From 003e8b7bb1579accd78dfd9d7b9e1e3b8a150f7b Mon Sep 17 00:00:00 2001
From: Hilko
Date: Fri, 25 Dec 2020 23:19:16 +0100
Subject: [PATCH 1/3] Adjust max-recursion-queries to fix alternating rdns status (#1876)
---
 setup/system.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/setup/system.sh b/setup/system.sh
index 07f4aa1b..208a35df 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -320,6 +320,9 @@ fi #NODOC
 # name server, on IPV6.
 # * The listen-on directive in named.conf.options restricts `bind9` to
 # binding to the loopback interface instead of all interfaces.
+# * The max-recursion-queries directive increases the maximum number of iterative queries.
+# If more queries than specified are sent, bind9 returns SERVFAIL. After flushing the cache during system checks,
+# we ran into the limit thus we are increasing it from 75 (default value) to 100.
 apt_install bind9
 tools/editconf.py /etc/default/bind9 \
 "OPTIONS=\"-u bind -4\""
@@ -327,6 +330,10 @@ if ! grep -q "listen-on " /etc/bind/named.conf.options; then
 # Add a listen-on directive if it doesn't exist inside the options block.
 sed -i "s/^}/\n\tlisten-on { 127.0.0.1; };\n}/" /etc/bind/named.conf.options
 fi
+if ! grep -q "max-recursion-queries " /etc/bind/named.conf.options; then
+ # Add a max-recursion-queries directive if it doesn't exist inside the options block.
+ sed -i "s/^}/\n\tmax-recursion-queries 100;\n}/" /etc/bind/named.conf.options
+fi
 
 # First we'll disable systemd-resolved's management of resolv.conf and its stub server.
 # Breaking the symlink to /run/systemd/resolve/stub-resolv.conf means
From c7280055a83085b3d3efd5a9296a1bea4923315c Mon Sep 17 00:00:00 2001
From: jvolkenant
Date: Fri, 25 Dec 2020 14:22:24 -0800
Subject: [PATCH 2/3] Implement SPF/DMARC checks, add spam weight to those mails (#1836)
---
 setup/dkim.sh | 26 ++++++++++++++++++++++
 setup/spamassassin.sh | 50 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
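Review bot: The `sed -i "s/^}/\n\tmax-recursion-queries 100;\n}/"` line in the second system.sh hunk inserts the directive in front of every line of named.conf.options that begins with `}`, not only the one closing the `options` block; that is fine while the file holds a single top-level block, which appears to be the same assumption the existing listen-on edit three lines above makes, but a second block (a logging or zone stanza, for instance) would likely receive a copy of the directive and named would then reject the file. The `grep -q "max-recursion-queries "` guard shares the looseness of its listen-on counterpart: a commented-out occurrence counts as present, so the directive would never be added. Both could be tightened by matching only inside the `options {` … `}` block; at minimum a comment such as `# Assumes named.conf.options holds only the options block (same assumption as listen-on above).` would record the dependency on file layout.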
diff --git a/setup/dkim.sh b/setup/dkim.sh
index 5bd32370..05221b27 100755
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@@ -64,6 +64,32 @@ tools/editconf.py /etc/opendmarc.conf -s \
 "Syslog=true" \
 "Socket=inet:8893@[127.0.0.1]"
 
+# SPFIgnoreResults causes the filter to ignore any SPF results in the header
+# of the message. This is useful if you want the filter to perfrom SPF checks
+# itself, or because you don't trust the arriving header. This added header is
+# used by spamassassin to evaluate the mail for spamminess.
+
+tools/editconf.py /etc/opendmarc.conf -s \
+ "SPFIgnoreResults=true"
+
+# SPFSelfValidate causes the filter to perform a fallback SPF check itself
+# when it can find no SPF results in the message header. If SPFIgnoreResults
+# is also set, it never looks for SPF results in headers and always performs
+# the SPF check itself when this is set. This added header is used by
+# spamassassin to evaluate the mail for spamminess.
+
+tools/editconf.py /etc/opendmarc.conf -s \
+ "SPFSelfValidate=true"
+
+# AlwaysAddARHeader Adds an "Authentication-Results:" header field even to
+# unsigned messages from domains with no "signs all" policy. The reported DKIM
+# result will be "none" in such cases. Normally unsigned mail from non-strict
+# domains does not cause the results header field to be added. This added header
+# is used by spamassassin to evaluate the mail for spamminess.
+
+tools/editconf.py /etc/opendkim.conf -s \
+ "AlwaysAddARHeader=true"
+
 # Add OpenDKIM and OpenDMARC as milters to postfix, which is how OpenDKIM
 # intercepts outgoing mail to perform the signing (by adding a mail header)
 # and how they both intercept incoming mail to add Authentication-Results
diff --git a/setup/spamassassin.sh b/setup/spamassassin.sh
index d6c8b83b..989bbff4 100755
--- a/setup/spamassassin.sh
+++ b/setup/spamassassin.sh
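Review bot: The comment above `"SPFIgnoreResults=true"` ends with "This added header is used by spamassassin", but SPFIgnoreResults governs what OpenDMARC reads (it discards SPF results already present in the incoming message), not what it writes; the spf= result that reaches Authentication-Results comes from the SPFSelfValidate check configured just below. Suggest replacing that sentence with `# Together with SPFSelfValidate below, the filter never trusts an arriving SPF result and always computes its own.` and fixing `perfrom` → `perform` in the same comment. Ignoring inbound SPF results is the right default for a header a remote sender controls, so it is worth stating the reason explicitly. The two new opendmarc.conf calls could also be folded into the existing `tools/editconf.py /etc/opendmarc.conf -s \` invocation that opens the hunk, though that is style only.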
@@ -67,6 +67,56 @@ tools/editconf.py /etc/spamassassin/local.cf -s \
 "add_header all Report"=_REPORT_ \
 "add_header all Score"=_SCORE_
 
+
+# Authentication-Results SPF/Dmarc checks
+# ---------------------------------------
+# OpenDKIM and OpenDMARC are configured to validate and add "Authentication-Results: ..."
+# headers by checking the sender's SPF & DMARC policies. Instead of blocking mail that fails
+# these checks, we can use these headers to evaluate the mail as spam.
+#
+# Our custom rules are added to their own file so that an update to the deb package config
+# does not remove our changes.
+#
+# We need to escape period's in $PRIMARY_HOSTNAME since spamassassin config uses regex.
+
+escapedprimaryhostname="${PRIMARY_HOSTNAME//./\\.}"
+
+cat > /etc/spamassassin/miab_spf_dmarc.cf << EOF
+# Evaluate DMARC Authentication-Results
+header DMARC_PASS Authentication-Results =~ /$escapedprimaryhostname; dmarc=pass/
+describe DMARC_PASS DMARC check passed
+score DMARC_PASS -0.1
+
+header DMARC_NONE Authentication-Results =~ /$escapedprimaryhostname; dmarc=none/
+describe DMARC_NONE DMARC record not found
+score DMARC_NONE 0.1
+
+header DMARC_FAIL_NONE Authentication-Results =~ /$escapedprimaryhostname; dmarc=fail \(p=none/
+describe DMARC_FAIL_NONE DMARC check failed (p=none)
+score DMARC_FAIL_NONE 2.0
+
+header DMARC_FAIL_QUARANTINE Authentication-Results =~ /$escapedprimaryhostname; dmarc=fail \(p=quarantine/
+describe DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
+score DMARC_FAIL_QUARANTINE 5.0
+
+header DMARC_FAIL_REJECT Authentication-Results =~ /$escapedprimaryhostname; dmarc=fail \(p=reject/
+describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
+score DMARC_FAIL_REJECT 10.0
+
+# Evaluate SPF Authentication-Results
+header SPF_PASS Authentication-Results =~ /$escapedprimaryhostname; spf=pass/
+describe SPF_PASS SPF check passed
+score SPF_PASS -0.1
+
+header SPF_NONE Authentication-Results =~ /$escapedprimaryhostname; spf=none/
+describe SPF_NONE SPF record not found
+score SPF_NONE 2.0
+
+header SPF_FAIL Authentication-Results =~ /$escapedprimaryhostname; spf=fail/
+describe SPF_FAIL SPF check failed
+score SPF_FAIL 5.0
+EOF
+
 # Bayesean learning
 # -----------------
 #
From e26cf4512c3e2c82a46824ce17bfe99da292d58a Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Fri, 25 Dec 2020 17:28:34 -0500
Subject: [PATCH 3/3] Update CHANGELOG
---
 CHANGELOG.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bd1745a8..fb146e80 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,17 @@
 CHANGELOG
 =========
 
+In Development
+--------------
+
+* Incoming emails with SPF/DKIM/DMARC failures now have a higher spam score, and these messages are more likely to appear in the junk folder, since they are often spam/phishing.
+* A new Download button in the control panel's External DNS page can be used to download the required DNS records in zonefile format.
+* Blackblaze is now a supported backup protocol.
+* Fixed the problem when the control panel would report DNS entries as Not Set by increasing a bind query limit.
+* Fixed a control panel startup bug on some systems.
+* Fixed the MTA-STS policy file's line endings.
+* Nextcloud's photos, dashboard, and activity apps are disabled since we only support contacts and calendar.
+
 v0.51 (November 14, 2020)
 -------------------------
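Review bot: The rules written to miab_spf_dmarc.cf fire on any Authentication-Results header that contains `$escapedprimaryhostname; dmarc=pass` or `spf=pass`, and nothing in this hunk (or in the dkim.sh hunk) removes such a header when it arrives from outside, so a message that already carries an Authentication-Results line naming this host collects the negative DMARC_PASS/SPF_PASS scores. The effect is bounded — the milter-added header still triggers the fail/none rules and the pass rules are only -0.1 — but RFC 8601 §5 expects the receiving MTA to strip pre-existing Authentication-Results headers bearing its own authserv-id, and either a postfix header_checks rule doing that or a comment stating that OpenDKIM/OpenDMARC are relied on for it would close the gap. The patterns also presume the milters' authserv-id is exactly `$PRIMARY_HOSTNAME`, case included; a comment such as `# These patterns must match the AuthservID the milters write into Authentication-Results (case-sensitive).` above the heredoc would record that, since a mismatch silently disables every rule in the file.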