{"id":874,"date":"2016-03-15T11:35:55","date_gmt":"2016-03-15T11:35:55","guid":{"rendered":"http:\/\/esferas.org\/msqlu\/?p=874"},"modified":"2016-03-15T11:44:28","modified_gmt":"2016-03-15T11:44:28","slug":"servidor-de-correo-electronico-en-debian","status":"publish","type":"post","link":"https:\/\/esferas.org\/msqlu\/2016\/03\/15\/servidor-de-correo-electronico-en-debian\/","title":{"rendered":"Servidor de correo electr\u00f3nico en Debian"},"content":{"rendered":"<div class='__iawmlf-post-loop-links' style='display:none;' data-iawmlf-post-links='[{&quot;id&quot;:1016,&quot;href&quot;:&quot;https:\\\/\\\/es.wikipedia.org\\\/wiki\\\/B%C3%BAsqueda_DNS_inversa&quot;,&quot;archived_href&quot;:&quot;&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[],&quot;broken&quot;:false,&quot;last_checked&quot;:null,&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:393,&quot;href&quot;:&quot;https:\\\/\\\/es.wikipedia.org\\\/wiki\\\/Sender_Policy_Framework&quot;,&quot;archived_href&quot;:&quot;https:\\\/\\\/web-wp.archive.org\\\/web\\\/20260415121616\\\/https:\\\/\\\/es.wikipedia.org\\\/wiki\\\/Sender_Policy_Framework&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[{&quot;date&quot;:&quot;2026-04-21 03:17:27&quot;,&quot;http_code&quot;:429}],&quot;broken&quot;:false,&quot;last_checked&quot;:{&quot;date&quot;:&quot;2026-04-21 03:17:27&quot;,&quot;http_code&quot;:429},&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1017,&quot;href&quot;:&quot;https:\\\/\\\/www.digitalocean.com\\\/community\\\/tutorials\\\/how-to-create-a-spf-record-for-your-domain-with-google-apps&quot;,&quot;archived_href&quot;:&quot;https:\\\/\\\/web-wp.archive.org\\\/web\\\/20260415175818\\\/https:\\\/\\\/www.digitalocean.com\\\/community\\\/tutorials\\\/how-to-create-a-spf-record-for-your-domain-with-google-apps&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[{&quot;date&quot;:&quot;2026-04-21 03:17:28&quot;,&quot;http_code&quot;:200}],&quot;broken&quot;:false,&quot;last_checked&quot;:{&quot;date&quot;:&quot;2026-04-21 03:17:28&quot;,&quot;http_code&quot;:200},&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:395,&quot;href&quot;:&quot;https:\\\/\\\/es.wikipedia.org\\\/wiki\\\/DomainKeys_Identified_Mail&quot;,&quot;archived_href&quot;:&quot;https:\\\/\\\/web-wp.archive.org\\\/web\\\/20260415121643\\\/https:\\\/\\\/es.wikipedia.org\\\/wiki\\\/DomainKeys_Identified_Mail&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[{&quot;date&quot;:&quot;2026-04-21 03:17:27&quot;,&quot;http_code&quot;:200}],&quot;broken&quot;:false,&quot;last_checked&quot;:{&quot;date&quot;:&quot;2026-04-21 03:17:27&quot;,&quot;http_code&quot;:200},&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1018,&quot;href&quot;:&quot;https:\\\/\\\/dmarc.org&quot;,&quot;archived_href&quot;:&quot;https:\\\/\\\/web-wp.archive.org\\\/web\\\/20260403140627\\\/https:\\\/\\\/dmarc.org\\\/&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[{&quot;date&quot;:&quot;2026-04-15 17:53:54&quot;,&quot;http_code&quot;:200},{&quot;date&quot;:&quot;2026-04-21 03:17:29&quot;,&quot;http_code&quot;:200}],&quot;broken&quot;:false,&quot;last_checked&quot;:{&quot;date&quot;:&quot;2026-04-21 03:17:29&quot;,&quot;http_code&quot;:200},&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1019,&quot;href&quot;:&quot;https:\\\/\\\/www.debian-administration.org\\\/tag\\\/dmarc&quot;,&quot;archived_href&quot;:&quot;https:\\\/\\\/web-wp.archive.org\\\/web\\\/20190722113649\\\/https:\\\/\\\/debian-administration.org\\\/tag\\\/dmarc&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[{&quot;date&quot;:&quot;2026-04-15 17:54:06&quot;,&quot;http_code&quot;:404},{&quot;date&quot;:&quot;2026-04-21 03:17:27&quot;,&quot;http_code&quot;:404}],&quot;broken&quot;:false,&quot;last_checked&quot;:{&quot;date&quot;:&quot;2026-04-21 03:17:27&quot;,&quot;http_code&quot;:404},&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1020,&quot;href&quot;:&quot;http:\\\/\\\/blog.standalonecomplex.es\\\/2010\\\/06\\\/22\\\/medidas-anti-spam-i-spf-que-es-como-funciona-y-como-implementarlo&quot;,&quot;archived_href&quot;:&quot;&quot;,&quot;redirect_href&quot;:&quot;https:\\\/\\\/blog.standalonecomplex.es\\\/2010\\\/06\\\/22\\\/medidas-anti-spam-i-spf-que-es-como-funciona-y-como-implementarlo&quot;,&quot;checks&quot;:[],&quot;broken&quot;:false,&quot;last_checked&quot;:null,&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1021,&quot;href&quot;:&quot;http:\\\/\\\/www.spfwizard.net\\\/es&quot;,&quot;archived_href&quot;:&quot;&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[],&quot;broken&quot;:false,&quot;last_checked&quot;:null,&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1022,&quot;href&quot;:&quot;https:\\\/\\\/www.debian-administration.org\\\/article\\\/721\\\/Validating_SPF_and_DKIM_at_SMTP-time_with_exim&quot;,&quot;archived_href&quot;:&quot;&quot;,&quot;redirect_href&quot;:&quot;http:\\\/\\\/web.archive.org\\\/web\\\/*\\\/https:\\\/\\\/debian-administration.org\\\/article\\\/721\\\/Validating_SPF_and_DKIM_at_SMTP-time_with_exim&quot;,&quot;checks&quot;:[],&quot;broken&quot;:false,&quot;last_checked&quot;:null,&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1023,&quot;href&quot;:&quot;http:\\\/\\\/www.openspf.org\\\/SPF_Record_Syntax&quot;,&quot;archived_href&quot;:&quot;&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[],&quot;broken&quot;:false,&quot;last_checked&quot;:null,&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:137,&quot;href&quot;:&quot;https:\\\/\\\/gandi.net&quot;,&quot;archived_href&quot;:&quot;https:\\\/\\\/web-wp.archive.org\\\/web\\\/20170925104427\\\/https:\\\/\\\/www.gandi.net\\\/&quot;,&quot;redirect_href&quot;:&quot;https:\\\/\\\/www.gandi.net\\\/&quot;,&quot;checks&quot;:[{&quot;date&quot;:&quot;2026-04-16 12:27:22&quot;,&quot;http_code&quot;:206},{&quot;date&quot;:&quot;2026-04-21 03:17:29&quot;,&quot;http_code&quot;:206}],&quot;broken&quot;:false,&quot;last_checked&quot;:{&quot;date&quot;:&quot;2026-04-21 03:17:29&quot;,&quot;http_code&quot;:206},&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1024,&quot;href&quot;:&quot;http:\\\/\\\/www.kitterman.com\\\/spf\\\/validate.html&quot;,&quot;archived_href&quot;:&quot;https:\\\/\\\/web-wp.archive.org\\\/web\\\/20260415175910\\\/https:\\\/\\\/www.kitterman.com\\\/spf\\\/validate.html&quot;,&quot;redirect_href&quot;:&quot;https:\\\/\\\/www.kitterman.com\\\/spf\\\/validate.html&quot;,&quot;checks&quot;:[{&quot;date&quot;:&quot;2026-04-17 22:35:49&quot;,&quot;http_code&quot;:503},{&quot;date&quot;:&quot;2026-04-21 03:17:32&quot;,&quot;http_code&quot;:206}],&quot;broken&quot;:false,&quot;last_checked&quot;:{&quot;date&quot;:&quot;2026-04-21 03:17:32&quot;,&quot;http_code&quot;:206},&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1025,&quot;href&quot;:&quot;http:\\\/\\\/www.iodigitalsec.com\\\/exim-dkim-and-debian-configuration&quot;,&quot;archived_href&quot;:&quot;&quot;,&quot;redirect_href&quot;:&quot;https:\\\/\\\/www.iodigitalsec.com\\\/exim-dkim-and-debian-configuration&quot;,&quot;checks&quot;:[],&quot;broken&quot;:false,&quot;last_checked&quot;:null,&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1026,&quot;href&quot;:&quot;http:\\\/\\\/dajul.com\\\/2010\\\/01\\\/22\\\/firmar-correos-con-dkim-y-exim4&quot;,&quot;archived_href&quot;:&quot;&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[],&quot;broken&quot;:false,&quot;last_checked&quot;:null,&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1027,&quot;href&quot;:&quot;http:\\\/\\\/www.protodave.com\\\/tools\\\/dkim-key-checker&quot;,&quot;archived_href&quot;:&quot;&quot;,&quot;redirect_href&quot;:&quot;https:\\\/\\\/protodave.com\\\/tools\\\/dkim-key-checker&quot;,&quot;checks&quot;:[],&quot;broken&quot;:false,&quot;last_checked&quot;:null,&quot;process&quot;:&quot;done&quot;},{&quot;id&quot;:1028,&quot;href&quot;:&quot;http:\\\/\\\/www.pal-blog.de\\\/entwicklung\\\/dkim\\\/setting-up-DKIM-with-Perl.html&quot;,&quot;archived_href&quot;:&quot;https:\\\/\\\/web-wp.archive.org\\\/web\\\/20250906064423\\\/http:\\\/\\\/www.pal-blog.de\\\/entwicklung\\\/dkim\\\/setting-up-DKIM-with-Perl.html&quot;,&quot;redirect_href&quot;:&quot;&quot;,&quot;checks&quot;:[{&quot;date&quot;:&quot;2026-04-15 17:55:10&quot;,&quot;http_code&quot;:200},{&quot;date&quot;:&quot;2026-04-21 03:17:30&quot;,&quot;http_code&quot;:200}],&quot;broken&quot;:false,&quot;last_checked&quot;:{&quot;date&quot;:&quot;2026-04-21 03:17:30&quot;,&quot;http_code&quot;:200},&quot;process&quot;:&quot;done&quot;}]'><\/div>\n<p>Aunque el servidor no vaya a gestionar buzones de correo electr\u00f3nico considero que es valioso que sea capaz de enviar y recibir mensajes sin necesitar una pasarela con sus credenciales.<\/p>\n<p>Esto es especialmente cierto ya que suelo centralizar la cuenta del administrador para todas mis m\u00e1quinas en una cuenta externa, y me gusta que no tengan problemas a la hora de enviarme avisos. Es un rollo tener que consultar varios buzones locales para saber qu\u00e9 ha ocurrido.<\/p>\n<p>As\u00ed pues, quiero que cada m\u00e1quina pueda enviar correo al exterior y necesito reducir las posibilidades de que le ignoren (marc\u00e1ndolo como spam) o directamente le denieguen el acceso.<\/p>\n<p>Para ello el servidor tiene que cumplir una serie de requisitos:<\/p>\n<ol>\n<li>Registros MX apuntando al nombre completo del servidor.<\/li>\n<li>Direcci\u00f3n IP apuntando a nombre completo del servidor (<a href=\"https:\/\/es.wikipedia.org\/wiki\/B%C3%BAsqueda_DNS_inversa\">resoluci\u00f3n inversa<\/a>).<\/li>\n<li><a href=\"https:\/\/es.wikipedia.org\/wiki\/Sender_Policy_Framework\">SPF<\/a> activo en el registro DNS (tambi\u00e9n importante si se emplean <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-create-a-spf-record-for-your-domain-with-google-apps\">Google Apps<\/a>).<\/li>\n<li><a href=\"https:\/\/es.wikipedia.org\/wiki\/DomainKeys_Identified_Mail\">DKIM<\/a> activo en el servidor de correo (exim) y en el DNS.<\/li>\n<li><a href=\"https:\/\/dmarc.org\/\">DMARK<\/a> rematando ambos mecanismo ya que presentan alg\u00fan fleco por el que podr\u00edan ser inutilizados.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/www.debian-administration.org\/tag\/dmarc\">Steve Kemp<\/a> tiene varios art\u00edculos al respecto. Como resumen podemos afirmar que todos requieren cambios en el DNS y la implicaci\u00f3n del servicio de correo.<\/p>\n<h4>SPF<\/h4>\n<p>Ya hay <a href=\"http:\/\/blog.standalonecomplex.es\/2010\/06\/22\/medidas-anti-spam-i-spf-que-es-como-funciona-y-como-implementarlo\/\">excelentes explicaciones<\/a> de c\u00f3mo funciona el invento as\u00ed que no me voy a extender en ello. Si escribo \u00e9sto es para anotar detalles t\u00e9cnicos a los que tendr\u00e9 que recurrir una y otra vez en el futuro.<\/p>\n<ol>\n<li><a href=\"http:\/\/www.spfwizard.net\/es\/\">Crear un registro <\/a>de texto en el DNS de mi dominio indicando qu\u00e9 m\u00e1quinas est\u00e1n autorizadas a enviar correo desde \u00e9l.<\/li>\n<li><a href=\"https:\/\/www.debian-administration.org\/article\/721\/Validating_SPF_and_DKIM_at_SMTP-time_with_exim\">Indicar al servidor de correo <\/a>(exim4) que emplee la verificaci\u00f3n SPF cuando reciba correo.<\/li>\n<\/ol>\n<p>En este dominio el registro SPF queda as\u00ed:<\/p>\n<pre style=\"padding-left: 30px;\"><em>v=spf1 mx a ip4:46.101.91.82\/32 -all<\/em><\/pre>\n<p>donde indico que s\u00f3lo los servidores definidos en el registro MX pueden enviar correo en su nombre, concretamente se\u00f1alo la direcci\u00f3n IP, e indico que los correos tienen que rechazarse si no cumplen alguna de \u00e9stas condiciones (<em>-all<\/em>). Se puede consultar la s\u00edntaxis <a href=\"http:\/\/www.openspf.org\/SPF_Record_Syntax\">aqu\u00ed<\/a>.<\/p>\n<p>Una vez tengamos la definici\u00f3n es recomendable crear dos registro en el DNS del dominio: uno de tipo SPF y otro de tipo TXT. Por lo visto no todos los clientes consultan el primero y es algo que no cuesta.<\/p>\n<p>Respecto a <em>exim4 <\/em>s\u00f3lo tenemos que preocuparnos de la recepci\u00f3n del correo y para ello vamos a indicar que emplee SPF<\/p>\n<ol>\n<li>Asegurarnos de tener instalada la versi\u00f3n <em>exim4-daemon-heavy<\/em>.<\/li>\n<li>Instalar el paquete <em>spf-tools-perl<\/em>.<\/li>\n<li>Activar la comprobaci\u00f3n v\u00eda <em>CHECK_RCPT_SPF=true<\/em> en el archivo <em>\/etc\/exim4\/conf\/main\/00_local_macros<\/em> y reiniciar.<\/li>\n<\/ol>\n<p>Si el registro SPF hubiese contenido una pol\u00edtica de fallo blando (<em>~all<\/em>)los mensajes recibidos ser\u00edan aceptados pero se incluir\u00eda un aviso en forma de cabecera especial<\/p>\n<pre>Received-SPF: softfail client-ip=...<\/pre>\n<p>que podr\u00eda ser utilizada por posteriores filtros de spam. En este caso concreto prefiero que dichos correos sean rechazados durante la conexi\u00f3n (par\u00e1metro <em>-all<\/em>) como el fragmento de conexi\u00f3n que muestro a continuaci\u00f3n:<\/p>\n<pre>MAIL FROM:&lt;root@esferas.org&gt;\r\n250 OK\r\nRCPT TO:&lt;root@esferas.org&gt;\r\n** 550-[SPF] 79.148.243.240 is not allowed to send mail from esferas.org. Please\r\n** 550 see http:\/\/www.openspf.org\/Why?scope=mfrom;identity=root@esferas.org;ip=79.148.243.240<\/pre>\n<h4>DKIM<\/h4>\n<p>Este mecanismo consiste en emplear un par de claves criptogr\u00e1ficas, una p\u00fablica y otra privada, y publicar la primera, la p\u00fablica, en el registro DNS. El servidor de correo firmar\u00e1 con la clave privada los mensajes salientes y el receptor del mismo podr\u00e1, tras consultar el registro DNS correspondiente, verificar la autenticidad del mismo.<\/p>\n<p>Los pasos a seguir son los siguientes:<\/p>\n<ol>\n<li>Crear un par de claves criptogr\u00e1ficas empleando openssh. La \u00fanica precauci\u00f3n a tomar es la longitud de la clave. Proveedores como <a href=\"https:\/\/gandi.net\">gandi.net<\/a> no admiten m\u00e1s de 1024 bits.<\/li>\n<li>Elegir una <em>palabra clave<\/em> como selector dado que en un mismo dominio pueden coexistir varios registros TXT. Este selector tendr\u00e1 que incluirse en el DNS y en el servidor de correo que emplea el mecanismo.<\/li>\n<\/ol>\n<h4>Enlaces y referencias<\/h4>\n<ul>\n<li>SPF:\n<ul>\n<li>Constructor de registros SPF: <a href=\"http:\/\/www.spfwizard.net\/es\/\">http:\/\/www.spfwizard.net\/es\/<\/a><\/li>\n<li>Testeo de configuraci\u00f3n SPF: <a href=\"http:\/\/www.kitterman.com\/spf\/validate.html\">http:\/\/www.kitterman.com\/spf\/validate.html<\/a><\/li>\n<\/ul>\n<\/li>\n<li>DKIM:\n<ul>\n<li>Configuraci\u00f3n de exim4:<a href=\"http:\/\/www.iodigitalsec.com\/exim-dkim-and-debian-configuration\/\">http:\/\/www.iodigitalsec.com\/exim-dkim-and-debian-configuration\/<\/a><\/li>\n<li>Otro art\u00edculo pero en espa\u00f1ol: <a href=\"http:\/\/dajul.com\/2010\/01\/22\/firmar-correos-con-dkim-y-exim4\/\">http:\/\/dajul.com\/2010\/01\/22\/firmar-correos-con-dkim-y-exim4\/<\/a><\/li>\n<li>Verificar DKIM en el registro DNS: <a href=\"http:\/\/www.protodave.com\/tools\/dkim-key-checker\/\">http:\/\/www.protodave.com\/tools\/dkim-key-checker\/<\/a><\/li>\n<li>Emplear Perl para configurar DKIM: <a href=\"http:\/\/www.pal-blog.de\/entwicklung\/dkim\/setting-up-DKIM-with-Perl.html\">http:\/\/www.pal-blog.de\/entwicklung\/dkim\/setting-up-DKIM-with-Perl.html<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<div id=\"s3gt_translate_tooltip\" class=\"s3gt_translate_tooltip\" style=\"position: absolute; left: 46px; top: 1273px; opacity: 0;\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Aunque el servidor no vaya a gestionar buzones de correo electr\u00f3nico considero que es valioso que sea capaz de enviar y recibir mensajes sin necesitar una pasarela con sus credenciales. Esto es especialmente cierto ya que suelo centralizar la cuenta del administrador para todas mis m\u00e1quinas en una cuenta externa, y me gusta que no [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","webmentions_disabled_pings":false,"webmentions_disabled":false,"footnotes":""},"categories":[6],"tags":[18,41,495,498,319,25,494],"class_list":["post-874","post","type-post","status-publish","format-standard","hentry","category-debian","tag-administracion-de-sistemas","tag-debian","tag-dkim","tag-dmarc","tag-dns","tag-email","tag-spf"],"_links":{"self":[{"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/posts\/874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/comments?post=874"}],"version-history":[{"count":0,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/posts\/874\/revisions"}],"wp:attachment":[{"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/media?parent=874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/categories?post=874"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/tags?post=874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}