path: root/src/_posts/2016-10-31-freebsd-mailserver-part-4-message-authentication.md
blob: e5cee0e366f13b7ac3aa0d9465785e520a1723ad (plain)
---
title: "FreeBSD email server - Part 4: Message authentication"
date: 2016-10-31 20:00:38
tags: Tutorial FreeBSD Email DKIM SPF
layout: post
---

Welcome to another part in the FreeBSD email server series. This time, we are
going to set up some mechanisms for message authentication. This practice
makes other email providers accept your email messages and deliver them to the
receiving user's inbox instead of their spam box.

We will do so using three of the most common practices: [SPF][spf],
[DKIM][dkim] and [DMARC][dmarc].

## DKIM
### Installation
The tools for DKIM are easily installed using `pkg`.

{% highlight sh %}
pkg install opendkim
{% endhighlight %}

### Configuration
Write the following configuration into `/usr/local/etc/mail/opendkim.conf`.

{% highlight apache %}
# logging
Syslog  yes

# permissions
UserID  postfix
UMask   007

# general settings
AutoRestart         yes
Background          yes
Canonicalization    relaxed/relaxed
DNSTimeout          5
Mode                sv
SignatureAlgorithm  rsa-sha256
SubDomains          no
X-Header            yes
OversignHeaders     From

# tables
KeyTable      /usr/local/etc/opendkim/key.table
SigningTable  /usr/local/etc/opendkim/signing.table

# socket
Socket  inet:8891@localhost

# domains (fallback only: these three are ignored when KeyTable is set, as above)
Domain    domain.tld
KeyFile   /usr/local/etc/opendkim/keys/domain.tld/mail.private
Selector  mail
{% endhighlight %}

#### Postfix
Postfix needs to be instructed to sign the messages with a DKIM header using
the opendkim service. You can do so by inserting the following configuration
block somewhere around the end of `/usr/local/etc/postfix/main.cf`.

{% highlight ini %}
# milters
milter_protocol = 2
milter_default_action = reject
smtpd_milters =
    inet:localhost:8891
{% endhighlight %}

#### System service
OpenDKIM runs as a system service, so you have to enable it in `rc.conf`. This
is a simple step, achieved with the given command.

{% highlight sh %}
echo 'milteropendkim_enable="YES"' >> /etc/rc.conf.local
{% endhighlight %}

Do not forget to actually start the service when you are done with the
tutorial!

### Creating and using keys
In order to use DKIM, you will need to generate some keys to sign the messages
with. You cannot use your Let's Encrypt SSL keys for this. First, create a
directory to house your domain's keys.

{% highlight sh %}
mkdir -p /usr/local/etc/opendkim/keys/domain.tld
chown -R postfix:wheel /usr/local/etc/opendkim/keys/domain.tld
{% endhighlight %}

Next up, generate your first key.

{% highlight sh %}
opendkim-genkey -D /usr/local/etc/opendkim/keys/domain.tld -b 4096 -r -s $(date +%Y%m%d) -d domain.tld
chown postfix:wheel /usr/local/etc/opendkim/keys/domain.tld/*  # genkey writes as root; opendkim reads the key as postfix
{% endhighlight %}

I tend to use the current date for the key names so I can easily sort them by
the most recent one.

Afterwards, you will have to add a line to each of two files to instruct
OpenDKIM to use this key when signing mail for a certain domain. These lines are
fairly straightforward and can be added with a simple `echo` as well.

{% highlight sh %}
echo '*@domain.tld  domain.tld' >> /usr/local/etc/opendkim/signing.table
echo "domain.tld  domain.tld:$(date +%Y%m%d):/usr/local/etc/opendkim/keys/domain.tld/$(date +%Y%m%d).private" \
  >> /usr/local/etc/opendkim/key.table
{% endhighlight %}

### Adding the DNS records
You may have already noticed that `opendkim-genkey` also creates a `.txt` file
next to the private key. This file contains the DNS TXT record (name and value)
you need to publish for your domain. Add the record to your DNS server and
simply wait for it to propagate.
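As an added example (not from the original post), the following Python reads the `<selector>.txt` fragment that `opendkim-genkey -r` leaves beside the private key, joins its quoted pieces into the record value, sanity-checks the tags, and re-splits the value into the 255-octet strings a zone file needs (a 4096-bit key always needs more than one). The sample text and its `p=` value are constructed placeholders, not a real key.

```python
import base64
import re

# Constructed sample in the shape `opendkim-genkey -r` writes to <selector>.txt;
# the p= value is a placeholder string, not a real public key.
SAMPLE_TXT = (
    '20161031._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; s=email; "\n'
    '\t  "p=' + 'A' * 255 + '"\n'
    '\t  "' + 'A' * 45 + '" )  ; ----- DKIM key 20161031 for domain.tld\n'
)

def parse_genkey_txt(text):
    """Return (owner name, record value) from a genkey .txt zone fragment."""
    owner = text.split()[0]                           # e.g. 20161031._domainkey
    record = "".join(re.findall(r'"([^"]*)"', text))  # join the quoted pieces
    return owner, record

def parse_tags(record):
    """Split a 'k=v; k=v' tag list into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags

def check_dkim_record(record):
    """Return a list of problems; an empty list means the record is publishable."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v= tag")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type " + tags["k"])
    p = tags.get("p", "")
    if not p:
        problems.append("empty p= tag (this publishes a revoked key)")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

def zone_strings(record, limit=255):
    """Split the value into <= limit-octet strings, as a zone file requires."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]
```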

## SPF
SPF is simply a DNS record that lists which hosts are allowed to send mail for
that domain.

### Adding the DNS records
A simple example of an SPF record is the following. It allows mail to be sent
in the domain's name from any host listed in the domain's MX records, and the
`-all` rejects everything else.

```
v=spf1 mx -all
```

## DMARC
DMARC is, like SPF, a DNS record. It tells receiving servers how to deal with
messages claiming to come from your domain that fail SPF or DKIM checks, and
where to send reports about them. Some of the larger email providers send
reports to the address given in the DMARC record, so you can figure out whether
someone is sending spam in your domain's name, for example.

### Adding the DNS records
A simple DMARC policy to get started with is to quarantine all emails that fail
authentication. This means those emails go into the receiving user's spam box.
In addition, reports will be sent to the address defined in the `rua` tag.

```
v=DMARC1; p=quarantine; rua=mailto:abuse@domain.tld
```
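As an added example, not from the original post, the following Python parses the SPF and DMARC records published above and flags the mistakes receivers trip over: a missing or permissive `all`, more than ten DNS-lookup terms, an invalid `p=` policy, or a `rua` that is not a `mailto:` URI. The record strings in the comments are the ones from this post; everything else is assumed.

```python
# Terms that cost a DNS lookup; RFC 7208 lets receivers stop after ten of them.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

def parse_spf(record):
    """Return [(qualifier, term, argument), ...]; raise on a non-SPF record."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for word in words[1:]:
        qualifier = "+"                         # the default qualifier is pass
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        name, sep, arg = word.partition(":")    # mechanism:argument
        if not sep:
            name, _, arg = word.partition("=")  # modifier=argument
        terms.append((qualifier, name.lower(), arg))
    return terms

def check_spf(record):
    """Return problems with an SPF record such as 'v=spf1 mx -all'; empty is good."""
    terms = parse_spf(record)
    problems = []
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; receivers give up after 10")
    finals = [q for q, name, _ in terms if name == "all"]
    if not finals and not any(name == "redirect" for _, name, _ in terms):
        problems.append("no 'all' mechanism: unlisted senders end up neutral")
    elif finals and finals[-1] == "+":
        problems.append("'+all' authorises every host on the Internet")
    return problems

def check_dmarc(record):
    """Return problems with a DMARC record such as 'v=DMARC1; p=quarantine; rua=mailto:...'."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("missing or wrong v= tag")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        problems.append("p= must be none, quarantine or reject")
    for uri in filter(None, tags.get("rua", "").split(",")):
        if not uri.strip().startswith("mailto:"):
            problems.append("rua URI is not mailto: " + uri.strip())
    return problems
```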

## Conclusion
These few simple measures will make receiving servers trust the authenticity of
the mails you send. In effect, your messages will be much less likely to be
marked as spam. However, you are a target of spam as well. How to deal with
that will be covered in the next part of this series.

[dkim]: http://www.dkim.org/
[dmarc]: http://dmarc.org/
[spf]: https://en.wikipedia.org/wiki/Sender_Policy_Framework