install_postfix_advanced.sh,install_postfix_base.sh: comment deprecated parameter 'smtpd_tls_dh1024_param_file'.
This commit is contained in:
36
DOC/DMARC_Rejections_SOP.md
Normal file
36
DOC/DMARC_Rejections_SOP.md
Normal file
@@ -0,0 +1,36 @@
|
|||||||
|
# Analyse und Begründung von DMARC-Rejects
|
||||||
|
## (Postfix + OpenDMARC 1.4.2)
|
||||||
|
|
||||||
|
### 1. Zweck
|
||||||
|
Diese SOP beschreibt, wie DMARC-Rejects auf dem Mailserver revisionssicher analysiert und begründet werden, ohne die betroffene E-Mail anzunehmen oder erneut senden zu lassen.
|
||||||
|
|
||||||
|
### 2. Systemkontext
|
||||||
|
- MTA: Postfix
|
||||||
|
- DMARC-Filter: OpenDMARC 1.4.2
|
||||||
|
- SPF-Prüfung: policyd-spf
|
||||||
|
- DKIM-Prüfung: OpenDKIM
|
||||||
|
- Entscheidungspunkt: SMTP END-OF-MESSAGE
|
||||||
|
|
||||||
|
### 3. Grundprinzip
|
||||||
|
OpenDMARC loggt nur das Endergebnis der DMARC-Evaluation, nicht die Detailursachen. Die Ursache eines Rejects wird durch Log-Korrelation ermittelt.
|
||||||
|
|
||||||
|
### 4. Relevante Logquellen
|
||||||
|
- Postfix (SMTP-Rejects)
|
||||||
|
- policyd-spf (SPF-Ergebnis, identity)
|
||||||
|
- OpenDMARC (pass/fail/none pro Domain)
|
||||||
|
|
||||||
|
### 5. Entscheidungslogik
|
||||||
|
DMARC besteht nur, wenn mindestens ein Mechanismus DMARC-konform erfolgreich ist:
|
||||||
|
- SPF(mailfrom) aligned
|
||||||
|
- DKIM valid + aligned
|
||||||
|
|
||||||
|
SPF über HELO ist für DMARC nicht verwertbar.
|
||||||
|
|
||||||
|
### 6. Ableitungsregel
|
||||||
|
Wenn SPF nur über HELO erfolgreich war und DMARC fail meldet, muss DKIM fehlgeschlagen sein.
|
||||||
|
|
||||||
|
### 7. Revisionssichere Begründung
|
||||||
|
Die E-Mail wurde gemäß der DMARC-Policy der Absenderdomain abgelehnt, da keine DMARC-konforme Authentifizierung vorlag.
|
||||||
|
|
||||||
|
### 8. Referenzen
|
||||||
|
RFC 7489 (DMARC), RFC 7208 (SPF), RFC 6376 (DKIM)
|
||||||
BIN
DOC/DMARC_Rejections_SOP.pdf
Normal file
BIN
DOC/DMARC_Rejections_SOP.pdf
Normal file
Binary file not shown.
@@ -2126,7 +2126,9 @@ smtpd_tls_key_file = $_TLS_KEY_FILE
|
|||||||
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
|
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
|
||||||
## - also possible to use 2048 key with that parameter
|
## - also possible to use 2048 key with that parameter
|
||||||
## -
|
## -
|
||||||
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
|
## - DEPRECATED parameter-
|
||||||
|
## -
|
||||||
|
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
|
||||||
|
|
||||||
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
|
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
|
||||||
## -
|
## -
|
||||||
|
|||||||
@@ -929,7 +929,9 @@ smtpd_tls_key_file = $_TLS_KEY_FILE
|
|||||||
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
|
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
|
||||||
## - also possible to use 2048 key with that parameter
|
## - also possible to use 2048 key with that parameter
|
||||||
## -
|
## -
|
||||||
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
|
## - DEPRECATED parameter-
|
||||||
|
## -
|
||||||
|
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
|
||||||
|
|
||||||
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
|
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
|
||||||
## -
|
## -
|
||||||
|
|||||||
Reference in New Issue
Block a user