content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: opendmarc section
This commit is contained in:
parent
19c742b0b4
commit
4d580d21e8
GPG key ID:
3F257B68F5BC9339
1 changed files with 114 additions and 0 deletions
|
|
@ -1274,6 +1274,120 @@ The `fo` tag indicates when you would like to receive reports. The options are:
|
|||
</tr>
|
||||
</table>
|
||||
|
||||
### OpenDMARC
|
||||
|
||||
We can use software called OpenDMARC to enforce DMARC policies for incoming mail. OpenDMARC is another milter. Let's
|
||||
install it and enable its service:
|
||||
|
||||
# apk add opendmarc
|
||||
# rc-update add opendmarc
|
||||
# rc-service opendmarc start
|
||||
|
||||
Edit the OpenDMARC config at `/etc/opendmarc/opendmarc.conf`.
|
||||
|
||||
Change
|
||||
|
||||
```conf
|
||||
AuthservID HOSTNAME
|
||||
```
|
||||
|
||||
to
|
||||
|
||||
```conf
|
||||
AuthservID OpenDMARC
|
||||
```
|
||||
|
||||
This is so that the `Authentication-Results` header from OpenDKIM authentication. This will also make it clear which
|
||||
program adds which `Authentication-Results` header.
|
||||
|
||||
Add the following line, replacing `mail.domain.com` with your *hostname* (so in [my
|
||||
instance](#a-note-on-my-dns-records), this is `master.revsuine.xyz`).
|
||||
|
||||
```conf
|
||||
TrustedAuthservIDs mail.domain.com
|
||||
```
|
||||
|
||||
Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records.
|
||||
|
||||
```conf
|
||||
RejectFailures true
|
||||
```
|
||||
|
||||
You also probably want to enable `RequiredHeaders`, which rejects emails that don't conform to RFC5322 standards, e.g.
|
||||
are missing a `From:` header.
|
||||
|
||||
```conf
|
||||
RequiredHeaders true
|
||||
```
|
||||
|
||||
In case external SPF validation fails (as in, no SPF results are placed in the message header), you probably want to
|
||||
add
|
||||
|
||||
```conf
|
||||
SPFSelfValidate true
|
||||
```
|
||||
|
||||
which tells OpenDMARC to perform the SPF check itself if it can't find SPF results in the message header.
|
||||
|
||||
Now provide OpenDMARC with a socket to use for communication with sendmail. We will use a TCP socket on port 8893:
|
||||
|
||||
```conf
|
||||
Socket inet:8893@localhost
|
||||
```
|
||||
|
||||
For a Unix socket, you'd use the following format:
|
||||
|
||||
```conf
|
||||
Socket local:/var/run/opendmarc/opendmarc.sock
|
||||
```
|
||||
|
||||
By default, you will have the line
|
||||
|
||||
```conf
|
||||
IgnoreHosts /etc/opendmarc/ignore.hosts
|
||||
```
|
||||
|
||||
in `/etc/opendmarc/opendmarc.conf`. This tells OpenDMARC to not authenticate the list of hosts in
|
||||
`/etc/opendmarc/ignore.hosts`. An example `ignore.hosts` is
|
||||
|
||||
127.0.0.1
|
||||
93.113.25.226
|
||||
|
||||
Keep in mind that if you have specified `IgnoreHosts`, this file needs to exist in order for OpenDMARC to run. If you
|
||||
have the option set, make sure to `touch /etc/opendmarc/ignore.hosts` (or whatever filepath you've specified).
|
||||
Alternatively, comment out this option in order to use the default, which is to not authenticate mail coming from
|
||||
127.0.0.1.
|
||||
|
||||
Restart OpenDMARC for these changes to take effect:
|
||||
|
||||
# rc-service opendmarc restart
|
||||
|
||||
To have Postfix use the OpenDMARC milter, it's simple as adding the socket to the `smptd_milters` and
|
||||
`non_smtpd_milters` variable in `/etc/postfix/main.cf`:
|
||||
|
||||
```conf
|
||||
milter_default_action = accept
|
||||
milter_protocol = 6
|
||||
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
|
||||
non_smtpd_milters = $smtpd_milters
|
||||
```
|
||||
|
||||
Restart Postfix for the changes to take effect:
|
||||
|
||||
# rc-service postfix restart
|
||||
|
||||
And when you receive emails from a legitimate source that implements DMARC, you should see the following headers in
|
||||
your emails:
|
||||
|
||||
```
|
||||
Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched)) receiver=master.revsuine.xyz; identity=mailfrom; envelope-from="revsuine@protonmail.com"; helo=mail-40130.protonmail.ch; client-ip=185.70.40.130
|
||||
DMARC-Filter: OpenDMARC Filter v1.4.2 master.revsuine.xyz 88CFF1288D1
|
||||
Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com
|
||||
Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=protonmail.com
|
||||
Authentication-Results: master.revsuine.xyz;
|
||||
dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
|
||||
```
|
||||
|
||||
### Test SPF, DKIM, and DMARC
|
||||
|
||||
You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM,
|
||||
|
|
|
|||
Loading…
Reference in a new issue