Author: admin

Posted on

What is a DMARC record and how do I create it on DNS server?

Command to verify the DNS record : dig _dmarc.saic.it any

Description

Email Security: What is DMARC record and how to create it on DNS server.

Prerequisites:

Before creating DMARC records it’s a good idea to test DKIM and SPF. Testing can be found here: https://dmarcguide.globalcyberalliance.org/#/

Resolution

Creating a DMARC record

Create the record
DMARC is designed to give receivers of email better judgment control  based on sending domain reputations.  It provides a platform where the sending side can publish policies to improve effectiveness against spam and phishing, in effect building domain reputations. This helps to provide guidelines on how to address messages that do not align according to those policies published by the sending domains.
  
DMARC was aimed at:
Reducing false negatives
Provide authentication reporting
Apply sender policies at the receiving end
Reduce phishing
Be scalable
  
In order to get started with DMARC, the sending domain needs to have an SPF and DKIM record published. Once the SPF and DKIM records are in place, you can configure DMARC by adding policies to your domain’s TXT records (the same way in which you published your SPF and DKIM records).  Your TXT record name should read something similar to “_dmarc.your_domain.com.”  Please replace the “your_domain.com” with your own domain.
 
As DMARC policies are published as TXT records, it defines what an email receiver should do with non-aligned mail it receives.

A DMARC record’s name when creating a TXT record is “_dmarc” which forms a TXT record such as _dmarc.mydomain.com or _dmarc.mydomain.net etc

An external guide/wizard on creating DMARC records: https://dmarcguide.globalcyberalliance.org/#/dmarc/

 Example:
“v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com”  
 
 In this scenario, the sender defines the policy as such that the receiver outright rejects all non-aligned messages and sends a report about the rejections to a specific email address. If the sender were to use the “quarantine” setting in the policy, it would look like:
 
“v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@dmarcdomain.com” 

and would request the action to quarantine on the receiving end of the message. In the next example, if a message claims to be from your domain.com and fails DMARC, no action is taken. Instead, these messages will then show up in your daily aggregate report sent to
 
 “v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com” 

Here is a sample where the message fails DMARC, then quarantines it 5% of the time.
 
 “v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com” 

In this sample, the policy is set to reject the message 100% of the time and send the daily report to the specified address of dmarc@your_domain.com.
 
“v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com”
  
 DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM. The following chart illustrates some of the available tags:
  
Common tags used in DMARC TXT records:
 

TagName   RequiredPurposeSample
v             requiredProtocol Versionv=DMARC1
prequiredProtocol for Domainp=quarantine
pctoptional% of message subjected to filteringpct=20
ruaoptionalReporting UTIof aggregate reportrua=mailto:postmstr@domain.com
spoptionalPolicy for subdomains of the domainsp=r
aspfoptionalAlignment mode for spfaspf=r 
 


Only the v (version) and p (policy) tags are required. Three possible policy settings are available:

  • none – Take no action. Only log the affected messages in the daily report.
  • quarantine – Mark affected messages as spam.
  • reject – Cancel the message at the SMTP layer.  

 
Alignment mode refers to the analysis which sender records are compared to SPF and DKIM signatures. There are two possible values being presented, relaxed “r” or strict “s”. Relaxed allows for partial matches such as subdomains while strict requires an exact match.
Be sure to include an email address with the optional rua tag to have the daily reports sent to that address.
 
Example report
The daily reports are sent in XML format. They provide feedback informing you of the sending source IP addresses that have been sending out on your domain’s behalf.  This helps in determining which sources are valid or not. As a result, this assists in more effective deployment of your SPF and DKIM records.
Here is an example of a daily aggregate report. The judgement result is shown along with the source IP addresses and the action taken.
  
<record>
 <row>
 <source_ip>207.126.144.129</source_ip>
 <count>1</count>
 <policy_evaluated>
 <disposition>none</disposition>
 </policy_evaluated>
 </row>
 <identities>
 <header_from>stefanomail.com</header_from>
 </identities>
 <auth_results>
 <dkim>
 <domain>stefanomail.com</domain>
 <result>pass</result>
 <human_result></human_result>
 </dkim>
 <spf>
 <domain>stefanomail.com</domain>
 <result>pass</result>
 </spf>
 </auth_results>
 </record>
 <record>
 <row>
 <source_ip>207.126.144.131</source_ip>
 <count>1</count>
 <policy_evaluated>
 <disposition>none</disposition>
 <reason>
 <type>forwarded</type>
 <comment></comment>
 </reason>
 </policy_evaluated>
 </row>
 <identities>
 <header_from>stefanomail.com</header_from>
 </identities>
 <auth_results>
 <dkim>
 <domain>stefanomail.com</domain>
 <result>pass</result>
 <human_result></human_result>
 </dkim>
 <spf>
 <domain>stefanomail.com</domain>
 <result>pass</result>
 </spf>
 </auth_results>
 </record> 
 
Here is an example of how to specify the optional size limit argument and set it to 10 MB.
“v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com!10m”
  
Deploy slowly 
As the DMARC specification takes into consideration that scaling out the deployment may be challenging for some organizations to do at once, there are a number of built-in methods for “throttling” the DMARC processing so full deployment can be done in increments over time.

  • First thing to do is monitor your traffic and reports. Assess where your vulnerabilities are (where messages are being delivered without being digitally signed or are coming from invalid source IP addresses) and address them through SPF and DKIM records.
  • As you monitor your daily aggregate reports and get to a place where you are comfortable with the results, you can change the action on your policies to start to quarantine. You do this by changing your TXT record using DMARC to use the “quarantine” action. Continue to monitor your daily reports
  • Once you have been monitoring your traffic and daily reports for some time and feel comfortable with the sources seen sending traffic on behalf of your domain and they are all being digitally signed, you can move forward with the next step in changing the policy to use the “reject” tag to fully deploy DMARC in its entirety. Monitoring your reports and your spamfeed is an essential part of maintenance for DMARC accuracy.

Also worth noting, the optional pct tag can be used to sample your DMARC deployment in increments as well. Since 100% is the default, passing “pct=20” in your DMARC TXT record results in one-fifth of all messages affected by the policy actually receiving the disposition instead of all of them. This setting is especially useful once you elect to quarantine and reject mail. Start with a lower percent to begin with and increase it every few days.
So a conservative deployment cycle would resemble:

  1. Monitor all.
  2. Quarantine 1%.
  3. Quarantine 5%.
  4. Quarantine 10%.
  5. Quarantine 25%.
  6. Quarantine 50%.
  7. Quarantine all.
  8. Reject 1%.
  9. Reject 5%.
  10. Reject 10%.
  11. Reject 25%.
  12. Reject 50%.
  13. Reject all.

When you are ready to complete the DMARC deployment, remove the percentages from your policies so that the full action of “quarantine” and “reject” is now functioning at 100%. As always, monitor your daily reports.
Recap DMARC deployment.

  1. Deploy SPF and DKIM records for your domain.
  2. Confirm that all sending MTA’s on behalf of the specified domain are aligning the appropriate identifiers appropriately.
  3. Publish DMARC record using the “monitor” flag and specify rua value to receive daily aggregate reports.
  4. Assess vulnerabilities from the daily reports and adjust SPF and DKIM accordingly. Make changes to your mailstreams as needed.
  5. Change DMARC policy flags to “quarantine” and then eventually to “reject” as you see fit.

For further reference, you can go to:
http://dmarc.org/overview.html
http://dmarc.org/specification.html

Posted on

Protect Roundcube with Google reCaptcha

reCaptcha plugin for Roundcube is a good way to protect your server against brute-force attacks on a webmail.

We will install it from the plugin’s repository https://github.com/dsoares/rcguard.git. The addon was tested at the moment of the writing of this guide with RoundCube version 1.3.3.

First make sure you’ve got git installed on your server. If it’s missing you can install it either from your OS repository with a package manager or from sources.

So we start

Installation of the plugin into RoundCube on a Directadmin server starts with the following commands:

cd /var/www/html/roundcube/plugins/
GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard
chown -R webapps:webapps rcguard/
cd rcguard
mv config.inc.php.dist config.inc.php

Example of an output from git command:

# GIT_SSL_NO_VERIFY=true git clone https://github.com/dsoares/rcguard.git rcguard
Cloning into 'rcguard'...
remote: Counting objects: 470, done.
remote: Total 470 (delta 0), reused 0 (delta 0), pack-reused 470
Receiving objects: 100% (470/470), 82.68 KiB, done.
Resolving deltas: 100% (240/240), done.

If you see an error you should read everything carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.

Add your reCaptcha keys

Go to https://www.google.com/recaptcha/admin and get your keys.

It’s important to mention, that Google will show reCaptcha only on domains which were registered at Google for these particular pair of keys. It means that you should either register all of your domains at Google if you want to access RoundCube on users’ domains, or use one domain (or hostname) for all users and register one domain at Google.

As soon as you get your keys you should add them into configuration file of the addon.

Open the config file of the plugin in an editor:

vi config.inc.php

and update the following lines with your real public and private keys from Google:

// Public key for reCAPTCHA
$config['recaptcha_publickey'] = '';

// Private key for reCAPTCHA
$config['recaptcha_privatekey'] = '';

So it would look like the following:

// Public key for reCAPTCHA
$rcmail_config['recaptcha_publickey'] = '6LdNmhYTAAAAAOXR**********OcI6MPpePq2eRn';

// Private key for reCAPTCHA
$rcmail_config['recaptcha_privatekey'] = '6LdNmhYTAAAAAB**********vJxvSjDR9VUiDDq-';

For security reasons some symbols are masked here, in your case there should not be asterisks.

You can change other settings of the plugin per your needs. For example this one:

// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 5;

can be changed to

// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 1;

if you want reCaptcha to be shown after the first failed login (the default is 5).

Create MySQL table for the plugin

Connect to mysql either in a shell with the following command:

mysql --defaults-extra-file=/usr/local/directadmin/conf/my.cnf da_roundcube

Or use phpMyAdmin interface and choose DB with name da_roundcube.

Then run the following query:

CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  `first` DATETIME NOT NULL,
  `last` DATETIME NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;

quit;

Here is an example of a desirable output: “Query OK, 0 rows affected (0.03 sec)”, and in full it will look as the following:

MariaDB [da_roundcube]> CREATE TABLE `rcguard` (
    ->   `ip` VARCHAR(40) NOT NULL,
    ->   `first` DATETIME NOT NULL,
    ->   `last` DATETIME NOT NULL,
    ->   `hits` INT(10) NOT NULL,
    ->   PRIMARY KEY (`ip`),
    ->   INDEX `last_index` (`last`),
    ->   INDEX `hits_index` (`hits`)
    -> ) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
Query OK, 0 rows affected (0.03 sec)

MariaDB [da_roundcube]>
MariaDB [da_roundcube]> quit;
Bye

Updating Roundcube config

Now we need to modify RoundCube main configuration in order to let it work with the addon/plugin.

Register the plugin by modifying config.inc.php:

cd /var/www/html/roundcube/config/
vi ./config.inc.php

Find the line

$config['plugins'] = array(

and change it to:

$config['plugins'] = array(
    'rcguard',

Don’t forget to add a comma in the end of the line.

Protect your customization for future updates

For this you need to copy the plugin and updated config into a special folder of custombuild:

mkdir -p /usr/local/directadmin/custombuild/custom/roundcube/plugins/
cd /usr/local/directadmin/custombuild/custom/roundcube/
cp -r /var/www/html/roundcube/plugins/rcguard ./plugins/
cp -p /var/www/html/roundcube/config/config.inc.php .

Every time when you update a version of RoundCube with Directadmin you will still have the plugin enabled.

That’s it. Tags: directadminE-mailRoundcubepluginsSecurityreCaptcha

Posted on

Setup sftp user

List of user’s group
# groups username

# adduser username -g sftp -s /sbin/nologin
# passwd username

in general to add a new group

# groupadd

in general to add user to a group

#usermod -G group username

Open and add the following lines to /etc/ssh/sshd_config configuration file:

list of groups and its users
#  cat /etc/group

Subsystem sftp internal-sftp
 
   Match Group sftp
   ChrootDirectory /home/%u
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no


# systemctl restart sshd
OR
# service sshd restart

then check the user home directory permissions
# ls /home/ -ltra
in case run this
# chmod 755 /home/username/
# chown root:sftp /home/username/ -Rf
# chown username:sftp /home/username/basedir

I had this error when I tried to create folder in basedir:
mkdir /New directory: permission denied

after googlig a lot I found this here (Thanks):
# setsebool -P ssh_chroot_rw_homedirs on
# restorecon -R /home/username
After this, sftp works as expected, even when chrooted, without having to disable SELinux completely.

——other explanation——

This tutorial will help you to create SFTP only user (without ssh access) on CentOS and RedHat systems. The user can connect the server with SFTP access only and allowed to access the specified directory. User can’t SSH into the server. Follow the below tutorial to create sftp only account.

Step 1 – Create Account

First of all, create a user account to use for sftp access. Below command will create user named sftpuser with no shell access.

sudo adduser --shell /bin/false sftpuser
sudo passwd sftpuser

Step 2 – Create Directory

Now, create the directory structure to be accessible by sftp user.

sudo mkdir -p /var/sftp/files

Change the ownership of the files directory to sftp user. So that sftpuser can read and write on this directory.

sudo chown sftpuser:sftpuser /var/sftp/files

And set the owner and group owner of the /var/sftp to root. The root user has read/write access on this access. Group member and other account have only read and execute permissions.

sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp

Step 3 – Configure SSH for SFTP

Now edit the SSH configuration file in a text editor

sudo vim /etc/ssh/sshd_config

and add the following settings at end of file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the configuration and restart SSH service to apply changes.

sudo systemctl restart sshd.service
Posted on

How to check email in sql query

and c.email_address NOT REGEXP ‘[-a-z0-9~!$%^&=+}{\\’?]+(\.[-a-z0-9~!$%^&=+}{\\’?]+)@([a-z0-9_][-a-z0-9_](\.[-a-z0-9_]+)*\.(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|travel|mobi|[a-z][a-z])|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(:[0-9]{1,5})?’