smedev:qpsmtpd_096

Differences

Below are the differences between two revisions of the page.

smedev:qpsmtpd_096 [03/05/2016 00:50]
dani [Inbound DKIM / SPF / DMARC]
smedev:qpsmtpd_096 [13/09/2016 09:43] (current version)
dani [Helo]
Ligne 9: Ligne 9:
 The first step is to update the core qpsmtpd package to the latest version, adapt the spec file if needed, rebase needed patches. The first step is to update the core qpsmtpd package to the latest version, adapt the spec file if needed, rebase needed patches.
  
-This is currently being worked on, my latest build is available in fws-testing repo 
- 
-  * http://repo.firewall-services.com/centos-testing/6/SRPMS/qpsmtpd-0.96-1.beta3.el6.fws.src.rpm 
-  * http://repo.firewall-services.com/centos-testing/6/noarch/qpsmtpd-0.96-1.beta3.el6.fws.noarch.rpm 
  
 ===== Check qpsmtpd-plugins and smeserver-qpsmtpd for duplicated plugins ===== ===== Check qpsmtpd-plugins and smeserver-qpsmtpd for duplicated plugins =====
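Review bot: removing the fws-testing paragraph and its two RPM links leaves this step with no pointer to where the 0.96 build can be obtained. If the package has moved to another repository, name it here; if the links were dropped because the beta3 build is obsolete, a one-line note saying so would keep the step actionable.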
Ligne 105: Ligne 101:
   * The karma plugin is now ready to be used   * The karma plugin is now ready to be used
   * The helo plugin can now check more than just the helo hostname   * The helo plugin can now check more than just the helo hostname
-  * DKIM, SPF and DMARC can be used +  * DKIM, SPF and DMARC are used 
-  * The loadcheck plugin can defer inbound email when your server load is too high+  * The loadcheck plugin can defer inbound emails when your server load is too high
   * The uribl plugin is ready to be used   * The uribl plugin is ready to be used
   * RBLList, SBLList and the new UBLList must now be comma separated. Previous configuration will be migrated automatically. For RBLList, you can use a semicolon to separate the service address and a reject message. This is useful for lists which doesn't have a TXT entry to get a reject message from, but only provides A entries.   * RBLList, SBLList and the new UBLList must now be comma separated. Previous configuration will be migrated automatically. For RBLList, you can use a semicolon to separate the service address and a reject message. This is useful for lists which doesn't have a TXT entry to get a reject message from, but only provides A entries.
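Review bot: on the DKIM/SPF/DMARC bullet, "are used" is vaguer than the wording it replaces and does not tell an administrator whether mail can now be rejected on these checks after the upgrade. Suggest saying that the checks run on inbound mail and naming the settings that control rejection. In the unchanged RBLList bullet, "lists which doesn't have" should read "lists which don't have".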
Ligne 142: Ligne 138:
 Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting: Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:
  
-  * HeloPolicy: (lenient|rfc|strict). The default value is **rfc**. See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level+  * HeloPolicy: (lenient|rfc|strict). The default value is **lenient**. See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level
  
 Example: Example:
  
 <code bash> <code bash>
-db configuration setprop qpsmtpd HeloPolicy lenient+db configuration setprop qpsmtpd HeloPolicy rfc
 signal-event email-update signal-event email-update
 </code> </code>
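Review bot: the HeloPolicy bullet changes the documented default from rfc to lenient without saying why, or what happens on upgrade to a system that never set the property. Since the example now moves in the opposite direction (setting rfc), add a sentence on what rfc rejects that lenient lets through, or at least on when an administrator should tighten the policy, rather than relying only on the upstream link.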
Ligne 153: Ligne 149:
 ==== Inbound DKIM / SPF / DMARC ==== ==== Inbound DKIM / SPF / DMARC ====
  
-DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled and has no settings exposed. dmarc has two settings:+DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:
  
-  * DMARCReject (1|0): Default value is 1. If set to 1, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure). You can isable it by setting this to 0 +  * DMARCReject (enabled|disabled): Default value is disabled. If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure) 
-  * DMARCReporting (1|0): Default value is 1. If set to 1, enable reporting (which is the **r** in dma**r**c). Reporting is a very important part of the DMARC standard. When enabled, you'll record informations about email you receive from domains which have published a DMARC policy. Then, once a day, you send the aggregate reports to the domain owner so they have feedback. You can set this to if you want to disable this feature+  * DMARCReporting (enabled|disabled): Default value is enabled. If set to enabled, enable reporting (which is the **r** in dma**r**c). Reporting is a very important part of the DMARC standard. When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite). Then, once a day, you send the aggregate reports to the domain owner so they have feedback. You can set this to disabled if you want to disable this feature 
 +  * SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy. Note: this is only used when no DMARC policy is published by the sender. If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests. 
 +    * 0: do not reject anything 
 +    * 1: reject when SPF says fail 
 +    * 2: reject when SPF says softfail 
 +    * 3: reject when SPF says neutral 
 +    * 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published 
 +  * Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported
  
 Example: Example:
 <code bash> <code bash>
-db configuration setprop DMARCReject 0+db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
 signal-event email-update signal-event email-update
 </code> </code>
- 
 ==== Outbound DKIM signing / SPF / DMARC policy ==== ==== Outbound DKIM signing / SPF / DMARC policy ====
  
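Review bot: the SPFRejectPolicy list does not say whether the levels are cumulative, so it is unclear whether 2 also rejects on fail or only on softfail; state this explicitly, since the example sets SPFRejectPolicy 2. Level 4 also combines errors with "no SPF entry is published", which would reject mail from every domain without an SPF record and deserves a warning. The example sets DMARCReject disabled, which the new text gives as the default, so that part of the command changes nothing. "every inbound emails" should be "every inbound email".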
Ligne 219: Ligne 221:
  
 All you have to do now is publish those records All you have to do now is publish those records
 +
 +==== Load ====
 +The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:
 +
 +  * MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.
 +
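Review bot: the MaxLoad bullet does not say which load figure is compared (1, 5 or 15 minute average) or that 7 is an absolute value rather than per CPU core, so the default means very different things on a single-core and a multi-core server. Suggest stating both, and clarifying whether "emails from the outside" excludes authenticated or local submissions.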
  • smedev/qpsmtpd_096.1462229455.txt.gz
  • Last modified: 03/05/2016 00:50
  • by dani