content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: opendmarc section

This commit is contained in:
revsuine 2024-11-23 23:07:02 +00:00
parent 19c742b0b4
commit 4d580d21e8
Signed by: revsuine
GPG key ID: 3F257B68F5BC9339

View file

@ -1274,6 +1274,120 @@ The `fo` tag indicates when you would like to receive reports. The options are:
</tr> </tr>
</table> </table>
### OpenDMARC
We can use software called OpenDMARC to enforce DMARC policies for incoming mail. OpenDMARC is another milter. Let's
install it and enable its service:
# apk add opendmarc
# rc-update add opendmarc
# rc-service opendmarc start
Edit the OpenDMARC config at `/etc/opendmarc/opendmarc.conf`.
Change
```conf
AuthservID HOSTNAME
```
to
```conf
AuthservID OpenDMARC
```
This is so that the `Authentication-Results` header from OpenDKIM authentication. This will also make it clear which
program adds which `Authentication-Results` header.
Add the following line, replacing `mail.domain.com` with your *hostname* (so in [my
instance](#a-note-on-my-dns-records), this is `master.revsuine.xyz`).
```conf
TrustedAuthservIDs mail.domain.com
```
Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records.
```conf
RejectFailures true
```
You also probably want to enable `RequiredHeaders`, which rejects emails that don't conform to RFC5322 standards, e.g.
are missing a `From:` header.
```conf
RequiredHeaders true
```
In case external SPF validation fails (as in, no SPF results are placed in the message header), you probably want to
add
```conf
SPFSelfValidate true
```
which tells OpenDMARC to perform the SPF check itself if it can't find SPF results in the message header.
Now provide OpenDMARC with a socket to use for communication with sendmail. We will use a TCP socket on port 8893:
```conf
Socket inet:8893@localhost
```
For a Unix socket, you'd use the following format:
```conf
Socket local:/var/run/opendmarc/opendmarc.sock
```
By default, you will have the line
```conf
IgnoreHosts /etc/opendmarc/ignore.hosts
```
in `/etc/opendmarc/opendmarc.conf`. This tells OpenDMARC to not authenticate the list of hosts in
`/etc/opendmarc/ignore.hosts`. An example `ignore.hosts` is
127.0.0.1
93.113.25.226
Keep in mind that if you have specified `IgnoreHosts`, this file needs to exist in order for OpenDMARC to run. If you
have the option set, make sure to `touch /etc/opendmarc/ignore.hosts` (or whatever filepath you've specified).
Alternatively, comment out this option in order to use the default, which is to not authenticate mail coming from
127.0.0.1.
Restart OpenDMARC for these changes to take effect:
# rc-service opendmarc restart
To have Postfix use the OpenDMARC milter, it's simple as adding the socket to the `smptd_milters` and
`non_smtpd_milters` variable in `/etc/postfix/main.cf`:
```conf
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
```
Restart Postfix for the changes to take effect:
# rc-service postfix restart
And when you receive emails from a legitimate source that implements DMARC, you should see the following headers in
your emails:
```
Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched)) receiver=master.revsuine.xyz; identity=mailfrom; envelope-from="revsuine@protonmail.com"; helo=mail-40130.protonmail.ch; client-ip=185.70.40.130
DMARC-Filter: OpenDMARC Filter v1.4.2 master.revsuine.xyz 88CFF1288D1
Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com
Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=protonmail.com
Authentication-Results: master.revsuine.xyz;
dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
```
### Test SPF, DKIM, and DMARC ### Test SPF, DKIM, and DMARC
You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM, You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM,