From 09bb988527efdf69de26cf57c512b5635119e765 Mon Sep 17 00:00:00 2001
From: Sven Gothel
Date: Mon, 22 Aug 2016 01:47:40 +0200
Subject: Adding SPF and DKIM for Email Security and Authenticity
---
 server/setup/05-service-settings/02-SERVICES.txt | 19 +++++++++++++
 .../setup/05-service-settings/etc/mail/sendmail.mc | 12 ++++----
 server/setup/05-service-settings/etc/opendkim.conf | 33 ++++++++++++++++++++++
 .../05-service-settings/etc/opendkim/KeyTable | 1 +
 .../05-service-settings/etc/opendkim/SigningTable | 1 +
 .../05-service-settings/etc/opendkim/TrustedHosts | 2 ++
 6 files changed, 63 insertions(+), 5 deletions(-)
 create mode 100644 server/setup/05-service-settings/etc/opendkim.conf
 create mode 100644 server/setup/05-service-settings/etc/opendkim/KeyTable
 create mode 100644 server/setup/05-service-settings/etc/opendkim/SigningTable
 create mode 100644 server/setup/05-service-settings/etc/opendkim/TrustedHosts
(limited to 'server/setup')
diff --git a/server/setup/05-service-settings/02-SERVICES.txt b/server/setup/05-service-settings/02-SERVICES.txt
index 70f15f8..3098baf 100644
--- a/server/setup/05-service-settings/02-SERVICES.txt
+++ b/server/setup/05-service-settings/02-SERVICES.txt
@@ -115,6 +115,25 @@ Debian 7.00 (Wheezy) - cd /etc/mail - make + - SPF + - add TXT dns entry jogamp.org IN TXT "v=spf1 mx a ptr:jogamp.org ip6:2a01:4f8:192:1164::2 -all" + + - DKIM + https://dev.kafol.net/2013/01/dkim-spf-sendmail-for-multiple-domains.html apt-get install opendkim apt-get install opendkim-tools vi /etc/opendkim.conf mkdir /etc/opendkim/ mkdir /etc/opendkim/keys mkdir /etc/opendkim/keys/jogamp.org vi /etc/opendkim/TrustedHosts vi /etc/opendkim/SigningTable vi /etc/opendkim/KeyTable opendkim-genkey -D /etc/opendkim/keys/jogamp.org -d jogamp.org -s default chown -R opendkim:opendkim /etc/opendkim chmod -R go-rwx /etc/opendkim + + /etc/init.d/sendmail start 10 GIT 
diff --git a/server/setup/05-service-settings/etc/mail/sendmail.mc b/server/setup/05-service-settings/etc/mail/sendmail.mc
index 704e4da..9cfbbb9 100644
--- a/server/setup/05-service-settings/etc/mail/sendmail.mc
+++ b/server/setup/05-service-settings/etc/mail/sendmail.mc
@@ -132,11 +132,11 @@ dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
 dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
 dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
 dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
-define(`confCACERT', `/etc/ssl/local/thawte-SSL123_CA_Bundle.pem')dnl
-define(`confSERVER_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
-define(`confSERVER_KEY', `/etc/ssl/local/jogamp2013-hostkey.mail.pem')dnl
-define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
-define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
+define(`confCACERT', `/etc/ssl/local/thawte-ca-cert3-20151105.pem')dnl
+define(`confSERVER_CERT', `/etc/ssl/local/jogamp2016a-hostcert.pem')dnl
+define(`confSERVER_KEY', `/etc/ssl/local/jogamp2016a-hostkey.mail.pem')dnl
+define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2016a-hostcert.pem')dnl
+define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2016a-hostkey.mail.pem')dnl
 dnl #
 dnl define(`confTO_QUEUEWARN', `4h')dnl
 dnl define(`confTO_QUEUERETURN', `5d')dnl
@@ -180,6 +180,8 @@ dnl #
 dnl FEATURE(local_procmail, `/usr/lib/dovecot/dovecot-lda', `/usr/lib/dovecot/dovecot-lda -d $u')dnl
 dnl MODIFY_MAILER_FLAGS(`LOCAL', `-f')dnl
+INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
+
 dnl #
 dnl # The access db is the basis for most of sendmail's checking
 dnl #
 FEATURE(`access_db', , `skip')dnl
diff --git a/server/setup/05-service-settings/etc/opendkim.conf b/server/setup/05-service-settings/etc/opendkim.conf
new file mode 100644
index 0000000..10c9064
--- /dev/null
+++ b/server/setup/05-service-settings/etc/opendkim.conf
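Review bot: `INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')` in the second hunk (`@@ -180,6 +180,8 @@`) sets no `F=` flag, so when the opendkim milter is down or its socket refuses, sendmail proceeds without it and outbound mail leaves unsigned with nothing failing visibly. If the intent is that mail never leaves this host unsigned, `F=T` makes sendmail temp-fail instead and a timeout bounds how long a hung milter can hold a connection, e.g. `INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost, F=T, T=S:30s;R:30s')dnl`. The trailing `dnl` is also missing on this one line, unlike every other directive in the file, which leaves a stray blank line in the generated sendmail.cf. The first hunk only rotates certificate and key paths and needs no change.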
@@ -0,0 +1,33 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+AutoRestart yes
+UMask 002
+Syslog yes
+AutoRestartRate 10/1h
+Canonicalization relaxed/simple
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+InternalHosts refile:/etc/opendkim/TrustedHosts
+KeyTable refile:/etc/opendkim/KeyTable
+LogWhy yes
+Mode sv
+PidFile /var/run/opendkim/opendkim.pid
+SignatureAlgorithm rsa-sha256
+SigningTable refile:/etc/opendkim/SigningTable
+Socket inet:8891@localhost
+SyslogSuccess Yes
+TemporaryDirectory /var/tmp
+UserID opendkim:opendkim
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+#ATPSDomains example.com
+
diff --git a/server/setup/05-service-settings/etc/opendkim/KeyTable b/server/setup/05-service-settings/etc/opendkim/KeyTable
new file mode 100644
index 0000000..05d3b19
--- /dev/null
+++ b/server/setup/05-service-settings/etc/opendkim/KeyTable
@@ -0,0 +1 @@
+default._domainkey.jogamp.org jogamp.org:default:/etc/opendkim/keys/jogamp.org/default.private
diff --git a/server/setup/05-service-settings/etc/opendkim/SigningTable b/server/setup/05-service-settings/etc/opendkim/SigningTable
new file mode 100644
index 0000000..7211e4d
--- /dev/null
+++ b/server/setup/05-service-settings/etc/opendkim/SigningTable
@@ -0,0 +1 @@
+*@jogamp.org default._domainkey.jogamp.org
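Review bot: `InternalHosts` and `ExternalIgnoreList` both point at `refile:/etc/opendkim/TrustedHosts`, so with `Mode sv` any client matching that file is never verified and has its mail signed with the jogamp.org key; that file is therefore the signing trust boundary, and nothing in this config says so. A comment above those two lines, such as `# Hosts matching TrustedHosts are signed and never verified -- keep it to loopback and the MTA's own addresses`, would make the consequence visible to whoever edits the list later. Because the dataset is `refile:`, entries are pattern-matched rather than compared literally, which is worth stating in the same comment. The `Socket inet:8891@localhost` line agrees with the `INPUT_MAIL_FILTER` added to sendmail.mc in this commit.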
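Review bot: The single selector `default` is bound to `/etc/opendkim/keys/jogamp.org/default.private` and nothing in the commit records how the key is rotated; because the DNS record name `default._domainkey.jogamp.org` is fixed by this entry, rotating the key means replacing the published record and the private file in one step, with no overlap period. A per-key selector (a constructed example: `201608._domainkey.jogamp.org`) lets the new record be published alongside the old one before signing switches over. If `default` is kept, a `#` comment line above this entry noting the key's generation date would at least make its age visible; file-based OpenDKIM datasets accept such comment lines, as far as I recall, so verify against opendkim.conf(5).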
diff --git a/server/setup/05-service-settings/etc/opendkim/TrustedHosts b/server/setup/05-service-settings/etc/opendkim/TrustedHosts
new file mode 100644
index 0000000..e0888a7
--- /dev/null
+++ b/server/setup/05-service-settings/etc/opendkim/TrustedHosts
@@ -0,0 +1,2 @@
+127.0.0.1
+jogamp.org
-- 
cgit v1.2.3
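Review bot: The list has `127.0.0.1` but not the IPv6 loopback `::1`, so with this file serving as both `InternalHosts` and `ExternalIgnoreList` under `Mode sv`, mail submitted locally over IPv6 would be verified rather than signed; the SPF record added in the same commit publishes an IPv6 address for the host, so IPv6 submission is plausible. Adding `::1` as a second address line closes that gap. The `jogamp.org` entry is a hostname pattern in a `refile:` dataset rather than an address, so which clients it matches depends on the name sendmail presents for the connection; if the intent is only to trust the MTA itself, listing its own addresses is the less ambiguous form.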