for all our users connecting from outside Calar Alto. All their transactions will be encrypted.
8. The message limit is set to 100Mb.
9. We also have a list service. You can ask our mailman which lists we have and which users are subscribed. There are some internal department lists to which you can also send e-mails.
10. Of course, a regular user with a normal account can change his password and set the vacation message.
11. Internally, the Computer Department keeps statistics that let us know how the system is working.
12. There are two special accounts to which you can send messages in case of problems (postmaster) and/or abuse, falsification or spam (abuse).
13. There is a more detailed Calar Alto e-mail Description Document (DOCE), where users can find all the relevant information concerning the service.
14. Since February 2005, we have been using SPF. This is an additional security measure, still not widely deployed, although we hope it will be, as it reduces spam. SPF ensures that only explicitly designated computers are allowed to send mail for a given domain. If a mail for that domain comes from an unauthorized machine, the mail will be rejected. We do both: we define SPF records in the DNS and we check SPF on incoming mail.
15. The maximum number of recipients is controlled and limited to 150, as recommended by RedIRIS. We also limit the number of mails sent by an IP so that it does not exceed a maximum per unit of time.
16. Use of RedIRIS white lists. We also have our own white/black lists.
17. Use of the RedIRIS black list and third-party black lists such as those from spamhaus and spamcop.
18. All our POP/IMAP services are provided over pop3s / imaps, that is, secure POP/IMAP. Unsecured POP3/IMAP is not allowed, even within our internal network. In addition, we offer SMTP-AUTH (SASL) under a TLS connection for accessing the CAHA mail system from outside our network with mail clients other than webmail.
19. Strong anti-spam measures. Integrated with the anti-virus (2 engines), the anti-spam offers the e-mail user an extra security measure. Our policy is not to delete or stop incoming mail, but to mark it as spam (in the 'Subject' field) so the user can do with it what he wants. We do it this way because spam filters can always give a false positive, that is, mark a legitimate mail as spam. So the responsibility for deleting mails marked as spam must be on the user's side. We should say that since we started using anti-spam measures, only a few false positives have been received.
20. Mails from computers with no reverse resolution are rejected.
21. A strict backup policy is followed.
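Added example, not part of the original page or of the Calar Alto configuration: a Python sketch of the receiving-side decisions in items 2, 15 and 20 (no relaying from outside to outside, at most 150 recipients, no mail from hosts without reverse resolution). The networks, the example.org domain and the SMTP reply codes are assumptions chosen for illustration.

```python
import ipaddress

# Assumptions for this sketch (not values from the page): a documentation
# address range and the example.org domain stand in for the real ones.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}
MAX_RECIPIENTS = 150  # item 15: the limit the page states


def is_internal(client_ip):
    """True if the connecting client belongs to the served network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def is_local(address):
    """True if the recipient's domain is one this server is final for."""
    _, at, domain = address.rpartition("@")
    return bool(at) and domain.lower().rstrip(".") in LOCAL_DOMAINS


def check_session(client_ip, ptr_name, recipients):
    """Return (recipient, smtp_code, reason) for each RCPT of one session.

    ptr_name is the result of the reverse lookup on client_ip, or None
    when the address has no reverse resolution.
    """
    # Item 20: a client without reverse resolution is refused outright.
    if not ptr_name:
        return [(r, 550, "no reverse DNS for client") for r in recipients]
    internal = is_internal(client_ip)
    results = []
    for count, rcpt in enumerate(recipients, start=1):
        if count > MAX_RECIPIENTS:
            # Item 15: refuse recipients beyond the cap, keep the rest.
            results.append((rcpt, 452, "too many recipients"))
        elif internal or is_local(rcpt):
            # Internal clients may send anywhere; anyone may reach us.
            results.append((rcpt, 250, "ok"))
        else:
            # Item 2: outside client, outside recipient -> open relay.
            results.append((rcpt, 550, "relay access denied"))
    return results
```
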
To conclude this introduction, we have to say that we keep on improving the service. This quality certificate is a very good thing, and it ensures good quality of service. But we have to maintain this quality and enhance the service through the years. An example of how this certification is maintained is the fact that we were able to move from Medium Level to Advanced Level.
Of course, problems can arise. The Computer Department is at your disposal for any question, problem or suggestion. Do not hesitate to contact us when needed.
You can see here institutions with any of the RACEv2 levels.
Enjoy the service.