From 4d580d21e8142cc5d4764693d0a4035cecac0bc9 Mon Sep 17 00:00:00 2001 From: revsuine Date: Sat, 23 Nov 2024 23:07:02 +0000 Subject: [PATCH] content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: opendmarc section --- .../index.md | 114 ++++++++++++++++++ 1 file changed, 114 insertions(+) diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md index 7a67e99..6a05ccb 100644 --- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md +++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md 
@@ -1274,6 +1274,120 @@ The `fo` tag indicates when you would like to receive reports. The options are: +### OpenDMARC + +We can use software called OpenDMARC to enforce DMARC policies for incoming mail. OpenDMARC is another milter. Let's +install it and enable its service: + + # apk add opendmarc + # rc-update add opendmarc + # rc-service opendmarc start + +Edit the OpenDMARC config at `/etc/opendmarc/opendmarc.conf`. + +Change + +```conf +AuthservID HOSTNAME +``` + +to + +```conf +AuthservID OpenDMARC +``` + +This is so that the `Authentication-Results` header from OpenDKIM authentication. This will also make it clear which +program adds which `Authentication-Results` header. + +Add the following line, replacing `mail.domain.com` with your *hostname* (so in [my +instance](#a-note-on-my-dns-records), this is `master.revsuine.xyz`). + +```conf +TrustedAuthservIDs mail.domain.com +``` + +Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records. + +```conf +RejectFailures true +``` + +You also probably want to enable `RequiredHeaders`, which rejects emails that don't conform to RFC5322 standards, e.g. +are missing a `From:` header. + +```conf +RequiredHeaders true +``` + +In case external SPF validation fails (as in, no SPF results are placed in the message header), you probably want to +add + +```conf +SPFSelfValidate true +``` + +which tells OpenDMARC to perform the SPF check itself if it can't find SPF results in the message header. + +Now provide OpenDMARC with a socket to use for communication with sendmail. We will use a TCP socket on port 8893: + +```conf +Socket inet:8893@localhost +``` + +For a Unix socket, you'd use the following format: + +```conf +Socket local:/var/run/opendmarc/opendmarc.sock +``` + +By default, you will have the line + +```conf +IgnoreHosts /etc/opendmarc/ignore.hosts +``` + +in `/etc/opendmarc/opendmarc.conf`. 
This tells OpenDMARC to not authenticate the list of hosts in +`/etc/opendmarc/ignore.hosts`. An example `ignore.hosts` is + + 127.0.0.1 + 93.113.25.226 + +Keep in mind that if you have specified `IgnoreHosts`, this file needs to exist in order for OpenDMARC to run. If you +have the option set, make sure to `touch /etc/opendmarc/ignore.hosts` (or whatever filepath you've specified). +Alternatively, comment out this option in order to use the default, which is to not authenticate mail coming from +127.0.0.1. + +Restart OpenDMARC for these changes to take effect: + + # rc-service opendmarc restart + +To have Postfix use the OpenDMARC milter, it's simple as adding the socket to the `smptd_milters` and +`non_smtpd_milters` variable in `/etc/postfix/main.cf`: + +```conf +milter_default_action = accept +milter_protocol = 6 +smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893 +non_smtpd_milters = $smtpd_milters +``` + +Restart Postfix for the changes to take effect: + + # rc-service postfix restart + +And when you receive emails from a legitimate source that implements DMARC, you should see the following headers in +your emails: + +``` +Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched)) receiver=master.revsuine.xyz; identity=mailfrom; envelope-from="revsuine@protonmail.com"; helo=mail-40130.protonmail.ch; client-ip=185.70.40.130 +DMARC-Filter: OpenDMARC Filter v1.4.2 master.revsuine.xyz 88CFF1288D1 +Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com +Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=protonmail.com +Authentication-Results: master.revsuine.xyz; + dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/ +``` + ### Test SPF, DKIM, and DMARC You can use [mail-tester.com](https://www.mail-tester.com/) and send an 
email from your domain to check that SPF, DKIM,
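Review bot: the sentence "This is so that the `Authentication-Results` header from OpenDKIM authentication." after the `AuthservID OpenDMARC` block is missing its verb and does not explain the change; suggest something like "This is so that OpenDMARC's `Authentication-Results` header is distinguishable from the one OpenDKIM adds." In the same hunk, `smptd_milters` in the Postfix paragraph should read `smtpd_milters` to match the config line that follows, and the socket paragraph says "communication with sendmail" where the rest of the tutorial is about Postfix. Finally, the `/etc/postfix/main.cf` block sets `milter_default_action = accept`, which makes Postfix accept mail unfiltered if OpenDMARC (or OpenDKIM on 8891) is down or unreachable, so `RejectFailures true` only holds while the milter is running; worth a sentence noting that this is a fail-open choice and that `tempfail` is the alternative if enforcement should not silently lapse.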