Nox-Rhea WiKi

Outils pour utilisateurs

Outils du site

Piste :
tutoriaux:install-email-server:install-email-server-part-4

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

Les deux révisions précédentesRévision précédente
tutoriaux:install-email-server:install-email-server-part-4 [2023/01/06 16:41] – supprimée - modification externe (Unknown date) 127.0.0.1tutoriaux:install-email-server:install-email-server-part-4 [2023/01/06 16:51] (Version actuelle) – créée - modification externe 127.0.0.1
Ligne 1: Ligne 1:
 +====== Build Email Server From Scratch on Debian – Part 4 - SPF & DKIM Setup ======
  
 +After completing [[tutoriaux:install-email-server:install-email-server-part-1|part 1]], [[tutoriaux:install-email-server:install-email-server-part-2|part 2]] and [[tutoriaux:install-email-server:install-email-server-part-3|part 3]], we have a working Postfix SMTP server and Dovecot IMAP server. We can send and receive emails using a desktop email client. In this tutorial, we are going to learn how to improve email delivery to the recipient’s inbox by setting up SPF and DKIM on Debian server.
 +
 +===== What are SPF and DKIM Records? =====
 +
 +SPF and DKIM are two types of TXT records in DNS that allow you to detect email spoofing and help legitimate emails deliver into the recipient’s inbox instead of the spam folder. If your domain is abused by email spoofing, then your emails are likely to land in the recipient’s spam folder if they didn’t add you to the address book.
 +
 +**SPF** (Sender Policy Framework) record specifies **which hosts or IP addresses are allowed to send emails on behalf of a domain**. You should allow only your own email server or your ISP’s server to send emails for your domain.
 +
 +**DKIM** (DomainKeys Identified Mail) uses a private key to **add a signature to emails sent from your domain**. Receiving SMTP servers verify the signature by using the corresponding public key, which is published in your domain’s DNS zone.
 +
 +===== Create an SPF Record in DNS =====
 +
 +In your DNS management interface, create a new TXT record like below.
 +
 +
 +^ Record Type  ^ Name   ^ Value        ^
 +| TXT          | @      | v=spf1 mx ~all |
 +
 +Where:
 +
 +  * **TXT** indicates this is a TXT record.
 +  * Enter ''@'' in the name field to represent the apex domain (example.com).
 +  * **v=spf1** indicates this is an SPF record and the SPF record version is SPF1.
 +  * **mx** means all hosts listed in the MX records are allowed to send emails for your domain and all other hosts are disallowed.
 +  * **~all** indicates that emails from your domain should only come from hosts specified in the SPF record. Emails that are from other hosts will be flagged as untrustworthy. Possible alternatives are ''+all'', ''-all'', ''?all'', but they are rarely used.
 +
 +''-all'' means that emails sent from not-allowed hosts should be rejected, never to land in the recipient’s inbox or spam folder. I have seen it used by facebook.com, but we generally don’t need such a strict policy.
 +
 +Some folks might think that ''-all'' will be better as it will reject emails from untrusted hosts. Well, using ''-all'' in your SPF policy can cause your own emails to be rejected when the recipient has two SMTP servers and when the main SMTP server goes offline, your emails will be temporarily stored on the backup SMTP server. When the main SMTP server comes back online, the email will be relayed from the backup SMTP server to the main SMTP server. Since you didn’t list the recipient’s backup SMTP server in your SPF record, the email will be rejected by the recipient’s main SMTP server. So you should use ''~all'' in your SPF policy.
 +
 +You can also list a specific IP address in your SPF record.
 +
 +<code dns>
 +TXT    @     v=spf1 mx ip4:12.34.56.78 ~all
 +</code>
 +
 +Note that some DNS managers require you to wrap the SPF record with quotes like below.
 +
 +<code dns>
 +TXT    @    "v=spf1 mx ~all"
 +</code>
 +
 +To check if your SPF record is propagated to the public Internet, you can use the ''dig'' utility on your Linux box like below. 
 +
 +On Debian, you need to install the ''bind9-dnsutils'' package in order to use dig command: 
 +
 +<code bash>sudo apt install bind9-dnsutils</code>
 +
 +<code bash>dig example.com txt</code>
 +
 +The ''txt'' option tells ''dig'' that we only want to query TXT records.
 +
 +{{ tutoriaux:debian-email:debian-spf-domain.png?1000 |}}
 +
 +You can also use the [[https://dmarcian.com/spf-survey/|dmarcian SPF surveyor]] to test your SPF record syntax.
 +
 +===== Configure SPF Policy Agent on Debian Server =====
 +
 +We also need to tell our Postfix SMTP server to check SPF record for incoming emails. This doesn’t help outgoing email delivery but will help with detecting forged incoming emails.
 +
 +Install required packages:
 +
 +<code bash>
 +sudo apt install postfix-policyd-spf-python
 +</code>
 +
 +Then edit the Postfix master process configuration file.
 +
 +<code bash>sudo nano /etc/postfix/master.cf</code>
 +
 +Add the following lines at the end of the file, which tells Postfix to start the SPF policy daemon when it’s starting itself.
 +
 +<code>
 +policyd-spf  unix  -                               spawn
 +    user=policyd-spf argv=/usr/bin/policyd-spf
 +</code>
 +
 +Save and close the file. Next, edit Postfix main configuration file.
 +
 +<code bash>
 +sudo nano /etc/postfix/main.cf
 +</code>
 +
 +Append the following lines at the end of the file. The first line specifies the Postfix policy agent timeout setting. The following lines will impose a restriction on incoming emails by rejecting unauthorized email and checking SPF record.
 +
 +<code>
 +policyd-spf_time_limit = 3600
 +smtpd_recipient_restrictions =
 +   permit_mynetworks,
 +   permit_sasl_authenticated,
 +   reject_unauth_destination,
 +   check_policy_service unix:private/policyd-spf
 +</code>
 +   
 +Save and close the file. Then restart Postfix.
 +
 +<code bash>sudo systemctl restart postfix</code>
 +
 +Next time, when you receive an email from a domain that has an SPF record, you can see the SPF check results in the raw email header. The following header indicates the sender sent the email from an authorized host.
 +
 +<code>Received-SPF: Pass (sender SPF authorized).</code>
 +===== Set up DKIM on Debian Server =====
 +
 +Install OpenDKIM which is an open-source implementation of the DKIM sender authentication system.
 +
 +<code bash>sudo apt install opendkim opendkim-tools</code>
 +
 +Then add postfix user to opendkim group.
 +
 +<code bash>sudo gpasswd -a postfix opendkim</code>
 +Edit OpenDKIM main configuration file.
 +
 +<code bash>sudo nano /etc/opendkim.conf</code>
 +Uncomment the following lines.
 +
 +<code>
 +Canonicalization   relaxed/simple
 +Mode               sv
 +SubDomains         no
 +</code>
 +Find the following line.
 +
 +<code>
 +#Nameservers   127.0.0.1
 +</code>
 +
 +Change it to
 +
 +<code>
 +Nameservers     8.8.8.8,1.1.1.1,9.9.9.9
 +</code>
 +
 +This tells OpenDKIM to use 8.8.8.8, 1.1.1.1 and 9.9.9.9 to query DNS records. It’s always a good idea to use more than one name server. If one fails, the other can still answer DNS queries. Separate each IP address with a comma.
 +
 +Next, add the following lines at the end of this file.
 +
 +<code>
 +# Map domains in From addresses to keys used to sign messages
 +KeyTable           refile:/etc/opendkim/key.table
 +SigningTable       refile:/etc/opendkim/signing.table
 +
 +# Hosts to ignore when verifying signatures
 +ExternalIgnoreList  /etc/opendkim/trusted.hosts
 +
 +# A set of internal hosts whose mail should be signed
 +InternalHosts       /etc/opendkim/trusted.hosts
 +</code>
 +
 +Save and close the file.
 +===== Create Signing Table, Key Table, and Trusted Hosts File =====
 +
 +Create a directory structure for OpenDKIM
 +
 +<code bash>sudo mkdir -p /etc/opendkim/keys</code>
 +
 +Change the owner from ''root'' to ''opendkim'' and make sure only ''opendkim'' user can read and write to the keys directory.
 +
 +<code bash>sudo chown -R opendkim:opendkim /etc/opendkim
 +
 +sudo chmod go-rw /etc/opendkim/keys</code>
 +
 +Create the signing table.
 +
 +<code bash>sudo nano /etc/opendkim/signing.table</code>
 +
 +Add the following line to the file. This tells OpenDKIM that if a sender on your server is using a ''@example.com'' address, then it should be signed with the private key identified by ''default._domainkey.your-domain.com''. The second line tells that your sub-domains will be signed by the private key as well.
 +
 +<code>
 +*@example.com      default._domainkey.example.com
 +*@*.example.com    default._domainkey.example.com
 +</code>
 +
 +Save and close the file. Then create the key table.
 +
 +<code bash>sudo nano /etc/opendkim/key.table</code>
 +Add the following line, which tells the location of the private key.
 +
 +<code>default._domainkey.example.com     example.com:default:/etc/opendkim/keys/example.com/default.private</code>
 +
 +Save and close the file. Next, create the trusted hosts file.
 +
 +<code bash>sudo nano /etc/opendkim/trusted.hosts</code>
 +
 +Add the following lines to the newly created file. This tells OpenDKIM that if an email is coming from localhost or from the same domain, then OpenDKIM should not perform DKIM verification on the email.
 +
 +<code>
 +127.0.0.1
 +localhost
 +
 +*.example.com
 +</code>
 +Save and close the file.
 +
 +===== Generate Private/Public Keypair =====
 +
 +We need to generate two keys:
 +
 +  * **private key** for signing outgoing emails.
 +  * **public key** for receiving SMTP server to verify the DKIM signature. It will be published in your DNS zone, so the receiving SMTP server can find it.
 +
 +Create a separate folder for the domain.
 +
 +<code bash>sudo mkdir /etc/opendkim/keys/example.com</code>
 +Generate keys using ''opendkim-genkey'' tool.
 +
 +<code bash>sudo opendkim-genkey -b 2048 -d example.com -D /etc/opendkim/keys/example.com -s default -v</code>
 +
 +The above command will create 2048 bits keys. ''-d (domain)'' specifies the domain. ''-D (directory)'' specifies the directory where the keys will be stored and we use ''default'' as the ''selector (-s)'', also known as the name. Once the command is executed, the private key will be written to ''default.private'' file and the public key will be written to ''default.txt'' file.
 +
 +Make ''opendkim'' as the owner of the private key.
 +
 +<code bash>sudo chown opendkim:opendkim /etc/opendkim/keys/example.com/default.private</code>
 +
 +And change the permission, so only the ''opendkim'' user has read and write access to the file.
 +
 +<code bash>sudo chmod 600 /etc/opendkim/keys/example.com/default.private</code>
 +=====  Publish Your Public Key in DNS Records =====
 +
 +Display the public key
 +
 +<code bash>sudo cat /etc/opendkim/keys/example.com/default.txt</code>
 +
 +The string after the ''p'' parameter is the public key.
 +
 +{{ tutoriaux:debian-email:default-opendkim-public-key.png |}}
 +
 +In your DNS manager, create a TXT record, enter ''default._domainkey'' in the name field. Then go back to the terminal window, copy everything in the parentheses and paste it into the value field of the DNS record. You need to delete all double quotes and white spaces in the value field. If you don’t delete them, then the key test in the next step will probably fail.
 +
 +[[..:dkim_record]]
 +===== Test DKIM Key =====
 +
 +Enter the following command on Debian server to test your key.
 +
 +<code bash>sudo opendkim-testkey -d example.com -s default -vvv</code>
 +
 +If everything is OK, you will see ''Key OK'' in the command output.
 +
 +{{ tutoriaux:debian-email:debian-opendkim-testkey.png |}}
 +
 +Note that your DKIM record may need some time to propagate to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://www.dmarcanalyzer.com/dkim/dkim-check/, enter ''default'' as the selector and enter your domain name to check DKIM record propagation.
 +
 +If you see **Key not secure** in the command output, don’t panic. This is because DNSSEC isn’t enabled on your domain name. DNSSEC is a security standard for secure DNS query. Most domain names haven’t enabled DNSSEC. There’s absolutely no need to worry about **Key not secure**. You can continue to follow this guide.
 +
 +If you see the **query timed out** error, it means there’s DNS resolution problem on your server. You can run the above command again to see if it will work. If it still doesn’t work,  you can comment out the following line in /etc/opendkim.conf file and restart opendkim.service.
 +
 +<code>
 +TrustAnchorFile       /usr/share/dns/root.key
 +</code>
 +===== Connect Postfix to OpenDKIM =====
 +
 +Postfix can talk to OpenDKIM via a Unix socket file. The default socket file used by OpenDKIM is ''/run/opendkim/opendkim.sock'', as shown in ''/etc/opendkim.conf'' file. But the postfix SMTP daemon shipped with Debian runs in a chroot jail, which means the SMTP daemon resolves all filenames relative to the Postfix queue directory (''/var/spool/postfix''). So we need to change the OpenDKIM Unix socket file.
 +
 +Create a directory to hold the OpenDKIM socket file and allow only ''opendkim'' user and ''postfix'' group to access it.
 +
 +<code bash>
 +sudo mkdir /var/spool/postfix/opendkim
 +
 +sudo chown opendkim:postfix /var/spool/postfix/opendkim
 +</code>
 +
 +Then edit the OpenDKIM main configuration file.
 +
 +<code bash>
 +sudo nano /etc/opendkim.conf
 +</code>
 +
 +Find the following line.
 +
 +<code>
 +Socket    local:/run/opendkim/opendkim.sock
 +</code>
 +
 +Replace it with the following line.
 +
 +<code>
 +Socket    local:/var/spool/postfix/opendkim/opendkim.sock
 +</code>
 +
 +Save and close the file. Next, open the ''/etc/default/opendkim'' file.
 +
 +<code bash>
 +sudo nano /etc/default/opendkim
 +</code>
 +
 +Find the following line.
 +
 +<code>
 +SOCKET=local:$RUNDIR/opendkim.sock
 +</code>
 +
 +Change it to
 +<code>
 +SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
 +</code>
 +
 +[[..:debian_opendkim_unix_socket]]
 +
 +Save and close the file.
 +
 +Next, we need to edit the Postfix main configuration file.
 +
 +<code bash>sudo nano /etc/postfix/main.cf</code>
 +
 +Add the following lines at the end of this file, so Postfix will be able to call OpenDKIM via the milter protocol.
 +
 +<code>
 +# Milter configuration
 +milter_default_action = accept
 +milter_protocol = 6
 +smtpd_milters = local:opendkim/opendkim.sock
 +non_smtpd_milters = $smtpd_milters
 +</code>
 +
 +Save and close the file. Then restart opendkim and postfix service.
 +
 +<code bash>sudo systemctl restart opendkim postfix</code>
 +===== SPF and DKIM Check =====
 +
 +You can now send a test email from your mail server to your Gmail account to see if SPF and DKIM checks are passed. On the right side of an opened email message in Gmail, if you click the ''show original'' button from the drop-down menu, you can see the authentication results.
 +
 +{{ tutoriaux:debian-email:debian-opendkim-gmail-report.png |}}
 +
 +If your message is not signed and DKIM check failed, you can check postfix log (''/var/log/mail.log'') to see what’s wrong with your configuration. 
 +
 +If you see the following message in the mail log:
 +
 +<code>
 +warning: connect to Milter service local:opendkim/opendkim.sock: No such file or directory
 +</code>
 +
 +you may want to check if the opendkim systemd service is actually running.
 +
 +<code bash>sudo systemctl status opendkim</code>
 +
 +If opendkim is running and you still see the above error, you might need to edit the ///etc/postfix/main.cf// file, change
 +
 +<code>smtpd_milters = local:opendkim/opendkim.sock</code>
 +to
 +
 +<code>smtpd_milters = local:/opendkim/opendkim.sock</code>
 +
 +Then restart Postfix.
 +
 +Your email server will also perform SPF and DKIM checks on the sender’s domain. You can see the results in the email headers. The following is SPF and DKIM check on a sender using Gmail.
 +
 +<code>
 +Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=2607:f8b0:4864:20::c2d; helo=mail-yw1-xc2d.google.com; envelope-from=someone@gmail.com; receiver=<UNKNOWN> 
 +Authentication-Results: email.linuxbabe.com;
 + dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="XWMRd2co";
 + dkim-atps=neutral
 +</code>
 +===== Testing Email Score and Placement =====
 +
 +You can also go to https://www.mail-tester.com. You will see a unique email address. Send an email from your domain to this address and then check your score (when you've complete the next [[tutoriaux:install-email-server:install-email-server-part-6|part]], you should have an **perfect** score). 
 +
 +{{ tutoriaux:debian-email:debian-mail-tester-result.png |}}
 +
 +
 +===== Microsoft Mailboxes =====
 +
 +If your emails are rejected by Microsoft Outlook or Hotmail, you need to [[https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us&ccsid=635714983457075069|submit the sender information form]]. After that, your email will be accepted by Outlook/hotmail, but may still be labeled as spam.
 +
 +What if Your Emails Are Still Being Marked as Spam?
 +I have more tips for you in this article: 7 effective tips to stop your emails from being marked as spam.
 +
 +Next Step
 +In part 5, we will see how to create DMARC record to protect your domain from email spoofing. As always, if you found this post useful, please subscribe to our free newsletter or follow us on Twitter, or like our Facebook page.
 +
 +{{page>install-email-server-footer}}

Outils de la page

Sauf mention contraire, le contenu de ce wiki est placé sous les termes de la licence suivante : CC Attribution-Noncommercial-Share Alike 4.0 International
CC Attribution-Noncommercial-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki