Below are the differences between two revisions of the page.
tutoriaux:install-email-server-part-6 [2022/08/31 11:51] – [Build Email Server From Scratch on Debian – Part 6 - Use OpenDMARC with Postfix to Block Spam/Email Spoofing] frater | tutoriaux:install-email-server:install-email-server-part-6 [2023/01/06 17:56] (current version) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Ligne 9: | Ligne 9: | ||
If a domain owner created [[https:// | If a domain owner created [[https:// | ||
- | [[OpenDMARC Postfix Ubuntu]] | + | [[..: |
===== Email Spoofing Example ===== | ===== Email Spoofing Example ===== | ||
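Review bot: The replacement link on the `+` line is relative (`[[..:`), so its target depends on the namespace the page lives in, and the revision header shows the page ID changing from `tutoriaux:install-email-server-part-6` to `tutoriaux:install-email-server:install-email-server-part-6` in this same edit. An absolute page ID, like the `[[tutoriaux:` links kept in the Prerequisites section, would keep resolving if the page is moved again.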
Ligne 15: | Ligne 15: | ||
A spammer sent me a Random email using '' | A spammer sent me a Random email using '' | ||
- | {{ :tutoriaux:pasted:20220818-155914.png?800 |}} | + | {{ tutoriaux:debian-email:debian-spoofing-sample.png?800 |}} |
'' | '' | ||
- | {{ :tutoriaux:pasted:20220818-160106.png |}} | + | {{ tutoriaux:debian-email:debian-dmark-record-sample.png |}} |
Then I checked the email headers, which shows SPF failed. There’s no DKIM signature. So DMARC check fails. This is a spoofed email. | Then I checked the email headers, which shows SPF failed. There’s no DKIM signature. So DMARC check fails. This is a spoofed email. | ||
- | [[opendmarc postfix]] | + | [[..: |
This goes to show that not only big brands are being used by email spoofers, any domain names on the Internet could be impersonated by bad actors. Unfortunately the DMARC policy for this domain name is p=none, which tells receiving email server to do nothing special if DMARC check fails. If the policy is to p=reject, then my Postfix SMTP server would reject this email with OpenDMARC. | This goes to show that not only big brands are being used by email spoofers, any domain names on the Internet could be impersonated by bad actors. Unfortunately the DMARC policy for this domain name is p=none, which tells receiving email server to do nothing special if DMARC check fails. If the policy is to p=reject, then my Postfix SMTP server would reject this email with OpenDMARC. | ||
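Review bot: The new media name `debian-dmark-record-sample.png` spells the protocol "dmark" while the surrounding text says DMARC; rename the file to use "dmarc" so it can be found by searching the media manager. Both image tags in this hunk also end in `|}}` with an empty title, which leaves the two screenshots that carry the evidence for the spoofing example (the message and the domain's DMARC record) without any text alternative; add a short title after the `|`.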
Ligne 53: | Ligne 53: | ||
===== Prerequisites ===== | ===== Prerequisites ===== | ||
- | This tutorial is for mailbox providers and anyone who run their own mail server, to protect their users from being scammed by email spoofing. If you are a domain name owner and want to prevent your domain name from being used by email spoofers, please read this [[tutoriaux: | + | This tutorial is for mailbox providers and anyone who run their own mail server, to protect their users from being scammed by email spoofing. If you are a domain name owner and want to prevent your domain name from being used by email spoofers, please read this [[tutoriaux: |
- | To follow this tutorial, you need to get [[tutoriaux: | + | To follow this tutorial, you need to get [[tutoriaux: |
===== Setting up OpenDMARC ===== | ===== Setting up OpenDMARC ===== | ||
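Review bot: Grammar slip on the first changed line, carried over unchanged from the old revision: "anyone who run their own mail server" should read "anyone who runs their own mail server". Since the line is being edited for its link target anyway, fix it in the same revision.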
Ligne 65: | Ligne 65: | ||
If you are asked to configure a database for OpenDMARC with dbconfig-common, | If you are asked to configure a database for OpenDMARC with dbconfig-common, | ||
- | {{ :tutoriaux:pasted:20220818-154511.png?800 }} | + | {{ tutoriaux:debian-email:debian-apt-install-opendmark.png?800 }} |
Once installed, it will be automatically started. Check its status with: | Once installed, it will be automatically started. Check its status with: | ||
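Review bot: The new media name `debian-apt-install-opendmark.png` does not match the name of the software the section installs, which the page writes as OpenDMARC; use "opendmarc" in the file name so it lines up with the package and service names.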
Ligne 84: | Ligne 84: | ||
</ | </ | ||
- | < | + | <WRAP round important> |
Hint: If the above command doesn’t quit immediately, | Hint: If the above command doesn’t quit immediately, | ||
</ | </ | ||
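Review bot: The `+` line opens `<WRAP round important>` around text that starts with "Hint:", which mismatches the box type and its label. The WRAP plugin's `tip` or `info` box fits a hint about a command that does not return immediately, and keeps `important` boxes for statements the reader must not skip.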
Ligne 145: | Ligne 145: | ||
Save and close the file. | Save and close the file. | ||
- | < | + | <WRAP round info> |
Note: The / | Note: The / | ||
Create a directory to hold the OpenDMARC socket file and change the ownership so that opendmarc user and opendmarc group can access it. | Create a directory to hold the OpenDMARC socket file and change the ownership so that opendmarc user and opendmarc group can access it. | ||
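Review bot: No closing WRAP tag is visible after the "Note:" line that follows `<WRAP round info>`; the next line shown is already the instruction "Create a directory to hold the OpenDMARC socket file", whereas the other boxes in this diff show their closing tag directly after the boxed text. Check that the box is closed right after the note, otherwise the socket-directory step is rendered inside the info box.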
Ligne 294: | Ligne 294: | ||
As you can see, my mail server rejected this email because it didn’t pass DMARC check and Paypal deployed a p=reject policy. | As you can see, my mail server rejected this email because it didn’t pass DMARC check and Paypal deployed a p=reject policy. | ||
- | < | + | <WRAP round important> |
If a domain’s DMARC policy is set to p=quarantine, | If a domain’s DMARC policy is set to p=quarantine, | ||
</ | </ |