Feature #1910
Help DMARC setup
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-mail-server | | |
| Target version: | ~FUTURE | | |
| Resolution: | REJECTED | NEEDINFO: | No |
Description
See http://www.dmarc.org/ for background.
The idea is to help the sysadmin to set up DMARC, SPF and DKIM, showing DNS records on a server-manager page.
History
#2 Updated by Filippo Carletti about 8 years ago
This feature could be implemented on our Control center (register), probably all the needed info is transmitted.
Your opinion is welcome. :-)
#3 Updated by Cristian Mammoli about 7 years ago
IMHO the highest priority is to allow DKIM signing in amavisd. Many big providers are performing DKIM checking and SpamAssassin itself (on the receiving side) will significantly lower the spam score of correctly signed emails.
Administrators could set up DMARC records for their domains as long as the emails are DKIM signed and the SPF record is correctly configured.
A wizard that suggests the correct DNS records would be nice, but first you need to have all the pieces "ready" on the server side.
#4 Updated by Filippo Carletti about 7 years ago
> IMHO the highest priority is to allow DKIM signing in amavisd. Many big providers are performing DKIM checking and SpamAssassin itself (on the receiving side) will significantly lower the spam score of correctly signed emails.

Agreed. Following this howto (http://www.faqforge.com/linux/how-to-enable-dkim-email-signatures-in-amavisd-new-and-ispconfig-3/) I configured DKIM successfully in a few minutes. I plan to proceed in two steps:
1. add support to amavisd in templates and db
2. add a user interface to enable dkim and show txt record to c&p in dns
Random notes:
```
# grep dkim /etc/amavisd.conf
$enable_dkim_verification = 1; # disable DKIM signatures verification
$enable_dkim_signing = 1; # disable DKIM signing code
dkim_key('nethesis.lan', 'def', '/var/db/dkim/neth.key.pem');
@dkim_signature_options_bysender_maps = (
```
Adding a dkim txt record to dnsmasq for testing:
txt-record=def._domainkey.nethesis.lan.,v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUA...
The key should go into a backup, probably a better path to save keys would be in /var/lib/nethserver.
#5 Updated by Filippo Carletti about 7 years ago
```
# amavisd genrsa /etc/pki/tls/private/nethesis-dkim.key.pem
# chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
# chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
# cat /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('nethesis.it', 'dkim', '/etc/pki/tls/private/nethesis-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } }
);
```

```
dkim._domainkey.nethesis.it. in TXT v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhnrXQYDUhfzxE1mg7U1JHWoPk8r0ZKl9OLxTApupnAIUfKJktAfVdSRUZhpqgOokH2X2fDGg5VRq7BYQ0nEDuWYqpOpMNb2neXT4KotrSib41kT3s0jSA23KL86/PjxXk0AuPoTyDQFZpcFbcn9wxYuvksQ+YMfOwZcqMem3v/wIDAQAB
```
Edit: see #1910#note-6
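A check that could be run on a DKIM TXT value before it is pasted into DNS, using the record from note #5 as input. This is an added example, not part of the original notes or of NethServer code; the function names are hypothetical, and the two warnings (RFC 8301's 2048-bit recommendation and the 255-byte limit of a single DNS TXT string) are this example's choices.

```python
import base64
# Sample input: the TXT value posted in note #5 (selector "dkim", nethesis.it).
PAGE_RECORD = ("v=DKIM1; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhnrXQYDUhfzxE1mg7U1JHWoPk8r0ZKl9O"
    "LxTApupnAIUfKJktAfVdSRUZhpqgOokH2X2fDGg5VRq7BYQ0nEDuWYqpOpMNb2neXT4KotrS"
    "ib41kT3s0jSA23KL86/PjxXk0AuPoTyDQFZpcFbcn9wxYuvksQ+YMfOwZcqMem3v/wIDAQAB")

def parse_tags(txt):
    """Split a DKIM key record into tag=value pairs (RFC 6376, 3.6.1)."""
    tags = {}
    for part in filter(str.strip, txt.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag: (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER structure")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo."""
    spki, _ = _tlv(der, 0, 0x30)
    _, pos = _tlv(spki, 0, 0x30)         # skip AlgorithmIdentifier
    bitstr, _ = _tlv(spki, pos, 0x03)    # BIT STRING; byte 0 = unused bits
    rsakey, _ = _tlv(bitstr[1:], 0, 0x30)
    modulus, _ = _tlv(rsakey, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Return (key_bits, warnings); raise ValueError if the record is unusable."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not a DKIM1 RSA key record")
    if not tags.get("p"):
        raise ValueError("p= missing or empty (an empty p= revokes the key)")
    bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    checks = [(bits < 2048, "%d-bit key; RFC 8301 recommends at least 2048" % bits),
              (len(txt) > 255, "over 255 bytes: publish as several TXT strings")]
    return bits, [msg for failed, msg in checks if failed]
```

For the record from note #5, `check_record(PAGE_RECORD)` reports a 1024-bit key and the key-size warning only.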
#6 Updated by Davide Principi almost 7 years ago
Filippo Carletti wrote:
[...]
Edit: the private/public key pair PEM file must be readable by amavis group, otherwise service amavisd reload fails.
Added the following commands to the previous note.
```
chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
```
See also
http://lists.amavis.org/pipermail/amavis-users/2013-March/002209.html
#7 Updated by Filippo Carletti almost 6 years ago
DKIM key could/should be created at domain creation time.
amavis dkim check could be enabled by default, but I'm not sure it will add protection against spam.
opendkim publishes stats (http://www.opendkim.org/stats/report.html), but I can't read them.
#8 Updated by Giacomo Sanchietti almost 5 years ago
- Status changed from NEW to CLOSED
- % Done changed from 0 to 100
- Resolution set to REJECTED
This feature will not be implemented in NS 6. If needed, please reopen it for NS 7.