Mail security

ericosman

Verified User
Joined
Nov 25, 2019
Messages
12
Hi guys,

I'm busy with updating my server so it meets the latest "rules" for email security.
What i did:
  • update to OpenSSL 1.0.2t
  • Enable DMARC (have to change a policy) because this is not 100% according to https://internet.nl/
v=DMARC1; p=none; sp=none; rua=mailto:spam-reports@mydomain.com
  • Set my SPF
  • Enabled DNSSEC on the server
To enable, add this value to your directadmin.conf: dns_tlsa=1 and restart DirectAdmin.
This is what i already did, now i have to edit the themes

What i would like to do:
  • Enable DNSSEC 100% (something with adding keys to my dns?)
  • Change the DMARC to be 100% (I think by setting p=quarantine)
  • Update to TLS 1.3
  • Update/enable my "ciphers"?
  • Enable / use "diffie-hellman-key-exchange"
  • Enable DANE
  • Disable client-initiated renegotiation

The system i use:
CentOS 7
DirectAdmin1.59.5
Dovecot2.3.9 (e7f79df99)
Exim4.92.3
MySQL10.4.11
Named9.11.4
OpenLiteSpeed1.6.4
php7.2.25
ProFTPd1.3.6b


Now is my question, can some one explain some things to me?

What i dont get is where and what to add to my DNS (DNSSEC)
Is it correct what i have to change to my DMARC?
How do i update my TLS to 1.3? (and is my OpenSSL the correct version?)
What is going on with the Chiphers and diffie-hellman-key-exchange?
How can i get Dane working (with OPENSSL) ?
How do i disable client-initiated renegotiation?


Thanks in advance!
 

mxroute

Verified User
Joined
Sep 24, 2019
Messages
18
What i dont get is where and what to add to my DNS (DNSSEC)
Does this help? https://help.directadmin.com/item.php?id=651

Is it correct what i have to change to my DMARC?
It's really important to not look at DMARC as a checklist item. This is going to be deeply personal. If you don't know why you would want your DMARC to be unique to your needs or what you want it to do, I highly suggest not using it at all. It's like declaring what you're going to have for lunch every day for the next week, you can't make an informed decision without a menu and knowledge of what you want. There's no incorrect way to do it short of syntax errors. You might end up hurting your own cause if you do it in a way that goes against your expectations elsewhere. For example, setting DMARC to "reject" means email with your domain in the From header will not be accepted by Google if not matching your SPF, which means people who use email forwarding to Gmail will no longer receive your emails (even if using SRS). I wrote some more detail about this here: https://blog.mxroute.com/2019/06/google-does-not-respect-srs-do-not-forward-email-to-google

So make sure that if you do use DMARC, read up and understand each portion of the record, and choose what you want each item to do.

I realize I didn't weigh in on the rest, those were the only items that I wanted to weigh in on myself :)
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
698
Location
Netherlands Germany
TLS 1.3 is CENTOS 8 read here in forum some advice not to do this with centos7x from smtalk. while openssl >-1.1.1

DH read this also:

How do i disable client-initiated renegotiation? not possible sofar i know with that openssl version

DNSSEC ( must be working for DANE) first ask where you register domain if there supported yes or no , and also at your hoster / where you handle dns..
 
Top