Recently, I moved to Plesk to easily manage some websites. I discovered that plesk has some mail security things that could be improved.
That's why I'm going to discuss some things that you can do to make your Plesk mail more secure.
DKIM, SPF and DMARC using an external DNS server
DKIM (Domain Keys Identified Mail), SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are ways to secure your mail. You can easily enable these inside Plesk, but what if you want to use an external DNS server?
In that case, you need to do a little more complex stuff. Don't worry, here is a step by step guide.
First off all you need to create a public key that you will use for DKIM. Make sure DKIM is enabled inside Plesk first.
After you have enabled DKIM inside Plesk, you can SSH into your server. A great SSH client for windows is PuTTY. You can download it HERE.
Once you got a shell, run the following command:
# Replace example.com with your domain openssl rsa -in /etc/domainkeys/example.com/default -pubout -out public_dkim.key
Now run the following command and copy it's output to a temporary notepad on your current PC or laptop:
After you have copied the output of that command, you can remove the generated public key again from your server. You can do this by running:
The last part of the process of setting up DKIM, SPF and DMARC on an external DNS server is creating the DNS records on your domain. You need to add the following records to your domain:
v=spf1 mx a include:mail.example.com ~all
v=DMARC1; p=quarantine; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com;
The first item is for DKIM, please replace PUBLIC_KEY with the key you copied earlier. The second item is for SPF. This rule specifies which mail servers are allowed to send mail from your domain. Please change mail.example.com to your mail server address. The last rule is for DMARC. This rule specifies what the mail client should do when SPF or DKIM fails. This tells the client to move failed emails to the quarantine/spam folder and to send a report to firstname.lastname@example.org. You should change this email address to your own.
Save your changes and you're done!
It can take some time before DNS changes are visible.
Removing sensitive headers from your emails
Some mail clients "talk” too much. For example, some mail clients add information about your device, your public ip and more to your email. There is a simple tweak to remove these headers from your emails.
Start by connecting to your server using SSH. I'll be using nano as a text editor. To install nano on CentOS, run the following:
yum install nano
To install nano on Debian/Ubuntu, run the following:
apt-get update apt-get install -y nano
Now, open the postfix config file on your server by running:
Scroll all the way down by using the arrow keys and add the following two lines to the bottom of the file:
mime_header_checks = regexp:/etc/postfix/header_checks header_checks = regexp:/etc/postfix/header_checks
You can now save and close the file by pressing "CTRL + X” and "Y”.
Now you need to add some checks. To do this, open the header_checks file by running the following:
Insert the following at the bottom of the file:
/^Received:.*with ESMTPSA/ IGNORE /^X-Originating-IP:/ IGNORE /^X-Mailer:/ IGNORE
These 3 rules remove most sensitive data from your mail headers, like: the ip it has been sent from, device info, and the mail client used.
Close and save the file again using the same keyboard shortcuts.
Once your file is saved, you can reload postfix and rebuild the hash table by running the following two commands:
postmap /etc/postfix/header_checks postfix reload
And that's it. You have improved the security of your Plesk mail server!