Differences
Below are the differences between two revisions of the page.
smedev:qpsmtpd_096 [03/05/2016 00:55] dani [Inbound DKIM / SPF / DMARC] |
smedev:qpsmtpd_096 [17/06/2016 23:16] dani [Inbound DKIM / SPF / DMARC] |
||
---|---|---|---|
Ligne 9: | Ligne 9: | ||
The first step is to update the core qpsmtpd package to the latest version, adapt the spec file if needed, rebase needed patches. | The first step is to update the core qpsmtpd package to the latest version, adapt the spec file if needed, rebase needed patches. | ||
- | This is currently being worked on, my latest build is available in fws-testing repo | ||
- | |||
- | * http:// | ||
- | * http:// | ||
===== Check qpsmtpd-plugins and smeserver-qpsmtpd for duplicated plugins ===== | ===== Check qpsmtpd-plugins and smeserver-qpsmtpd for duplicated plugins ===== | ||
Ligne 105: | Ligne 101: | ||
* The karma plugin is now ready to be used | * The karma plugin is now ready to be used | ||
* The helo plugin can now check more than just the helo hostname | * The helo plugin can now check more than just the helo hostname | ||
- | * DKIM, SPF and DMARC can be used | + | * DKIM, SPF and DMARC are used |
- | * The loadcheck plugin can defer inbound | + | * The loadcheck plugin can defer inbound |
* The uribl plugin is ready to be used | * The uribl plugin is ready to be used | ||
* RBLList, SBLList and the new UBLList must now be comma separated. Previous configuration will be migrated automatically. For RBLList, you can use a semicolon to separate the service address and a reject message. This is useful for lists which doesn' | * RBLList, SBLList and the new UBLList must now be comma separated. Previous configuration will be migrated automatically. For RBLList, you can use a semicolon to separate the service address and a reject message. This is useful for lists which doesn' | ||
Ligne 153: | Ligne 149: | ||
==== Inbound DKIM / SPF / DMARC ==== | ==== Inbound DKIM / SPF / DMARC ==== | ||
- | DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled | + | DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings: |
- | * DMARCReject (1|0): Default value is 1. If set to 1, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure). You can isable | + | * DMARCReject (enabled|disabled): Default value is enabled. If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure). You can disable |
- | * DMARCReporting (1|0): Default value is 1. If set to 1, enable reporting (which is the **r** in dma**r**c). Reporting is a very important part of the DMARC standard. When enabled, you'll record | + | * DMARCReporting (enabled|disabled): Default value is enabled. If set to enabled, enable reporting (which is the **r** in dma**r**c). Reporting is a very important part of the DMARC standard. When enabled, you'll record |
- | * SPFDenyHardFail | + | * SPFRejectPolicy |
+ | * 0: do not reject anything | ||
+ | * 1: reject when SPF says fail | ||
+ | * 2: reject when SPF says softfail | ||
+ | * 3: reject when SPF says neutral | ||
+ | * 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published | ||
+ | * Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported | ||
Example: | Example: | ||
<code bash> | <code bash> | ||
- | db configuration setprop DMARCReject | + | db configuration setprop |
signal-event email-update | signal-event email-update | ||
</ | </ | ||
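Review bot: The new SPFRejectPolicy list (levels 0 to 4) does not say whether the levels are cumulative: as written, "2: reject when SPF says softfail" can be read as softfail only or as fail plus softfail. Suggest spelling out for each level everything it rejects. Level 4 also groups two different cases, an SPF evaluation error and a domain that publishes no SPF entry at all; the second one rejects mail from every sender domain without SPF, so it deserves its own sentence describing that effect. Since DMARCReject and DMARCReporting change from (1|0) to (enabled|disabled), the text should also say whether existing 1/0 values are migrated. Minor: "checked on every inbound emails" in the rewritten paragraph should read "every inbound email".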
Ligne 219: | Ligne 221: | ||
All you have to do now is publish those records | All you have to do now is publish those records | ||
+ | |||
+ | ==== Load ==== | ||
+ | The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting: | ||
+ | |||
+ | * MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred. | ||
+ |
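Review bot: The MaxLoad description says "If your load is above this value" without naming which load figure is compared (for example the 1, 5 or 15 minute load average), and the default of 7 is given with no relation to the number of CPU cores. Suggest naming the exact metric and advising admins to size MaxLoad to their hardware, since a value set too low defers legitimate mail and a value set too high never triggers. As the plugin is "always enabled", it would also help to show the db command used to change MaxLoad, in the same form as the DMARC example earlier on the page.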