Server Security Guide
Donate
Server Security Guide for Kicksecure, Linux, and Kicksecure Hardening
Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.
E-Mail Delivery[edit]
DMARC Strict Alignment[edit]
Consider using DMARC strict alignment:
aspf=s;adkim=s- relaxed alignment
aspf=r;/adkim=rmight lead to spammers sending e-mails impersonating the domain name and DMARC passing anyhow. - Illustrative examples on DMARC Strict Alignment
Tools[edit]
- https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/
- https://report-uri.com/account/reports/dmarc/
- https://www.mailhardener.com/dashboard/dmarc-reports
- https://www.mailhardener.com/tools/dkim-validator
- https://tools.socketlabs.com/
- SPF/DKIM/DMARC/DomainKey/RBL Online Test
- https://github.com/6point6/dmarc_checker
DKIM Header Injection Attack[edit]
Introduction:
- https://prog.world/dkim-replay-attack-on-gmail/
- https://utcc.utoronto.ca/~cks/space/blog/spam/DKIMSpamReplayAttack
- https://wordtothewise.com/2014/05/dkim-injected-headers/
- https://www.zdnet.com/article/dkim-useless-or-just-disappointing/
Mitigation:
- https://halon.io/blog/the-dkim-replay-attack-and-how-to-mitigate
- https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
- https://proton.me/blog/dkim-replay-attack-breakdown
- https://security.stackexchange.com/questions/265408/how-many-times-need-e-mail-headers-be-signed-with-dkim-to-mitigate-dkim-header-i
- https://github.com/rspamd/rspamd/issues/2136
Future:
DKIM Replay Attack[edit]
- https://wordtothewise.com/2014/05/dkim-replay-attacks/
- https://tools.wordtothewise.com/rfc/6376#section-8.6
- https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/
Could a DKIM replay attack be resolved by enforcing In theory, yes. In practice, unsupported by DMARC. See DMARC Alignment: Enforce messages pass BOTH SPF and DKIM. And unlikely to be ever implemented since this would break the e-mail forwarding use case.
DKIM Required[edit]
Is SPF + DMARC sufficient or would this lead to ending up in the spam folder?
- DMARC will
pass(success, not a failure) when either SPF or DMARC haspass.- Such as
pass(as in DMARC reports) however does only indicate that DMARC waspass. The e-mail could still end up being rejected for being spam or end up in the spam folder.
- Such as
- Quote https://emfluence.com/blog/how-dkim-affects-email-deliverability:
Yahoo! requires DKIM to sign up for their Feedback Loop (where they keep track of spam complaints). That means anyone who doesn’t have DKIM set up isn’t capturing spam complaints at Yahoo!, and because of that, those email addresses aren’t being suppressed automatically. That could put you on the road to being blocked or blacklisted by Yahoo!
- https://dmarcly.com/blog/can-i-set-up-dmarc-without-dkim doesn't mention spam.
- Quote https://support.google.com/a/answer/174124?hl=en:
Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.
e-mail self hosting is hard[edit]
- https://www.reddit.com/r/selfhosted/comments/xoi5im/google_smtp_low_domain_reputation/
- and google postmaster tools don't help https://www.tablix.org/~avian/blog/archives/2019/04/google_is_eating_our_mail/
- https://superuser.com/questions/1718259/google-bounce-email-with-error-550-5-7-1-our-system-has-detected-that-this-messa
- https://support.google.com/mail/thread/13395379/domain-reputation-got-bad-and-not-restoring-for-1-5-months-all-messages-bounced-back-with-550-5-7
rain dance required:
SPF[edit]
SPF mostly ignored:
- "SPF is terrible, but was necessary"
Headers[edit]
View e-mail headers:
- For example in Thunderbird: select an e-mail ->
View->Message Source
There are two different "From" fields in an e-mail.
- A) 'MAIL FROM' https://en.wikipedia.org/wiki/Bounce_address
- B) 'From' header https://en.wikipedia.org/wiki/Email#Message_header
Very good explanation here: https://www.xeams.com/difference-envelope-header.htm
Checking DKIM Signatures on the Command Line[edit]
Might be mostly only useful for learning and testing purposes.
Install dkimverify.
Install python3-dkim. To accomplish that, the following steps A. to D. need to be done.
A. Update the package lists.
sudo apt update
B. Upgrade the system.
sudo apt full-upgrade
C. Install the python3-dkim package.
Using apt command line parameter --no-install-recommends is in most cases optional.
sudo apt install --no-install-recommends python3-dkim
D. Done.
The procedure of installing python3-dkim is complete.
dkimverify < e-mail.eml
Abuse Notifications[edit]
- consider signing up for https://www.abuse.net/addnew.phtml
Standard E-Mail Addresses[edit]
- a number of standard e-mail addresses should redirect to the inbox of the server administrator
Miscellaneous Server Tests[edit]
- See also Website and Server Tests.
- https://www.ssllabs.com/
- https://www.hardenize.com/
- https://hstspreload.org/
- https://securityheaders.com/
- https://clickjacker.io
- https://www.validbot.com/
- https://realfavicongenerator.net/
- https://sitecheck.sucuri.net/
- https://hostedscan.com/
- https://talosintelligence.com/
- https://www.debugbear.com/resource-hint-validator
- https://www.debugbear.com/test/website-speed
- https://developers.google.com/search/docs/appearance/structured-data
- https://pagespeed.web.dev/
- https://www.giftofspeed.com/gzip-test/
- https://gtmetrix.com/
- https://www.webpagetest.org/
- https://technicalseo.com/tools/robots-txt/
- https://www.cloudflare.com/ssl/encrypted-sni/
See Also[edit]
Footnotes[edit]
Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.
At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
ENCRYPTED SUPPORT LP,
2023
We believe security software like Kicksecure needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!