Submitted by rrhode on Wed, 12/17/2014 - 21:08
OpenDMARC http://www.trusteddomain.org/opendmarc/
Could have things that validate at some of the Message Validation addresses here: http://www.dmarc.org/resources.html
I think the unlocktheinbox test was pretty good and had a lot of extra records you could use to test.
Status:
Active
Comments
Submitted by JamieCameron on Thu, 12/18/2014 - 15:56 Comment #1
I'm not quite sure what you are requesting here - is Virtualmin not setting up DMARC / DKIM properly?
Submitted by rrhode on Thu, 12/18/2014 - 17:51 Comment #2
Hi there,
Sorry I didn't add much info to my original post, I was being rushed at the time.
Yes, there are no DMARC records or even ADSP records created, so some mail doesn't get delivered properly. Especially when trying to allow a service like aweber to send mail on your domain's behalf. I didn't think Virtualmin had anything to even try to add those records and don't see anywhere to change options for them either. I do see the DKIM section and it's set up and it adds that record, even though it doesn't automatically add additional domains to sign for in its options.
If you were to do some testing with the unlocktheinbox address listed in the dmarc.org resources section you would see how email deliverability and authentication and whatnot could be improved.
I feel like I am always struggling with email and spam and so forth on Virtualmin and would love for things to be better by default so I'm just trying to help out with some suggestions and links to some good resources.
One of the issues has also been when users enter email forwards to forward all their email to gmail and then they get spam forwarded there and the host (OVH) doesn't like that and disables mail. Google doesn't like that and temporarily throttles mail from the server and the server slowly gets associated with spam. The host scans the mail logs and sees that Google has detected spam being sent from the server and blocks mail from sending. I know it's just mail being forwarded but they don't know that. I don't know if this would prevent that sort of thing from happening but it would be nice if I could fix that too so I'm doing everything I can to figure it out.
Thanks!
Submitted by Chris_C on Thu, 12/18/2014 - 18:10 Comment #3
There's a way to configure the Postfix SMTP server to scan email for spam/viruses BEFORE forwarding everything onwards to the specified forwarding destination mail server. The way Virtualmin configures Postfix, it simply blindly forwards everything, including spam, with absolutely no virus or spam checks. Very soon, the Virtualmin IP is tagged as a spam source on the internet-wide RBL and SPL lists, Spamhaus for example.
The solution is to enable postscreen and have all forwarded mails filtered by spamassassin and clamav for every user on the system who is forwarding all their mail to an external mail server (gmail, aol, yahoo, microsoft, etc...)!
More info on this forum thread from January 2014! http://virtualmin.com/node/23183
"...basically I just followed the instructions here, including enabling zen.spamhaus.org, bl.spamcop.net and b.barracudacentral.org:
http://www.postfix.org/POSTSCREEN_README.html#config
The spam messages reaching my personal account dropped from around 800/day to 5/day just by doing this! Be aware that a LOT of log messages will be generated in the process, and there's no way to disable them.
Oh, and to get forwarded mails to be filtered by Spamassassin and ClamAV you need to first enable them in Virtualmin > System Settings > Feature and Plugins, then make any adjustments in Virtualmin > Email Messages > Spam and Virus Scanning (select whether to run as daemons or not).
Then select every individual user one by one (it took me hours) and under Mail Forwarding settings select "Deliver to this user normally" (and remove any existing forwarding, perhaps cutting the addresses to your clipboard). Then click the "Login to Usermin" button and select "Forward Email" and select "Email forwarding enabled" and paste the desired forwarding addresses there.
Then click Email Filters > Add a new email filter and select All email, Perform spam classification, Continue with other filter rules and click Create. Move this rule to the top of the list."
Submitted by rrhode on Thu, 12/18/2014 - 19:09 Comment #4
Wow thanks for taking the time to post all that! I am definitely going to give that a shot too.
Submitted by rrhode on Sat, 01/03/2015 - 11:47 Comment #5
DMARC checks are still failing for me even though I've tried to create the records (this is only for one domain though on the server) and everything seems like it should be set up properly. However the DMARC reports I get from various places seem to indicate otherwise. They appear to state that about half the emails sent via aweber (on behalf of the domain) fail, mostly due to spf and/or dmarc being "not aligned" but passing in most cases. I just wish it would work by default and everything always seems to bring me back to OpenDMARC. I haven't had the time to try to implement it myself and not sure if I should try, maybe it's not actually the right thing to use.
I haven't had time either to try implementing this postscreen thing and modifying the accounts by hand but if it isn't 100% effective I suspect there to still be issues. I've already implemented scans through blacklists and whatnot though.
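
Added example (not part of the thread, and not Virtualmin or OpenDMARC code): how SPF and DKIM can both pass while DMARC still reports "not aligned" when a third-party sender uses its own bounce and signing domains. All domains and results below are constructed, and the organizational-domain lookup is a simplified assumption in place of the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Simplification (assumption): the organizational domain is found with a tiny
# built-in suffix set; real evaluators use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}  # constructed sample, not complete


def org_domain(domain):
    """Return the registrable domain, e.g. mail.example.org -> example.org."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf = (result, mail_from_domain); dkim_sigs = [(result, d_domain), ...]."""
    # A mechanism only counts for DMARC if it passes AND its domain is aligned
    # with the domain in the visible From: header.
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim)
                  for r, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed messages: From: is at example.org, sent through a third-party ESP.
# 1) SPF and DKIM both pass, but only for the ESP's own domains.
ESP_ONLY = dmarc_result("example.org", ("pass", "bounces.esp.example"),
                        [("pass", "esp.example")])
# 2) The ESP also signs with a key published under the customer's domain.
WITH_OWN_DKIM = dmarc_result("example.org", ("pass", "bounces.esp.example"),
                             [("pass", "esp.example"), ("pass", "mail.example.org")])
# 3) Same signature, but the DMARC record demands strict DKIM alignment.
STRICT_DKIM = dmarc_result("example.org", ("pass", "bounces.esp.example"),
                           [("pass", "mail.example.org")], adkim="s")

if __name__ == "__main__":
    for name, res in [("ESP only", ESP_ONLY), ("own DKIM", WITH_OWN_DKIM),
                      ("own DKIM, adkim=s", STRICT_DKIM)]:
        print(name, res)
```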