Validating SPF and DKIM at SMTP-time with exim

In our recent articles we've discussed creating SPF-records to avoid spoofed mails, and the creation and setup of DKIM-signing for emails, for a similar purpose. Here we'll look at the other side of the coin: performing DKIM and SPF testing on your incoming email.

To recap, briefly:

  • SPF is used to list IP addresses, and hosts, which are permitted to send mail for a given domain.
  • DKIM allows mail-headers to be signed, such that spoofs cannot fake them, and if valid signatures are found (using a public key stored in DNS) you can trust i

Configuring a mail-server can be done in numerous ways, even if you stick to the default MTA that Debian would select, which is exim4. To simplify things somewhat we will assume that you're using the "split config", which involves a bunch of configuration snippets stored beneath /etc/exim4/conf.d/. The snippets are concatenated to create the complete configuration which the daemon will actually use.

Whenever you make changes to these configuration-snippets you'll need to run two commands:

# update-exim4.conf
# service exim4 restart

(The first command rebuilds the configuration file, the second restarts the service so that the new configuration is applied.)

SPF-Checking at SMTP-time

Provided you have Debian's exim4-daemon-heavy package installed, as opposed to the exim4-daemon-light variant of exim, you can check SPF records at SMTP-time.

The configuration is very simple, but you do need to install some supporting software before you can enable it:

# apt-get install spf-tools-perl 

The spf-tools-perl package provides you with a simple daemon, and a simple application which allows you to test whether a given IP address may send mail from a particular domain. If you wish to perform such a test you can do so like this:

# spfquery.mail-spf-perl --ip-address 1.2.3.4 --mfrom [email protected]
example.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity (mechanism '-all' matched)

That command showed that the IP address 1.2.3.4 was not permitted to send mail for the domain example.com. By contrast this example shows that the IP address 212.110.179.70 is permitted to send mail from this domain:

# spfquery.mail-spf-perl --ip-address 212.110.179.70 --mfrom [email protected]
debian-administration.org: 212.110.179.70 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ip4:212.110.179.65/28' matched)
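
Added example (not part of the original article): a small POSIX sh sketch of how the two mechanisms named in the spfquery output, ip4: and all, are evaluated, showing why 212.110.179.70 matches ip4:212.110.179.65/28. The function names and the RECORD value are assumptions made for illustration; mechanisms that need DNS lookups (a, mx, include) are skipped, so real checks should still go through spfquery.

```shell
#!/bin/sh
# Added example: evaluates only the ip4 and all mechanisms of an SPF record.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR block $2 (no prefix length means /32).
in_cidr() {
    case $2 in
        */*) base=${2%/*}; bits=${2#*/} ;;
        *)   base=$2; bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$base") & $mask )) ]
}

# Print the SPF result for connecting address $1 against record text $2.
spf_ip4_result() {
    ip=$1
    set -f; set -- $2; set +f      # split the record into terms, no globbing
    for term in "$@"; do
        qualifier=+
        case $term in
            [-~?+]*) qualifier=${term%"${term#?}"}; term=${term#?} ;;
        esac
        case $term in
            ip4:*) in_cidr "$ip" "${term#ip4:}" || continue ;;
            all)   ;;
            *)     continue ;;     # v=spf1, and mechanisms that need DNS
        esac
        case $qualifier in
            +) echo pass ;; -) echo fail ;; '~') echo softfail ;; *) echo neutral ;;
        esac
        return 0
    done
    echo neutral                   # no mechanism matched
}

# Constructed record holding the two mechanisms quoted in the output above.
RECORD='v=spf1 ip4:212.110.179.65/28 -all'
spf_ip4_result 212.110.179.70 "$RECORD"    # inside 212.110.179.64-79
spf_ip4_result 1.2.3.4 "$RECORD"           # falls through to -all
```

The /28 mask clears the low four bits, so the base address .65 and the sender .70 both reduce to .64 and the mechanism matches.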

Back on-topic, once you have the appropriate supporting package present you can add the following to the file /etc/exim4/conf.d/main/00_local_macros, creating that file if necessary:

 CHECK_RCPT_SPF=true 

Once you've done that, and applied the change, you'll find that SPF-failures will be rejected at SMTP-time.

DKIM-Checking at SMTP-time

DKIM-checking requires no additional software to be installed, but it does have a slightly more complex configuration. Edit /etc/exim4/conf.d/acl/00_exim4-config_header, adding the following to the start of the file:

 acl_smtp_dkim = acl_check_dkim 

All being well this will then be the complete contents:

 acl_smtp_dkim = acl_check_dkim

 ######################################################################
 #                       ACL CONFIGURATION                            #
 #         Specifies access control lists for incoming SMTP mail      #
 ######################################################################
 begin acl

After this create the file /etc/exim4/conf.d/acl/10_local_dkim_check, with this content:

 acl_check_dkim:

       # Deny failures
       deny
            dkim_status = fail
            logwrite = DKIM test failed: $dkim_verify_reason
            add_header = X-DKIM: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.

       # Deny invalid signatures
       deny
            dkim_status = invalid
            add_header = X-DKIM: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
            logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), but signature is invalid.

       # Accept valid/passed sigs
       accept
            dkim_status = pass
            logwrite = DKIM test passed
            add_header = X-DKIM: DKIM passed: (address=$sender_address domain=$dkim_cur_signer), signature is good.

       # And anything else.
       accept

This concludes the configuration of SMTP-time DKIM checking for exim. Once you've updated the configuration and restarted the service, you'll see log-entries like so:

 ..
 2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM: d=googlemail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
 2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM test passed
 2015-08-02 19:34:06 1ZLy5G-0001rA-Lh <= [email protected] ..
 ..

As you can see from the snippet, incoming emails will have a new header, X-DKIM, added to them recording the result. Failures, however, result in SMTP-time rejection, so for those the result only ends up in the mailserver logfile (/var/log/exim4/mainlog).
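
Added example (not part of the original article): a POSIX sh and awk sketch that tallies the "DKIM:" lines of the logfile per signing domain, so you can see which senders the deny rules above would affect. The sample lines are constructed; only the googlemail.com line follows the article's log excerpt, and the bracketed wording of the non-success lines, like the function names, is an assumption.

```shell
#!/bin/sh
# Added example: tally exim DKIM verification results per signing domain.

# Constructed sample in the mainlog format shown above. The message IDs, the
# domains and the bracketed text of the two non-success lines are made up.
sample_log() {
    cat <<'EOF'
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM: d=googlemail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM test passed
2015-08-02 19:35:10 1ZLy6I-0001rF-2b DKIM: d=example.net s=mail c=relaxed/simple a=rsa-sha256 [verification failed - body hash mismatch]
2015-08-02 19:36:41 1ZLy7l-0001rK-9x DKIM: d=example.org s=k1 c=simple/simple a=rsa-sha1 [invalid - public key record unavailable]
2015-08-02 19:40:02 1ZLy9z-0001rQ-Qm DKIM: d=GoogleMail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
EOF
}

# Read mainlog lines on stdin; print "domain pass=N other=N", sorted by domain.
dkim_summary() {
    awk '
        $4 == "DKIM:" {
            # The signing domain is the d= tag; compare case-insensitively.
            domain = ""
            for (i = 5; i <= NF; i++)
                if ($i ~ /^d=/) { domain = tolower(substr($i, 3)); break }
            # The verification result is the text between the brackets.
            lb = index($0, "["); rb = index($0, "]")
            if (domain == "" || lb == 0 || rb < lb) next
            result = substr($0, lb + 1, rb - lb - 1)
            seen[domain] = 1
            if (result == "verification succeeded") pass[domain]++
            else other[domain]++
        }
        END {
            for (d in seen)
                printf "%s pass=%d other=%d\n", d, pass[d], other[d]
        }
    ' | sort
}

sample_log | dkim_summary
```

Against the live log the call is dkim_summary < /var/log/exim4/mainlog; a domain with a non-zero "other" count is one whose mail the ACL would have rejected or passed through unverified.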

My only disappointment is that it doesn't seem possible to check DMARC configuration, at SMTP-time, using stock exim, without using a proxy of some kind, or complex and site-specific configuration. I'd certainly appreciate any pointers to such a thing.
