Migrating from SME 9.2 - email questions

NethServer Version: nethserver-7.9.2009-x86_64
Module: email

While reading a lot in the forum and in the wiki, I’m wondering how from SME the SPF and DMARC settings could be configured in NS?

In a running SME mail server (fixed IP, no relay) the output of:

#db configuration show qpsmtpd
qpsmtpd=service
BadCountries=A1,AC,AD,AE,AF,AG,AI,AL,AM,AN,AO,AQ,AP,AR,AS,ASIA,AU,AW,AX,AZ,BB,BD,BF,BG,BH,BI,BJ,BL,BM,BN,BO,BQ,BR,BS,BT,BV,BW,BY,BZ,CC,CD,CF,CG,CI,CK,CL,CM,CN,CO,CR,CU,CV,CW,CX,CY,DJ,DM,DO,DZ,EC,EDU,EE,EG,EH,ER,FJ,FK,FM,FO,GA,GD,GE,GF,GG,GH,GI,GL,GM,GN,GOV,GP,GQ,GS,GT,GU,GW,GY,HK,HM,HN,HT,ID,IL,IM,IN,IO,IQ,IR,JE,JM,JO,JOBS,JP,KE,KG,KH,KI,KM,KN,KP,KR,KW,KY,KZ,LA,LB,LC,LK,LR,LS,LT,LV,LY,MA,MC,MD,ME,MF,MG,MH,MIL,ML,MM,MN,MO,MOBI,MP,MQ,MR,MS,MT,MU,MUSE,MV,MW,MX,MY,MZ,NA,NAME,NC,NE,NF,NG,NI,NP,NR,NU,NZ,OM,PA,PE,PF,PG,PH,PK,PM,PN,PR,PRO,PS,PW,PY,QA,RE,RO,RS,RU,RW,SA,SB,SC,SD,SE,SG,SH,SJ,SK,SL,SM,SN,SO,SR,SS,ST,SU,SV,SX,SY,SZ,TC,TD,TEL,TF,TG,TH,TJ,TK,TL,TM,TN,TO,TP,TR,TRAV,TT,TV,TW,TZ,UA,UG,UM,UY,UZ,VA,VC,VE,VG,VI,VN,VU,WF,WS,XXX,YE,YT,ZA,ZM,ZW
Bcc=enabled
BccMode=bcc
BccUser=maillog
DKIMSigning=enabled
DMARCReject=enabled
DMARCReporting=enabled
DNSBL=enabled
GeoIP=enabled
HeloPolicy=lenient
Karma=enabled
KarmaNegative=3
KarmaStrikes=3
LogLevel=6
MaxScannerSize=35000000
RBLList=zen.spamhaus.org,bl.spamcop.net,dnsbl-1.uceprotect.net
RHSBL=enabled
RelayRequiresAuth=enabled
SBLList=multi.surbl.org,rhsbl.sorbs.net,dbl.spamhaus.org,black.uribl.com
SPFRejectPolicy=1
TlsBeforeAuth=1
UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
URIBL=enabled
access=public
qplogsumm=disabled
status=enabled

Where/how can DMARC Reject and Reporting and SPF Reject be configured (besides i.e. geo-blocking) in the NS?

BTW the SME shows for:

#qpsmtpd-print-dns online.de

default._domainkey IN TXT "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqVcwtXs861k8h99DZjzF3ZhdIo7LKDzLEL2sQJUFdMUEZxkqaaFFVcXgVVQiKGy9UyUl9nl3/sV7NCpMcQyeWatKPYQR8hLhWyl87xtHgTT0ytpfH9TY0Sme2PLlLQODpbJ4V9H1mzg+0""i6tiTRvMk4dwaNO2MGKIOPbgN5bqMW9FfJNN79fQkUbC64hN4gfTh5lcxQE4qrPzmUd2mspBipQ0CtDAMoUL4e/HWeHkbXI9mHew+gFdOgMJ6aSDjtd3i00aSvnGdmfb+zGoksenbsfNwIDAQAB;t=y"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@online.de; pct=100"

All records are properly defined at the hoster which gives my email a lovely 10/10 at mailtester.

If I overread something, just a hint or link would be nice. Thanks for any help.

regards,
stefan

Antispam (mail filtering) is done by nethserver-mail-filter which is installed by default if you installed the mail module from the software center. The nethserver-mail-filter module is based on rspamd.

EDIT (be more precise in the answer):
AFAIK: DMARC and SPF policies are enabled by default in rspamd.

If you have it installed you may have a peek at the complete list, in cockpit go to Applications > email > settings

then filter > go to Rspamd user interface : Open


If you hit the symbols button you can see all the filter modules enabled.
Do not ask me how to personalize the settings, I keep it default as-is:

In short the working principle of rspamd is: it looks at all kinds of properties of the incoming mail and adds a score per property to it. If the score exceeds the spam threshold it blocks the mail; if it is lower it gets delivered in the spam-mailbox.

This is all the help I can give, hope it is a bit useful :slight_smile:


Thank you, this is very helpful.

Is there a way to use my old dkim key from the SME on the NS after migration?

regards,
stefan

Hi @schulzstefan

you can enable/configure the DKIM signature for your domain at:

Applications > Email > settings
then: Domains > [list item] = 3 dots on the left > Configure DKIM

TIP (if you did not find it yet)
go to Applications > Email > [list item] = 3 dots on the left
and choose Add shortcut; now the Email module is pinned on the left menu

So copy and paste would do the job?

Not sure, the signature can be in (raw) “TXT” or (DNS) “record” format.

As you know it has to be an exact match, hope others can chime in on how SME and NS formats relate to each other.

I’ll give the “TXT” a chance and check it.


I migrated the server last night. First things to check were email and letsencrypt. Both are not running out of the box after a few other things which can wait.

Let’s start with the dkim record. My provider allows up to 2048 bit keys. Copying and pasting the key gives a mismatch error at the check status box. How can this be solved? Is the key a new one or is it from the migration?

Here’s an error from an email I sent to vodafone:

dkim=fail header.d=online.de (key DNS reply corrupt);

It’s a new one, you need to input it again in the DNS record.

Thanks for your help.

I already put it in the DNS record of the provider. Still getting a mismatch.

Could you please tell me (even privately if you prefer) your domain name so that I could check your public DNS records?

The domain is ivbonline.de.

The DKIM record seems to be valid.
I’m sorry I can’t guess more without further information.

All right, what do we need to track this down?

edit: Let’s try to fix this (beside other migration errors) at another day. My wife tells me our neighbours are visiting us for dinner. (Yes it’s corona conform, they’re two people, and we’re also two people, it’s o.k. for Germany (BW)). Maybe we can start tomorrow, your help is very much appreciated. Perhaps I should open a separate thread i.e. migration roadmap from sme 9.2 to NethServer 7.9.2009?

regards,
stefan

cat /etc/opendkim/default.txt

should show the same value of

host -t txt default._domainkey.online.de

Also, please, show output of:

db domains show ivbonline.de
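
The comparison asked for above, as an added example that is not part of the original thread: a TXT record is a series of strings that verifiers concatenate, so the key file and the `host` output have to be compared on the joined `p=` value rather than line by line. The function names, the shortened fake key and the placeholder domain example.org are constructed for illustration.

```python
import re

def txt_payload(record_text):
    """Join all double-quoted chunks of a TXT record.

    A TXT record is a sequence of strings of at most 255 bytes each; a DKIM
    verifier concatenates them with nothing in between, so where the chunk
    boundaries fall does not matter.
    """
    return "".join(re.findall(r'"([^"]*)"', record_text))

def dkim_tags(record_text):
    """Parse 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace in values."""
    tags = {}
    for part in txt_payload(record_text).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def compare_keys(local_text, dns_text):
    """Return (match, local_len, dns_len, first_diff) for the two p= values."""
    local_p = dkim_tags(local_text).get("p", "")
    dns_p = dkim_tags(dns_text).get("p", "")
    if local_p == dns_p:
        return (True, len(local_p), len(dns_p), None)
    shorter = min(len(local_p), len(dns_p))
    first_diff = next((i for i in range(shorter) if local_p[i] != dns_p[i]), shorter)
    return (False, len(local_p), len(dns_p), first_diff)

# Constructed sample data (shortened fake key, placeholder domain example.org).
LOCAL = '''default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=AAAABBBBCCCCDDDD"
  "EEEEFFFFGGGG" ) ; ----- DKIM key default for example.org'''
DNS_SAME = ('default._domainkey.example.org descriptive text '
            '"v=DKIM1;k=rsa;p=AAAABBBBCCCCDD" "DDEEEEFFFFGGGG"')
DNS_CUT = ('default._domainkey.example.org descriptive text '
           '"v=DKIM1;k=rsa;p=AAAABBBBCCCCEEEEFF" "FFGGGG"')

if __name__ == "__main__":
    for label, dns in (("same key, different split", DNS_SAME),
                       ("chunk lost in paste", DNS_CUT)):
        print(label, compare_keys(LOCAL, dns))
```

A differing length together with a `first_diff` offset points at a chunk that was dropped or altered when the record was pasted into the provider's DNS form, which a visual comparison of two long base64 strings easily misses.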

Here we go:

cat /etc/opendkim/default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2yKpjcXU8TBZ183OzLaiiUCAXf8MhqT5UgqjWQ69GFSziWUZMINfEMobp5VrN3y+FNsKV5wuT5kvuNYynBG2QBJoDSHKUovICsKQdTOrSQ1o58dHVYHw2asBanpBcJuOnDCOg4u0HopfnIhCsbDnhK0AhyJQnVdUPGixXtdp+3CMS2q63rJhVM/1CNMoPo3mmF8N+z7On7HK39"
"kyrqr1PnvOEa784w+JwksheQTvit5dDmhBIzQf1Bu13mIlBAvRkCndv+BlDyK00cH/tcSJgZ96qAh7Pd7VtvefiBHkBarBc9ZKb8gXpDoocUlHiLsRytee+/nPDreZkwWdB1/CzQIDAQAB" ) ; ----- DKIM key default for ivbonline.de

host -t txt default._domainkey.online.de

default._domainkey.online.de.ivbonline.de has no TXT record

db domains show ivbonline.de

ivbonline.de=domain
AlwaysBccAddress=
AlwaysBccStatus=disabled
Description=
DisclaimerStatus=disabled
OpenDkimStatus=enabled
TransportType=LocalDelivery
UnknownRecipientsActionDeliverMailbox=
UnknownRecipientsActionType=bounce

I think there was a little typo in the instructions… (your domain is ivbonline right?)

# host -t txt default._domainkey.ivbonline.de
default._domainkey.ivbonline.de descriptive text "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2yKpjcXU8TBZ183OzLaiiUCAXf8MhqT5UgqjWQ69GFSziWUZMINfEMobp5VrN3y+FNsKV5wuT5kvuNYynBG2QBJoDSHKUovICsKQdTOrSQ1o58dHVYHw2asBanpBcJuOnDCOg4u0HopfnIhCsbDnhK0kyrqr1PnvOEa784w+JwksheQTvit5dDmhBIzQf1Bu13m" "IlBAvRkCndv+BlDyK00cH/tcSJgZ96qAh7Pd7VtvefiBHkBarBc9ZKb8gXpDoocUlHiLsRytee+/nPDreZkwWdB1/CzQIDAQAB"

Oops, my fault, sorry.

@schulzstefan everything seems to be configured correctly.
Can you show the headers of a mail you sent from your NethServer account?


Correct.

Again:

host -t txt default._domainkey.ivbonline.de

default._domainkey.ivbonline.de descriptive text "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2yKpjcXU8TBZ183OzLaiiUCAXf8MhqT5UgqjWQ69GFSziWUZMINfEMobp5VrN3y+FNsKV5wuT5kvuNYynBG2QBJoDSHKUovICsKQdTOrSQ1o58dHVYHw2asBanpBcJuOnDCOg4u0HopfnIhCsbDnhK0kyrqr1PnvOEa784w+JwksheQTvit5dDmhBIzQf1Bu13m" "IlBAvRkCndv+BlDyK00cH/tcSJgZ96qAh7Pd7VtvefiBHkBarBc9ZKb8gXpDoocUlHiLsRytee+/nPDreZkwWdB1/CzQIDAQAB"
