Who has its own domain name and has an email server without the available security measures?
Hi,

I am trying to collect some data about the use of security measures in an email server in your home or with a provider where you do your own configuration.

Apart from doing malware checking on incoming messages, there are more measures you can take to protect the email with your own email server.

The first measure is SPF checking, which means that you check that an incoming email really comes from the server it should come from. The owner of that server entered a so-called SPF TXT record in the DNS to indicate which server(s) are allowed to send messages with that domain name in the From address. You can do the same by having such a TXT record in the DNS of your domain. Obviously you rely on others to check this SPF TXT record. There might come a time that email that cannot be checked this way will be refused or at least goes into the spam folder.

A second measure is DKIM checking and signing. When you inspect messages from gmail.com you will see that these messages contain a DKIM signature. The measure you take is that you check if the incoming signed message really comes with a proper signature and is not tampered with (the content, including headers, is signed). But you can do the same. You can sign outgoing messages with your DKIM signature. This means that you sign your messages with your private key and the public key is in the DNS of your domain. Signing messages this way makes it more likely that your messages are accepted. I did receive returned messages because they did not have a DKIM signature or could not be checked using SPF.

The third measure is DMARC. This is also twofold: checking and providing a DMARC TXT record in the DNS of your domain. A DMARC record indicates what receiving servers should do with SPF and DKIM checks. So you have some control over what will be done when checks fail or partly fail (when the From address contains a subdomain of your domain).

Please indicate whether you are interested in a script to implement these measures.

-- 
fr.gr.
member openSUSE
Freek de Kruijf
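The three checks come together at the receiving server in the way described above: the DMARC record tells the receiver what to do when the SPF and DKIM results fail or only partly pass. As an added Python example (not code from this thread or from Freek's script), this evaluates a constructed DMARC record for the assumed domain example.org against SPF and DKIM results, including identifier alignment and the subdomain case that the sp= tag covers.

```python
"""DMARC evaluation from SPF and DKIM results (constructed example, assumed domain example.org)."""
from dataclasses import dataclass

# Constructed DMARC TXT record as it would be published at _dmarc.example.org (assumption).
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.org"

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; the record must carry v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def in_org(domain, org_domain):
    """True if domain is the organizational domain itself or a subdomain of it."""
    domain, org_domain = domain.lower(), org_domain.lower()
    return domain == org_domain or domain.endswith("." + org_domain)

def aligned(auth_domain, from_domain, org_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match with the From domain,
    'r' (relaxed) accepts any domain under the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return in_org(auth_domain, org_domain) and in_org(from_domain, org_domain)

@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # SPF result for the envelope sender ("pass", "fail", "none", ...)
    spf_domain: str    # envelope-sender (MAIL FROM) domain SPF was evaluated for
    dkim_result: str   # result of verifying the DKIM signature
    dkim_domain: str   # d= tag of that signature

def evaluate(record_txt, org_domain, r):
    """Return (dmarc_result, disposition) for one message; passes if either aligned check passes."""
    tags = parse_dmarc(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, org_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, org_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # On failure, a subdomain in From falls under sp= when present, otherwise under p=.
    if r.from_domain.lower() != org_domain.lower() and "sp" in tags:
        return "fail", tags["sp"]
    return "fail", tags.get("p", "none")
```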
On Friday, 1 September 2023 12:39:14 CEST Freek de Kruijf wrote:
> Hi,
> [...]
> Please indicate whether you are interested in a script to implement these measures.

I am always interested in security improvements, but I am not sure if your suggested measures are applicable to my environment, although I have an internal mail server and my own domain(s). My domain is split between the outside world and my internal network, i.e. a few DNS entries are known world wide and hosted by external DNS servers, but most of the machines are only known within my internal network and are managed by internal DNS servers. My smtp (postfix) and my imap servers (dovecot) are among these internal-only machines. Receiving mail is handled by uucp (!!), sending mail by postfix and smtp directly to an smtp server hosted by my computer club. Because there is no connection between the internal machines and the external DNS, I suspect that your measures won't work here. If I'm wrong, please correct me.

Bye. Michael.
On Friday, 1 September 2023 13:08:59 CEST mh@mike.franken.de wrote:
> On Friday, 1 September 2023 12:39:14 CEST Freek de Kruijf wrote:
> > Hi,
> > [...]
> > Please indicate whether you are interested in a script to implement these measures.
>
> I am always interested in security improvements, but I am not sure if your suggested measures are applicable to my environment, although I have an internal mail server and my own domain(s). My domain is split between the outside world and my internal network, i.e. a few DNS entries are known world wide and hosted by external DNS servers, but most of the machines are only known within my internal network and are managed by internal DNS servers. My smtp (postfix) and my imap servers (dovecot) are among these internal-only machines. Receiving mail is handled by uucp (!!), sending mail by postfix and smtp directly to an smtp server hosted by my computer club. Because there is no connection between the internal machines and the external DNS, I suspect that your measures won't work here. If I'm wrong, please correct me.
>
> Bye. Michael.

The script I have been working on is about a rather simple environment. There is one domain name and you have a server which is serving that domain using postfix and optionally dovecot as imap/authentication server. Obviously it is connected rather directly to the global internet (maybe via port forwarding in your router).

In your case I assume you have one or more servers, more or less directly connected to the internet. The measures I wrote about are only necessary on this/these server(s). The server of your computer club? It is a requirement that outgoing email to the internet is presented on port 587 (submission), obviously authenticated. Is incoming email from the internet also coming into this/these server(s)? If yes, it is there where you do the checking, and when accepted you can send it on to wherever you want and with the protocol you want, but that is not covered in my script. When you use the setup with one domain as an example, it is quite easy to expand it for more domains.

-- 
fr.gr.
member openSUSE
Freek de Kruijf
On Friday, 1 September 2023 13:54:47 CEST Freek de Kruijf wrote:
> On Friday, 1 September 2023 13:08:59 CEST mh@mike.franken.de wrote:
> > On Friday, 1 September 2023 12:39:14 CEST Freek de Kruijf wrote:
> > > Hi,
> > > [...]
> > > Please indicate whether you are interested in a script to implement these measures.
> >
> > I am always interested in security improvements, but I am not sure if your suggested measures are applicable to my environment, although I have an internal mail server and my own domain(s). My domain is split between the outside world and my internal network, i.e. a few DNS entries are known world wide and hosted by external DNS servers, but most of the machines are only known within my internal network and are managed by internal DNS servers. My smtp (postfix) and my imap servers (dovecot) are among these internal-only machines. Receiving mail is handled by uucp (!!), sending mail by postfix and smtp directly to an smtp server hosted by my computer club. Because there is no connection between the internal machines and the external DNS, I suspect that your measures won't work here. If I'm wrong, please correct me.
> >
> > Bye. Michael.
>
> The script I have been working on is about a rather simple environment. There is one domain name and you have a server which is serving that domain using postfix and optionally dovecot as imap/authentication server. Obviously it is connected rather directly to the global internet (maybe via port forwarding in your router).
>
> In your case I assume you have one or more servers, more or less directly connected to the internet. The measures I wrote about are only necessary on

The postfix can't be reached from the internet; incoming mail is fetched via uucp. The dovecot server is available from the internet via vpn, but not directly. Outgoing mail can be sent via the postfix server - in this direction by smtp, not by uucp. Everything is protected by pfSense routers *and* additionally by a Fritz!Box firewall.

> this/these server(s). The server of your computer club? It is a requirement that outgoing email to the internet is presented on port 587 (submission), obviously authenticated.

This is how my postfix server is delivering mail to the smtp server of my computer club.

> Is incoming email from the internet also coming into this/these server(s)?

No, incoming mail comes via uucp.

> If yes, it is there where you do the checking, and when accepted you can send it on to wherever you want and with the protocol you want, but that is not covered in my script.

Probably checking can be done between the first postfix, which gets the mails by uucp, and the postfix that delivers them internally.

> When you use the setup with one domain as an example, it is quite easy to expand it for more domains.

Ok. Thx. Bye. Michael.
On Friday, 1 September 2023 18:12:51 CEST mh@mike.franken.de wrote:
> On Friday, 1 September 2023 13:54:47 CEST Freek de Kruijf wrote:
> > In your case I assume you have one or more servers, more or less directly connected to the internet. The measures I wrote about are only necessary on
>
> The postfix can't be reached from the internet; incoming mail is fetched via uucp. The dovecot server is available from the internet via vpn, but not directly. Outgoing mail can be sent via the postfix server - in this direction by smtp, not by uucp. Everything is protected by pfSense routers *and* additionally by a Fritz!Box firewall.

But the server that delivers the email via uucp receives it from the internet, so that's the server that needs to do the checking I talked about (checks using SPF, DKIM and DMARC).

> > this/these server(s). The server of your computer club? It is a requirement that outgoing email to the internet is presented on port 587 (submission), obviously authenticated.
>
> This is how my postfix server is delivering mail to the smtp server of my computer club.

And this server is sending the email onto the internet. So this one could sign these messages with the DKIM signature. Depending on the number of domain names in the From addresses, you need to have several DKIM keys and several SPF and DMARC entries in the DNSes for these domains. Once you have it set up for one domain name, it is rather straightforward to support more domain names.

-- 
fr.gr.
member openSUSE
Freek de Kruijf
On Saturday, 2 September 2023 15:45:16 CEST Freek de Kruijf wrote:
> On Friday, 1 September 2023 18:12:51 CEST mh@mike.franken.de wrote:
> > On Friday, 1 September 2023 13:54:47 CEST Freek de Kruijf wrote:
> > > In your case I assume you have one or more servers, more or less directly connected to the internet. The measures I wrote about are only necessary on
> >
> > The postfix can't be reached from the internet; incoming mail is fetched via uucp. The dovecot server is available from the internet via vpn, but not directly. Outgoing mail can be sent via the postfix server - in this direction by smtp, not by uucp. Everything is protected by pfSense routers *and* additionally by a Fritz!Box firewall.
>
> But the server that delivers the email via uucp receives it from the internet, so that's the server that needs to do the checking I talked about (checks using SPF, DKIM and DMARC).

This machine isn't under my control. The uucp server belongs to our computer club.

> > > this/these server(s). The server of your computer club? It is a requirement that outgoing email to the internet is presented on port 587 (submission), obviously authenticated.
> >
> > This is how my postfix server is delivering mail to the smtp server of my computer club.
>
> And this server is sending the email onto the internet. So this one could sign these messages with the DKIM signature. Depending on the number of domain names in the From addresses, you need to have several DKIM keys and several SPF and DMARC entries in the DNSes for these domains. Once you have it set up for one domain name, it is rather straightforward to support more domain names.

Ok, where do I put these signatures? Internal DNS?
On 9/1/23 03:39, Freek de Kruijf wrote:
> I am trying to collect some data about the use of security measures in an email server in your home or with a provider where you do your own configuration.
>
> Apart from doing malware checking on incoming messages, there are more measures you can take to protect the email with your own email server.
>
> The first measure is SPF checking, which means that you check that an incoming email really comes from the server it should come from. The owner of that server entered a so-called SPF TXT record in the DNS to indicate which server(s) are allowed to send messages with that domain name in the From address. You can do the same by having such a TXT record in the DNS of your domain. Obviously you rely on others to check this SPF TXT record. There might come a time that email that cannot be checked this way will be refused or at least goes into the spam folder.
>
> A second measure is DKIM checking and signing. When you inspect messages from gmail.com you will see that these messages contain a DKIM signature. The measure you take is that you check if the incoming signed message really comes with a proper signature and is not tampered with (the content, including headers, is signed). But you can do the same. You can sign outgoing messages with your DKIM signature. This means that you sign your messages with your private key and the public key is in the DNS of your domain. Signing messages this way makes it more likely that your messages are accepted. I did receive returned messages because they did not have a DKIM signature or could not be checked using SPF.
>
> The third measure is DMARC. This is also twofold: checking and providing a DMARC TXT record in the DNS of your domain. A DMARC record indicates what receiving servers should do with SPF and DKIM checks. So you have some control over what will be done when checks fail or partly fail (when the From address contains a subdomain of your domain).
>
> Please indicate whether you are interested in a script to implement these measures.

Yes! I'd be greatly interested in a SPF/DKIM/DMARC script! I've been procrastinating for years to get this done for myself.

Regards,
Lew
On Friday, 1 September 2023 15:41:18 CEST Lew Wolfgang wrote:
> On 9/1/23 03:39, Freek de Kruijf wrote:
> > Please indicate whether you are interested in a script to implement these measures.
>
> Yes! I'd be greatly interested in a SPF/DKIM/DMARC script! I've been procrastinating for years to get this done for myself.
>
> Regards,
> Lew

On the wiki page https://en.opensuse.org/Mail_server_HOWTO you will find a link to GitHub where you can find a script to implement such a service. The documentation can be found on GitHub as well. This script uses the dkim support in amavis.

I am working on a script which mimics an enhanced version of the mail module of yast. It configures an enhanced version of /etc/sysconfig/postfix, which is used by /usr/sbin/config.postfix to configure postfix (including SPF checks), amavisd-new, dovecot, opendkim or the dkim support in amavis, and opendmarc, in case you want to use these services. This is still work in progress.

I will publish this work also on GitHub, but it is still not finished and documentation is the last part of my work on it.

-- 
fr.gr.
member openSUSE
Freek de Kruijf
On Saturday, 2 September 2023 16:05:59 CEST Freek de Kruijf wrote:
> On Friday, 1 September 2023 15:41:18 CEST Lew Wolfgang wrote:
> > On 9/1/23 03:39, Freek de Kruijf wrote:
> > > Please indicate whether you are interested in a script to implement these measures.
> >
> > Yes! I'd be greatly interested in a SPF/DKIM/DMARC script! I've been procrastinating for years to get this done for myself.
> >
> > Regards,
> > Lew
>
> On the wiki page https://en.opensuse.org/Mail_server_HOWTO you will find a link to GitHub where you can find a script to implement such a service. The documentation can be found on GitHub as well. This script uses the dkim support in amavis.
>
> I am working on a script which mimics an enhanced version of the mail module of yast. It configures an enhanced version of /etc/sysconfig/postfix, which is used by /usr/sbin/config.postfix to configure postfix (including SPF checks), amavisd-new, dovecot, opendkim or the dkim support in amavis, and opendmarc, in case you want to use these services. This is still work in progress.
>
> I will publish this work also on GitHub, but it is still not finished and documentation is the last part of my work on it.

Apart from some cosmetic changes I finished my project to implement a package of postfix that gives the possibility to easily configure a postfix server with support for SPF, DKIM and DMARC. These packages for different architectures and versions of openSUSE are available on:

https://download.opensuse.org/repositories/home:/fdekruijf:/branches:/server:/mail/

Documentation can be found on:

https://github.com/freekdk/GenPDSDM/blob/master/genmailmodule.pdf

-- 
fr.gr.
member openSUSE
Freek de Kruijf