# DavMail settings, see http://davmail.sourceforge.net/ for documentation
+# DavMail settings, see http://davmail.sourceforge.net/ for documentation
-#############################################################
-# Basic settings
+#############################################################
+# Basic settings
-# Server or workstation mode
-davmail.server=true
+# Server or workstation mode
+davmail.server=true
-# connection mode auto, EWS or WebDav
-davmail.enableEws=auto
+# connection mode auto, EWS or WebDav
+davmail.enableEws=auto
-# base Exchange OWA or EWS url
-davmail.url=https://outlook.office365.com/EWS/Exchange.asmx
+# base Exchange OWA or EWS url
+davmail.url=https://outlook.office365.com/EWS/Exchange.asmx
-# Listener ports
-davmail.imapPort=1143
+# Listener ports
+davmail.imapPort=1143
-#############################################################
-# Network settings
+#############################################################
+# Network settings
-# Network proxy settings
-davmail.enableProxy=false
-davmail.useSystemProxies=false
-davmail.proxyHost=
-davmail.proxyPort=
-davmail.proxyUser=
-davmail.proxyPassword=
+# Network proxy settings
+davmail.enableProxy=false
+davmail.useSystemProxies=false
+davmail.proxyHost=
+davmail.proxyPort=
+davmail.proxyUser=
+davmail.proxyPassword=
-# proxy exclude list
-davmail.noProxyFor=
+# proxy exclude list
+davmail.noProxyFor=
-# block remote connection to DavMail
-davmail.allowRemote=false
+# block remote connection to DavMail
+davmail.allowRemote=false
-# bind server sockets to the loopback address
-davmail.bindAddress=127.0.0.1
+# bind server sockets to the loopback address
+davmail.bindAddress=127.0.0.1
-# disable SSL for specified listeners
-davmail.ssl.nosecureimap=true
+# disable SSL for specified listeners
+davmail.ssl.nosecureimap=true
-# Send keepalive character during large folder and messages download
-davmail.enableKeepalive=true
+# Send keepalive character during large folder and messages download
+davmail.enableKeepalive=true
-# Message count limit on folder retrieval
-davmail.folderSizeLimit=0
+# Message count limit on folder retrieval
+davmail.folderSizeLimit=0
-#############################################################
-# IMAP settings
+#############################################################
+# IMAP settings
-# Delete messages immediately on IMAP STORE \Deleted flag
-davmail.imapAutoExpunge=true
+# Delete messages immediately on IMAP STORE \Deleted flag
+davmail.imapAutoExpunge=true
-# Enable IDLE support, set polling delay in minutes
-davmail.imapIdleDelay=1
+# Enable IDLE support, set polling delay in minutes
+davmail.imapIdleDelay=1
-# Always reply to IMAP RFC822.SIZE requests with Exchange approximate
-# message size for performance reasons
-davmail.imapAlwaysApproxMsgSize=true
+# Always reply to IMAP RFC822.SIZE requests with Exchange approximate
+# message size for performance reasons
+davmail.imapAlwaysApproxMsgSize=true
-# Client connection timeout in seconds - default 300, 0 to disable
-davmail.clientSoTimeout=0
+# Client connection timeout in seconds - default 300, 0 to disable
+davmail.clientSoTimeout=0
-#############################################################
+#############################################################
-
Running DavMail as a systemd service
+
+Running DavMail as a systemd service
Use systemd to run davmail as a service.
Create a system user
sudo useradd davmail -r -s /bin/false
@@ -945,21 +873,21 @@ sudo chmod u=rw,g
sudo nano /etc/systemd/system/davmail.service
[Unit]
-Description=DavMail gateway service
-Documentation=https://sourceforge.net/projects/davmail/
-Wants=network-online.target
-After=syslog.target network.target
+[Unit]
+Description=DavMail gateway service
+Documentation=https://sourceforge.net/projects/davmail/
+Wants=network-online.target
+After=syslog.target network.target
-[Service]
-ExecStart=/opt/davmail/davmail /opt/davmail/davmail.properties
-User=davmail
-Group=davmail
-Restart=always
-RestartSec=5m
+[Service]
+ExecStart=/opt/davmail/davmail /opt/davmail/davmail.properties
+User=davmail
+Group=davmail
+Restart=always
+RestartSec=5m
-[Install]
-WantedBy=multi-user.target
+[Install]
+WantedBy=multi-user.target
Then, enable the service
@@ -972,7 +900,7 @@ sudo service davmail restart
Note
You must also run the above commands whenever you edit
davmail.service.
-
+
Warning
Always restart the service every time you upgrade to a new version of
@@ -980,7 +908,7 @@ sudo service davmail restart
sudo service davmail restart
-
+
To check the status of the service, run:
@@ -994,33 +922,33 @@ current process (newest to oldest), run:
journalctl -u davmail.service -r
-
-
-
Configuring parsedmarc for DavMail
+
+
+
+Configuring parsedmarc for DavMail
Because you are interacting with DavMail server over the loopback
(i.e. 127.0.0.1), add the following options to parsedmarc.ini
config file:
-[imap]
-host=127.0.0.1
-port=1143
-ssl=False
-watch=True
+[imap]
+host=127.0.0.1
+port=1143
+ssl=False
+watch=True
-
-
Elasticsearch and Kibana
+
+
+
+Elasticsearch and Kibana
Note
Splunk is also supported starting with parsedmarc 4.3.0
-
+
To set up visual dashboards of DMARC data, install Elasticsearch and Kibana.
Note
Elasticsearch and Kibana 6 or later are required
-
+
On Debian/Ubuntu based systems, run:
+
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl enable kibana.service
@@ -1101,39 +1029,39 @@ sudo chmod -R u=rX,gsudo nano /etc/nginx/sites-available/kibana
-
server {
- listen 443 ssl http2;
- ssl_certificate /etc/nginx/ssl/kibana.crt;
- ssl_certificate_key /etc/nginx/ssl/kibana.key;
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
+server {
+ listen 443 ssl http2;
+ ssl_certificate /etc/nginx/ssl/kibana.crt;
+ ssl_certificate_key /etc/nginx/ssl/kibana.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
- # modern configuration. tweak to your needs.
- ssl_protocols TLSv1.2;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
+ # modern configuration. tweak to your needs.
+ ssl_protocols TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
- # Uncomment this next line if you are using a signed, trusted cert
- #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
- auth_basic "Login required";
- auth_basic_user_file /etc/nginx/htpasswd;
+ # Uncomment this next line if you are using a signed, trusted cert
+ #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ auth_basic "Login required";
+ auth_basic_user_file /etc/nginx/htpasswd;
- location / {
- proxy_pass http://127.0.0.1:5601;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}
+ location / {
+ proxy_pass http://127.0.0.1:5601;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
-server {
- listen 80;
- return 301 https://$host$request_uri;
-}
+server {
+ listen 80;
+ return 301 https://$host$request_uri;
+}
Enable the nginx configuration for Kibana:
@@ -1165,8 +1093,8 @@ breaks them, as there are no permissions/access controls in Kibana without
the commercial X-Pack.
-
-
Upgrading Kibana index patterns
+
+Upgrading Kibana index patterns
parsedmarc 5.0.0 makes some changes to the way data is indexed in
Elasticsearch. if you are upgrading from a previous release of
parsedmarc, you need to complete the following steps to replace the
@@ -1183,17 +1111,17 @@ the latest version of export.ndjson by clicking Import from the Kibana
Saved Objects page
-
-
Records retention
+
+
+Records retention
Starting in version 5.0.0, parsedmarc stores data in a separate
index for each day to make it easy to comply with records
retention regulations such as GDPR. For fore information,
check out the Elastic guide to managing time-based indexes efficiently.
-
-
-
Splunk
+
+
+
+Splunk
Starting in version 4.3.0 parsedmarc supports sending aggregate and/or
forensic DMARC data to a Splunk HTTP Event collector (HEC).
The project repository contains XML files for premade Splunk dashboards for
@@ -1204,13 +1132,13 @@ editor.
Warning
Change all occurrences of index="email" in the XML to
match your own index name.
-
+
The Splunk dashboards display the same content and layout as the Kibana
dashboards, although the Kibana dashboards have slightly easier and more
flexible filtering options.
-
-
-
Running parsedmarc as a systemd service
+
+
+Running parsedmarc as a systemd service
Use systemd to run parsedmarc as a service and process reports as they
arrive.
Create a system user
@@ -1226,21 +1154,21 @@ sudo chmod u=rw,g
sudo nano /etc/systemd/system/parsedmarc.service
[Unit]
-Description=parsedmarc mailbox watcher
-Documentation=https://domainaware.github.io/parsedmarc/
-Wants=network-online.target
-After=network.target network-online.target elasticsearch.service
+[Unit]
+Description=parsedmarc mailbox watcher
+Documentation=https://domainaware.github.io/parsedmarc/
+Wants=network-online.target
+After=network.target network-online.target elasticsearch.service
-[Service]
-ExecStart=/usr/local/bin/parsedmarc -c /etc/parsedmarc.ini
-User=parsedmarc
-Group=parsedmarc
-Restart=always
-RestartSec=5m
+[Service]
+ExecStart=/usr/local/bin/parsedmarc -c /etc/parsedmarc.ini
+User=parsedmarc
+Group=parsedmarc
+Restart=always
+RestartSec=5m
-[Install]
-WantedBy=multi-user.target
+[Install]
+WantedBy=multi-user.target
Then, enable the service
@@ -1253,7 +1181,7 @@ sudo service parsedmarc restart
Note
You must also run the above commands whenever you edit
parsedmarc.service.
-
+
Warning
Always restart the service every time you upgrade to a new version of
@@ -1261,7 +1189,7 @@ sudo service parsedmarc restart
sudo service parsedmarc restart
-
+
To check the status of the service, run:
service parsedmarc status
@@ -1275,20 +1203,20 @@ current process (newest to oldest), run:
journalctl -u parsedmarc.service -r
-
-
-
-
Using the Kibana dashboards
+
+
+
+
+Using the Kibana dashboards
The Kibana DMARC dashboards are a human-friendly way to understand the results
from incoming DMARC reports.
Note
The default dashboard is DMARC Summary. To switch between dashboards,
click on the Dashboard link in the left side menu of Kibana.
-
-
-
DMARC Summary
+
+
+DMARC Summary
As the name suggests, this dashboard is the best place to start reviewing your
aggregate DMARC data.
Across the top of the dashboard, three pie charts display the percentage of
@@ -1299,7 +1227,7 @@ will filter for that value.
Messages should not be considered malicious just because they failed to pass
DMARC; especially if you have just started collecting data. It may be a
legitimate service that needs SPF and DKIM configured correctly.
-Start by filtering the results to only show failed DKIM alignment. While DMARC
passes if a message passes SPF or DKIM alignment, only DKIM alignment remains
valid when a message is forwarded without changing the from address, which is
@@ -1330,7 +1258,7 @@ emails from an old account to a new account, which is why DKIM
authentication is so important, as mentioned earlier. Similar patterns may
be observed with businesses who send from reverse DNS addressees of
parent, subsidiary, and outdated brands.
-
+
Further down the dashboard, you can filter by source country or source IP
address.
Tables showing SPF and DKIM alignment details are located under the IP address
@@ -1340,12 +1268,12 @@ table.
Previously, the alignment tables were included in a separate dashboard
called DMARC Alignment Failures. That dashboard has been consolidated into
the DMARC Summary dashboard. To view failures only, use the pie chart.
-
Any other filters work the same way. You can also add your own custom temporary
filters by clicking on Add Filter at the upper right of the page.
-
-
DMARC Forensic Samples
+
+
+DMARC Forensic Samples
The DMARC Forensic Samples dashboard contains information on DMARC forensic
reports (also known as failure reports or ruf reports). These reports contain
samples of emails that have failed to pass DMARC.
@@ -1354,21 +1282,16 @@ samples of emails that have failed to pass DMARC.
Most recipients do not send forensic/failure/ruf reports at all to avoid
privacy leaks. Some recipients (notably Chinese webmail services) will only
supply the headers of sample emails. Very few provide the entire email.
-
-
-
DMARC Alignment Guide
+
+
+
+
+DMARC Alignment Guide
DMARC ensures that SPF and DKM authentication mechanisms actually authenticate
against the same domain that the end user sees.
A message passes a DMARC check by passing DKIM or SPF, as long as the related
indicators are also in alignment.
-
-
-
-
-
|
DKIM |
@@ -1404,9 +1327,9 @@ header
-
-
-
What if a sender won’t support DKIM/DMARC?
+
+
+What if a sender won’t support DKIM/DMARC?
Some vendors don’t know about DMARC yet; ask about SPF and DKIM/email
authentication.
Do not alter the p or sp values of the DMARC record on the
Top-Level Domain (TLD) – that would leave you vulnerable to spoofing of
your TLD and/or any subdomain.
-
-
-
What about mailing lists?
+
+
+
+What about mailing lists?
When you deploy DMARC on your domain, you might find that messages relayed by
mailing lists are failing DMARC, most likely because the mailing list is
spoofing your from address, and modifying the subject, footer, or other part
of the message, thereby breaking the DKIM signature.
-
-
Mailing list list best practices
+
+Mailing list list best practices
Ideally, a mailing list should forward messages without altering the headers
or body content at all. Joe Nelson does a fantastic job of explaining exactly
what mailing lists should and shouldn’t do to be fully DMARC compliant.
@@ -1473,14 +1396,10 @@ list.
tell that a message came from the mailing list, because the message was sent
to the mailing list post address, and not their email address.
Configuration steps for common mailing list platforms are listed below.
-
-
Mailman 2
+
+Mailman 2
Navigate to General Settings, and configure the settings below
-
-
-
-
Setting |
Value |
@@ -1510,10 +1429,6 @@ to the mailing list post address, and not their email address.
Navigate to Non-digest options, and configure the settings below
-
-
-
-
Setting |
Value |
@@ -1531,10 +1446,6 @@ to the mailing list post address, and not their email address.
Navigate to Privacy Options> Sending Filters, and configure the settings below
-
-
-
-
Setting |
Value |
@@ -1550,18 +1461,14 @@ to the mailing list post address, and not their email address.
-
-
Mailman 3
+
+
+Mailman 3
Navigate to Settings> List Identity
Make Subject prefix blank.
Navigate to Settings> Alter Messages
Configure the settings below
-
-
-
-
Setting |
Value |
@@ -1589,10 +1496,6 @@ to the mailing list post address, and not their email address.
Navigate to Settings> DMARC Mitigation
Configure the settings below
-
-
-
-
Setting |
Value |
@@ -1614,24 +1517,20 @@ command line instead, for example:
Where list.example.com the list ID, and en is the language.
Then restart mailman core.
-
-
-
-
Workarounds
+
+
+
+Workarounds
If a mailing list must go against best practices and
modify the message (e.g. to add a required legal footer), the mailing
list administrator must configure the list to replace the From address of the
message (also known as munging) with the address of the mailing list, so they
no longer spoof email addresses with domains protected by DMARC.
Configuration steps for common mailing list platforms are listed below.
-
-
Mailman 2
+
+Mailman 2
Navigate to Privacy Options> Sending Filters, and configure the settings below
-
-
-
-
Setting |
Value |
@@ -1657,16 +1556,12 @@ clients.
accidentally reply to the entire list, when they only intended to reply to
the original sender.
Choose the option that best fits your community.
-
-
-
-
Mailman 3
+
+
+
+Mailman 3
In the DMARC Mitigations tab of the Settings page, configure the settings below
-
-
-
-
Setting |
Value |
@@ -1688,49 +1583,49 @@ clients.
On the other hand, replacing the From address might cause users to
accidentally reply to the entire list, when they only intended to reply to
the original sender.
-
-
-
-
LISTSERV
+
+
+
+LISTSERV
LISTSERV 16.0-2017a and higher will rewrite the From header for domains
that enforce with a DMARC quarantine or reject policy.
Some additional steps are needed for Linux hosts.
-
-
API
+
+
+
+
+API
A Python package for parsing DMARC reports
-
-exception parsedmarc.InvalidAggregateReport[source]
+exception parsedmarc.InvalidAggregateReport[source]
Raised when an invalid DMARC aggregate report is encountered
-
-exception parsedmarc.InvalidDMARCReport[source]
+exception parsedmarc.InvalidDMARCReport[source]
Raised when an invalid DMARC report is encountered
-
-exception parsedmarc.InvalidForensicReport[source]
+exception parsedmarc.InvalidForensicReport[source]
Raised when an invalid DMARC forensic report is encountered
-
-exception parsedmarc.ParserError[source]
+exception parsedmarc.ParserError[source]
Raised whenever the parser fails for some reason
-
-parsedmarc.email_results(results, host, mail_from, mail_to, mail_cc=None, mail_bcc=None, port=0, require_encryption=False, verify=True, username=None, password=None, subject=None, attachment_filename=None, message=None)[source]
+parsedmarc.email_results(results, host, mail_from, mail_to, mail_cc=None, mail_bcc=None, port=0, require_encryption=False, verify=True, username=None, password=None, subject=None, attachment_filename=None, message=None)[source]
Emails parsing results as a zip file
-- Parameters
+- Parameters:
-
Indices and tables
+
+
+
-
-
-
-
-