Mail security

[ericosman]

Hi guys,

I'm busy with updating my server so it meets the latest "rules" for email security.
What i did:

• update to OpenSSL 1.0.2t
• Enable DMARC (have to change a policy) because this is not 100% according to https://internet.nl/

v=DMARC1; p=none; sp=none; rua=mailto:[email protected]

• Set my SPF
• Enabled DNSSEC on the server

To enable, add this value to your directadmin.conf: dns_tlsa=1 and restart DirectAdmin.

This is what i already did, now i have to edit the themes

What i would like to do:

• Enable DNSSEC 100% (something with adding keys to my dns?)
• Change the DMARC to be 100% (I think by setting p=quarantine)
• Update to TLS 1.3
• Update/enable my "ciphers"?
• Enable / use "diffie-hellman-key-exchange"
• Enable DANE
• Disable client-initiated renegotiation

The system i use:
CentOS 7

DirectAdmin		1.59.5
Dovecot		2.3.9 (e7f79df99)
Exim		4.92.3
MySQL		10.4.11
Named		9.11.4
OpenLiteSpeed		1.6.4
php		7.2.25
ProFTPd		1.3.6b

Now is my question, can some one explain some things to me?

What i dont get is where and what to add to my DNS (DNSSEC)
Is it correct what i have to change to my DMARC?
How do i update my TLS to 1.3? (and is my OpenSSL the correct version?)
What is going on with the Chiphers and diffie-hellman-key-exchange?
How can i get Dane working (with OPENSSL) ?
How do i disable client-initiated renegotiation?


Thanks in advance!

 

[mxroute]

What i dont get is where and what to add to my DNS (DNSSEC)

Does this help? https://help.directadmin.com/item.php?id=651

Is it correct what i have to change to my DMARC?

It's really important to not look at DMARC as a checklist item. This is going to be deeply personal. If you don't know why you would want your DMARC to be unique to your needs or what you want it to do, I highly suggest not using it at all. It's like declaring what you're going to have for lunch every day for the next week, you can't make an informed decision without a menu and knowledge of what you want. There's no incorrect way to do it short of syntax errors. You might end up hurting your own cause if you do it in a way that goes against your expectations elsewhere. For example, setting DMARC to "reject" means email with your domain in the From header will not be accepted by Google if not matching your SPF, which means people who use email forwarding to Gmail will no longer receive your emails (even if using SRS). I wrote some more detail about this here: https://blog.mxroute.com/2019/06/google-does-not-respect-srs-do-not-forward-email-to-google

So make sure that if you do use DMARC, read up and understand each portion of the record, and choose what you want each item to do.

I realize I didn't weigh in on the rest, those were the only items that I wanted to weigh in on myself

 

[ikkeben]

TLS 1.3 is CENTOS 8 read here in forum some advice not to do this with centos7x from smtalk. while openssl >-1.1.1

DH read this also:

Key exchange 'ffdhe3072' or even 'ffdhe4096' instead of own created DH 2048 , 3072 while is not safe enough anymore, and cipher order preference

Read here about user and discussion. DH-3072 != ffdhe3072 so that is my mistake and many more i guess here :cry: You can download files with predefined groups ffdhe3072 or ffdhe4096 ? don't know howto in Directadmin? https://github.com/internetstandards/dhe_groups GUIDELINES...

forum.directadmin.com

How do i disable client-initiated renegotiation? not possible sofar i know with that openssl version

DNSSEC ( must be working for DANE) first ask where you register domain if there supported yes or no , and also at your hoster / where you handle dns..