Securing email of your domain against spam and phishing

Securing your domain's email against spam and phishing has two aspects:

  1. You need a signing key (DKIM) with which all outgoing email is signed.
  2. You need to publish via DNS records the public half of that key, together with a policy stating which hosts may send mail for your domain (SPF) and what receivers should do with mail from your domain that fails authentication (DMARC).

Hosting your domain's email on Google Apps makes it fairly easy to authenticate your outgoing mail and to make it hard for spammers and phishers to spoof your domain. You will also need a DNS provider that lets you add the handful of TXT records involved.

Below are three articles from Google Apps that cover what you need to do. They are not limited to Google Apps hosted email and are informative in general:

  • Authenticate email with DKIM. How to enable DKIM signing for Google Apps email and publish the public key in a DNS TXT record (the DKIM selector record).

  • Identify spam messages with SPF records. How to create the DNS TXT record for your SPF policy, which lists the hosts (your mail servers or email gateway) authorized to send mail for your domain, so that receivers can tell your senders from spoofers.

  • Prevent outgoing spam with DMARC. The DNS TXT record (published at _dmarc.yourdomain) that tells receivers what to do with mail claiming to be from your domain when it fails DMARC, that is, when it passes neither SPF nor DKIM with a domain aligned to the From header, and where to send aggregate reports.

Finally, when all records are in place, use Google Apps Toolbox - Check MX to validate your domain's MX, SPF, DKIM and DMARC records.
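
As an added example (not code from the Google articles above), the following Python shows offline what these records mean to a receiver: an SPF parser that flags the misconfigurations receivers punish and attackers exploit (more than 10 DNS lookups, a `+all`, a missing `all` term), a DMARC tag parser, and the receiver-side DMARC decision for a given From domain and SPF/DKIM results. The sample records and host names are constructed, and relaxed alignment is approximated by subdomain matching instead of the public-suffix based Organizational Domain lookup of RFC 7489.

```python
"""Offline checks for SPF and DMARC TXT records plus the DMARC evaluation a
receiver performs. Sample records are constructed for illustration."""

# Constructed sample records (not real DNS data); the host names are placeholders.
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:spf.example-gateway.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r"

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4 allows at most 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return ([(qualifier, mechanism, argument)], {modifier: value})."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                      # modifier, e.g. redirect=_spf.example.com
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                      # default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.split("/")[0].lower(), arg))
    return mechanisms, modifiers


def spf_findings(record):
    """Misconfigurations a receiver would punish or an attacker would exploit."""
    mechanisms, modifiers = parse_spf(record)
    findings = []
    lookups = sum(1 for _, name, _ in mechanisms if name in LOOKUP_TERMS)
    lookups += sum(1 for name in modifiers if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10: receivers return permerror")
    for qualifier, name, _ in mechanisms:
        if name == "all" and qualifier == "+":
            findings.append("'+all' authorises any host on the internet to send as this domain")
        if name == "ptr":
            findings.append("'ptr' is deprecated and slow (RFC 7208 section 5.5)")
    if "redirect" not in modifiers and not any(name == "all" for _, name, _ in mechanisms):
        findings.append("no 'all' term: unlisted senders evaluate to neutral rather than fail")
    return findings


def parse_dmarc(record):
    """Return the tag dictionary of a DMARC record; 'v' and 'p' are mandatory."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and a p= tag)")
    return tags


def aligned(header_from, auth_domain, mode):
    """Identifier alignment. Strict ('s') needs an exact match; relaxed ('r') is
    approximated here as same domain or subdomain (RFC 7489 uses the
    Organizational Domain, which needs a public-suffix list)."""
    header_from, auth_domain = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return header_from == auth_domain
    return (header_from == auth_domain
            or header_from.endswith("." + auth_domain)
            or auth_domain.endswith("." + header_from))


def dmarc_disposition(tags, header_from, spf_domain=None, dkim_domain=None):
    """What a receiver does with a message. spf_domain is the MAIL FROM domain
    that passed SPF (None if SPF failed); dkim_domain is the d= of a verified
    DKIM signature (None if none verified). DMARC passes if either is aligned."""
    spf_ok = spf_domain is not None and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]                         # none / quarantine / reject


if __name__ == "__main__":
    print(spf_findings(SAMPLE_SPF))
    tags = parse_dmarc(SAMPLE_DMARC)
    # Forwarded mail: SPF fails at the forwarder's IP, but the DKIM signature survives.
    print(dmarc_disposition(tags, "example.com", spf_domain=None, dkim_domain="example.com"))
    # Spoofed mail from an unrelated domain that passes only its own SPF.
    print(dmarc_disposition(tags, "example.com", spf_domain="attacker.test", dkim_domain=None))
```

The two cases in the `__main__` block are the ones worth understanding before moving a DMARC policy from `p=none` to `quarantine` or `reject`: forwarded mail survives because DKIM still aligns, while a spoofer's own SPF pass does not help them because their domain does not align with your From header.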

Switched to jekyll and CloudFlare

Dreamhost has been a great host for many years, but these days there are other options for hosting a plain blog like this one, which makes paying ~$50 for two years' hosting feel like too much.

So I finally converted to a jekyll + github-pages setup and use a free plan from CloudFlare to front the blog with HTTPS. To do its job, CloudFlare also becomes the authoritative DNS server for my domain.

CloudFlare for this site now runs in Full SSL mode, which means TLS is used both between visitors and the CloudFlare CDN and between CloudFlare and github-pages. In Full mode CloudFlare encrypts the hop to the origin but does not validate the origin's certificate, so that hop is protected against passive interception only.

I cannot run Full (strict) mode, which would require CloudFlare to validate its connection to github-pages against a server certificate for my domain, because github-pages only serves HTTPS with a certificate for github.com/github.io.

Switched to HTTPS/TLS

Thanks to Dreamhost and Let’s Encrypt, this WordPress site is now serving over HTTPS only.

Switching to HTTPS with Dreamhost and Let's Encrypt was pretty straightforward and took about an hour at most, thanks to the nice guide by Aaron. I didn't see some of the PHP trouble he describes; it may well be that Dreamhost has since updated the default PHP configuration for hosted sites.

The procedure I took was:

  1. Update WordPress and all plugins to the latest versions.
  2. Back up your database.
  3. Enable "Secure Hosting" on the Dreamhost Panel.
  4. Add an .htaccess with Aaron's excellent permanent redirect from HTTP to HTTPS:

     <IfModule mod_rewrite.c>
     # enable Rewrite
     RewriteEngine On
     # make sure not already HTTPS
     RewriteCond %{HTTPS} !=on
     # redirect from original to same location using HTTPS
     RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
     </IfModule>
    
  5. Clean up the database by replacing all local references with HTTPS, using the SQL from Aaron's guide (replace domainname with your own). Two caveats: wp_sitemeta exists only on multisite installs, and a plain REPLACE over wp_options and wp_postmeta corrupts values stored as PHP-serialized arrays, because 'https://' is one byte longer than 'http://' and the embedded string lengths (s:N:"...") no longer match, so PHP silently drops those values. Check such rows afterwards or use a serialization-aware tool for them.

     UPDATE wp_comments SET comment_author_url = replace(comment_author_url, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_comments SET comment_content = replace(comment_content, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_options SET option_value = replace(option_value, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_postmeta SET meta_value = replace(meta_value, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_posts SET post_content = replace(post_content, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_posts SET guid = replace(guid, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_sitemeta SET meta_value = replace(meta_value, 'http://domainname.com', 'https://domainname.com');
    
  6. Where possible, update external references to HTTPS as well (e.g., load Google Fonts over https:// rather than http://), since any http:// resource on an HTTPS page is mixed content that browsers block or warn about.
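
The serialized-data problem in step 5 is easy to see with a small example. The following Python is an added illustration, not part of Aaron's guide or of WordPress: it performs the http-to-https replacement while recomputing the `s:N:` length prefixes of PHP-serialized strings, and includes a consistency check that shows why the naive SQL REPLACE breaks such rows. The sample row values and the domainname placeholder are constructed.

```python
"""Search-and-replace http:// -> https:// that keeps PHP-serialized data valid.
WordPress stores arrays in wp_options/wp_postmeta as PHP serialize() output,
where every string carries its byte length (s:N:"..."), so a plain SQL REPLACE
that lengthens 'http://' to 'https://' leaves N wrong and PHP drops the value."""
import re

SERIALIZED_STRING = re.compile(rb's:(\d+):"')


def replace_fix_serialized(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new everywhere, recomputing the s:N: length of any
    PHP-serialized string the replacement touches. Plain text passes through."""
    out, pos = bytearray(), 0
    while True:
        m = SERIALIZED_STRING.search(data, pos)
        if m is None:
            out += data[pos:].replace(old, new)
            return bytes(out)
        out += data[pos:m.start()].replace(old, new)
        length, body_start = int(m.group(1)), m.end()
        body_end = body_start + length
        if data[body_end:body_end + 2] != b'";':
            # 's:N:"' that is not a well-formed serialized string (e.g. in prose):
            # copy the marker literally and keep scanning after it.
            out += data[m.start():m.end()]
            pos = m.end()
            continue
        body = data[body_start:body_end].replace(old, new)
        out += b's:%d:"' % len(body) + body + b'";'
        pos = body_end + 2


def serialized_strings_consistent(data: bytes) -> bool:
    """True if every s:N:"..." in data is followed by '";' exactly N bytes later,
    i.e. the recorded lengths still match the contents."""
    pos = 0
    while True:
        m = SERIALIZED_STRING.search(data, pos)
        if m is None:
            return True
        body_end = m.end() + int(m.group(1))
        if data[body_end:body_end + 2] != b'";':
            return False
        pos = body_end + 2


# Constructed sample values, shaped like wp_options.option_value and wp_posts.post_content.
SAMPLE_OPTION = (b'a:2:{s:4:"home";s:21:"http://domainname.com";'
                 b's:7:"siteurl";s:24:"http://domainname.com/wp";}')
SAMPLE_POST = b'<a href="http://domainname.com/about">About</a>'

OLD, NEW = b"http://domainname.com", b"https://domainname.com"

if __name__ == "__main__":
    naive = SAMPLE_OPTION.replace(OLD, NEW)          # what the SQL REPLACE does
    print("naive REPLACE still valid:", serialized_strings_consistent(naive))
    fixed = replace_fix_serialized(SAMPLE_OPTION, OLD, NEW)
    print("length-aware replace valid:", serialized_strings_consistent(fixed))
    print(fixed.decode())
    print(replace_fix_serialized(SAMPLE_POST, OLD, NEW).decode())
```

In practice, WP-CLI's `wp search-replace` does this length fix-up for you across all tables; the point of the script is to show what goes wrong with the raw SQL and what a correct fix has to do.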

Link: Defensive Bash Programming (2012)

Simple principles nicely put together:

http://www.kfirlavi.com/blog/2012/11/14/defensive-bash-programming

Link: Convert keys between GnuPG, OpenSsh and OpenSSL

From Convert keys between GnuPG, OpenSsh and OpenSSL:

OpenSSL to OpenSSH

The private key format is the same between OpenSSL and OpenSSH, so you just have to rename your OpenSSL key:

  cp myid.key id_rsa

In OpenSSL there is no specific file for the public key (public keys are generally embedded in certificates). However, you can extract the public key from the private key file:

  ssh-keygen -y -f  myid.key > id_rsa.pub

[Update] Also, producing from an OpenSSH private key a self-signed X.509 certificate in .pem format, which is the format required by Microsoft Azure VMs. The key has to be in PEM (RSA PRIVATE KEY) format for openssl to read it; -subj avoids the interactive prompts for the certificate subject, and since -key supplies the key, no -newkey is needed:

  openssl req -x509 -new -key ~/.ssh/id_rsa -days 365 -subj "/CN=mykey" -out myCert.pem
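
The claim above that OpenSSL needs no separate public-key file because the public key is embedded in the private key is easiest to see at the encoding level. The following Python is an added example, not code from the quoted article or from OpenSSH: it builds a PKCS#1 RSAPrivateKey PEM (the 'BEGIN RSA PRIVATE KEY' format), reads the public (n, e) back out of it, and emits the OpenSSH 'ssh-rsa ...' line, which is what `ssh-keygen -y` does. The toy key parameters are constructed textbook values and are not secure; the DER and SSH wire encoders are written out here rather than taken from a library.

```python
"""What `ssh-keygen -y` does: read the public half (n, e) out of a PKCS#1
'RSA PRIVATE KEY' PEM and emit it as an OpenSSH 'ssh-rsa ...' line.
The toy key used below is constructed for illustration and is not secure."""
import base64
import re


def der_len(n):
    """DER length octets, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(value):
    # Minimal two's complement: an extra 0x00 byte when the high bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def pkcs1_private_key_pem(n, e, d, p, q):
    """RSAPrivateKey (RFC 8017 A.1.2), the structure inside OpenSSL's
    'BEGIN RSA PRIVATE KEY' files; the CRT parameters are derived here."""
    der = der_seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
                  der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n"


def read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length


def rsa_public_from_pkcs1_pem(pem):
    """(n, e) are the 2nd and 3rd INTEGERs of the sequence, which is why OpenSSL
    needs no separate public-key file. Keys in the newer 'BEGIN OPENSSH PRIVATE
    KEY' format are not PKCS#1 and are rejected here."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if m is None:
        raise ValueError("not a PEM PKCS#1 RSA key; convert OPENSSH-format keys first")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while len(ints) < 3:
        tag, value, pos = read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(value, "big"))
    version, n, e = ints
    if version != 0:
        raise ValueError("unsupported RSAPrivateKey version")
    return n, e


def ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(value):
    # RFC 4251 mpint: same sign rule as a DER INTEGER, inside a length-prefixed string.
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def openssh_public_line(n, e, comment=""):
    """'ssh-rsa <base64 blob> [comment]'; the blob is string("ssh-rsa"), mpint(e), mpint(n)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + (" " + comment if comment else "")


def parse_openssh_public_line(line):
    """Inverse of openssh_public_line: decode the blob back into (n, e)."""
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):
        length = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


if __name__ == "__main__":
    # Textbook toy RSA key (p=61, q=53): fine for showing the encodings, useless for security.
    pem = pkcs1_private_key_pem(3233, 17, 2753, 61, 53)
    n, e = rsa_public_from_pkcs1_pem(pem)
    print(pem + openssh_public_line(n, e, "toy-key"))
```

Note the caveat the parser enforces: the "same format" statement in the quoted article holds for PEM-encoded PKCS#1 keys, while newer OpenSSH versions write their own 'BEGIN OPENSSH PRIVATE KEY' container by default, which neither OpenSSL nor this parser reads; `ssh-keygen -p -m PEM -f id_rsa` rewrites such a key in PEM format.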

Contents on this site are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.