Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
email_protection_resources [2018/01/14 03:51] Stephane de Labrusse |
email_protection_resources [2018/05/26 15:24] (current) Dan Brown [How to configure it?] remove errant italics |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| The email server is a central communication hub for your company. It needs to be protected and secured against spam, but also you must be sure that your emails are correctly delivered to your recipients and not rejected or tagged as spam by other platforms like Google Apps, Outlook 365, etc. | The email server is a central communication hub for your company. It needs to be protected and secured against spam, but also you must be sure that your emails are correctly delivered to your recipients and not rejected or tagged as spam by other platforms like Google Apps, Outlook 365, etc. | ||
| - | Around an Email Server, you have always methods to verify the emails are not sent by a spam host, like SPF, DKIM, DMARC, rDNS: This is what we will talk. In all probability if you do not configure properly all of these authentication methods your email will be refused. | + | Around an Email Server, you have always methods to verify the emails are not sent by a spam host, like SPF, DKIM, DMARC, rDNS: This is what we will talk. In all probability if you do not configure properly all of these authentication methods your email will be refused. For the impatient, they can check now and see what they have to configure: go to https://www.mail-tester.com and send an email to the address given (only three free tests per day). Think to remove your smarthost sender if you have one configured. |
| - | For the impatient, they can check now and see what they have to configure: go to https://www.mail-tester.com and send an email to the address given (only three free tests per day). Think to remove your smarthost sender if you have one configured. | + | It is easy to install and create a mail server with nethserver, but you must configure the DNS zone of your domain name in the settings of your public DNS provider, we want to detail all the mandatory DNS records. This settings are really important it is likely the phone number of your server. As a side note, the DNS is not relevant of the email server, it is used by all services which need to be reachable on internet. |
| <WRAP center round important 60%> | <WRAP center round important 60%> | ||
| Line 38: | Line 38: | ||
| The purpose of DNS is to use easy to remember domain names for websites instead of their numeric IP addresses. It also enables website owners to change their web hosts without changing domain names. Website owners can simply change the DNS entry for their domain name and point to their new web host’s name servers. | The purpose of DNS is to use easy to remember domain names for websites instead of their numeric IP addresses. It also enables website owners to change their web hosts without changing domain names. Website owners can simply change the DNS entry for their domain name and point to their new web host’s name servers. | ||
| - | <WRAP center round todo 60%> | + | |
| - | It is easy to install and create a mail server with nethserver, but you must configure the DNS zone of your domain name in the settings of your public DNS provider, we want to explain all the mandatory DNS records. | + | |
| - | </WRAP> | + | |
| - | + | ||
| ===== DNS ===== | ===== DNS ===== | ||
| Line 64: | Line 61: | ||
| </file> | </file> | ||
| - | ===How to check it=== | + | ===How to check it ?=== |
| The domain must be tested | The domain must be tested | ||
| Line 80: | Line 77: | ||
| 164.132.xxx.xxx | 164.132.xxx.xxx | ||
| </file> | </file> | ||
| + | |||
| === sub.domain.com === | === sub.domain.com === | ||
| - | Nethserver creates several sub domain by default to be reached from outside or internally (check /etc/hosts), you have to declare them to your (external) public DNS provider and creates for each one a 'A' record with the internet IP of your server | + | Nethserver creates several sub domain by default to be reached from outside or internally (check /etc/hosts), you have to declare them to your (external) public DNS provider and creates for each one a 'A' record with the internet IP of your server. This is not relevant to your email server, but generally for all services running on your server and needing to be reachable on the internet. |
| **At minimal you must create these sub.domains and set the 'A' records to the internet IP of your server** | **At minimal you must create these sub.domains and set the 'A' records to the internet IP of your server** | ||
| Line 116: | Line 114: | ||
| </file> | </file> | ||
| - | ===How to check it=== | + | ===How to check it ?=== |
| Each subdomain must be tested | Each subdomain must be tested | ||
| Line 160: | Line 158: | ||
| </file> | </file> | ||
| - | ===How to check it=== | + | ===How to check it ?=== |
| * Web tools | * Web tools | ||
| Line 206: | Line 204: | ||
| - | ====How to check it==== | + | ====How to check it ?==== |
| * Web tools | * Web tools | ||
| Line 240: | Line 238: | ||
| <file> | <file> | ||
| - | PTR record YourIpProvider | + | set PTR record YourIpProvider |
| </file> | </file> | ||
| - | ====How to check it==== | + | ====How to check it ?==== |
| * Web tools | * Web tools | ||
| Line 304: | Line 302: | ||
| * [[https://support.smtp2go.com/hc/en-gb/sections/205104687-SPF-DKIM-Setup-Guides|smtp2go.com]] | * [[https://support.smtp2go.com/hc/en-gb/sections/205104687-SPF-DKIM-Setup-Guides|smtp2go.com]] | ||
| - | ====How to check it==== | + | ====How to check it ?==== |
| * Web tools | * Web tools | ||
| https://mxtoolbox.com/spf.aspx | https://mxtoolbox.com/spf.aspx | ||
| Line 330: | Line 328: | ||
| Dkim is really simple with NethServer, go to the email panel and allow DKIM in the setting of your domain, then retrieve the digital key of this domain. Then this key must be saved in a **TXT record** in your (external) public DNS provider. | Dkim is really simple with NethServer, go to the email panel and allow DKIM in the setting of your domain, then retrieve the digital key of this domain. Then this key must be saved in a **TXT record** in your (external) public DNS provider. | ||
| - | DKIM needs to be configured in the public DNS. You must create a **TXT** record 'default._domainkey' or 'default._domainkey.domain.com' in the DNS zone of your provider. **Your DKIM selector is default** | + | DKIM needs to be configured in the public DNS. You must create a **TXT** record '%%default._domainkey%%' or '%%default._domainkey.domain.com%%' in the DNS zone of your provider. **Your DKIM selector is default** |
| <file> | <file> | ||
| Line 341: | Line 339: | ||
| ====How to configure it ?==== | ====How to configure it ?==== | ||
| * [[https://support.smtp2go.com/hc/en-gb/sections/205104687-SPF-DKIM-Setup-Guides|smtp2go.com]] | * [[https://support.smtp2go.com/hc/en-gb/sections/205104687-SPF-DKIM-Setup-Guides|smtp2go.com]] | ||
| - | ====How to check it==== | + | ====How to check it ?==== |
| * Web tools | * Web tools | ||
| https://mxtoolbox.com/dkim.aspx | https://mxtoolbox.com/dkim.aspx | ||
| Line 379: | Line 377: | ||
| </file> | </file> | ||
| - | ==== How to check it ==== | + | Here's a more complex DMARC entry for the test domain DMARC site: |
| + | |||
| + | <file> | ||
| + | v=DMARC1; p=quarantine; rua=mailto:reports@dmarc.site; ruf=mailto:reports@dmarc.site; adkim=r; aspf=r; rf=afrf | ||
| + | </file> | ||
| + | |||
| + | * The "p" option has three options: none, quarantine, or reject, for how email that violates policies should be handled | ||
| + | * The adkim and aspf options define how strictly DKIM and SPF policy should be applied, with 's' indicating strict and 'r' indicating relaxed | ||
| + | * The RUA provides an address for aggregate data reports, while the RUF provides an address for forensic reports | ||
| + | ==== How to check it ?==== | ||
| * Web tools | * Web tools | ||
