Différences

Ci-dessous, les différences entre deux révisions de la page.

--- tutoriaux:install-email-server:install-email-server-part-6 [2023/01/06 16:41] – supprimée - modification externe (Unknown date) 127.0.0.1
+++ tutoriaux:install-email-server:install-email-server-part-6 [2024/09/27 18:31] (Version actuelle) – frater
@@ Ligne 1: / Ligne 1: @@
+====== Part 6 - OpenDMARC with Postfix to Block Spam/Email Spoofing ======
+This tutorial will be showing you how to set up OpenDMARC with Postfix SMTP server on debian to block email spoofing and spam. OpenDMARC is an open-source DMARC email policy filter for MTAs (Message Transport Agent, aka SMTP server).
+===== What is DMARC =====
+DMARC (Domain-based Message Authentication, Reporting and Conformance) is an Internet standard ([[https://tools.ietf.org/html/rfc7489|RFC 7489]]) that allows domain owners to prevent their domain names from being used by email spoofers. Before DMARC is invented, it is very easy for bad actors to use other people’s domain name in the From address.
+If a domain owner created [[https://www.linuxbabe.com/mail-server/create-dmarc-record|DMARC DNS record]] for his/her domain name and a receiving email server implemented DMARC check, then bad actors need to pass SPF alignment or DKIM alignment in order to pass DMARC check. If DMARC check fails, the spoofed email could be rejected. Never to be seen by end-users. It’s difficult for the bad actor to pass SPF or DKIM, unless the domain owner’s email server is compromised.
+[[..:opendmarc_postfix_ubuntu]]
+===== Email Spoofing Example =====
+A spammer sent me a Random email using ''claimonspt.com'' in the From address. The whois information of ''claimonspt.com'' is public.
+{{ tutoriaux:debian-email:debian-spoofing-sample.png?800 |}}
+''claimonspt.com'' has a DMARC record.
+{{ tutoriaux:debian-email:debian-dmark-record-sample.png |}}
+Then I checked the email headers, which shows SPF failed. There’s no DKIM signature. So DMARC check fails. This is a spoofed email.
+[[..:opendmarc_postfix]]
+This goes to show that not only big brands are being used by email spoofers, any domain names on the Internet could be impersonated by bad actors. Unfortunately the DMARC policy for this domain name is p=none, which tells receiving email server to do nothing special if DMARC check fails. If the policy is to p=reject, then my Postfix SMTP server would reject this email with OpenDMARC.
+Paypal and Facebook have created a reject DMARC policy for their domain name.
+opendmarc configuration
+So if a bad actor tries to spoof Paypal or Facebook, my email server can reject the spoofed email with OpenDMARC. There are many other well-known domain names that deployed a reject DMARC policy, as can be seen in the table below.
+bankofamerica.com
+yahoo.com
+chase.com
+wellsfargo.com
+facebook.com
+google.com
+youtube.com
+twitter.com
+reddit.com
+instagram.com
+linkedin.com
+medium.com
+pinterest.com
+dropbox.com
+microsoft.com
+whatsapp.com
+The secure mailbox provider Protonmail is using Postfix and OpenDMARC to perform DMARC checks on inbound emails and I will show you how to do the same on your own Postfix SMTP server.
+===== Prerequisites =====
+This tutorial is for mailbox providers and anyone who run their own mail server, to protect their users from being scammed by email spoofing. If you are a domain name owner and want to prevent your domain name from being used by email spoofers, please read this [[tutoriaux:install-email-server:install-email-server-part-5|article]] to create DMARC record and analyze DMARC report. I also recommend you to read that article if you don’t fully understand DMARC.
+To follow this tutorial, you need to get [[tutoriaux:install-email-server:install-email-server-part-4|SPF and DKIM]] verification working first, because DMARC depends on the SPF and DKIM verification results to make a final decision.
+===== Setting up OpenDMARC =====
+OpenDMARC is an open-source software that can perform DMARC verification and reporting. It’s already in the Ubuntu repository, so you can run the following command to install it.
+<code bash>sudo apt install opendmarc</code>
+If you are asked to configure a database for OpenDMARC with dbconfig-common, you can safely choose No. You only need to configure a database for OpenDMARC if you want to generate DMARC reports for other mailbox providers. It’s not very useful for small mail server operators like us to generate DMARC reports, so we can skip it.
+{{ tutoriaux:debian-email:debian-apt-install-opendmark.png?800 }}
+Once installed, it will be automatically started. Check its status with:
+systemctl status opendmarc
+Output:
+<code>
+● opendmarc.service - OpenDMARC Milter
+   Loaded: loaded (/lib/systemd/system/opendmarc.service; disabled; vendor preset: enabled)
+   Active: active (running) since Tue 2018-10-30 19:49:52 CST; 23s ago
+     Docs: man:opendmarc(8)
+           man:opendmarc.conf(5)
+ Main PID: 14858 (opendmarc)
+    Tasks: 6 (limit: 1110)
+   CGroup: /system.slice/opendmarc.service
+           └─14858 /usr/sbin/opendmarc
+</code>
+<WRAP round important>
+Hint: If the above command doesn’t quit immediately, you can make it quit by pressing the Q key.
+</WRAP>
+Note that auto-start at system boot time is disabled. We can enable it by:
+<code bash>sudo systemctl enable opendmarc</code>
+Then edit the main configuration file with your text editor.
+<code bash>sudo nano /etc/opendmarc.conf</code>
+Find the following line:
+<code># AuthservID name</code>
+By default, OpenDMARC uses the MTA hostname as the ''AuthserveID'', but it’s better to use a different name for the authentication service, because Amavisd-new will overwrite the authentication results header added by OpenDMARC. You can change it to the following, which will be very easy for you to see which program adds which authentication-results header.
+<code>AuthservID OpenDMARC</code>
+Next, add the following line. Replace the hostname with your real Postfix hostname. This tells OpenDMARC to trust authentication result with ''mail.yourdomain.com'' in the ID. This is needed when you have OpenDKIM running to do DKIM verification.
+<code>TrustedAuthservIDs mail.yourdomain.com</code>
+If the Postfix hostname isn’t included in the ''TrustedAuthservIDs'', or you have a typo in the hostname, then OpenDMARC will ignore the Authentication-Results header generated by OpenDKIM, and you will find the following error message in the mail log /var/log/mail.log
+<code>opendmarc[1133]: A436A205C9 ignoring Authentication-Results at 1 from mail.yourdomain.com</code>
+Then find this line:
+<code># RejectFailures false</code>
+By default, OpenDMARC won’t reject emails that fail DMARC check, even if the domain’s policy is set to ''p=reject''. If you prefer to reject emails that fail DMARC check when the domain’s policy is set to ''p=reject'', then uncomment this line and change ''false'' to ''true''.
+<code>RejectFailures true</code>
+You may want OpenDMARC to ignore SMTP clients that are successfully authenticated via SMTP AUTH. For example, I have a Postfix SMTP server running on my blog web server that uses my main mail server as a relay to send notification emails, so I want openDMARC to ignore emails that are submitted from my blog web server. This also applies to desktop/mobile mail clients that submit outgoing emails over port 587. In this case, add the following line at the end of this file.
+<code>IgnoreAuthenticatedClients true</code>
+Add the following line at the end of this file.
+<code>RequiredHeaders    true</code>
+This will reject emails that don’t conform to email header standards as described in RFC5322. For example, if an incoming email doesn’t have From: header or date: header, it will be rejected. A From: field from which no domain name could be extracted will also be rejected.
+It’s recommended to also add the following line at the end of this file. This will make OpenDMARC perform a fallback SPF check itself when it can find no SPF results in the message header.
+<code>SPFSelfValidate true</code>
+OpenDMARC is implemented as a milter (mail filter). Postfix can talk to milter applications via Unix socket. The default socket file used by OpenDMARC is /var/run/opendmarc/opendmarc.sock. But the Postfix SMTP daemon shipped with Ubuntu runs in chroot jail, which means the SMTP daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). So we need to change the socket file used by OpenDMARC.
+Find the following line.
+<code>Socket local:/var/run/opendmarc/opendmarc.sock</code>
+Change it to:
+<code>Socket local:/var/spool/postfix/opendmarc/opendmarc.sock</code>
+Save and close the file.
+<WRAP round info>
+Note: The /etc/default/opendmarc file can also set the socket file location, but the opendmarc package on Ubuntu 18.04 and 20.04 doesn’t read this file, so we need to set the socket file path in /etc/opendmarc.conf file.
+Create a directory to hold the OpenDMARC socket file and change the ownership so that  opendmarc user and opendmarc group can access it.
+</WRAP>
+<code bash>sudo mkdir -p /var/spool/postfix/opendmarc</code>
+<code bash>sudo chown opendmarc:opendmarc /var/spool/postfix/opendmarc -R</code>
+Change permission to 750 to restrict access, so users not in group opendmarc can’t access this directory.
+<code bash>sudo chmod 750 /var/spool/postfix/opendmarc/ -R</code>
+Add user postfix to group opendmarc.
+<code bash>sudo adduser postfix opendmarc</code>
+Then restart OpenDMARC.
+<code bash>sudo systemctl restart opendmarc</code>
+===== Configure Postfix SMTP Server =====
+Edit the main configuration file.
+<code bash>sudo nano /etc/postfix/main.cf</code>
+If you have already configured OpenDKIM, then you should have lines in this file like below.
+<code>
+# Milter configuration
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = local:opendkim/opendkim.sock
+non_smtpd_milters = $smtpd_milters
+</code>
+Now you just need to add the OpenDMARC socket file so that Postfix can talk to OpenDMARC. (Make sure it’s after the OpenDKIM socket.)
+<code>
+# Milter configuration
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock
+non_smtpd_milters = $smtpd_milters
+</code>
+Save and close the file. Then restart Postfix for the change to take effect.
+<code bash>sudo systemctl restart postfix</code>
+===== Testing OpenDMARC Verification =====
+Now send an email from your other email address like Gmail to your domain address. After that, check the email headers. If OpenDMARC is working correctly, you can see the DMARC verification results like below.
+<code>Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=gmail.com</code>
+I sent an email from my Gmail account to my domain email address and it passed DMARC verification. If you don’t see this email header, then check your mail logs.
+<code bash>sudo nano /var/log/mail.log</code>
+You will see something like below, which means OpenDMARC is working.
+<code>
+opendmarc[26495]: implicit authentication service: dante.nox-rhea.org
+opendmarc[26495]: 61DAA3EA44: gmail.com pass
+</code>
+==== Ignoring Authentication-Results ====
+If you see the following message.
+<code>ignoring Authentication-Results at 1 from dante.nox-rhea.org</code>
+it means OpenDMARC is ignoring the SPF and DKIM verification results, so OpenDMARC isn’t working. You need to add the following line in ''/etc/opendmarc.conf'' file, then restart OpenDMARC.
+<code>TrustedAuthservIDs mail.yourdomain.com</code>
+If you change the Postfix ''myhostname'' parameter, remember to add the new hostname to TrustedAuthservIDs. You can add multiple hostnames, separated by comma.
+<code>TrustedAuthservIDs mail.yourdomain.com,mail2.yourdomain.com</code>
+==== Postfix Can’t Connect to OpenDMARC ====
+If you find the following error in the Postfix mail log (''/var/log/mail.log''), it means Postfix can’t connect to OpenDMARC via the Unix domain socket (''local:opendmarc/opendmarc.sock'').
+<code>connect to Milter service local:opendmarc/opendmarc.sock: No such file or directory</code>
+you should check if the opendmarc service is running.
+<code bash>sudo systemctl status opendmarc</code>
+If ''opendmarc'' service is running but the above error still exists,  then you can configure OpenDMARC to use TCP/IP socket instead of Unix domain socket in order to fix this error. (Unix domain socket is usually faster than TCP/IP socket. If it doesn’t work on your server, then you should use TCP/IP socket.)
+<code>sudo nano /etc/opendmarc.conf</code>
+Find the following line:
+<code>Socket     local:/var/spool/postfix/opendmarc/opendmarc.sock</code>
+Replace it with
+<code>Socket     inet:8893@localhost</code>
+So OpenDMARC will be listening on the ''127.0.0.1:8893'' TCP/IP socket. Save and close the file. Then edit Postfix main config file.
+<code bash>sudo nano /etc/postfix/main.cf</code>
+Find the following line:
+<code>smtpd_milters = local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock</code>
+Replace it with:
+<code>smtpd_milters = local:opendkim/opendkim.sock,inet:127.0.0.1:8893</code>
+So Postfix will connect to OpenDMARC via the TCP/IP socket. Restart OpenDMARC and Postfix.
+<code bash>sudo systemctl restart opendmarc postfix</code>
+===== Testing OpenDMARC with Telnet =====
+You can use telnet to spoof another domain name, such as paypal.com. First, run the following command on your local computer to connect to port 25 of your mail server.
+<code>telnet mail.yourdomain.com 25</code>
+Then use the following steps to send a spoof email. (server response are starting with ''>>'' )
+<code>
+HELO mail.paypal.com
+>>250 mail.yourdomain.com
+MAIL FROM:<help@paypal.com>
+>>250 2.1.0 Ok
+RCPT TO:<someone@yourdomain.com>
+>>250 2.1.5 Ok
+DATA
+>>354 End data with <CR><LF>.<CR><LF>
+From:     help@paypal.com
+To:       someone@yourdomain.com
+Subject:  Please update your password.
+Click this link to update your password.
+.
+>>550 5.7.1 rejected by DMARC policy for paypal.com
+quit
+</code>
+As you can see, my mail server rejected this email because it didn’t pass DMARC check and Paypal deployed a p=reject policy.
+<WRAP round important>
+If a domain’s DMARC policy is set to p=quarantine, then OpenDMARC milter will put the spoofed email into the Postifx hold queue indefinitely. The postmaster can list all messages in the queue with postqueue -p command and use the postsuper command line utility to release messages in the hold queue.
+</WRAP>
+===== How to Whitelist an IP Address in OpenDMARC =====
+If you want to allow your other server to relay emails via port 25 of your main mail server which runs OpenDMARC, then you should whitelist the IP address of the other server in OpenDMARC, because OpenDMARC will check the From: domain in relay emails as well.
+Edit OpenDMARC config file.
+<code bash>sudo nano /etc/opendmarc.conf</code>
+Add the following line at the end of this file.
+<code bash>IgnoreHosts  /etc/opendmarc/ignore.hosts</code>
+Save and close the file. Then create the /etc/opendmarc/ directory.
+<code bash>sudo mkdir /etc/opendmarc/</code>
+Create the ignore.hosts file.
+<code bash>sudo nano /etc/opendmarc/ignore.hosts</code>
+Add the IP addresses you want to whitelist in this file like so:
+<code>
+.0.0.1
+.34.56.78
+</code>
+Save and close the file. Then restart OpenDMARC.
+<code bash>sudo systemctl restart opendmarc</code>
+===== Conclusion =====
+I hope this tutorial helped you set up OpenDMARC with Postfix SMTP server on Ubuntu to block email spoofing and spam. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂
+{{page>install-email-server-footer}}

Nox-Rhea WiKi

Outils pour utilisateurs

Outils du site

Différences

Outils de la page