revsuine/revsuine.xyz
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: revsuine:343a2d8f22da424b23cd7e2e47fe9a9abcfc417f
Branches Tags
revsuine:master
...
compare: revsuine:4d580d21e8142cc5d4764693d0a4035cecac0bc9
Branches Tags
revsuine:master

2 commits
343a2d8f22 ... 4d580d21e8

Author SHA1 Message Date
revsuine
4d580d21e8
content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: opendmarc section 2024-11-23 23:07:02 +00:00
revsuine
19c742b0b4
content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: postfix-policyd-spf-perl section 2024-11-23 20:47:15 +00:00
1 changed files with 191 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

191
content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md
View file

@ -94,10 +94,18 @@ The mail server will be composed of the following software:
<td>Mail delivery agent</td>
<td colspan="2">Dovecot</td>
</tr>
<tr>
<td>SPF authentication</td>
<td colspan="2">postfix-policyd-spf-perl</td>
</tr>
<tr>
<td>DKIM authentication and signing</td>
<td colspan="2">OpenDKIM</td>
</tr>
<tr>
<td>DMARC authentication</td>
<td colspan="2">OpenDMARC</td>
</tr>
<tr>
<td>Spam filter</td>
<td rowspan="2">Amavis</td>
@ -801,6 +809,8 @@ checks.
## Sender Policy Framework
### Set up your DNS record
Add a TXT record for your root domain with the contents `v=spf1 mx ~all`, like:
```dns
@ -863,6 +873,68 @@ Breaking down the TXT data:
</tr>
</table>
### Get Postfix to validate SPF
We're going to use a Postfix SMTPd policy server called postfix-policyd-spf-perl to check SPF of incoming emails.
postfix-policyd-spf-perl is very simple and requires almost no configuration.
Install `postfix-policyd-spf-perl` and create a user, `policyd-spf` for it:
# apk add postfix-policyd-spf-perl
# adduser -S -s /sbin/nologin -h /dev/null -H policyd-spf
Explanation of `adduser` flags:
<table>
<tr>
<th>Option</th>
<th>Explanation</th>
</tr>
<tr>
<td><code>-S</code></td>
<td>Create a system user</td>
</tr>
<tr>
<td><code>-s /sbin/nologin</code></td>
<td>Set shell to <code>/sbin/nologin</code> so the user doesn't have a shell</td>
</tr>
<tr>
<td><code>-h /dev/null</code></td>
<td>Set home directory to <code>/dev/null</code></td>
</tr>
<tr>
<td><code>-H</code></td>
<td>
Don't create a home directory (if you try to create <code>/dev/null</code> and assign it to
<code>policyd-spf</code> there will be all sorts of permissions issues)
</td>
</tr>
</table>
Now edit `/etc/postfix/master.cf` to tell Postfix to start up the postfix-policyd-spf-perl daemon:
```conf
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
```
Now get Postfix to use postfix-policyd-spf-perl in `/etc/postfix/main.cf` by adding the following lines:
```conf
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600
```
postfix-policyd-spf-perl is now set up, and you can test it by sending yourself an email from a mainstream email
provider (which ought to have an SPF record) and checking for the presence of this header:
```
Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched))
```
## DomainKeys Identified Mail
### Configure OpenDKIM
@ -1065,6 +1137,11 @@ non_smtpd_milters = $smtpd_milters
This uses the Milter extension, which is something that can be used to process mail; in this case, to add headers to
emails relating to DKIM.
You can, again, test this on both incoming and outgoing mail. On outgoing mail, there should be a `DKIM-Signature:`
header present. On incoming mail from domains implementing DKIM, there should be a
`Authentication-Results: master.revsuine.xyz;` header (obviously replacing `master.revsuine.xyz` with your hostname)
indicating whether or not the email has passed DKIM authentication.
## Domain-based Message Authentication, Reporting, and Conformance
### Ensure your domains are aligned in email headers
@ -1197,6 +1274,120 @@ The `fo` tag indicates when you would like to receive reports. The options are:
</tr>
</table>
### OpenDMARC
We can use software called OpenDMARC to enforce DMARC policies for incoming mail. OpenDMARC is another milter. Let's
install it and enable its service:
# apk add opendmarc
# rc-update add opendmarc
# rc-service opendmarc start
Edit the OpenDMARC config at `/etc/opendmarc/opendmarc.conf`.
Change
```conf
AuthservID HOSTNAME
```
to
```conf
AuthservID OpenDMARC
```
This is so that the `Authentication-Results` header from OpenDKIM authentication. This will also make it clear which
program adds which `Authentication-Results` header.
Add the following line, replacing `mail.domain.com` with your *hostname* (so in [my
instance](#a-note-on-my-dns-records), this is `master.revsuine.xyz`).
```conf
TrustedAuthservIDs mail.domain.com
```
Enable `RejectFailures`, which means your server will comply with `p=reject` in DMARC DNS records.
```conf
RejectFailures true
```
You also probably want to enable `RequiredHeaders`, which rejects emails that don't conform to RFC5322 standards, e.g.
are missing a `From:` header.
```conf
RequiredHeaders true
```
In case external SPF validation fails (as in, no SPF results are placed in the message header), you probably want to
add
```conf
SPFSelfValidate true
```
which tells OpenDMARC to perform the SPF check itself if it can't find SPF results in the message header.
Now provide OpenDMARC with a socket to use for communication with sendmail. We will use a TCP socket on port 8893:
```conf
Socket inet:8893@localhost
```
For a Unix socket, you'd use the following format:
```conf
Socket local:/var/run/opendmarc/opendmarc.sock
```
By default, you will have the line
```conf
IgnoreHosts /etc/opendmarc/ignore.hosts
```
in `/etc/opendmarc/opendmarc.conf`. This tells OpenDMARC to not authenticate the list of hosts in
`/etc/opendmarc/ignore.hosts`. An example `ignore.hosts` is
127.0.0.1
93.113.25.226
Keep in mind that if you have specified `IgnoreHosts`, this file needs to exist in order for OpenDMARC to run. If you
have the option set, make sure to `touch /etc/opendmarc/ignore.hosts` (or whatever filepath you've specified).
Alternatively, comment out this option in order to use the default, which is to not authenticate mail coming from
127.0.0.1.
Restart OpenDMARC for these changes to take effect:
# rc-service opendmarc restart
To have Postfix use the OpenDMARC milter, it's simple as adding the socket to the `smptd_milters` and
`non_smtpd_milters` variable in `/etc/postfix/main.cf`:
```conf
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
```
Restart Postfix for the changes to take effect:
# rc-service postfix restart
And when you receive emails from a legitimate source that implements DMARC, you should see the following headers in
your emails:
```
Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched)) receiver=master.revsuine.xyz; identity=mailfrom; envelope-from="revsuine@protonmail.com"; helo=mail-40130.protonmail.ch; client-ip=185.70.40.130
DMARC-Filter: OpenDMARC Filter v1.4.2 master.revsuine.xyz 88CFF1288D1
Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com
Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=protonmail.com
Authentication-Results: master.revsuine.xyz;
dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
```
### Test SPF, DKIM, and DMARC
You can use [mail-tester.com](https://www.mail-tester.com/) and send an email from your domain to check that SPF, DKIM,