Server Security Guide
Server Security Guide for Kicksecure, Linux, and Kicksecure Hardening
E-Mail Delivery[edit]
DMARC Strict Alignment[edit]
Consider using DMARC strict alignment:
aspf=s;
adkim=s
- relaxed alignment
aspf=r;
/adkim=r
might lead to spammers sending e-mails impersonating the domain name and DMARC passing anyhow. - Illustrative examples on DMARC Strict Alignment
Tools[edit]
- https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/
- https://report-uri.com/account/reports/dmarc/
- https://www.mailhardener.com/dashboard/dmarc-reports
- https://www.mailhardener.com/tools/dkim-validator
- https://tools.socketlabs.com/
- SPF/DKIM/DMARC/DomainKey/RBL Online Test
- https://github.com/6point6/dmarc_checker
DKIM Header Injection Attack[edit]
Introduction:
- https://prog.world/dkim-replay-attack-on-gmail/
- https://utcc.utoronto.ca/~cks/space/blog/spam/DKIMSpamReplayAttack
- https://wordtothewise.com/2014/05/dkim-injected-headers/
- https://www.zdnet.com/article/dkim-useless-or-just-disappointing/
Mitigation:
- https://halon.io/blog/the-dkim-replay-attack-and-how-to-mitigate
- https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
- https://proton.me/blog/dkim-replay-attack-breakdown
- https://security.stackexchange.com/questions/265408/how-many-times-need-e-mail-headers-be-signed-with-dkim-to-mitigate-dkim-header-i
- https://github.com/rspamd/rspamd/issues/2136
Future:
DKIM Replay Attack[edit]
- https://wordtothewise.com/2014/05/dkim-replay-attacks/
- https://tools.wordtothewise.com/rfc/6376#section-8.6
- https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/
Could a DKIM replay attack be resolved by enforcing In theory, yes. In practice, unsupported by DMARC. See DMARC Alignment: Enforce messages pass BOTH SPF and DKIM. And unlikely to be ever implemented since this would break the e-mail forwarding use case.
DKIM Required[edit]
Is SPF + DMARC sufficient or would this lead to ending up in the spam folder?
- DMARC will
pass
(success, not a failure) when either SPF or DMARC haspass
.- Such as
pass
(as in DMARC reports) however does only indicate that DMARC waspass
. The e-mail could still end up being rejected for being spam or end up in the spam folder.
- Such as
- Quote https://emfluence.com/blog/how-dkim-affects-email-deliverability:
Yahoo! requires DKIM to sign up for their Feedback Loop (where they keep track of spam complaints). That means anyone who doesn’t have DKIM set up isn’t capturing spam complaints at Yahoo!, and because of that, those email addresses aren’t being suppressed automatically. That could put you on the road to being blocked or blacklisted by Yahoo!
- https://dmarcly.com/blog/can-i-set-up-dmarc-without-dkim doesn't mention spam.
- Quote https://support.google.com/a/answer/174124?hl=en:
Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.
e-mail self hosting is hard[edit]
- https://www.reddit.com/r/selfhosted/comments/xoi5im/google_smtp_low_domain_reputation/
- and google postmaster tools don't help https://www.tablix.org/~avian/blog/archives/2019/04/google_is_eating_our_mail/
- https://superuser.com/questions/1718259/google-bounce-email-with-error-550-5-7-1-our-system-has-detected-that-this-messa
- https://support.google.com/mail/thread/13395379/domain-reputation-got-bad-and-not-restoring-for-1-5-months-all-messages-bounced-back-with-550-5-7
rain dance required:
SPF[edit]
SPF mostly ignored:
- "SPF is terrible, but was necessary"
Headers[edit]
View e-mail headers:
- For example in Thunderbird: select an e-mail ->
View
->Message Source
There are two different "From" fields in an e-mail.
- A) 'MAIL FROM' https://en.wikipedia.org/wiki/Bounce_address
- B) 'From' header https://en.wikipedia.org/wiki/Email#Message_header
Very good explanation here: https://www.xeams.com/difference-envelope-header.htm
Checking DKIM Signatures on the Command Line[edit]
Might be mostly only useful for learning and testing purposes.
Install dkimverify
.
Install package(s) python3-dkim
following these instructions
1 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
2 Update the package lists and upgrade the system .
sudo apt update && sudo apt full-upgrade
3 Install the python3-dkim
package(s).
Using apt
command line
--no-install-recommends
option
is in most cases optional.
sudo apt install --no-install-recommends python3-dkim
4 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification .
5 Done.
The procedure of installing package(s) python3-dkim
is complete.
dkimverify < e-mail.eml
Abuse Notifications[edit]
- consider signing up for https://www.abuse.net/addnew.phtml
Standard E-Mail Addresses[edit]
- a number of standard e-mail addresses should redirect to the inbox of the server administrator
Miscellaneous Server Tests[edit]
- See also Website and Server Tests.
- https://www.ssllabs.com/
- https://www.hardenize.com/
- https://www.sshaudit.com/
- https://hstspreload.org/
- https://securityheaders.com/
- https://clickjacker.io
- https://www.validbot.com/
- https://realfavicongenerator.net/
- https://sitecheck.sucuri.net/
- https://hostedscan.com/
- https://talosintelligence.com/
- https://www.debugbear.com/resource-hint-validator
- https://www.debugbear.com/test/website-speed
- https://developers.google.com/search/docs/appearance/structured-data
- https://pagespeed.web.dev/
- https://www.giftofspeed.com/gzip-test/
- https://gtmetrix.com/
- https://www.webpagetest.org/
- https://technicalseo.com/tools/robots-txt/
- https://www.cloudflare.com/ssl/encrypted-sni/
See Also[edit]
Footnotes[edit]
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!