Server Security Guide

From Kicksecure

Server Security Guide for Kicksecure, Linux, and Kicksecure Hardening

Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.

E-Mail Delivery

DMARC Strict Alignment

Consider using DMARC strict alignment:

Tools

DKIM Header Injection Attack

Introduction:

Mitigation:

Future:

DKIM Replay Attack

Could a DKIM replay attack be resolved by enforcing that messages pass both SPF and DKIM? In theory, yes. In practice, this is unsupported by DMARC. See DMARC Alignment: Enforce messages pass BOTH SPF and DKIM (archive.org). It is also unlikely ever to be implemented, since this would break the e-mail forwarding use case.

DKIM Required

Is SPF + DMARC sufficient, or would this lead to messages ending up in the spam folder?

  • DMARC will pass (success, not a failure) when either SPF or DKIM passes.
    • A pass (as in DMARC reports) only indicates that DMARC passed. The e-mail could still be rejected as spam or end up in the spam folder.
  • Quote https://emfluence.com/blog/how-dkim-affects-email-deliverability (archive.org):

    Yahoo! requires DKIM to sign up for their Feedback Loop (where they keep track of spam complaints). That means anyone who doesn’t have DKIM set up isn’t capturing spam complaints at Yahoo!, and because of that, those email addresses aren’t being suppressed automatically. That could put you on the road to being blocked or blacklisted by Yahoo!

  • https://dmarcly.com/blog/can-i-set-up-dmarc-without-dkim (archive.org) doesn't mention spam.
  • Quote https://support.google.com/a/answer/174124?hl=en (archive.org):

    Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.

e-mail self hosting is hard

rain dance required:

SPF

SPF mostly ignored:

Headers

View e-mail headers:

  • For example in Thunderbird: select an e-mail -> View -> Message Source

There are two different "From" fields in an e-mail: the envelope From (the SMTP sender, visible as Return-Path) and the header From (the address shown to the user).

Very good explanation here: https://www.xeams.com/difference-envelope-header.htm (archive.org)

Checking DKIM Signatures on the Command Line

This is mostly useful for learning and testing purposes.

Install dkimverify.

dkimverify is provided by the python3-dkim package. Install it by following the steps below.


Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

Install the python3-dkim package(s).

Using the apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends python3-dkim


Done. The installation of python3-dkim is complete.

Verify the DKIM signature of a saved message:

dkimverify < e-mail.eml
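dkimverify only reports whether the signature is cryptographically valid; whether that signature counts for DMARC depends on alignment between the d= signing domain (or the Return-Path domain for SPF) and the header From domain, as discussed in the DMARC Strict Alignment and DKIM Required sections above. The following added example (not Kicksecure's own code) evaluates exactly that alignment for a constructed message; the raw SPF and DKIM pass/fail results are passed in as booleans, and the organizational-domain rule is simplified to the last two labels (assumption; real evaluators use the Public Suffix List).

```python
import email
from email.utils import parseaddr

# Constructed sample: header From is example.com, envelope From (Return-Path)
# is a subdomain, and the DKIM signature is made by example.com itself.
SAMPLE_EML = """\
Return-Path: <bounces@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;
 h=from:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA==
From: Alice <alice@example.com>
Subject: constructed sample message

body
"""

def domain_of(address_header):
    """Lower-cased domain of an address header such as 'Alice <alice@example.com>'."""
    addr = parseaddr(address_header or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def org_domain(domain):
    # Simplification (assumption): last two labels form the organizational domain.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def dkim_signing_domain(msg):
    """The d= tag of the first DKIM-Signature header, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    return tags.get("d", "").strip().lower() or None

def evaluate_dmarc(raw_eml, spf_pass, dkim_pass, aspf="r", adkim="r"):
    """spf_pass/dkim_pass are the raw results of the underlying checks (e.g. from
    dkimverify); this example does not compute them itself (assumption)."""
    msg = email.message_from_string(raw_eml)
    from_domain = domain_of(msg.get("From"))
    spf_aligned = spf_pass and aligned(domain_of(msg.get("Return-Path")), from_domain, aspf)
    dkim_aligned = dkim_pass and aligned(dkim_signing_domain(msg), from_domain, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}
```

With strict alignment the sample passes DMARC only through DKIM, because the Return-Path subdomain is not an exact match; if DKIM fails (or is missing), strict SPF alone is not enough.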

Abuse Notifications

Standard E-Mail Addresses

Miscellaneous Server Tests

See Also

Footnotes
