You are here: start » tools » emailsec

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
tools:emailsec [2023/04/21 10:23] – [SPF] darrontools:emailsec [2023/05/18 21:05] (current) – [DKIM] darron
Line 1: Line 1:
 ==== E-mail security==== ==== E-mail security====
 +<wrap right> 
 +{{tools:emailsec.jpg?200}} 
 +</wrap>
 How to use e-mail security features in EXIM SMTP with BIND DNS. How to use e-mail security features in EXIM SMTP with BIND DNS.
  
Line 13: Line 15:
 __Zone__ __Zone__
 <code> <code>
-1H IN TXT "v=spf1 a:hostname -all"+1H IN TXT "v=spf1 a:HOSTNAME -all"
 </code> </code>
  
Line 24: Line 26:
 ===DKIM=== ===DKIM===
  
-[[https://www.dkim.org/|DomainKeys Identified Mail]] is signing process used when sending email to determine authenticity and detect tampering on the receiving server.+[[https://www.dkim.org/|DomainKeys Identified Mail]] is signing process used when sending email to determine authenticity and detect tampering on the receiving server.
  
 ==OPENSSL== ==OPENSSL==
  
-Openssl is used to generate the private signing key and public key published in DNS.+Openssl can be used to generate the private signing key and public key published in DNS.
  
 <code> <code>
Line 64: Line 66:
 example the selector is simply "dkim". example the selector is simply "dkim".
  
 +__Zone__
 <code> <code>
 dkim._domainkey IN TXT ("v=DKIM1; k=rsa; p=" dkim._domainkey IN TXT ("v=DKIM1; k=rsa; p="
         "use output from above")         "use output from above")
 +</code>
 +
 +The "p" directive contains a base64 encoded public key which can be created by openssl in the previous section.
 +
 +__Test__
 +<code>
 +dig in txt dkim._domainkey.DOMAIN
 </code> </code>
  
 The text record format for BIND is explained in [[https://www.rfc-editor.org/rfc/rfc6376.html|RFC 6376]]. The text record format for BIND is explained in [[https://www.rfc-editor.org/rfc/rfc6376.html|RFC 6376]].
 +
  
 ==EXIM== ==EXIM==
Line 95: Line 106:
 remote_smtp_dkim_DOMAIN: remote_smtp_dkim_DOMAIN:
  driver           = smtp  driver           = smtp
 + helo_data        = HOSTNAME
 + interface        = <;IPV4;IPV6
  dkim_domain      = DOMAIN  dkim_domain      = DOMAIN
  dkim_selector    = dkim  dkim_selector    = dkim
  dkim_private_key = /etc/exim4/private.pem  dkim_private_key = /etc/exim4/private.pem
 </code> </code>
 +
 +For SPF the HOSTNAME must resolve to the specified IP address(es).
  
 The DKIM domain needn't be the same as the sender domain. The DKIM domain needn't be the same as the sender domain.
 ===DMARC=== ===DMARC===
  
-[[https://dmarc.org/|DMARC]] defines a policy used for e-mails that fail SPF and DKIM tests.+[[https://dmarc.org/|DMARC]] defines a policy and reporting facility for e-mails. 
 + 
 +E-mails that fail SPF and DKIM tests may be processed according to this table. 
 + 
 +^Policy^Effect^ 
 +|none|Mail delivered normally| 
 +|quarantine|Mail delivered to spam folder| 
 +|reject|Mail rejected and not delivered| 
 + 
 +For reporting, providers such as google send details of e-mails that pass and fail. For google the reports originate from noreply-dmarc-support@google.com.
  
 ==BIND== ==BIND==
Line 111: Line 135:
 to reject or quarantine. to reject or quarantine.
  
 +__Zone__
 <code> <code>
 _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN" _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@DOMAIN"
 +</code>
 +
 +Once you are confident that you are sending e-mail from the correct server(s) in with the correct signature(s) then the policy can be made more strict.
 +
 +__Test__
 +<code>
 +dig in txt _dmarc.DOMAIN
 </code> </code>
  
 See [[https://www.rfc-editor.org/rfc/rfc7489.html|RFC 7489]] for more information. See [[https://www.rfc-editor.org/rfc/rfc7489.html|RFC 7489]] for more information.
 +
 +
 +
 +===Resources===
 +
 +[[https://dkimvalidator.com/|DKIM validator]]
 +
 +=== Export ===
 +
 +[[:tools:emailsec?do=export_pdf|PDF]]