Debian Mail Server, Part II: SPF and DKIM - Stéphane Caron PDF
In a previous post, we saw how to configure a Debian mail server with Postfix and Dovecot (/blog/debian-mail-postfix-dovecot.html), but we did not address an important issue: spam.
Major e-mail providers defend their users against spam by requiring two extra credentials: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). We will see how
to configure these two services. We will also configure a local defense against incoming spam with SpamAssassin.
Configuring SPF
Sender Policy Framework (SPF) is one of the two services you should configure in order not to be considered as a spammer by major e-mail service providers. Its installation starts with:
Then, add the instruction check_policy_service unix:private/policy-spf to your smtpd_recipient_restrictions in /etc/postfix/main.cf. A complete list of
recipient restrictions, including SPF, looks like:
smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
check_policy_service unix:private/policy-spf,
check_sender_access hash:/etc/postfix/sender_access,
check_recipient_access hash:/etc/postfix/recipient_access,
permit
A few rules apply: the policy service should always be after reject_unauth_destination, otherwise early responses from SPF can turn your system into an open relay. Also, put the
policy service after you permit local senders (permit_sasl_authenticated), as SPF should be applied to inbound e-mail from the Internet, not outbound e-mail from your users.
You should also add the following line to main.cf in order to avoid timeouts:
policy-spf_time_limit = 3600s
Finally, you will need to setup an SPF record in your DNS. It is basically a TXT record that looks as follows:
Adding your IP addresses is not mandatory but, as we will see later on, GMail will give you a softfail score if it cannot find these.
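To make the softfail point concrete, here is an added example (not code from the original post) that evaluates an SPF record against a connecting IP without any DNS lookups. It handles only the `ip4:`/`ip6:` mechanisms and the terminal `all` with its qualifier; `a`, `mx`, `include` and the like need DNS and are rejected, so a real receiver evaluates more than this. The server address and both records are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Added example, not from the original post: an offline SPF evaluator for the
# subset of the record syntax that needs no DNS (ip4:, ip6: and the final 'all').
# The addresses and records below are constructed (RFC 5737 documentation ranges).

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none')
    for a connecting IP against a TXT record such as 'v=spf1 ip4:... ~all'.
    Mechanisms that require DNS (a, mx, include, exists, ptr, redirect) are
    rejected so the function stays offline; a real receiver evaluates those too."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # implicit qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]   # terminal: matches every sender
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                       # no match, keep scanning
        raise ValueError(f"mechanism {mechanism!r} needs DNS; not handled here")
    return "neutral"                       # ran off the end without 'all'


# Constructed scenario matching the post: the server's own IP was missing.
SERVER_IP = "203.0.113.25"
RECORD_WITHOUT_SERVER_IP = "v=spf1 ip4:198.51.100.0/24 ~all"
RECORD_WITH_SERVER_IP = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.25 ~all"

if __name__ == "__main__":
    for record in (RECORD_WITHOUT_SERVER_IP, RECORD_WITH_SERVER_IP):
        print(f"{record!r} -> {evaluate_spf(record, SERVER_IP)}")
```

With the first record the sender IP matches nothing and falls through to `~all`, which is exactly the softfail Gmail reports; adding the `ip4:` entry turns it into a pass. Note that a record ending in `-all` would turn the same omission into a hard fail, which is why the IP list must be kept in sync with every host that sends for the domain.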
Configuring DKIM
DomainKeys Identified Mail (DKIM) is the other service you need to configure in order not to be considered as a spammer by big e-mail providers. It ties your e-mail server to your domain
name, so that receivers can check that e-mails originating from your domain indeed correspond to your computer. Start the installation with:
DKIM is based on asymmetric cryptography. Basically, we will generate a pair of public/private keys on your server, and publish the public key on your DNS records. First, edit
/etc/opendkim.conf and make sure it contains the following:
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
LogWhy yes
Create the directory /etc/opendkim if it does not exist. Then, enter all your domains, hostnames or IP addresses in /etc/opendkim/TrustedHosts:
https://scaron.info/blog/debian-mail-spf-dkim.html Page 1 of 3
Debian Mail Server, Part II: SPF and DKIM - Stéphane Caron 11/4/15, 9:42 PM
127.0.0.1
localhost
mydomain.com
x.253.204.64
x.253.204.32/27
# DKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
Now, we need to generate the pair of public/private keys for your server. It goes as follows:
mkdir -p /etc/opendkim/keys/mydomain.com
cd /etc/opendkim/keys/mydomain.com
opendkim-genkey -s default -d mydomain.com
chown opendkim:opendkim default.private
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private
And to /etc/opendkim/SigningTable:
mydomain.com default._domainkey.mydomain.com
(In some tutorials, you will see a *@mydomain.com instead of just mydomain.com at the beginning of this line. I tried both, but only the latter passed the DKIM checks discussed in the
next section.)
$ cat /etc/opendkim/keys/mydomain.com/default.txt
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfM...long hash...DAQAB"
You need to enter the full line as a free-text (TXT) record in your domain's DNS (how to do so depends on your provider). If you cannot edit your DNS record directly but instead need to go
through a GUI, just remember that the field name starts with "default._domainkey". (This was the case with my provider's interface, and I left the default value there, which was my domain
name; subsequent experiences showed that DKIM was not working and a major e-mail provider identified me as a spammer.) Once you have configured your DNS, you can check it with:
The output should contain an "ANSWER" section with the same content as your default.txt file.
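Since a mis-published selector record was the cause of the failure described above, here is an added example (not code from the original post) that reads the default.txt written by opendkim-genkey and checks that the record it describes is publishable. For long keys the tool splits the value into several quoted strings inside parentheses, which a resolver concatenates; the parser does the same, and the checker verifies the tags and that p= decodes to DER. The key bytes in the sample are a constructed stand-in, not a real RSA key.

```python
import base64
import re

# Added example, not from the original post: parse opendkim-genkey's default.txt
# and sanity-check the DKIM record before publishing it. The key material below
# is a constructed stand-in for a DER SubjectPublicKeyInfo, not a real key.


def parse_dkim_txt(default_txt):
    """Return the tag=value map of a DKIM TXT record from a zone-file snippet
    such as 'default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=..." )'."""
    chunks = re.findall(r'"([^"]*)"', default_txt)   # only the quoted strings
    if not chunks:
        raise ValueError("no quoted TXT strings found")
    if any(len(chunk) > 255 for chunk in chunks):
        raise ValueError("a TXT character-string must be at most 255 bytes")
    value = "".join(chunks)                            # resolver-style concatenation
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition("=")
            tags[key.strip()] = val.strip()
    if "p" in tags:
        tags["p"] = re.sub(r"\s+", "", tags["p"])      # folding whitespace is ignored in base64
    return tags


def check_dkim_record(tags):
    """Return a list of problems; an empty list means the record looks publishable."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag, when present, must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type {tags.get('k')!r}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p tag (public key)")
    elif p == "":
        problems.append("empty p tag revokes the selector")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:                             # binascii.Error is a ValueError
            problems.append("p tag is not valid base64")
        else:
            if not der or der[0] != 0x30:
                problems.append("decoded key is not a DER SEQUENCE (SubjectPublicKeyInfo)")
    return problems


# Constructed default.txt in the multi-string layout opendkim-genkey uses for long keys.
FAKE_SPKI = bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)   # DER SEQUENCE header + padding
FAKE_P = base64.b64encode(FAKE_SPKI).decode()
SAMPLE_DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    f'\t  "p={FAKE_P[:240]}"\n'
    f'\t  "{FAKE_P[240:]}" )  ; ----- DKIM key default for mydomain.com\n'
)
# The abbreviated line shown in the post: "..." is not base64, so it must not be published as-is.
PLACEHOLDER_TXT = 'default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfM...long hash...DAQAB"'

if __name__ == "__main__":
    tags = parse_dkim_txt(SAMPLE_DEFAULT_TXT)
    print(tags["v"], tags["k"], len(tags["p"]), check_dkim_record(tags))
    print(check_dkim_record(parse_dkim_txt(PLACEHOLDER_TXT)))
```

The same parser can be pointed at the dig output once the record is live: if the tags it extracts differ from the ones in default.txt (a truncated p=, a provider GUI that added the domain to the name, a stray space), the signature will verify locally but fail at the receiver.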
(Don't worry about the DomainKeys check, which is for a version of the protocol prior to DKIM.) The second, and in my opinion most useful, service is mail-tester.com (https://www.mail-tester.com/). It performs similar checks, and also gives you hints on how to improve your configuration. Thanks to this service, I could identify and fix the DKIM misconfiguration
mentioned above, and also learned about the following two improvements.
Configuring DMARC
Once both SPF and DKIM are configured, it is easy, yet appreciated by other e-mail providers, to add a DMARC record to your DNS. Just create a new TXT field with the default values:
Reverse DNS
Some major e-mail providers check the domain name in your e-mails by a reverse DNS lookup. Consequently, you should make sure that your reverse DNS (dig -x +short <your_IP_address>) returns the domain name used in your e-mails. If it is not the case, you will need to add a pointer (PTR type) record in your DNS. For me, this involved contacting
the customer support of my registrar, as they do not allow one to configure these records directly on their web interface.
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning user@mydomain.com
does not designate IP_ADDRESS_OF_THE_SERVER as permitted sender)
smtp.mailfrom=user@mydomain.com;
dkim=pass header.i=@mydomain.com;
dkim=pass header.i=@mydomain.com;
dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com
We see that GMail indeed checks for SPF, DKIM and DMARC. Here, it noticed something that both previous tests had missed: my SPF record did not include my server's IP address,
which it considered suspicious ("domain of transitioning email_address does not designate ip_address as permitted sender"). After adding my IP to the SPF record, the softfail became
a pass.
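Reading these headers by eye works for one message, but when debugging deliverability it helps to parse them. The following is an added example (not code from the original post) that parses an Authentication-Results header value into per-method results and lists the methods that did not pass. The sample header is a constructed copy of the one above, with the server address replaced by a documentation IP.

```python
import re

# Added example, not from the original post: parse a Gmail-style
# Authentication-Results header (RFC 8601 shape) and flag non-passing methods.
# SAMPLE_AUTH_RESULTS is constructed after the header quoted in the post.

SAMPLE_AUTH_RESULTS = """mx.google.com;
       spf=softfail (google.com: domain of transitioning user@mydomain.com
       does not designate 203.0.113.25 as permitted sender)
       smtp.mailfrom=user@mydomain.com;
       dkim=pass header.i=@mydomain.com;
       dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com"""


def parse_authentication_results(value):
    """Return (authserv_id, results) where results is a list of dicts
    {'method', 'result', 'props'}; parenthesised comments are discarded."""
    flat = " ".join(value.split())                     # unfold continuation lines
    while re.search(r"\([^()]*\)", flat):              # strip (possibly nested) comments
        flat = re.sub(r"\([^()]*\)", "", flat)
    parts = [p.strip() for p in flat.split(";")]
    authserv_id = parts[0].split()[0]                  # drop an optional version number
    results = []
    for part in parts[1:]:
        if not part or part.lower() == "none":         # "none" means no methods were run
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:                       # ptype.property=value pairs
            key, _, val = token.partition("=")
            props[key] = val
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return authserv_id, results


def failing_methods(results):
    """Methods whose result is anything but 'pass' (softfail, fail, none, temperror...),
    i.e. the ones worth fixing on the sending side."""
    return sorted({r["method"] for r in results if r["result"] != "pass"})


if __name__ == "__main__":
    authserv, results = parse_authentication_results(SAMPLE_AUTH_RESULTS)
    print(authserv)
    for r in results:
        print(f"  {r['method']}={r['result']} {r['props']}")
    print("needs attention:", failing_methods(results))
```

On the sample this reports `spf` as the only method needing attention, which is the SPF record omission the post describes. Because the header is appended by the receiving server, only the copy added by a trusted authserv-id (here mx.google.com) should be believed; a sender can insert a forged Authentication-Results header of its own.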
Configuring SpamAssassin
Sooner rather than later, your e-mail server will receive spam. Good e-mail clients have junk filters, but the fight against it starts at the server level. SpamAssassin is a renowned e-mail
filter that does this job; plus, it is easy to install and configure. Start the setup with:
Let us first configure Postfix's master.cf: we need to add the filter -o content_filter=spamassassin to the smtp, smtps and submission services:
Finally, you can uncomment the following line in /etc/spamassassin/local.cf to label spam mails:
Webography
At the time of writing this post, I learned from articles of the Debian Wiki (https://wiki.debian.org/DebianSpamAssassin) and the Ubuntu Community
Wiki (https://help.ubuntu.com/community/Postfix/SPF), as well as from the following tutorials:
Content on this website is licensed under a Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).