{{Header}}
{{#seo:
|description=Server Security Guide for {{project_name_long}}, Linux, and {{project_name_long}} Hardening
|image=Securityguide123132.jpg
}}
[[image:Securityguide123132.jpg|thumb]]
{{intro|
Server Security Guide for {{project_name_short}}, Linux, and {{project_name_short}} Hardening
}}
{{stub}}
= E-Mail Delivery =
== DMARC Strict Alignment ==
Consider using DMARC strict alignment:
* aspf=s;
* adkim=s
* relaxed alignment aspf=r; / adkim=r might lead to spammers sending e-mails impersonating the domain name and DMARC passing anyhow.
* [https://web.archive.org/web/20221013074445/https://www.zerobounce.net/faqs/services.html Illustrative examples on DMARC Strict Alignment]
== Tools ==
* https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/
* https://report-uri.com/account/reports/dmarc/
* https://www.mailhardener.com/dashboard/dmarc-reports
* https://www.mailhardener.com/tools/dkim-validator
* https://tools.socketlabs.com/
* [https://www.appmaildev.com/en/dkimfile SPF/DKIM/DMARC/DomainKey/RBL Online Test]
* https://github.com/6point6/dmarc_checker
== DKIM Header Injection Attack ==
Introduction:
* https://prog.world/dkim-replay-attack-on-gmail/
* https://utcc.utoronto.ca/~cks/space/blog/spam/DKIMSpamReplayAttack
* https://wordtothewise.com/2014/05/dkim-injected-headers/
* https://www.zdnet.com/article/dkim-useless-or-just-disappointing/
Mitigation:
* https://halon.io/blog/the-dkim-replay-attack-and-how-to-mitigate
* https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
* https://proton.me/blog/dkim-replay-attack-breakdown
* https://security.stackexchange.com/questions/265408/how-many-times-need-e-mail-headers-be-signed-with-dkim-to-mitigate-dkim-header-i
* https://github.com/rspamd/rspamd/issues/2136
Future:
* https://datatracker.ietf.org/doc/draft-kucherawy-dkim-anti-replay/
== DKIM Replay Attack ==
* https://wordtothewise.com/2014/05/dkim-replay-attacks/
* https://tools.wordtothewise.com/rfc/6376#section-8.6
* https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/
Could a DKIM replay attack be resolved by enforcing In theory, yes. In practice, unsupported by DMARC. See [https://serverfault.com/questions/812367/dmarc-alignment-enforce-messages-pass-both-spf-and-dkim DMARC Alignment: Enforce messages pass BOTH SPF and DKIM]. And unlikely to be ever implemented since this would break the e-mail forwarding use case.
== DKIM Required ==
Is SPF + DMARC sufficient or would this lead to ending up in the spam folder?
* DMARC will pass (success, not a failure) when either SPF or DMARC has pass.
** Such as pass (as in DMARC reports) however does only indicate that DMARC was pass. The e-mail could still end up being rejected for being spam or end up in the spam folder.
* Quote https://emfluence.com/blog/how-dkim-affects-email-deliverability: Yahoo! requires DKIM to sign up for their Feedback Loop (where they keep track of spam complaints). That means anyone who doesn’t have DKIM set up isn’t capturing spam complaints at Yahoo!, and because of that, those email addresses aren’t being suppressed automatically. That could put you on the road to being blocked or blacklisted by Yahoo!
* https://dmarcly.com/blog/can-i-set-up-dmarc-without-dkim doesn't mention spam.
* Quote https://support.google.com/a/answer/174124?hl=en: Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.
== e-mail self hosting is hard ==
* https://www.reddit.com/r/selfhosted/comments/xoi5im/google_smtp_low_domain_reputation/
* and google postmaster tools don't help https://www.tablix.org/~avian/blog/archives/2019/04/google_is_eating_our_mail/
* https://superuser.com/questions/1718259/google-bounce-email-with-error-550-5-7-1-our-system-has-detected-that-this-messa
* https://support.google.com/mail/thread/13395379/domain-reputation-got-bad-and-not-restoring-for-1-5-months-all-messages-bounced-back-with-550-5-7
rain dance required:
* https://www.mailmonitor.com/repair-a-bad-domain-reputation-with-gmail/
== SPF ==
SPF mostly ignored:
* "SPF is terrible, but was necessary"
** https://security.stackexchange.com/questions/115981/why-do-email-that-didnt-pass-spf-checks-go-to-my-mailbox
== Headers ==
View e-mail headers:
* For example in Thunderbird: select an e-mail -> View -> Message Source
There are two different "From" fields in an e-mail.
* A) 'MAIL FROM' https://en.wikipedia.org/wiki/Bounce_address
* B) 'From' header https://en.wikipedia.org/wiki/Email#Message_header
Very good explanation here: https://www.xeams.com/difference-envelope-header.htm
== Checking DKIM Signatures on the Command Line ==
Might be mostly only useful for learning and testing purposes.
Install dkimverify.
{{Install Package|package=
python3-dkim
}}
{{CodeSelect|code=
dkimverify < e-mail.eml
}}
== Abuse Notifications ==
* consider signing up for https://www.abuse.net/addnew.phtml
== Standard E-Mail Addresses ==
* a number of [https://webmasters.stackexchange.com/questions/2030/should-i-set-up-standard-email-accounts-what-are-they standard e-mail addresses] should redirect to the inbox of the server administrator
= Miscellaneous Server Tests=
* See also [[Website_Tests|Website and Server Tests]].
* https://www.ssllabs.com/
* https://www.hardenize.com/
* https://hstspreload.org/
* https://securityheaders.com/
* https://clickjacker.io
* https://www.validbot.com/
* https://realfavicongenerator.net/
* https://sitecheck.sucuri.net/
* https://hostedscan.com/
* https://talosintelligence.com/
* https://www.debugbear.com/resource-hint-validator
* https://www.debugbear.com/test/website-speed
* https://developers.google.com/search/docs/appearance/structured-data
* https://pagespeed.web.dev/
* https://www.giftofspeed.com/gzip-test/
* https://gtmetrix.com/
* https://www.webpagetest.org/
* https://technicalseo.com/tools/robots-txt/
* https://www.cloudflare.com/ssl/encrypted-sni/
= See Also =
* https://help.ubuntu.com/lts/serverguide/console-security.html
* [[Website Tests]]
* [[Browser Tests]]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]