tutoriaux:install-email-server:install-email-server-part-6

Differences

Below are the differences between two revisions of the page.

tutoriaux:install-email-server-part-6 [2022/08/31 11:51] – [Build Email Server From Scratch on Debian – Part 6 - Use OpenDMARC with Postfix to Block Spam/Email Spoofing] frater
tutoriaux:install-email-server:install-email-server-part-6 [2023/01/06 17:56] (current version) – created - external edit 127.0.0.1
Ligne 9: Ligne 9:
 If a domain owner created [[https://www.linuxbabe.com/mail-server/create-dmarc-record|DMARC DNS record]] for his/her domain name and a receiving email server implemented DMARC check, then bad actors need to pass SPF alignment or DKIM alignment in order to pass DMARC check. If DMARC check fails, the spoofed email could be rejected. Never to be seen by end-users. It’s difficult for the bad actor to pass SPF or DKIM, unless the domain owner’s email server is compromised. If a domain owner created [[https://www.linuxbabe.com/mail-server/create-dmarc-record|DMARC DNS record]] for his/her domain name and a receiving email server implemented DMARC check, then bad actors need to pass SPF alignment or DKIM alignment in order to pass DMARC check. If DMARC check fails, the spoofed email could be rejected. Never to be seen by end-users. It’s difficult for the bad actor to pass SPF or DKIM, unless the domain owner’s email server is compromised.
  
-[[OpenDMARC Postfix Ubuntu]]+[[..:opendmarc_postfix_ubuntu]]
  
 ===== Email Spoofing Example ===== ===== Email Spoofing Example =====
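Review bot: the replacement link `[[..:opendmarc_postfix_ubuntu]]` on the `+` line is relative to the parent namespace and has no label, so it depends on where the page lives, and the header of this diff shows the page id itself changing from `tutoriaux:install-email-server-part-6` to `tutoriaux:install-email-server:install-email-server-part-6`. The links updated under Ligne 53 use full ids with a label (`[[tutoriaux:install-email-server:install-email-server-part-5|article]]`); doing the same here would keep the link stable across page moves and give readers readable link text.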
Ligne 15: Ligne 15:
 A spammer sent me a Random email using ''claimonspt.com'' in the From address. The whois information of ''claimonspt.com'' is public. A spammer sent me a Random email using ''claimonspt.com'' in the From address. The whois information of ''claimonspt.com'' is public.
  
-{{ :tutoriaux:pasted:20220818-155914.png?800 |}}+{{ tutoriaux:debian-email:debian-spoofing-sample.png?800 |}}
  
 ''claimonspt.com'' has a DMARC record. ''claimonspt.com'' has a DMARC record.
  
-{{ :tutoriaux:pasted:20220818-160106.png |}}+{{ tutoriaux:debian-email:debian-dmark-record-sample.png |}}
  
 Then I checked the email headers, which shows SPF failed. There’s no DKIM signature. So DMARC check fails. This is a spoofed email. Then I checked the email headers, which shows SPF failed. There’s no DKIM signature. So DMARC check fails. This is a spoofed email.
  
-[[opendmarc postfix]]+[[..:opendmarc_postfix]]
  
 This goes to show that not only big brands are being used by email spoofers, any domain names on the Internet could be impersonated by bad actors. Unfortunately the DMARC policy for this domain name is p=none, which tells receiving email server to do nothing special if DMARC check fails. If the policy is to p=reject, then my Postfix SMTP server would reject this email with OpenDMARC. This goes to show that not only big brands are being used by email spoofers, any domain names on the Internet could be impersonated by bad actors. Unfortunately the DMARC policy for this domain name is p=none, which tells receiving email server to do nothing special if DMARC check fails. If the policy is to p=reject, then my Postfix SMTP server would reject this email with OpenDMARC.
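Review bot: the new media name `debian-dmark-record-sample.png` spells DMARC as "dmark", while the text on the surrounding lines uses DMARC throughout; the image renamed under Ligne 65, `debian-apt-install-opendmark.png`, has the same spelling. Renaming both to `dmarc` before more pages link to them keeps the media searchable by the term the tutorial uses. Both embeds in this hunk also end in `|}}` with an empty title, so the screenshots that carry the evidence for the spoofing example (the From address and the DMARC record) have no text alternative; a short title after the `|` would fix that.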
Ligne 53: Ligne 53:
 ===== Prerequisites ===== ===== Prerequisites =====
  
-This tutorial is for mailbox providers and anyone who run their own mail server, to protect their users from being scammed by email spoofing. If you are a domain name owner and want to prevent your domain name from being used by email spoofers, please read this [[tutoriaux:install-email-server-part-5|article]] to create DMARC record and analyze DMARC report. I also recommend you to read that article if you don’t fully understand DMARC.+This tutorial is for mailbox providers and anyone who run their own mail server, to protect their users from being scammed by email spoofing. If you are a domain name owner and want to prevent your domain name from being used by email spoofers, please read this [[tutoriaux:install-email-server:install-email-server-part-5|article]] to create DMARC record and analyze DMARC report. I also recommend you to read that article if you don’t fully understand DMARC.
  
-To follow this tutorial, you need to get [[tutoriaux:install-email-server-part-4|SPF and DKIM]] verification working first, because DMARC depends on the SPF and DKIM verification results to make a final decision.+To follow this tutorial, you need to get [[tutoriaux:install-email-server:install-email-server-part-4|SPF and DKIM]] verification working first, because DMARC depends on the SPF and DKIM verification results to make a final decision.
  
 ===== Setting up OpenDMARC ===== ===== Setting up OpenDMARC =====
Ligne 65: Ligne 65:
 If you are asked to configure a database for OpenDMARC with dbconfig-common, you can safely choose No. You only need to configure a database for OpenDMARC if you want to generate DMARC reports for other mailbox providers. It’s not very useful for small mail server operators like us to generate DMARC reports, so we can skip it. If you are asked to configure a database for OpenDMARC with dbconfig-common, you can safely choose No. You only need to configure a database for OpenDMARC if you want to generate DMARC reports for other mailbox providers. It’s not very useful for small mail server operators like us to generate DMARC reports, so we can skip it.
  
-{{ :tutoriaux:pasted:20220818-154511.png?800 }}+{{ tutoriaux:debian-email:debian-apt-install-opendmark.png?800 }}
  
 Once installed, it will be automatically started. Check its status with: Once installed, it will be automatically started. Check its status with:
Ligne 84: Ligne 84:
 </code> </code>
  
-<WRAP center round important 80%>+<WRAP round important>
 Hint: If the above command doesn’t quit immediately, you can make it quit by pressing the Q key. Hint: If the above command doesn’t quit immediately, you can make it quit by pressing the Q key.
 </WRAP> </WRAP>
Ligne 145: Ligne 145:
 Save and close the file. Save and close the file.
  
-<WRAP center round info 80%>+<WRAP round info>
 Note: The /etc/default/opendmarc file can also set the socket file location, but the opendmarc package on Ubuntu 18.04 and 20.04 doesn’t read this file, so we need to set the socket file path in /etc/opendmarc.conf file. Note: The /etc/default/opendmarc file can also set the socket file location, but the opendmarc package on Ubuntu 18.04 and 20.04 doesn’t read this file, so we need to set the socket file path in /etc/opendmarc.conf file.
 Create a directory to hold the OpenDMARC socket file and change the ownership so that  opendmarc user and opendmarc group can access it. Create a directory to hold the OpenDMARC socket file and change the ownership so that  opendmarc user and opendmarc group can access it.
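Review bot: in the context below the changed `<WRAP round info>` line, the Note is followed directly by the procedure step "Create a directory to hold the OpenDMARC socket file ..." with no `</WRAP>` between them, unlike the other two boxes in this diff, where `</WRAP>` follows the boxed text. If the closing tag is missing, the socket directory step renders inside the info box and is easy to skip; add `</WRAP>` after the Note sentence. The Note also refers to the opendmarc package on Ubuntu 18.04 and 20.04 while the page title says Debian, so it is worth stating whether the same holds for the Debian package.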
Ligne 294: Ligne 294:
 As you can see, my mail server rejected this email because it didn’t pass DMARC check and Paypal deployed a p=reject policy. As you can see, my mail server rejected this email because it didn’t pass DMARC check and Paypal deployed a p=reject policy.
  
-<WRAP center round important 80%>+<WRAP round important>
 If a domain’s DMARC policy is set to p=quarantine, then OpenDMARC milter will put the spoofed email into the Postifx hold queue indefinitely. The postmaster can list all messages in the queue with postqueue -p command and use the postsuper command line utility to release messages in the hold queue. If a domain’s DMARC policy is set to p=quarantine, then OpenDMARC milter will put the spoofed email into the Postifx hold queue indefinitely. The postmaster can list all messages in the queue with postqueue -p command and use the postsuper command line utility to release messages in the hold queue.
 </WRAP> </WRAP>
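Review bot: the box restyled here still reads "Postifx hold queue" on the unchanged line inside it; correct it to "Postfix" while touching this block. Since the box tells the postmaster that quarantined mail stays on hold indefinitely, it would also help to show the exact `postsuper` invocation for releasing a held message rather than only naming the utility, so held mail is not forgotten.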
tutoriaux/install-email-server/install-email-server-part-6.txt · Last modified: 2023/01/06 17:56 by 127.0.0.1