Feature #1910

Help DMARC setup

Added by Filippo Carletti over 6 years ago. Updated over 3 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-mail-server
Target version: ~FUTURE
Resolution: REJECTED
NEEDINFO: No

Description

See http://www.dmarc.org/ for background.
The idea is to help the sysadmin set up DMARC, SPF and DKIM by showing the DNS records on a server-manager page.

History

#2 Updated by Filippo Carletti over 6 years ago

This feature could be implemented on our Control center (register); all the needed info is probably transmitted.
Your opinion is welcome. :-)

#3 Updated by Cristian Mammoli over 5 years ago

IMHO the highest priority is to allow DKIM signing in amavisd. Many big providers are performing DKIM checking, and SpamAssassin itself (on the receiving side) will significantly lower the spam score of correctly signed emails.

Administrators could set up DMARC records for their domains as long as the emails are DKIM signed and the SPF record is correctly configured.

A wizard that suggests the correct DNS records would be nice, but first you need to have all the pieces "ready" on the server side.

#4 Updated by Filippo Carletti over 5 years ago

> IMHO the highest priority is to allow DKIM signing in amavisd. Many big providers are performing dkim checking and Spamassassin itself (on the receiving side) will significantly lower the spam score of correctly signed emails.

Agreed. Following this howto (http://www.faqforge.com/linux/how-to-enable-dkim-email-signatures-in-amavisd-new-and-ispconfig-3/) I configured dkim successfully in a few minutes. I plan to proceed in two steps:
1. add support to amavisd in templates and db
2. add a user interface to enable dkim and show txt record to c&p in dns

Random notes:

# grep dkim /etc/amavisd.conf 
$enable_dkim_verification = 1; # disable DKIM signatures verification
$enable_dkim_signing = 1; # disable DKIM signing code
dkim_key('nethesis.lan', 'def', '/var/db/dkim/neth.key.pem');
@dkim_signature_options_bysender_maps = (

Adding a dkim txt record to dnsmasq for testing:
txt-record=def._domainkey.nethesis.lan.,v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUA...

The key should go into a backup; a better path to save keys would probably be in /var/lib/nethserver.

#5 Updated by Filippo Carletti over 5 years ago

# amavisd genrsa /etc/pki/tls/private/nethesis-dkim.key.pem
# chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
# chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
# cat /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim 

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('nethesis.it', 'dkim', '/etc/pki/tls/private/nethesis-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
\{ '.' => \{ ttl => 21*24*3600, c => 'relaxed/simple' \} \} );

dkim._domainkey.nethesis.it. in TXT
v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhnrXQYDUhfzxE1mg7U1JHWoPk8r0ZKl9OLxTApupnAIUfKJktAfVdSRUZhpqgOokH2X2fDGg5VRq7BYQ0nEDuWYqpOpMNb2neXT4KotrSib41kT3s0jSA23KL86/PjxXk0AuPoTyDQFZpcFbcn9wxYuvksQ+YMfOwZcqMem3v/wIDAQAB

Edit: see #1910#note-6
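
Added example, not part of the original notes or of NethServer: a check that can be run on a DKIM TXT record like the ones above before it is pasted into DNS. It parses the tags and reads the RSA modulus size out of the p= value; the function names and the sample records are constructed for illustration, and the sample modulus is a dummy, not a usable key.

```python
import base64

def _read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_bits_from_spki(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    t_spki, body, _ = _read_tlv(der, 0)                   # outer SEQUENCE
    t_alg, _, alg_end = _read_tlv(der, body)              # AlgorithmIdentifier (skipped)
    t_bits, bits_start, _ = _read_tlv(der, alg_end)       # BIT STRING with RSAPublicKey
    t_rsa, rsa_body, _ = _read_tlv(der, bits_start + 1)   # +1 skips the unused-bits byte
    t_mod, mod_start, mod_end = _read_tlv(der, rsa_body)  # INTEGER modulus
    if (t_spki, t_alg, t_bits, t_rsa, t_mod) != (0x30, 0x30, 0x03, 0x30, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def check_dkim_txt(txt):
    """Return a list of problems found in a DKIM key record (empty list = none)."""
    clean = lambda s: "".join(s.replace('"', " ").split())  # drop quotes and whitespace
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[clean(name)] = clean(value)
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= is not DKIM1"]
    if tags.get("k", "rsa") != "rsa":
        return problems + ["k=%s is not checked by this example" % tags["k"]]
    if not tags.get("p"):
        return problems + ["p= is empty or missing (revoked or truncated record)"]
    try:
        bits = rsa_bits_from_spki(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return problems + ["p= is not a valid RSA public key"]
    if bits < 2048:
        problems.append("RSA key is %d bits; RFC 8301 recommends 2048 or more" % bits)
    return problems

def sample_record(bits):
    """Constructed sample: valid SPKI layout around a dummy modulus, not a real key."""
    head = {1024: "30819f300d06092a864886f70d010101050003818d0030818902818100",
            2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"}[bits]
    der = bytes.fromhex(head + "c3" * (bits // 8) + "0203010001")
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()
```

Calling `check_dkim_txt(sample_record(1024))` reports the short key, while a record cut off in the middle of p= is reported as an invalid public key.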

#6 Updated by Davide Principi over 5 years ago

Filippo Carletti wrote:

[...]

Edit:
The private/public key pair PEM file must be readable by the amavis group, otherwise service amavisd reload fails.

Added the following commands to the previous note.

chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem

See also
http://lists.amavis.org/pipermail/amavis-users/2013-March/002209.html

#7 Updated by Filippo Carletti over 4 years ago

DKIM key could/should be created at domain creation time.

amavis dkim check could be enabled by default, but I'm not sure it will add protection against spam.

opendkim publishes stats (http://www.opendkim.org/stats/report.html), but I can't read them.

#8 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from NEW to CLOSED
  • % Done changed from 0 to 100
  • Resolution set to REJECTED

This feature will not be implemented in NS 6. If needed, please reopen it for NS 7.
