content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: opendmarc section
This commit is contained in:
parent
19c742b0b4
commit
4d580d21e8
1 changed files with 114 additions and 0 deletions
@ -1274,6 +1274,120 @@ The `fo` tag indicates when you would like to receive reports. The options are:
</tr>
</tr>
</table>
</table>
### OpenDMARC
We can use software called OpenDMARC to enforce DMARC policies for incoming mail. OpenDMARC is another milter. Let's
install it and enable its service:
# apk add opendmarc
# rc-update add opendmarc
# rc-service opendmarc start
Edit the OpenDMARC config at `/etc/opendmarc/opendmarc.conf`.
Change
```conf
AuthservID HOSTNAME
```
to
```conf
AuthservID OpenDMARC
```
This is so that the `Authentication-Results` header from OpenDKIM authentication. This will also make it clear which
program adds which `Authentication-Results` header.
Add the following line, replacing `mail.domain.com` with your *hostname* (so in [my
instance](#a-note-on-my-dns-records), this is `master.revsuine.xyz`).
```conf
TrustedAuthservIDs mail.domain.com
```
Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records.
```conf
RejectFailures true
```
You also probably want to enable `RequiredHeaders`, which rejects emails that don't conform to RFC5322 standards, e.g.
are missing a `From:` header.
```conf
RequiredHeaders true
```
In case external SPF validation fails (as in, no SPF results are placed in the message header), you probably want to
add
```conf
SPFSelfValidate true
```
which tells OpenDMARC to perform the SPF check itself if it can't find SPF results in the message header.
Now provide OpenDMARC with a socket to use for communication with sendmail. We will use a TCP socket on port 8893:
```conf
Socket inet:8893@localhost
```
For a Unix socket, you'd use the following format:
```conf
Socket local:/var/run/opendmarc/opendmarc.sock
```
By default, you will have the line
```conf
IgnoreHosts /etc/opendmarc/ignore.hosts
```
in `/etc/opendmarc/opendmarc.conf`. This tells OpenDMARC to not authenticate the list of hosts in
`/etc/opendmarc/ignore.hosts`. An example `ignore.hosts` is
127.0.0.1
93.113.25.226
Keep in mind that if you have specified `IgnoreHosts`, this file needs to exist in order for OpenDMARC to run. If you
have the option set, make sure to `touch /etc/opendmarc/ignore.hosts` (or whatever filepath you've specified).
Alternatively, comment out this option in order to use the default, which is to not authenticate mail coming from
127.0.0.1.
Restart OpenDMARC for these changes to take effect:
# rc-service opendmarc restart
To have Postfix use the OpenDMARC milter, it's simple as adding the socket to the `smptd_milters` and
`non_smtpd_milters` variable in `/etc/postfix/main.cf`:
```conf
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
```
Restart Postfix for the changes to take effect:
# rc-service postfix restart
And when you receive emails from a legitimate source that implements DMARC, you should see the following headers in
your emails:
```
Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched)) receiver=master.revsuine.xyz; identity=mailfrom; envelope-from="revsuine@protonmail.com"; helo=mail-40130.protonmail.ch; client-ip=185.70.40.130
DMARC-Filter: OpenDMARC Filter v1.4.2 master.revsuine.xyz 88CFF1288D1
Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com
Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=protonmail.com
Authentication-Results: master.revsuine.xyz;
dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
```
### Test SPF, DKIM, and DMARC
You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM,
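Review bot: `smptd_milters` in the sentence introducing the `main.cf` block is a typo for `smtpd_milters` (the block itself is correct); fix the prose so readers who grep for the parameter name find it. In the same region, the sentence "This is so that the `Authentication-Results` header from OpenDKIM authentication." has lost its verb; it probably wants to say the header can be told apart from the one OpenDKIM adds. Under the `Socket` setting, "communication with sendmail" should say Postfix, which is the MTA this tutorial configures. Two caveats deserve a sentence: `milter_default_action = accept` means Postfix accepts mail unchecked whenever OpenDMARC is down or the TCP socket on 8893 is unreachable, so readers who turn on `RejectFailures true` should know the check fails open; and `TrustedAuthservIDs mail.domain.com` makes OpenDMARC rely on any `Authentication-Results` header carrying that ID, so such headers arriving on inbound mail must be stripped at the border (RFC 8601 section 7.1; OpenDKIM's `RemoveARFrom` does this), otherwise the SPF/DKIM results OpenDMARC reads may have been supplied by the sender rather than by this server. Finally, the `ignore.hosts` example lists `93.113.25.226` without saying what it is; since listed hosts skip DMARC evaluation entirely, state that only the server's own addresses or trusted relays belong there.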