Email: Difference between revisions
imported>Sjwhitak No edit summary |
imported>Sjwhitak No edit summary |
||
Line 22: | Line 22: | ||
** Name: <code>_dmarc.horatio.us</code>, Value: <code>v=DMARC1;p=quarantine;</code> |
** Name: <code>_dmarc.horatio.us</code>, Value: <code>v=DMARC1;p=quarantine;</code> |
||
These DNS records are required to prevent spammers from spoofing your email. It's quite simple to spoof your email, simply set the "From" header to whatever you want, and so you could just use <code>From: steven@example.com</code> to a bunch of people. The <code>spf1</code> DNS record says that if an email sent outside of the IP <code>141.219.188.20</code>. If someone actually <em>does</em> try to use your email, it'll be quarantined following your <code>DMARC1</code> value. Finally, if someone spoofs your IP somehow, they will also require your private key to compare with your <code>DKIM1</code> public key shown in the third <code>TXT</code> record. |
These DNS records are required to prevent spammers from spoofing your email. It's quite simple to spoof your email, simply set the "From" header to whatever you want, and so you could just use <code>From: steven@example.com</code> to a bunch of people. The <code>spf1</code> DNS record says that if an email sent outside of the IP <code>141.219.188.20</code>, then they'll assume someone else was trying to spoof your email. With no <code>spf1</code> record, there's no way to know if this email is spoofed or not, so your domain will not be trustworthy. If someone actually <em>does</em> try to use your email, it'll be quarantined following your <code>DMARC1</code> value. Finally, if someone spoofs your IP somehow, they will also require your private key to compare with your <code>DKIM1</code> public key shown in the third <code>TXT</code> record. |
||
Finally, you'll need to set your <code>rDNS</code> record on your server yourself. I don't know how to do this on a server you own, but if you're using a VPS, you set this rDNS value on your server, not the domain. <code>rDNS</code> is a lookup parameter so someone requesting your IP (<code>dig -x 141.219.188.20</code>), it'll respond with the mail server domain name. |
Finally, you'll need to set your <code>rDNS</code> record on your server yourself. I don't know how to do this on a server you own, but if you're using a VPS, you set this rDNS value on your server, not the domain. <code>rDNS</code> is a lookup parameter so someone requesting your IP (<code>dig -x 141.219.188.20</code>), it'll respond with the mail server domain name. |
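Review bot: The completed SPF sentence in the new revision still lacks its verb: "if an email sent outside of the IP 141.219.188.20" should read "if an email is sent from an IP other than 141.219.188.20". In the unchanged context line above it, the DMARC record is named _dmarc.horatio.us while the paragraph's example address is steven@example.com; use one placeholder domain throughout so readers do not copy a record name that belongs to a different domain.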
Revision as of 07:59, 30 March 2022
This is honestly an academic exercise because almost everyone uses Google's IMAP servers or other big ones, and anyone who doesn't is probably a spammer. So, you have to try really, really hard and put a lot of settings in place to not act like a spammer. A spammer can do these exact same things, too, which means you'll need to try really hard to gain reputation and manually remove yourself from blacklists until you've put in so much effort that people have to assume you aren't a spammer. Then, if you get compromised and a spammer gains access to your mail server, you have to go through all of this all over again!
Own server
Follow this: https://gist.github.com/howyay/57982e6ba9eedd3a5662c518f1b985c7 to install dovecot and postfix. It's straightforward, but the DNS records may be a little confusing.
You need:
- A domain name (purchased from namecheap, whois, godaddy, etc)
- A server with Linux (Your own server, or purchase a VPS from linode, hostwinds, AWS, etc)
If your domain's example.com and your server's IP is 141.219.188.20, then point that domain to your server using your DNS records. This tutorial is a bit confusing with the DNS records, so I'm just going to step through this in more fidelity.
- A records
  - Name: example.com, IP: 141.219.188.20
  - Name: mail.example.com, IP: 141.219.188.20
- MX records
  - Name: mail.example.com, IP: 141.219.188.20, Priority 0
- TXT records
  - Name: example.com, Value: v=spf1 ip4:141.219.188.20 -all
  - Name: default._domainkey.example.com, Value: v=DKIM1; h=sha256; k=rsa; p=<your generated public key>
  - Name: _dmarc.horatio.us, Value: v=DMARC1;p=quarantine;
These DNS records are required to prevent spammers from spoofing your email. Spoofing is quite simple: the sender sets the "From" header to whatever they want, so anyone could send mail with From: steven@example.com to a bunch of people. The spf1 DNS record says that if an email is sent from outside the IP 141.219.188.20, receivers will assume someone else was trying to spoof your email. With no spf1 record, there's no way to know if this email is spoofed or not, so your domain will not be trustworthy. If someone actually does try to use your email, it'll be quarantined following your DMARC1 value. Finally, if someone spoofs your IP somehow, they will also need your private key, which is checked against your DKIM1 public key shown in the third TXT record.
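How a receiving server combines these records, as an added example (not code from this page or the linked gist): a minimal evaluator for the ip4/ip6/all SPF mechanisms and the DMARC p= tag, run over constructed copies of the TXT values above. It assumes the envelope sender domain matches the From domain, and uses 203.0.113.7 as a made-up spoofing source; all function names are hypothetical.

```python
import ipaddress

# Constructed sample records, mirroring the TXT values in the list above.
SPF = "v=spf1 ip4:141.219.188.20 -all"
DMARC = "v=DMARC1;p=quarantine;"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            # a, mx, include etc. need DNS lookups; refuse instead of guessing
            raise ValueError(f"mechanism not handled offline: {name}")
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def dmarc_policy(record):
    """Return the p= tag of a DMARC record, or None if it is not DMARC1."""
    pairs = (part.partition("=") for part in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
    return tags.get("p") if tags.get("v") == "DMARC1" else None


def disposition(spf_record, dmarc_record, client_ip, dkim_aligned=False):
    """Outcome at a DMARC-enforcing receiver for mail claiming the domain.

    Assumes the envelope sender domain matches the From domain (SPF alignment).
    """
    if spf_check(spf_record, client_ip) == "pass" or dkim_aligned:
        return "deliver"
    policy = dmarc_policy(dmarc_record)
    return policy if policy in ("quarantine", "reject") else "deliver"


if __name__ == "__main__":
    for ip in ("141.219.188.20", "203.0.113.7"):
        print(ip, spf_check(SPF, ip), disposition(SPF, DMARC, ip))
```

Changing -all to ~all in the sample turns the SPF result for the second address into softfail, but the DMARC disposition stays quarantine because neither SPF nor DKIM passes.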
Finally, you'll need to set your rDNS record on your server yourself. I don't know how to do this on a server you own, but if you're using a VPS, you set this rDNS value on your server, not the domain. rDNS is a reverse lookup: when someone queries your IP (dig -x 141.219.188.20), it responds with the mail server domain name.
Differences
The only trouble I had was working with PAM, and I think the configuration is wrong in 0x06 Setup Dovecot IMAP server, I could only get it to work with:
    passdb {
      args = failure_show_msg=yes
      driver = pam
    }
I don't really know why it worked. There might have been some issues where creating your user with PAM needed some reboots. In fact, I very much distrust this setup because I only modified this parameter so I could debug the issue, but it instead fixed it all. Who knows.
Logging
If you follow all these settings, you'll miss out on logging for everything, which will suck if something's not working. In /etc/dovecot/dovecot.conf add this line:
    !include conf.d/10-logging.conf
Then add some verbosity settings to this /etc/dovecot/conf.d/10-logging.conf file:
    log_path = /var/log/dovecot.log
    auth_verbose = yes
    auth_debug = yes
    auth_debug_passwords = yes
    mail_debug = yes
    verbose_ssl = yes
These 5 parameters are all the ones I found to get the most logging possible. Once you've got it working, you can drop the logging lines to keep everything clean. auth_debug_passwords = yes in particular can write attempted passwords to the log in plain text, so it should not stay enabled.
For postfix, you need to run these commands in your shell:
    postfix stop
    postconf maillog_file=/var/log/postfix.log
    postfix start
Ports
The IMAP server (dovecot) uses port 143 for STARTTLS.
The IMAP server (dovecot) uses port 993 for SSL/TLS.
This configuration uses "Normal password" for the authentication method since Dovecot uses PAM as the login.
The SMTP server (postfix) uses port 587 for STARTTLS.
The SMTP server (postfix) uses port 465 for SSL/TLS.
I was only able to get SSL/TLS working for the IMAP server. The SMTP server needed to use STARTTLS.
Spam
Spam is a big issue with email and it's "fixed" by blocking literally everything (Google's policy) if the IP isn't positively trustworthy. If it's slightly trustworthy, the email is simply sent directly to spam rather than being completely blocked.
To get around this (and if you know an easy way, let me know, sjwhitak is my email, please and thank you), go to https://mxtoolbox.com/blacklists.aspx and search your IP. For every list that has you blacklisted, you'll need to go to each of their websites and manually request that you be removed. Sometimes it takes weeks, sometimes only a few days (one list immediately took me off their list, which is a bit surprising to me and makes me not want to trust their spam list). This still does not guarantee you'll get past Google's email death wall, but you'll eventually be able to get past it. Internet searches for Gmail 550-5.7.1 will show a lot of people angry at Google, whose "improved" AI-system is blocking a lot of people.
If someone is more knowledgeable in this field, add to this. I'm not. I'm barely getting my email afloat and I can at least email disroot with this setup, but gmail outright fails completely, having a spammer use my IP 3 years ago.