\u201dDomain-based Message Authentication, Reporting & Conformance\u201d (DMARC).<\/p>\n
DMARC basically builds on top of two existing frameworks, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).<\/p>\n
SPF is used to define who can send mail for a specific domain, while DKIM signs the message. Both of these are pretty useful on their own, and reduce incoming spam A LOT, but the problem is you don\u2019t have any \u201ccontrol\u201d over what the receiving end does with email. For example, company1\u2019s mail server may just give the email a higher spam score if the sending mail server fails SPF authentication, while company2\u2019s mail server might outright reject it.<\/p>\n
DMARC gives you finer control, allowing you to dictate what should be done. DMARC also lets you publish a forensics address. This is used to send back a report from remote mail servers, and contains details such as how many mails were received from your domain, how many failed authentication, from which IPs and which authentication tests failed.<\/p>\n
I\u2019ve had a DMARC record published for my domains for a few months now, but I have not setup any filter to check incoming mail for their DMARC records, or sending back forensic reports.<\/p>\n
Today, I was in the process of setting up a third backup MX for my domains, so I thought I\u2019d clean up my configs a little, and also setup DMARC properly in my mail servers.<\/p>\n
So in this article, I will be discussing how I setup my Postfix servers using Greylisting, SPF, DKIM and DMARC, and also using TLS for incoming\/outgoing mail. I won\u2019t be going into full details for how to setup a Postfix server, only the specifics needed for SPF\/DKIM\/DMARC and TLS.<\/p>\n
We\u2019ll start with TLS as that is easiest.
\nTLS<\/p>\n
I wanted all incoming and outgoing mail to use opportunistic TLS.<\/p>\n
To do this all you need to do is create a certificate:
\n[root@servah ~]# cd \/etc\/postfix\/
\n[root@servah ~]# openssl genrsa -des3 -out mx1.example.org.key
\n[root@servah ~]# openssl rsa -in mx1.example.org.key -out mx1.example.org.key-nopass
\n[root@servah ~]# mv mx1.example.org.key-nopass mx1.example.org.key
\n[root@servah ~]# openssl req -new -key mx1.example.org.key -out mx1.example.org.csr<\/p>\n
Now, you can either self sign it the certificate request, or do as I have and use CAcert.org. Once you have a signed certificate, dump it in mx1.example.crt, and tell postfix to use it in \/etc\/postfix\/main.cf:
\n# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote server supports it.
\nsmtp_tls_security_level = may
\n# Tell Postfix where your ca-bundle is or it will complain about trust issues!
\nsmtp_tls_CAfile = \/etc\/ssl\/certs\/ca-bundle.trust.crt
\n# I wanted a little more logging than default for outgoing mail.
\nsmtp_tls_loglevel = 1
\n# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
\nsmtpd_tls_security_level = may
\n# Add TLS information to the message headers
\nsmtpd_tls_received_header = yes
\n# Point this to your CA file. If you used CAcert.org, this
\n# available at http:\/\/www.cacert.org\/certs\/root.crt
\nsmtpd_tls_CAfile = \/etc\/postfix\/ca.crt
\n# Point at your cert and key
\nsmtpd_tls_cert_file = \/etc\/postfix\/mx1.example.org.crt
\nsmtpd_tls_key_file = \/etc\/postfix\/mx1.example.org.key
\n# I wanted a little more logging than default for incoming mail.
\nsmtpd_tls_loglevel = 1<\/p>\n
Restart Postfix:
\n[root@servah ~]# service postfix restart<\/p>\n
That should do it for TLS. I tested by sending an email from my email server, to my Gmail account, and back again, checking in the logs to see if the connections were indeed using TLS.
\nGreylisting<\/p>\n
Greylisting is method of reducing spam, which is so simple, yet so effective it\u2019s quite amazing!<\/p>\n
Basically, incoming relay attempts are temporarily delayed with a SMTP temporary reject for a fixed amount of time. Once this time has finished, any further attempts to relay from that IP are allowed to progress further through your ACLs.<\/p>\n
This is extremely effective, as a lot of spam bots will not have any queueing system, and will not re-try to send the message!<\/p>\n
As EPEL already has an RPM for Postgrey, so I\u2019ll use that for Greylisting:
\n[root@servah ~]# yum install postgrey<\/p>\n
Set it to start on boot, and manually start it:<\/p>\n
[root@servah ~]# chkconfig postgrey on
\n[root@servah ~]# service postgrey start<\/p>\n
Next we need to tell Postfix to pass messages through Postgrey. By default, the RPM provided init scripts setup a unix socket in \/var\/spool\/postfix\/postgrey\/socket so we\u2019ll use that. Edit \/etc\/postfix\/main.cf, and in your smtpd_recipient_restrictions, add \u201ccheck_policy_service unix:postgrey\/socket\u201d, like I have:<\/p>\n
smtpd_recipient_restrictions=
\npermit_mynetworks,
\nreject_invalid_hostname,
\nreject_unknown_recipient_domain,
\nreject_non_fqdn_recipient,
\npermit_sasl_authenticated,
\nreject_unauth_destination,
\ncheck_policy_service unix:postgrey\/socket,
\nreject_rbl_client dnsbl.sorbs.net,
\nreject_rbl_client zen.spamhaus.org,
\nreject_rbl_client bl.spamcop.net,
\nreject_rbl_client cbl.abuseat.org,
\nreject_rbl_client b.barracudacentral.org,
\nreject_rbl_client dnsbl-1.uceprotect.net,
\npermit<\/p>\n
As you can see, I am also using various RBLs.<\/p>\n
Next, we restart Postfix:<\/p>\n
[root@servah ~]# service postfix restart<\/p>\n
All done. Greylisting is now in effect!
\nSPF<\/p>\n
Next we\u2019ll setup SPF.<\/p>\n
There are many different SPF filters available, and probably the most popular one to use with Postfix would be pypolicyd-spf, which is also included in EPEL, but I was unable to get OpenDMARC to see the Recieved-SPF headers. I think this is due to the order in which a message is passed through a milter and through a postfix policy engine, and I was unable to find a workaround. So instead I decided to use smf-spf, which is currently unmaintained, but from what I understand it is quite widely used, and quite stable.<\/p>\n
I did apply some patches to smf-spf which were posted by Andreas Schulze on the the OpenDMARC mailing lists. They are mainly cosmetic patches, and aren\u2019t necessary but I liked them so I applied them.<\/p>\n
I was going to write a RPM spec file for smf-spf, but I noticed that Matt Domsch has kindly already submitted packages for smf-spf and libspf2 for review.<\/p>\n
I did have to modify both packages a little. For smf-spf I pretty much only added the patches I mentioned eariler, and a few minor changes I wanted. For libspf2 I had to re-run autoreconf and update Matt Domsch\u2019s patch as it seemed to break on EL6 boxes due to incompatible autoconf versions. I will edit this post later and add links to the SRPMS later.<\/p>\n
I build the RPMs, signed them with my key and published it in my internal RPM repo.
\nI won\u2019t go into detail into that, and will continue from installation:<\/p>\n
[root@servah ~]# yum install smf-spf<\/p>\n
Next, I edited \/etc\/mail\/smfs\/smf-spf.conf, set smf-spf to start on boot and started smf-spf:<\/p>\n
[root@servah ~]# cat \/etc\/mail\/smfs\/smf-spf.conf|grep -v “^#” | grep -v “^$”
\nWhitelistIP 127.0.0.0\/8
\nRefuseFail on
\nAddHeader on
\nUser smfs
\nSocket inet:8890@localhost<\/p>\n
Set smf-spf to start on boot, and also start it manually:
\n[root@servah ~]# chkconfig smf-spf on
\n[root@servah ~]# service smf-spf start<\/p>\n
Now we edit the Postfix config again, and add the following to the end of main.cf:
\nmilter_default_action = accept
\nmilter_protocol = 6
\nsmtpd_milters = inet:localhost:8890<\/p>\n
Restart Postfix:
\n[root@servah ~]# service postfix restart<\/p>\n
Your mail server should now be checking SPF records! ????
\nYou can test this by trying to forge an email from Gmail or something.
\nDKIM<\/p>\n
DKIM was a little more complicated to setup as I have multiple domains. Luckily, OpenDKIM is already in EPEL, so I didn\u2019t have to do any work to get an RPM for it! ????<\/p>\n
Install it using yum:
\n[root@servah ~]# yum install opendkim<\/p>\n
Next, edit the OpenDKIM config file. I\u2019ll just show what I done using a diff:
\n[root@servah ~]# diff \/etc\/opendkim.conf.stock \/etc\/opendkim.conf
\n20c20
\n< Mode v
\n—
\n> Mode sv
\n58c58
\n< Selector default
\n—
\n> #Selector default
\n70c70
\n< #KeyTable \/etc\/opendkim\/KeyTable
\n—
\n> KeyTable \/etc\/opendkim\/KeyTable
\n75c75
\n< #SigningTable refile:\/etc\/opendkim\/SigningTable
\n—
\n> SigningTable refile:\/etc\/opendkim\/SigningTable
\n79c79
\n< #ExternalIgnoreList refile:\/etc\/opendkim\/TrustedHosts
\n—
\n> ExternalIgnoreList refile:\/etc\/opendkim\/TrustedHosts
\n82c82
\n< #InternalHosts refile:\/etc\/opendkim\/TrustedHosts
\n—
\n> InternalHosts refile:\/etc\/opendkim\/TrustedHosts<\/p>\n
Next, I created a key:
\n[root@servah ~]# cd \/etc\/opendkim\/keys
\n[root@servah ~]# opendkim-genkey –append-domain –bits=2048 –domain example.org –selector=dkim2k –restrict –verbose<\/p>\n
This will give you two files in \/etc\/opendkim\/keys:<\/p>\n
dkim2k.txt \u2013 Contains your public key which can be published in DNS. It\u2019s already in a BIND compatible format, so I won\u2019t explain how to publish this in DNS.
\ndkim2k.private \u2013 Contains your private key.<\/p>\n
Next, we edit \/etc\/opendkim\/KeyTable. Comment out any of the default keys that are there and add your own:
\n[root@servah ~]# cat \/etc\/opendkim\/KeyTable
\ndkim2k._domainkey.example.org example.org:dkim2k:\/etc\/opendkim\/keys\/dkim2k.private<\/p>\n
(Thank you to andrewgdotcom for spotting the typo here)<\/p>\n
Now edit \/etc\/opendkim\/SigningTable, again commenting out the default entries and entering our own:
\n[root@servah ~]# cat \/etc\/opendkim\/SigningTable
\n*@example.org dkim2k._domainkey.example.org<\/p>\n
Repeat this process for as many domains as you want. It would also be quite a good idea to use different keys for different domains.<\/p>\n
We can now start opendkim, and set it to start on boot:
\n[root@servah ~]# chkconfig opendkim on
\n[root@servah ~]# service opendkim start<\/p>\n
Almost done with DKIM!
\nWe just need to tell Postfix to pass mail through OpenDKIM to verify signatures of incoming mail, and to sign outgoing mail. To do this, edit \/etc\/postfix\/main.cf again:
\n# Pass SMTP messages through smf-spf first, then OpenDKIM
\nsmtpd_milters = inet:localhost:8890, inet:localhost:8891
\n# This line is so mail received from the command line, e.g. using the sendmail binary or mail() in PHP
\n# is signed as well.
\nnon_smtpd_milters = inet:localhost:8891<\/p>\n
Restart Postfix:
\n[root@servah ~]# service postfix restart<\/p>\n
Done with DKIM!
\nNow your mail server will verify incoming messages that have a DKIM header, and sign outgoing messages with your own!
\nOpenDMARC<\/p>\n
Now it\u2019s the final part of the puzzle.<\/p>\n
OpenDMARC is not yet in EPEL, but again I did find an RPM spec waiting review, so I used it.<\/p>\n
Again, I won\u2019t go into the process of how to build an RPM, lets assume you have already published it in your own internal repos and continue from installation:
\n[root@servah ~]# yum install opendmarc<\/p>\n
First I edited \/etc\/opendmarc.conf:
\n15c15
\n< # AuthservID name
\n—
\n> AuthservID mx1.example.org
\n121c121
\n< # ForensicReports false
\n—
\n> ForensicReports true
\n144,145c144
\n< HistoryFile \/var\/run\/opendmarc\/opendmarc.dat\/;
\n< s
\n—
\n> HistoryFile \/var\/run\/opendmarc\/opendmarc.dat
\n221c220
\n< # ReportCommand \/usr\/sbin\/sendmail -t
\n—
\n> ReportCommand \/usr\/sbin\/sendmail -t -F ‘Example.org DMARC Report” -f ‘sysops@example.org’
\n236c235
\n< # Socket inet:8893@localhost
\n—
\n> Socket inet:8893@localhost
\n246c245
\n< # SoftwareHeader false
\n—
\n> SoftwareHeader true
\n253c252
\n< # Syslog false
\n—
\n> Syslog true
\n261c260
\n< # SyslogFacility mail
\n—
\n> SyslogFacility mail
\n301c300
\n< # UserID opendmarc
\n—
\n> UserID opendmarc<\/p>\n
Next, set OpenDMARC to start on boot and manually start it:
\n[root@servah ~]# chkconfig opendmarc on
\n[root@servah ~]# service opendmarc start<\/p>\n
Now we tell postfix to pass messages through OpenDMARC. To do this, we edit \/etc\/postfix\/main.cf once again:
\n# Pass SMTP messages through smf-spf first, then OpenDKIM, then OpenDMARC
\nsmtpd_milters = inet:localhost:8890, inet:localhost:8891, inet:localhost:8893<\/p>\n
Restart Postfix:
\n[root@servah ~]# service postfix restart<\/p>\n
That\u2019s it! Your mail server will now check the DMARC record of incoming mail, and check the SPF and DKIM results.<\/p>\n
I confirmed that OpenDMARC is working by sending a message from Gmail to my own email, and checking the message headers, then also sending an email back and checking the headers on the Gmail side.<\/p>\n
You should see that SPF, DKIM and DMARC are all being checked when receiving on either side.<\/p>\n
Finally, we can also setup forensic reporting for the benefit of others who are using DMARC.
\nDMARC Forensic Reporting<\/p>\n
I\u00a0 found OpenDMARC\u2019s documentation to be extremely limited and quite vague, so there was a lot of guess work involved.<\/p>\n
As I didn\u2019t want my mail servers to have access to my DB server, I decided to run the reporting scripts on a different box I use for running cron jobs.<\/p>\n
First I created a MySQL database and user for opendmarc:
\n[root@mysqlserver ~]# mysql -p
\nEnter password:
\nWelcome to the MariaDB monitor. Commands end with ; or \\g.
\nYour MariaDB connection id is 1474392
\nServer version: 5.5.34-MariaDB-log MariaDB Server<\/p>\n
Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.<\/p>\n
Type ‘help;’ or ‘\\h’ for help. Type ‘\\c’ to clear the current input statement.<\/p>\n
MariaDB [(none)]> CREATE DATABASE opendmarc;
\nMariaDB [(none)]> GRANT ALL PRIVILEGES ON opendmarc.* TO opendmarc@’script-server.example.org’ IDENTIFIED BY ‘supersecurepassword’;<\/p>\n
Next, we import the schema into the database:<\/p>\n
[root@scripty ~]# mysql -h mysql.example.org -u opendmarc -p opendmarc < \/usr\/share\/doc\/opendmarc-1.1.3\/schema.mysql<\/p>\n
Now, to actually import the data from my mail servers into the DB, and send out the forensics reports, I have the following script running daily:<\/p>\n
#!\/bin\/bash<\/p>\n
set -e<\/p>\n
cd \/home\/rmohan.com\/dmarc\/<\/p>\n
HOSTS=\u201dmx1.example.org mx2.example.org mx3.example.org\u201d
\nDBHOST=\u2019mysql.example.org\u2019
\nDBUSER=\u2019opendmarc\u2019
\nDBPASS=\u2019supersecurepassword\u2019
\nDBNAME=\u2019opendmarc\u2019<\/p>\n
for HOST in $HOSTS; do
\n# Pull the history from each host
\nscp -i \/home\/rmohan.com\/.ssh\/dmarc root@${HOST}:\/var\/run\/opendmarc\/opendmarc.dat ${HOST}.dat
\n# Purge history on each each host.
\nssh -i \/home\/rmohan.com\/.ssh\/dmarc root@${HOST} \u201ccat \/dev\/null > \/var\/run\/opendmarc\/opendmarc.dat\u201d<\/p>\n
# Merge the history files. Not needed, but this way opendmarc-import only needs to run once.
\ncat ${HOST}.dat >> merged.dat
\ndone<\/p>\n
\/usr\/sbin\/opendmarc-import \u2013dbhost=${DBHOST} \u2013dbuser=${DBUSER} \u2013dbpasswd=${DBPASS} \u2013dbname=${DBNAME} \u2013verbose < merged.dat
\n\/usr\/sbin\/opendmarc-reports \u2013dbhost=${DBHOST} \u2013dbuser=${DBUSER} \u2013dbpasswd=${DBPASS} \u2013dbname=${DBNAME} \u2013verbose \u2013interval=86400 \u2013report-email \u2018sysops@example.org\u2019 \u2013report-org \u2018Example.org\u2019
\n\/usr\/sbin\/opendmarc-expire \u2013dbhost=${DBHOST} \u2013dbuser=${DBUSER} \u2013dbpasswd=${DBPASS} \u2013dbname=${DBNAME} \u2013verbose<\/p>\n
rm -rf *.dat<\/p>\n
That\u2019s it! Run that daily, and you\u2019ll send forensic reports to those who want them. ????<\/p>\n
You now have a nice mail server that checks SPF, DKIM, and DMARC for authentication, and sends out forensic reports!<\/p>\n
With this setup, I haven\u2019t received any spam in the last two months! That\u2019s just as far as I can remember, but I\u2019m sure it\u2019s been a lot longer than that! ????<\/p>\n","protected":false},"excerpt":{"rendered":"
\u201dDomain-based Message Authentication, Reporting & Conformance\u201d (DMARC).<\/p>\n
DMARC basically builds on top of two existing frameworks, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).<\/p>\n
SPF is used to define who can send mail for a specific domain, while DKIM signs the message. Both of these are pretty useful on their own, and reduce incoming […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6173"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6173"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6173\/revisions"}],"predecessor-version":[{"id":6174,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6173\/revisions\/6174"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}