A checked version of this page, approved on 1 January 2025, was based on this revision.

Server Security Guide for Kicksecure, Linux, and Kicksecure Hardening

Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.

url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

An adversary might connect a keyboard to a server and attempt to login into a virtual console. See also Virtual Consoles Usage Documentation and Protection against Physical Attacks, Virtual Consoles.

The user should set a password for account user. If using user-sysmaint-split, the user should also set a password for account sysmaint.

If logging in passwordless over SSH using public key authentication, the user might be tempted to Locking a Password. However, then recovery using a virtual console over a KVM switch (such as PiKVM) will be no longer possible.

Confidential Computing Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Confidential_Computing Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#Confidential_Computing|Confidential Computing]]
Copy as Wikitext Click = Copy Copied to clipboard! [Confidential Computing](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Confidential_Computing)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Confidential Computing](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Confidential_Computing)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Confidential_Computing]Confidential Computing[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Confidential computing is an advanced security technology that protects data while it's in use, complementing existing protections for data at rest and in transit. The goal is to isolate sensitive data from unauthorized access, even from the cloud provider or system administrators.Confidential Computing (developers)

To the best of the author's knowledge, reasonably secure confidential computing is not currently achievable with Freedom Software. Technical details are available on the wiki pages Confidential Computing (developers) and Verified Boot.

E-Mail Delivery Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#E-Mail_Delivery Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#E-Mail_Delivery|E-Mail Delivery]]
Copy as Wikitext Click = Copy Copied to clipboard! [E-Mail Delivery](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#E-Mail_Delivery)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [E-Mail Delivery](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#E-Mail_Delivery)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#E-Mail_Delivery]E-Mail Delivery[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

DMARC Strict Alignment Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DMARC_Strict_Alignment Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#DMARC_Strict_Alignment|DMARC Strict Alignment]]
Copy as Wikitext Click = Copy Copied to clipboard! [DMARC Strict Alignment](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DMARC_Strict_Alignment)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [DMARC Strict Alignment](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DMARC_Strict_Alignment)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DMARC_Strict_Alignment]DMARC Strict Alignment[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Consider using DMARC strict alignment:

aspf=s;
adkim=s
relaxed alignment aspf=r; / adkim=r might lead to spammers sending e-mails impersonating the domain name and DMARC passing anyhow.
Illustrative examples on DMARC Strict Alignment

Tools Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Tools Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#Tools|Tools]]
Copy as Wikitext Click = Copy Copied to clipboard! [Tools](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Tools)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Tools](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Tools)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Tools]Tools[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

DKIM Header Injection Attack Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Header_Injection_Attack Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#DKIM_Header_Injection_Attack|DKIM Header Injection Attack]]
Copy as Wikitext Click = Copy Copied to clipboard! [DKIM Header Injection Attack](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Header_Injection_Attack)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [DKIM Header Injection Attack](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Header_Injection_Attack)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Header_Injection_Attack]DKIM Header Injection Attack[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Introduction:

Mitigation:

Future:

https://datatracker.ietf.org/doc/draft-kucherawy-dkim-anti-replay/

DKIM Replay Attack Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Replay_Attack Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#DKIM_Replay_Attack|DKIM Replay Attack]]
Copy as Wikitext Click = Copy Copied to clipboard! [DKIM Replay Attack](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Replay_Attack)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [DKIM Replay Attack](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Replay_Attack)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Replay_Attack]DKIM Replay Attack[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Could a DKIM replay attack be resolved by enforcing In theory, yes. In practice, unsupported by DMARC. See DMARC Alignment: Enforce messages pass BOTH SPF and DKIM. And unlikely to be ever implemented since this would break the e-mail forwarding use case.

DKIM Required Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Required Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#DKIM_Required|DKIM Required]]
Copy as Wikitext Click = Copy Copied to clipboard! [DKIM Required](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Required)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [DKIM Required](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Required)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#DKIM_Required]DKIM Required[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Is SPF + DMARC sufficient or would this lead to ending up in the spam folder?

DMARC will pass (success, not a failure) when either SPF or DMARC has pass.
- Such as pass (as in DMARC reports) however does only indicate that DMARC was pass. The e-mail could still end up being rejected for being spam or end up in the spam folder.
Quote https://emfluence.com/blog/how-dkim-affects-email-deliverability:
Yahoo! requires DKIM to sign up for their Feedback Loop (where they keep track of spam complaints). That means anyone who doesn’t have DKIM set up isn’t capturing spam complaints at Yahoo!, and because of that, those email addresses aren’t being suppressed automatically. That could put you on the road to being blocked or blacklisted by Yahoo!
https://dmarcly.com/blog/can-i-set-up-dmarc-without-dkim doesn't mention spam.
Quote https://support.google.com/a/answer/174124?hl=en:
Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.

e-mail self hosting is hard Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#e-mail_self_hosting_is_hard Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#e-mail_self_hosting_is_hard|e-mail self hosting is hard]]
Copy as Wikitext Click = Copy Copied to clipboard! [e-mail self hosting is hard](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#e-mail_self_hosting_is_hard)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [e-mail self hosting is hard](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#e-mail_self_hosting_is_hard)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#e-mail_self_hosting_is_hard]e-mail self hosting is hard[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

rain dance required:

https://www.mailmonitor.com/repair-a-bad-domain-reputation-with-gmail/

SPF Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#SPF Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#SPF|SPF]]
Copy as Wikitext Click = Copy Copied to clipboard! [SPF](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#SPF)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [SPF](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#SPF)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#SPF]SPF[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

SPF mostly ignored:

"SPF is terrible, but was necessary"
- https://security.stackexchange.com/questions/115981/why-do-email-that-didnt-pass-spf-checks-go-to-my-mailbox

Headers Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Headers Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#Headers|Headers]]
Copy as Wikitext Click = Copy Copied to clipboard! [Headers](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Headers)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Headers](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Headers)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Headers]Headers[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

View e-mail headers:

For example in Thunderbird: select an e-mail -> View -> Message Source

There are two different "From" fields in an e-mail.

A) 'MAIL FROM' https://en.wikipedia.org/wiki/Bounce_address
B) 'From' header https://en.wikipedia.org/wiki/Email#Message_header

Very good explanation here: https://www.xeams.com/difference-envelope-header.htm

Checking DKIM Signatures on the Command Line Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Checking_DKIM_Signatures_on_the_Command_Line Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#Checking_DKIM_Signatures_on_the_Command_Line|Checking DKIM Signatures on the Command Line]]
Copy as Wikitext Click = Copy Copied to clipboard! [Checking DKIM Signatures on the Command Line](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Checking_DKIM_Signatures_on_the_Command_Line)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Checking DKIM Signatures on the Command Line](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Checking_DKIM_Signatures_on_the_Command_Line)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Checking_DKIM_Signatures_on_the_Command_Line]Checking DKIM Signatures on the Command Line[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Might be mostly only useful for learning and testing purposes.

Install dkimverify.

Install package(s) python3-dkim following these instructions

Platform specific notice.

Kicksecure: No special notice.
Kicksecure-Qubes: In Template.

Update the package lists and upgrade the system.

Click = Copy Copied to clipboard! sudo apt update && sudo apt full-upgrade

Install the python3-dkim package(s).

Using apt command line --no-install-recommends option is in most cases optional.

Click = Copy Copied to clipboard! sudo apt install --no-install-recommends python3-dkim

Platform specific notice.

Kicksecure: No special notice.
Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

Done.

The procedure of installing package(s) python3-dkim is complete.

Click = Copy Copied to clipboard! dkimverify < e-mail.eml

Abuse Notifications Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Abuse_Notifications Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#Abuse_Notifications|Abuse Notifications]]
Copy as Wikitext Click = Copy Copied to clipboard! [Abuse Notifications](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Abuse_Notifications)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Abuse Notifications](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Abuse_Notifications)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Abuse_Notifications]Abuse Notifications[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

consider signing up for https://www.abuse.net/addnew.phtml

Standard E-Mail Addresses Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Standard_E-Mail_Addresses Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#Standard_E-Mail_Addresses|Standard E-Mail Addresses]]
Copy as Wikitext Click = Copy Copied to clipboard! [Standard E-Mail Addresses](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Standard_E-Mail_Addresses)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Standard E-Mail Addresses](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Standard_E-Mail_Addresses)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Standard_E-Mail_Addresses]Standard E-Mail Addresses[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

a number of standard e-mail addresses should redirect to the inbox of the server administrator

Miscellaneous Server Tests Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Miscellaneous_Server_Tests Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#Miscellaneous_Server_Tests|Miscellaneous Server Tests]]
Copy as Wikitext Click = Copy Copied to clipboard! [Miscellaneous Server Tests](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Miscellaneous_Server_Tests)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Miscellaneous Server Tests](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Miscellaneous_Server_Tests)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Miscellaneous_Server_Tests]Miscellaneous Server Tests[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Footnotes Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Footnotes Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Server_Security_Guide#Footnotes|Footnotes]]
Copy as Wikitext Click = Copy Copied to clipboard! [Footnotes](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Footnotes)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Footnotes](https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Footnotes)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Server_Security_Guide?direction=prev&oldid=91829#Footnotes]Footnotes[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Server Security Guide

Contents

Navigation menu

Server Security Guide

Navigation menu

Search

Disable server cache for this browser

Debug vis URL