authorSven Gothel <[email protected]>2016-08-22 01:47:40 +0200
committerSven Gothel <[email protected]>2016-08-22 01:47:40 +0200
commit09bb988527efdf69de26cf57c512b5635119e765 (patch)
tree31a5124006e8684797f88b9e57187b606f4fa1df /server/setup
parenta35614c1852746df4c0976d52c69c0debe90df80 (diff)
Adding SPF and DKIM for Email Security and Authenticity
Diffstat (limited to 'server/setup')
-rw-r--r--server/setup/05-service-settings/02-SERVICES.txt19
-rw-r--r--server/setup/05-service-settings/etc/mail/sendmail.mc12
-rw-r--r--server/setup/05-service-settings/etc/opendkim.conf33
-rw-r--r--server/setup/05-service-settings/etc/opendkim/KeyTable1
-rw-r--r--server/setup/05-service-settings/etc/opendkim/SigningTable1
-rw-r--r--server/setup/05-service-settings/etc/opendkim/TrustedHosts2
6 files changed, 63 insertions, 5 deletions
diff --git a/server/setup/05-service-settings/02-SERVICES.txt b/server/setup/05-service-settings/02-SERVICES.txt
index 70f15f8..3098baf 100644
--- a/server/setup/05-service-settings/02-SERVICES.txt
+++ b/server/setup/05-service-settings/02-SERVICES.txt
@@ -115,6 +115,25 @@ Debian 7.00 (Wheezy)
- cd /etc/mail
- make
+ - SPF
+ - add TXT dns entry jogamp.org IN TXT "v=spf1 mx a ptr:jogamp.org ip6:2a01:4f8:192:1164::2 -all"
+
+ - DKIM
+ https://dev.kafol.net/2013/01/dkim-spf-sendmail-for-multiple-domains.html
+ apt-get install opendkim
+ apt-get install opendkim-tools
+ vi /etc/opendkim.conf
+ mkdir /etc/opendkim/
+ mkdir /etc/opendkim/keys
+ mkdir /etc/opendkim/keys/jogamp.org
+ vi /etc/opendkim/TrustedHosts
+ vi /etc/opendkim/SigningTable
+ vi /etc/opendkim/KeyTable
+ opendkim-genkey -D /etc/opendkim/keys/jogamp.org -d jogamp.org -s default
+ chown -R opendkim:opendkim /etc/opendkim
+ chmod -R go-rwx /etc/opendkim
+
+
/etc/init.d/sendmail start
10 GIT
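Review bot: The SPF record added in this hunk uses the `ptr:jogamp.org` mechanism, which RFC 7208 (section 5.5) says SHOULD NOT be used because it depends on reverse-DNS lookups at every receiver and is slow and unreliable; `mx a` plus the explicit `ip6:` entry already cover the host, so the record can be `"v=spf1 mx a ip6:2a01:4f8:192:1164::2 -all"`. The `opendkim-genkey` line also passes no `-b`, so the key size falls back to the tool's default, which on older opendkim-tools releases is 1024 bits; unless the installed version is known to default to 2048, add `-b 2048` and publish the resulting `default.txt` as the `default._domainkey` TXT record. A final step noting that the TXT record must be published before `SigningTable` goes live would keep the runbook complete, since signed mail with no matching public key fails verification.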
diff --git a/server/setup/05-service-settings/etc/mail/sendmail.mc b/server/setup/05-service-settings/etc/mail/sendmail.mc
index 704e4da..9cfbbb9 100644
--- a/server/setup/05-service-settings/etc/mail/sendmail.mc
+++ b/server/setup/05-service-settings/etc/mail/sendmail.mc
@@ -132,11 +132,11 @@ dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
-define(`confCACERT', `/etc/ssl/local/thawte-SSL123_CA_Bundle.pem')dnl
-define(`confSERVER_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
-define(`confSERVER_KEY', `/etc/ssl/local/jogamp2013-hostkey.mail.pem')dnl
-define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
-define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
+define(`confCACERT', `/etc/ssl/local/thawte-ca-cert3-20151105.pem')dnl
+define(`confSERVER_CERT', `/etc/ssl/local/jogamp2016a-hostcert.pem')dnl
+define(`confSERVER_KEY', `/etc/ssl/local/jogamp2016a-hostkey.mail.pem')dnl
+define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2016a-hostcert.pem')dnl
+define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2016a-hostkey.mail.pem')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
@@ -180,6 +180,8 @@ dnl #
dnl FEATURE(local_procmail, `/usr/lib/dovecot/dovecot-lda', `/usr/lib/dovecot/dovecot-lda -d $u')dnl
dnl MODIFY_MAILER_FLAGS(`LOCAL', `-f')dnl
+INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
+
dnl #
dnl # The access db is the basis for most of sendmail's checking
dnl # FEATURE(`access_db', , `skip')dnl
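Review bot: The `INPUT_MAIL_FILTER` line registers the opendkim milter with no `F=` flag, so if opendkim is down or its socket is unreachable sendmail continues without the filter and outbound mail leaves unsigned, while inbound mail gets no verification result; no timeout is set either, so sendmail's default milter timeouts apply. If signing is meant to be mandatory, declare the failure mode and a timeout explicitly, e.g. `INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost, F=T, T=S:4m;R:4m')dnl`, where `F=T` makes sendmail temp-fail the message instead of silently skipping the milter. The trailing `dnl` also keeps the macro from emitting a stray blank line into sendmail.cf. Whether temp-failing is acceptable for this host is a policy choice, but the choice should be visible in the file.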
diff --git a/server/setup/05-service-settings/etc/opendkim.conf b/server/setup/05-service-settings/etc/opendkim.conf
new file mode 100644
index 0000000..10c9064
--- /dev/null
+++ b/server/setup/05-service-settings/etc/opendkim.conf
@@ -0,0 +1,33 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+AutoRestart yes
+UMask 002
+Syslog yes
+AutoRestartRate 10/1h
+Canonicalization relaxed/simple
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+InternalHosts refile:/etc/opendkim/TrustedHosts
+KeyTable refile:/etc/opendkim/KeyTable
+LogWhy yes
+Mode sv
+PidFile /var/run/opendkim/opendkim.pid
+SignatureAlgorithm rsa-sha256
+SigningTable refile:/etc/opendkim/SigningTable
+Socket inet:8891@localhost
+SyslogSuccess Yes
+TemporaryDirectory /var/tmp
+UserID opendkim:opendkim
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+#ATPSDomains example.com
+
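Review bot: The file gives no explanation of how `InternalHosts` and `ExternalIgnoreList` relate, yet both point at the same `/etc/opendkim/TrustedHosts` via `refile:`, which makes every entry in that file a pattern rather than a literal, and any host matching it has its mail signed instead of verified under `Mode sv`. A short header comment stating that would save the next maintainer from adding a broad pattern there; something like `# InternalHosts and ExternalIgnoreList share TrustedHosts; refile: entries are patterns, and a match means "sign, do not verify".` The `OversignHeaders` comment is also garbled ("to prevent malicious signatures header fields" and "pacakge"); I would reword it to say that oversigning From lets a verifier detect a From header added after signing. These are documentation-only changes; the settings themselves look consistent with the `Socket inet:8891@localhost` used in sendmail.mc.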
diff --git a/server/setup/05-service-settings/etc/opendkim/KeyTable b/server/setup/05-service-settings/etc/opendkim/KeyTable
new file mode 100644
index 0000000..05d3b19
--- /dev/null
+++ b/server/setup/05-service-settings/etc/opendkim/KeyTable
@@ -0,0 +1 @@
+default._domainkey.jogamp.org jogamp.org:default:/etc/opendkim/keys/jogamp.org/default.private
diff --git a/server/setup/05-service-settings/etc/opendkim/SigningTable b/server/setup/05-service-settings/etc/opendkim/SigningTable
new file mode 100644
index 0000000..7211e4d
--- /dev/null
+++ b/server/setup/05-service-settings/etc/opendkim/SigningTable
@@ -0,0 +1 @@
+*@jogamp.org default._domainkey.jogamp.org
diff --git a/server/setup/05-service-settings/etc/opendkim/TrustedHosts b/server/setup/05-service-settings/etc/opendkim/TrustedHosts
new file mode 100644
index 0000000..e0888a7
--- /dev/null
+++ b/server/setup/05-service-settings/etc/opendkim/TrustedHosts
@@ -0,0 +1,2 @@
+127.0.0.1
+jogamp.org
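Review bot: Neither entry is annotated, and because this file is loaded with a `refile:` prefix and serves as `InternalHosts`, a match means the sending client is trusted to originate jogamp.org mail that will be signed rather than verified; the `jogamp.org` entry is a hostname match that, as I read opendkim's refile handling, covers that exact name only and not hosts such as mail.jogamp.org, which would need a `*.jogamp.org` pattern if they are meant to relay. Hostname entries also depend on the client name sendmail reports, which is derived from reverse DNS, so an address or CIDR entry is the more robust form for any fixed relay. I would add one `#` comment per entry, e.g. `# loopback: local submissions are treated as internal (signed, not verified)` above `127.0.0.1` and `# exact hostname match; add *.jogamp.org or the relay's address if other hosts send as this domain` above `jogamp.org`.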