Revision 13 as of 2020-08-15 18:34:39


Description

SMTP is the mail backbone of the internet, and a lot has already been written about it. Most of this page is about FreeBSD and sendmail.

TLS

We use Letsencrypt for TLS in our sendmail configuration. First, get a certificate; how to do that is beyond the scope of this page. Once you have one, it lives in /usr/local/etc/letsencrypt/live/<SMTP-HOSTNAME>/. Change the default configuration in /etc/mail/<HOSTNAME>.mc to:

define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/<SMTP-HOSTNAME>')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl
define(`confCACERT', `CERT_DIR/chain.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh_4096.param')dnl

And at the end of the config file:

LOCAL_CONFIG
O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE -SSL_OP_LEGACY_SERVER_CONNECT -SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1

Letsencrypt doesn't give you a DH parameter file, so let's make one in /usr/local/etc/letsencrypt/live/<SMTP-HOSTNAME>/. The file name must match the confDH_PARAMETERS line above:

$ openssl dhparam -out dh_4096.param 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
..............................
<snip>
........................++*++*++*

Then run make and make install in /etc/mail. After that, only a restart is necessary: service sendmail restart

SPF

SPF records are TXT records. In the past a dedicated SPF record type was used, but now it's just TXT. The record describes where mail for a domain may originate from, and it applies only to the domain the record is made for, not to its subdomains. SPF is not inherited, so make an extra record for each subdomain that sends mail.

An example of an SPF record is:

lists.example.org. 3600 TXT "v=spf1 a include:_spf.google.com ~all"

There are several mechanisms (options):

Option    Description
all       Matches all local and remote IPs and goes at the end of the SPF record. Example: "v=spf1 +all"
ip4       Specifies a single IPv4 address or an acceptable IPv4 address range. A mask of /32 is assumed if no prefix-length is included. Example: "v=spf1 ip4:192.168.0.1/16 -all"
ip6       Same concept as ip4, but with IPv6 addresses. If no prefix-length is given, /128 is assumed (singling out an individual host address). Example: "v=spf1 ip6:1080::8:800:200C:417A/96 -all"
a         Specifies all IPs in the DNS A record. Example: "v=spf1 a:domain.com -all"
mx        Specifies all A records for each host's MX record. Example: "v=spf1 mx mx:domain.com -all"
ptr       Specifies all A records for each host's PTR record. Example: "v=spf1 ptr:domain.com -all"
exists    Specifies one or more domains normally singled out as exceptions to the SPF definitions. An A query is performed on the provided domain; if a result is found a match occurs. Example: "v=spf1 exists:domain.com -all"
include   Specifies other domains that are authorized domains. Example: "v=spf1 include:outlook.microsoft.com -all"

Each mechanism can be prefixed with a qualifier ("+" is the default when none is given):

Qualifier  Description
+          Pass: the address passed the test; accept the message. Example: "v=spf1 +all"
-          (Hard) Fail: the address failed the test; bounce any e-mail that does not comply. Example: "v=spf1 -all"
~          Soft Fail: the address failed the test, but the result is not definitive; accept and tag any non-compliant mail. Example: "v=spf1 ~all"
?          Neutral: the address did not pass or fail the test; do whatever (probably accept the mail). Example: "v=spf1 ?all"

The record is evaluated from left to right, and the qualifier of the first mechanism that matches is the result. More info on the Digital Ocean site.
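To make the left-to-right evaluation, the qualifiers and the "no subdomain inheritance" rule concrete, here is an added example (not part of this wiki page): a small SPF evaluator in Python that covers the a, mx, ip4, ip6, exists and include mechanisms (ptr is left out). The DNS data and the domain names in it are constructed for the example; a real checker would query the resolver instead.

```python
import ipaddress

# Constructed DNS data standing in for real resolver lookups (an assumption for this example).
DNS = {
    "A": {"lists.example.org": ["192.0.2.10"], "mail.example.org": ["192.0.2.20"]},
    "MX": {"lists.example.org": ["mail.example.org"]},
    "TXT": {
        "lists.example.org": "v=spf1 a mx include:_spf.example.net ~all",
        "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
        "v6.example.org": "v=spf1 ip6:2001:db8::/32 -all",
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mechanism_matches(mech, arg, ip, domain, depth):
    """Return True if one SPF mechanism matches the connecting IP (ptr is not implemented)."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)  # /32 or /128 assumed without a prefix
        return ip.version == net.version and ip in net
    if mech == "a":
        return str(ip) in DNS["A"].get(arg or domain, [])
    if mech == "mx":
        return any(str(ip) in DNS["A"].get(h, []) for h in DNS["MX"].get(arg or domain, []))
    if mech == "exists":
        return bool(DNS["A"].get(arg))
    if mech == "include":  # matches only if the included domain's record yields "pass"
        return check_spf(str(ip), arg, depth + 1) == "pass"
    raise ValueError("unsupported mechanism: " + mech)

def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of exactly this domain (subdomains do not inherit it),
    left to right; the qualifier of the first matching mechanism is the result."""
    ip = ipaddress.ip_address(ip)
    record = DNS["TXT"].get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # no record, or include chain too deep
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"  # "+" is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mechanism_matches(mech, arg, ip, domain, depth):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" mechanism at the end
```

Run check_spf("203.0.113.5", "lists.example.org") to see the ~all soft fail, and check_spf("192.0.2.10", "sub.lists.example.org") to see that a subdomain without its own record gets no result.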

DMARC

DKIM

Checking

Ways to check your mailserver.

Manual SMTP session

You can telnet to your mailserver and send an email by hand. See also https://www.atmail.com/blog/smtp-101-manual-smtp-sessions/

telnet smtp.domain.tld 25

HELO sciuro.org
MAIL FROM:<test@sciuro.org>
RCPT TO:<bo.ter.ham@domain.tld>
DATA
From: test@example.org
To: Bo Ter Ham <bo.ter.ham@domain.tld>
Subject: Testmail checking SPF

Hi.

This is a test mail for checking if SPF is properly configured.

Bye!
.
QUIT

The empty line after the Subject header is required: it separates the headers from the body. Note that the receiving server evaluates SPF against the envelope sender given in MAIL FROM (and the HELO name), not against the From header.