Skip to main content

3 posts tagged with "dmarc"

View All Tags

· 4 min read
Mauro D.

Today we are announcing the release of Stalwart Mail Server version 0.10.7, an update that brings two of the most requested features from our users: robust troubleshooting tools and support for external recipients on mailing lists. This update also introduces the ability to store emails and blobs on Azure Blob Storage, alongside several minor fixes and improvements. As always, this release reflects our commitment to implementing the features most requested by our community.

Advanced Troubleshooting

One of the key highlights of version 0.10.7 is the addition of comprehensive troubleshooting tools designed to help administrators diagnose and resolve email delivery and DMARC-related issues more efficiently.

The email delivery troubleshooting tool provides a step-by-step simulation of the email delivery process. Accessible through the Webadmin interface under Manage -> Troubleshoot -> Email Delivery, this tool allows administrators to test delivery paths for any email address or domain. It performs critical tasks like resolving MX records, retrieving IP addresses, validating MTA-STS and DANE policies, upgrading the connection to TLS, and verifying recipient availability. Importantly, this tool does not send actual emails but offers a detailed analysis of the delivery pipeline, displaying each step in real-time and flagging any issues that arise. This ensures that administrators can identify and address problems before they impact actual email traffic.

The DMARC troubleshooting tool is another powerful addition. Located under Manage -> Troubleshoot -> DMARC, it enables administrators to verify the DMARC setup for both local and remote domains. By simulating the server's authentication process, this tool checks SPF, DKIM, ARC, and DMARC policies while also verifying that the reverse PTR matches the SPF EHLO hostname. Administrators can input details such as the sender address, server IP, EHLO hostname, and optionally, the message body for detailed DKIM and ARC testing. This comprehensive tool mirrors the checks Stalwart performs when receiving emails, making it easier to identify and resolve policy compliance issues.

External Recipients

Another significant enhancement in version 0.10.7 is the ability to add external recipients to mailing lists. In previous versions, mailing lists were restricted to local recipients, limiting their flexibility. With this update, administrators can now include recipients from external domains in mailing lists, enabling broader collaboration and more versatile email distribution. This change reflects our commitment to making Stalwart Mail Server more adaptable to the diverse needs of our users.

Azure Blob Storage

In addition to the major feature updates, Stalwart Mail Server 0.10.7 introduces support for storing emails and blobs on Azure Blob Storage. This new capability provides users with greater flexibility in managing their data storage, especially for organizations already leveraging Azure's robust cloud infrastructure. The release also includes a range of minor fixes to improve overall stability and performance.

Looking Ahead

As we celebrate the release of version 0.10.7, we are already working on the next major feature: faster and improved spam filtering. This enhancement, another highly requested feature, will bring more effective tools to combat unwanted emails while ensuring legitimate messages are processed efficiently. We are eager to share more details in the coming weeks.

Shape the Future

Stalwart Mail Server continues to evolve based on feedback from our community. New features and improvements are implemented in the order of the votes they receive, ensuring that development aligns with the needs of our users. We invite you to visit our GitHub page to review the current list of enhancement requests and vote for the features you would like to see implemented next. You can find the list at GitHub Enhancement Requests.

Thank you for your ongoing support and feedback, which are instrumental in shaping Stalwart Mail Server into the reliable, user-focused solution it is today. We look forward to hearing your thoughts on version 0.10.7 and what you'd like to see in future releases!

· One min read
Mauro D.

It’s official! We are proud to announce the release of Stalwart SMTP, the next-generation email server solution written in Rust for businesses, organizations, and individuals alike.

Stalwart SMTP is a robust and secure email server that offers a comprehensive set of features to meet the needs of today’s demanding email communications. Whether you’re running a large enterprise or a small business, Stalwart SMTP is designed to handle the most complex email environments with ease.

One of the key features of Stalwart SMTP is its support for advanced email security protocols, including DMARC, DKIM, SPF, ARC, DANE, MTA-STS, and SMTP TLS reporting. This means that you can be sure that your emails are protected from spoofing and phishing attempts, and that your email messages are delivered securely to their intended recipients.

We are confident that Stalwart SMTP will meet the needs of businesses and organizations of all sizes, and we look forward to hearing your feedback and suggestions. To learn more about Stalwart SMTP, visit our website and start exploring the many features and benefits of this powerful email server solution.

· 3 min read
Mauro D.

Today the mail-auth library was released, which is an e-mail authentication and reporting library written in Rust that supports the DKIM, ARC, SPF and DMARC protocols. It is the Rust equivalent of OpenDKIM, OpenSPF, OpenARC and OpenDMARC combined in one library (as well as some extras such ARF support). mail-auth includes the following features:

  • DomainKeys Identified Mail (DKIM):
  • ED25519-SHA256 (Edwards-Curve Digital Signature Algorithm), RSA-SHA256 and RSA-SHA1 signing and verification.
  • DKIM Authorized Third-Party Signatures.
  • DKIM failure reporting using the Abuse Reporting Format.
  • Authenticated Received Chain (ARC):
  • ED25519-SHA256 (Edwards-Curve Digital Signature Algorithm), RSA-SHA256 and RSA-SHA1 chain verification.
  • ARC sealing.
  • Sender Policy Framework (SPF):
  • Policy evaluation.
  • SPF failure reporting using the Abuse Reporting Format.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC):
  • Policy evaluation.
  • DMARC aggregate report parsing and generation.
  • Abuse Reporting Format (ARF):
  • Abuse and Authentication failure reporting.
  • Feedback report parsing and generation.

DKIM Signature Verification

        // Create a resolver using Cloudflare DNS
        let resolver = Resolver::new_cloudflare_tls().unwrap();

        // Parse message
        let authenticated_message = AuthenticatedMessage::parse(RFC5322_MESSAGE.as_bytes()).unwrap();

        // Validate signature
        let result = resolver.verify_dkim(&authenticated_message).await;

        // Make sure all signatures passed verification
        assert!(result.iter().all(|s| s.result() == &DKIMResult::Pass));

DKIM Signing

        // Sign an e-mail message using RSA-SHA256
        let pk_rsa = PrivateKey::from_rsa_pkcs1_pem(RSA_PRIVATE_KEY).unwrap();
        let signature_rsa = Signature::new()
            .headers(["From", "To", "Subject"])
            .domain("example.com")
            .selector("default")
            .sign(RFC5322_MESSAGE.as_bytes(), &pk_rsa)
            .unwrap();

        // Sign an e-mail message using ED25519-SHA256
        let pk_ed = PrivateKey::from_ed25519(
            &base64_decode(ED25519_PUBLIC_KEY.as_bytes()).unwrap(),
            &base64_decode(ED25519_PRIVATE_KEY.as_bytes()).unwrap(),
        )
        .unwrap();
        let signature_ed = Signature::new()
            .headers(["From", "To", "Subject"])
            .domain("example.com")
            .selector("default-ed")
            .sign(RFC5322_MESSAGE.as_bytes(), &pk_ed)
            .unwrap();

        // Print the message including both signatures to stdout
        println!(
            "{}{}{}",
            signature_rsa.to_header(),
            signature_ed.to_header(),
            RFC5322_MESSAGE
        );

ARC Chain Verification

        // Create a resolver using Cloudflare DNS
        let resolver = Resolver::new_cloudflare_tls().unwrap();

        // Parse message
        let authenticated_message = AuthenticatedMessage::parse(RFC5322_MESSAGE.as_bytes()).unwrap();

        // Validate ARC chain
        let result = resolver.verify_arc(&authenticated_message).await;

        // Make sure ARC passed verification
        assert_eq!(result.result(), &DKIMResult::Pass);

ARC Chain Sealing

        // Create a resolver using Cloudflare DNS
        let resolver = Resolver::new_cloudflare_tls().unwrap();

        // Parse message to be sealed
        let authenticated_message = AuthenticatedMessage::parse(RFC5322_MESSAGE.as_bytes()).unwrap();

        // Verify ARC and DKIM signatures
        let arc_result = resolver.verify_arc(&authenticated_message).await;
        let dkim_result = resolver.verify_dkim(&authenticated_message).await;

        // Build Authenticated-Results header
        let auth_results = AuthenticationResults::new("mx.mydomain.org")
            .with_dkim_result(&dkim_result, "[email protected]")
            .with_arc_result(&arc_result, "127.0.0.1".parse().unwrap());

        // Seal message
        if arc_result.can_be_sealed() {
            // Seal the e-mail message using RSA-SHA256
            let pk_rsa = PrivateKey::from_rsa_pkcs1_pem(RSA_PRIVATE_KEY).unwrap();
            let arc_set = ARC::new(&auth_results)
                .domain("example.org")
                .selector("default")
                .headers(["From", "To", "Subject", "DKIM-Signature"])
                .seal(&authenticated_message, &arc_result, &pk_rsa)
                .unwrap();

            // Print the sealed message to stdout
            println!("{}{}", arc_set.to_header(), RFC5322_MESSAGE)
        } else {
            eprintln!("The message could not be sealed, probably an ARC chain with cv=fail was found.")
        }

SPF Policy Evaluation

        // Create a resolver using Cloudflare DNS
        let resolver = Resolver::new_cloudflare_tls().unwrap();

        // Verify HELO identity
        let result = resolver
            .verify_spf_helo("127.0.0.1".parse().unwrap(), "gmail.com")
            .await;
        assert_eq!(result.result(), SPFResult::Fail);

        // Verify MAIL-FROM identity
        let result = resolver
            .verify_spf_sender("::1".parse().unwrap(), "gmail.com", "[email protected]")
            .await;
        assert_eq!(result.result(), SPFResult::Fail);

DMARC Policy Evaluation

        // Create a resolver using Cloudflare DNS
        let resolver = Resolver::new_cloudflare_tls().unwrap();

        // Verify DKIM signatures
        let authenticated_message = AuthenticatedMessage::parse(RFC5322_MESSAGE.as_bytes()).unwrap();
        let dkim_result = resolver.verify_dkim(&authenticated_message).await;

        // Verify SPF MAIL-FROM identity
        let spf_result = resolver
            .verify_spf_sender("::1".parse().unwrap(), "example.org", "[email protected]")
            .await;

        // Verify DMARC
        let dmarc_result = resolver
            .verify_dmarc(
                &authenticated_message,
                &dkim_result,
                "example.org",
                &spf_result,
            )
            .await;
        assert_eq!(dmarc_result.dkim_result(), &DMARCResult::Pass);
        assert_eq!(dmarc_result.spf_result(), &DMARCResult::Pass);

More examples available on Github under the examples directory.