1 Topic by oquidave

  • oquidave
  • Member
  • Offline
  • Registered: 2015-09-28
  • Posts: 15

Topic: Require sending server to have PTR, MX, SPF, DKIM DNS records

==== Required information ====
- iRedMail version (check /etc/iredmail-release):  0.9.7
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello, how can I configure iRedmail such that all sending mail servers MUST have PTR, MX, SPF, DKIM DNS records  set up? I want to do this as a mechanism to combat spam.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Require sending server to have PTR, MX, SPF, DKIM DNS records

DNS records are done in the DNS management web panel offered by your DNS vendor.
FYI: http://www.iredmail.org/web/docs/setup.dns.html

3 Reply by oquidave

  • oquidave
  • Member
  • Offline
  • Registered: 2015-09-28
  • Posts: 15

Re: Require sending server to have PTR, MX, SPF, DKIM DNS records

Hello I mean that the sending server should have those dns records before iRedmail can accept the sending server's emails.

ZhangHuangbin wrote:

DNS records are done in the DNS management web panel offered by your DNS vendor.
FYI: http://www.iredmail.org/web/docs/setup.dns.html

4 Reply by swejun

  • swejun
  • Member
  • Offline
  • Registered: 2017-07-26
  • Posts: 84

Re: Require sending server to have PTR, MX, SPF, DKIM DNS records

oquidave wrote:

Hello I mean that the sending server should have those dns records before iRedmail can accept the sending server's emails.

ZhangHuangbin wrote:

DNS records are done in the DNS management web panel offered by your DNS vendor.
FYI: http://www.iredmail.org/web/docs/setup.dns.html


It's not just a click in a box....

First of all you must be aware of the methods and measures referred to, what they are used for and the intention
of each item.

Greylisting in the real spam stopper. In our environment, I would say that 85% of the incoming mail items are
blocked due to the sending server never retries. (using the same triplet)

And then fight spam with messages inspection and RBL after greylisting check is done.

Checking/ validating  PTR, MX and SPF records of a sender: The owner of the domain defines what
measures to take for a failing SPF record check. (i.e. an e-mail arrives, but the sending host
is not validated via the SPF record) Fail, Warn, Pass
see: http://www.openspf.org/FAQ/Common_receiver_mistakes

The SPF record can refer to the MX and A records for the domain.
In iRedMail, you can for example do a whitelisting for GreyListing based on the outcome of SPF check


For DKIM, its the same story. The owner of the domain defines what to do if the dkim check fails,
using the DMARC entry.

https://securityintelligence.com/unders … echanisms/

Quote:
"Not a Spam Filter
This might come as a shock, but neither SPF nor DKIM are spam filters.
They merely help you (and, in fact, the servers that route email) decide if a certain
message is likely to be an unwanted email message or not. Both mechanisms contribute in
the process of verifying that the source of an email is not falsified. As such, SPF and
DKIM can help in protecting against phishing, but it would be foolish to utilize them as your only line of defense"

https://luxsci.com/blog/7-common-miscon … -spam.html


But if You really want to do this...(I havn't  yet)
https://www.skelleton.net/2015/03/21/ho … ith-dmarc/
It really describes the Big picture + details.
Note that DKIM signing is already in place in the iReadMail package, but havn't found any
settings for validating according with DMARC. (maybe I'm wrong here, though)

It involves using postfix-policyd-spf-python  for the SPF check
and opendmarc for the DKIM check. (Dmarc is the DNS entry that defines how to treat a failing
DKIM from  a sending mail domain)

Note, Warning:
It's a bit tricky to configure the postfix main.cf  when it comes to the order of items
in "smtpd_recipient_restrictions". TEST TEST TEST, It may become an open relay if you fail.
Verify using an external mailing test host, like https://mxtoolbox.com/diagnostic.aspx

Or you maybe block all incoming mail, which might be the best spam filer ;-)

5 Reply by swejun

  • swejun
  • Member
  • Offline
  • Registered: 2017-07-26
  • Posts: 84

Re: Require sending server to have PTR, MX, SPF, DKIM DNS records

After doing some more investigations, I find that the Spamassassin and Amavis-new got  SPF and DKIM
entries. So maybe it is already in place. I guess that a failed SPF and DKIM check will beef up the spam score.
So, my guess is that iRedmail is already handling both SPF and DKIM/DMARC verifications out of the box.


/etc/amavisd/amavisd.conf:
$enable_dkim_verification = 1;  # enable DKIM signatures verification

and for Spamassasin, there are whitelist posibilities based on a positive SPF and DKIM check,
meaning you can tune the maximum allowed spam score down from the default value "5.0" to a lower value, lets say "4.0"
and whitelist the good guys. It all depends on how much filtering of "legitimate" e-mails you can afford. Tune and test

/etc/mail/spamassassin/local.cf:
# Whitelist from SPF.
#whitelist_from_spf joe@example.com fred@example.com
#whitelist_from_spf *@example.com

# Whitelist from DKIM.
loadplugin Mail::SpamAssassin::Plugin::DKIM
whitelist_from_dkim *@paypal.com
whitelist_from_dkim *@linkedin.com
whitelist_from_dkim *@twitter.com
whitelist_from_dkim *@bounce.twitter.com