Postfix : received mails - how it deals with SPF, DKIM DMARC

Discussion in 'Server Operation' started by francoisPE, May 9, 2021.

  1. francoisPE

    francoisPE Member HowtoForge Supporter

    Hello,
    I set up ispconfig 3.2.4 on ubuntu 20.04 server (perfect server conf)
    I set a reverse DNS on my server.
    I build a mail domain with DKIM. I add SPF and DMARC DNS record. I test with mxtoolbox.
    Everything is working good.
    My emails should be well received...

    Now, as a mail "receiver", I would like to understand how are filtered mails I receive.
    My question is : how does my postfix consider incoming mails vs SPF, DKIM, DMARC and reverse DNS ?
    - reverse DNS : do you confirm that option system>server config>mail>reject unknow hostname, correspond to reject server without reverse DNS ? This cannot be managed domain by domain. It is at server level only ?
    - SPF, DKIM and DMARC : server sending mails should says in SPF and DMARC what to do with mails. Is my configuration able to manage that directives from SPF & DMARC ? Should I do something to have SPF, DKIM, DMARC considered ? If these DNS record are not implemented by the sender, what my postfix is doing ?
    - what is reject_unknown_helo_hostname in comparaison to that ? I suspect to be SPF, but not sure.

    Thanks a lot :)
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You can read about all these buzzwords in Wikipedia. If that is not enough, use Internet Search engines.
    My signature has link to e-mail tutorial.
    I am willing to answer your guestions, but the way you wrote then now I am not able to answer in less than ten pages. So rather than my ten pages, read the answers in Wikipedia.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    spf/dkim/dmarc are checked by your spam scanner, so see if you're using amavis or rspamd and keep that in mind as you are learning.
    This setting controls if postfix's reject_unknown_hostname and/or reject_unknown_helo_hostname settings are used (see postfix docs for details). Yes, they are server-wide, not per-recipient domain or such.
     
  4. francoisPE

    francoisPE Member HowtoForge Supporter

    I thought I read it carefully :confused:
    I will read it more deeply...o_O
    still to learn !
     
  5. francoisPE

    francoisPE Member HowtoForge Supporter

    I deep dive :D and come back to confirm few points (may be that will help other beginners...)

    Regarding postfix: reject_unknown_helo_hostname, reject_unknown_client_hostname. I understand that is "no A/MX DNS record" for reject_unknown_helo_hostname, and, "no matching PTR/A record" for reject_unknown_client_hostname. I make it very simple : every explaination on that page http://www.postfix.org/postconf.5.html

    Regarding DKIM : I found out in amavis conf, file '50-user' contains "$enable_dkim_verification = 1;" It is clear to me DKIM test is done for incoming mails.

    Regarding SPF, it seems that spamassassin is doing it. But ISPconfig set up includes : "
    service spamassassin stop ; update-rc.d -f spamassassin remove" and mentions that lib are used by ispconfig. So that I imagine that SPF test for incoming mails are done. Do you confirm ?

    SPF and DKIM test results are turn into score to tag mails (spamassassin lib as I understand)

    Regarding DMARC, it seems that incoming mails are not tested (to have directives from sender). Do you confirm ? Is there any reason for that ? Opendmarc conf seems to be not so difficult to do...

    I modify workflow found in https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-postfix to illustrate configurations as I understand it.

    Many thanks for your patience :)
     

    Attached Files:

    Last edited: May 12, 2021
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Whether your e-mail server checks SPF and DKIM is up to you. You can make it check those or ignore them.
    I run rspamd now, and it has scores for incoming mail matching SPF and having OK DKIM signature. Those scores can then be used to classify e-mail as spam or ham.
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No, both spamassassin and rspamd check dmarc and will have rules/symbols set accordingly.
     
  8. francoisPE

    francoisPE Member HowtoForge Supporter

    @Taleman
    My question was about default config following https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/
    I already change a little bit config adding postfwd.
    But I changed nothing on existing "default" configuration regarding DKIM, DMARC and SPF.
    Thanks to your replies (I don't forget @Jesse Norell !) it is now clear to me.

    For a reason I ignore https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/, is with spamassassin and not rspamd...
    I read on released note from Till, that 3.2 is nominally with rspamd ! Probably ubuntu 20.04 causes...

    I read so many things.

    One was about DKIM rotation.
    Is it really key, because ispconfig doesn't propose an automated rotation process. On your side, what are you doing ? with a 2048 key, I though it is almost impossible to hack !?

    Another was about postscreen : Do you think it is usefull to set up postcreen in addition to tests already performed with conf : https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/
     
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I'm not really sure what your question is, but you can generate a new dkim key if you want to change it for some reason (eg. Larger key size). You might want to change the selector in that case, and may wish to keep the old selector published for a short time (you might have to add it manually after changing the selector, if guess).

    I use postscreen; many of the tests can't be performed by any other tool. I have found that in practice using the deep protocol tests requires installing postwhite along with some occasional (eg. maybe a couple times a year at most across several small servers) custom additions to the domain whitelist; I might try disabling those tests to simplify things.
     
  10. francoisPE

    francoisPE Member HowtoForge Supporter

    Thanks a lot.
    I'll look at :)
     

Share This Page