Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
| Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
| centos:mail_c6:mta_13 [21.03.2014 12:31. ] – [Download] django | centos:mail_c6:mta_13 [20.05.2021 12:41. ] (aktuell) – Externe Bearbeitung 127.0.0.1 | ||
|---|---|---|---|
| Zeile 2: | Zeile 2: | ||
| {{: | {{: | ||
| - | **DMARC**((**D**omain-based **M**essage **A**uthentication, | + | **DMARC**((**D**omain-based **M**essage **A**uthentication, |
| Hinweise zu DMARC findet man bei auch auf der Webseite von [[http:// | Hinweise zu DMARC findet man bei auch auf der Webseite von [[http:// | ||
| Zeile 18: | Zeile 18: | ||
| Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf. | Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf. | ||
| - | < | + | < |
| + | skinparam defaultFontName Courier | ||
| state " | state " | ||
| sender : ------------------------------------------- | sender : ------------------------------------------- | ||
| Zeile 43: | Zeile 43: | ||
| state " | state " | ||
| smtp_a : Versand der eMail | smtp_a : Versand der eMail | ||
| - | smtp_a : zum eMail-Server | + | smtp_a : zum eMail-Server |
| smtp_a : des Empfängers | smtp_a : des Empfängers | ||
| } | } | ||
| Zeile 178: | Zeile 178: | ||
| </ | </ | ||
| - | ===== Definition unseres | + | ===== Zusammenspiel von DKIM, SPF und DMARC ===== |
| + | <WRAP round important> | ||
| + | </ | ||
| + | |||
| + | Wir setzen daher bei unserer Installation jeweils folgende Pakete ein: | ||
| + | * **SPF** **smf-spf** aus [[http:// | ||
| + | * **DKIM** **opendkim** aus dem [[centos: | ||
| + | * **DMARC** **opendmarc** aus [[http:// | ||
| + | |||
| + | Die Installation von **SPF-Milter** ist im Kapitel [[centos: | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | ===== DMARC-Record ===== | ||
| + | ==== Beschreibung des Datensatzes ==== | ||
| Mit Hilfe des [[https:// | Mit Hilfe des [[https:// | ||
| Zeile 189: | Zeile 204: | ||
| Die einzelnen Werte haben nun folgende Bedeutung. | Die einzelnen Werte haben nun folgende Bedeutung. | ||
| - | ^ Parameter | + | ^ Parameter |
| - | | v | Plaintext; REQUIRED | DMARC1 | + | | v |
| - | | p | Plaintext; REQUIRED | reject | + | | p |
| - | | sp | + | | sp | Plaintext; |
| - | | rua | Kommaseparierte plain-text Liste von DMARC URIs; OPTIONAL | mailto: | + | | rua |
| - | | ruf | Kommaseparierte Plaintext Liste von DMARC URIs; OPTIONAL | mailto: | + | | ruf |
| - | | adkim | Plaintext; OPTIONAL; Default = relaxed | r | Definiert, wie konservativ das Ergebnis der DKIM-Signaturprüfung bewertet werden soll. Mögliche Werte sind entweder **r**=relaxed oder **s**=strikt. | | + | | adkim |
| - | | aspf | + | | aspf | Plaintext; OPTIONAL; Default = relaxed |
| - | | pct | Plaintext/ | + | | pct |
| - | | rf | + | | rf | Kommaseparierte Plaintext Liste; OPTIONAL; Default = afrf |
| - | | ri | + | | ri | Plaintext; OPTIONAL; Default = 86400 | 86400 |
| + | ==== Generierung unseres DMARC-Records ==== | ||
| Nach Erstellung des DMARC-Records von Hand oder über den [[https:// | Nach Erstellung des DMARC-Records von Hand oder über den [[https:// | ||
| | | ||
| + | ==== Testen der DMARC Definitionen ==== | ||
| Über die URL [[https:// | Über die URL [[https:// | ||
| Zeile 269: | Zeile 287: | ||
| ===== Download ===== | ===== Download ===== | ||
| - | Bei der Implementation von **DMARC** in unserem eigenen Mailserver, greifen wir auf das Projekt [[http:// | + | Bei der Implementation von **DMARC** in unserem eigenen Mailserver, greifen wir auf das Projekt |
| - | FIXME //working in progress | + | Entweder holt man sich das betreffende Quellpaket auf der [[http://sourceforge.net|sourceforge]]- |
| + | [[http:// | ||
| + | Also erstes laden wir uns die beiden benötigten Pakete auf unseren Rechner, zuvor wechseln wir abernoch in unser lokales Programm-Archiv. | ||
| + | # cd / | ||
| + | Die **x86_64-Pakete** findet man im Verzeichnis http:// | ||
| - | # wget http:// | + | Im Falle der x86_64-Pakete sind dies dann entsprechend folgende Pakete: |
| - | # wget http:// | + | # wget http:// |
| + | |||
| + | # wget http:// | ||
| ===== Installation ===== | ===== Installation ===== | ||
| - | # yum localinstall libopendmarc-1.2.0-1.el6.x86_64.rpm opendmarc-1.2.0-1.el6.x86_64.rpm | + | # yum localinstall libopendmarc-1.3.0-beta0.el6.x86_64.rpm opendmarc-1.3.0-beta0.el6.x86_64.rpm |
| # rpm -qil opendmarc | # rpm -qil opendmarc | ||
| - | < | + | < |
| - | Version | + | Release |
| - | Release | + | Install Date: Mon 28 Apr 2014 05:50:47 PM CEST Build Host: vml010039.intra.nausch.org |
| - | Install Date: Tue 18 Mar 2014 11:18:08 PM CET Build Host: vml010039.intra.nausch.org | + | Group : System Environment/ |
| - | Group : System Environment/ | + | Size : 175607 |
| - | Size : 173606 | + | Signature |
| - | Signature | + | |
| Packager | Packager | ||
| URL : http:// | URL : http:// | ||
| Zeile 312: | Zeile 335: | ||
| / | / | ||
| / | / | ||
| - | / | + | / |
| - | / | + | / |
| - | / | + | / |
| - | / | + | / |
| - | / | + | / |
| - | / | + | / |
| / | / | ||
| / | / | ||
| Zeile 330: | Zeile 353: | ||
| </ | </ | ||
| + | # rpm -qil libopendmarc | ||
| + | < | ||
| + | Version | ||
| + | Release | ||
| + | Install Date: Mon 28 Apr 2014 05:50:46 PM CEST Build Host: vml010039.intra.nausch.org | ||
| + | Group : System Environment/ | ||
| + | Size : 69016 License: BSD and Sendmail | ||
| + | Signature | ||
| + | Packager | ||
| + | URL : http:// | ||
| + | Summary | ||
| + | Description : | ||
| + | This package contains the library files required for running services built | ||
| + | using libopendmarc. | ||
| + | / | ||
| + | / | ||
| + | </ | ||
| - | ===== Konfiguration | + | ===== Konfigurations-Dokumentation |
| - | ==== Konfigurations-Dokumentation | + | ==== README |
| + | Viele hilfreiche Informationen zur Konfiguration von OpenDMARC finden sich in den nachfolgenden Dateien. | ||
| # less / | # less / | ||
| <file / | <file / | ||
| Zeile 494: | Zeile 535: | ||
| </ | </ | ||
| + | ==== README.schema ==== | ||
| # less / | # less / | ||
| <file / | <file / | ||
| Zeile 536: | Zeile 578: | ||
| </ | </ | ||
| + | ==== opendmarc.conf ==== | ||
| # man opendmarc.conf | # man opendmarc.conf | ||
| < | < | ||
| Zeile 770: | Zeile 813: | ||
| </ | </ | ||
| + | ==== opendmarc ==== | ||
| # man 8 opendmarc | # man 8 opendmarc | ||
| < | < | ||
| Zeile 877: | Zeile 921: | ||
| </ | </ | ||
| + | ==== reports-README ==== | ||
| # elinks http:// | # elinks http:// | ||
| < | < | ||
| Zeile 940: | Zeile 985: | ||
| </ | </ | ||
| + | ==== opendmarc.import ==== | ||
| # man opendmarc-import | # man opendmarc-import | ||
| Zeile 998: | Zeile 1043: | ||
| </ | </ | ||
| + | ==== opendmarc-reports ==== | ||
| # man opendmarc-reports | # man opendmarc-reports | ||
| < | < | ||
| Zeile 1074: | Zeile 1120: | ||
| The Trusted Domain Project | The Trusted Domain Project | ||
| </ | </ | ||
| + | ===== Konfiguration ===== | ||
| ==== opendmarc Konfiguration ==== | ==== opendmarc Konfiguration ==== | ||
| + | Die Konfiguration von OpenDMARC erfolgt über die Konfigurationsdatei **opendmarc.conf** im Verzeichnis **/etc**. | ||
| + | === / | ||
| # vim / | # vim / | ||
| Zeile 1085: | Zeile 1133: | ||
| ## AuthservID (string) | ## AuthservID (string) | ||
| - | ## defaults to MTA name | + | ## defaults to MTA name |
| ## | ## | ||
| ## Sets the " | ## Sets the " | ||
| Zeile 1093: | Zeile 1141: | ||
| # | # | ||
| # AuthservID name | # AuthservID name | ||
| + | # Django : 2013-03-18 | ||
| + | AuthservID mx01.nausch.org | ||
| ## AuthservIDWithJobID { true | false } | ## AuthservIDWithJobID { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## If " | ## If " | ||
| Zeile 1102: | Zeile 1152: | ||
| # | # | ||
| # AuthservIDWithJobID false | # AuthservIDWithJobID false | ||
| + | # Django : 2013-03-18 | ||
| + | AuthservIDWithJobID true | ||
| ## AutoRestart { true | false } | ## AutoRestart { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## Automatically re-start on failures. Use with caution; if the filter fails | ## Automatically re-start on failures. Use with caution; if the filter fails | ||
| Zeile 1112: | Zeile 1164: | ||
| ## AutoRestartCount n | ## AutoRestartCount n | ||
| - | ## default 0 | + | ## default 0 |
| ## | ## | ||
| ## Sets the maximum automatic restart count. | ## Sets the maximum automatic restart count. | ||
| Zeile 1121: | Zeile 1173: | ||
| ## AutoRestartRate n/t[u] | ## AutoRestartRate n/t[u] | ||
| - | ## default (no limit) | + | ## default (no limit) |
| ## | ## | ||
| ## Sets the maximum automatic restart rate. If the filter begins restarting | ## Sets the maximum automatic restart rate. If the filter begins restarting | ||
| Zeile 1136: | Zeile 1188: | ||
| ## Background { true | false } | ## Background { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## Causes opendmarc to fork and exits immediately, | ## Causes opendmarc to fork and exits immediately, | ||
| Zeile 1144: | Zeile 1196: | ||
| ## BaseDirectory (string) | ## BaseDirectory (string) | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## If set, instructs the filter to change to the specified directory using | ## If set, instructs the filter to change to the specified directory using | ||
| Zeile 1155: | Zeile 1207: | ||
| ## ChangeRootDirectory (string) | ## ChangeRootDirectory (string) | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## Requests that the operating system change the effective root directory of | ## Requests that the operating system change the effective root directory of | ||
| Zeile 1165: | Zeile 1217: | ||
| ## CopyFailuresTo (string) | ## CopyFailuresTo (string) | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## Requests addition of the specified email address to the envelope of | ## Requests addition of the specified email address to the envelope of | ||
| Zeile 1173: | Zeile 1225: | ||
| ## DNSTimeout (integer) | ## DNSTimeout (integer) | ||
| - | ## default 5 | + | ## default 5 |
| ## | ## | ||
| ## Sets the DNS timeout in seconds. | ## Sets the DNS timeout in seconds. | ||
| Zeile 1181: | Zeile 1233: | ||
| ## EnableCoredumps { true | false } | ## EnableCoredumps { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## On systems that have such support, make an explicit request to the kernel | ## On systems that have such support, make an explicit request to the kernel | ||
| Zeile 1192: | Zeile 1244: | ||
| ## ForensicReports { true | false } | ## ForensicReports { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## Enables generation of forensic reports when the DMARC test fails and the | ## Enables generation of forensic reports when the DMARC test fails and the | ||
| Zeile 1199: | Zeile 1251: | ||
| # | # | ||
| # ForensicReports false | # ForensicReports false | ||
| + | # Django : 2014-03-18 | ||
| + | ForensicReports true | ||
| ## ForensicReportsBcc (string) | ## ForensicReportsBcc (string) | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## When forensic reports are enabled and one is to be generated, always | ## When forensic reports are enabled and one is to be generated, always | ||
| Zeile 1210: | Zeile 1264: | ||
| # | # | ||
| # ForensicReportsBcc postmaster@example.coom | # ForensicReportsBcc postmaster@example.coom | ||
| + | # Django : 2014-03-18 | ||
| + | ForensicReportsBcc postmaster@nausch.org | ||
| ## ForensicReportsOnNone { true | false } | ## ForensicReportsOnNone { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## Supplements the " | ## Supplements the " | ||
| Zeile 1222: | Zeile 1278: | ||
| ## ForensicReportsSentBy string | ## ForensicReportsSentBy string | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## Specifies the email address to use in the From: field of forensic | ## Specifies the email address to use in the From: field of forensic | ||
| Zeile 1231: | Zeile 1287: | ||
| # | # | ||
| # ForensicReportsSentBy USER@HOSTNAME | # ForensicReportsSentBy USER@HOSTNAME | ||
| + | # Django : 2014-03-18 | ||
| + | ForensicReportsSentBy dmarc-admin@nausch.org | ||
| ## HistoryFile path | ## HistoryFile path | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## If set, specifies the location of a text file to which records are written | ## If set, specifies the location of a text file to which records are written | ||
| Zeile 1243: | Zeile 1301: | ||
| ## aggregate reports can be extracted by a tool such as opendmarc-import(8). | ## aggregate reports can be extracted by a tool such as opendmarc-import(8). | ||
| # | # | ||
| - | HistoryFile / | + | HistoryFile / |
| - | s | + | |
| ## IgnoreHosts path | ## IgnoreHosts path | ||
| - | ## default (internal) | + | ## default (internal) |
| ## | ## | ||
| ## Specifies the path to a file that contains a list of hostnames, IP | ## Specifies the path to a file that contains a list of hostnames, IP | ||
| Zeile 1255: | Zeile 1313: | ||
| # | # | ||
| # IgnoreHosts / | # IgnoreHosts / | ||
| + | # Django : 2014-03-19 | ||
| + | IgnoreHosts / | ||
| ## IgnoreMailFrom domain[, | ## IgnoreMailFrom domain[, | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## Gives a list of domain names whose mail (based on the From: domain) is to | ## Gives a list of domain names whose mail (based on the From: domain) is to | ||
| Zeile 1267: | Zeile 1327: | ||
| ## MilterDebug (integer) | ## MilterDebug (integer) | ||
| - | ## default 0 | + | ## default 0 |
| ## | ## | ||
| ## Sets the debug level to be requested from the milter library. | ## Sets the debug level to be requested from the milter library. | ||
| # | # | ||
| # MilterDebug 0 | # MilterDebug 0 | ||
| + | # Django : 2014-04-28 | ||
| + | MilterDebug 5 | ||
| ## PidFile path | ## PidFile path | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## Specifies the path to a file that should be created at process start | ## Specifies the path to a file that should be created at process start | ||
| Zeile 1281: | Zeile 1343: | ||
| # | # | ||
| # PidFile / | # PidFile / | ||
| + | # Django : 2014-03-18 | ||
| + | PidFile / | ||
| ## PublicSuffixList path | ## PublicSuffixList path | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## Specifies the path to a file that contains top-level domains (TLDs) that | ## Specifies the path to a file that contains top-level domains (TLDs) that | ||
| Zeile 1294: | Zeile 1358: | ||
| ## RecordAllMessages { true | false } | ## RecordAllMessages { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## If set and " | ## If set and " | ||
| Zeile 1304: | Zeile 1368: | ||
| ## RejectFailures { true | false } | ## RejectFailures { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## If set, messages will be rejected if they fail the DMARC evaluation, or | ## If set, messages will be rejected if they fail the DMARC evaluation, or | ||
| Zeile 1313: | Zeile 1377: | ||
| # | # | ||
| # RejectFailures false | # RejectFailures false | ||
| + | # Django : 2014-03-24 | ||
| + | RejectFailures true | ||
| ## ReportCommand string | ## ReportCommand string | ||
| - | ## default "/ | + | ## default "/ |
| ## | ## | ||
| ## Indicates the shell command to which forensic reports should be passed for | ## Indicates the shell command to which forensic reports should be passed for | ||
| Zeile 1323: | Zeile 1389: | ||
| ## RequiredHeaders { true | false } | ## RequiredHeaders { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## If set, the filter will ensure the header of the message conforms to the | ## If set, the filter will ensure the header of the message conforms to the | ||
| Zeile 1334: | Zeile 1400: | ||
| ## Socket socketspec | ## Socket socketspec | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## Specifies the socket that should be established by the filter to receive | ## Specifies the socket that should be established by the filter to receive | ||
| Zeile 1347: | Zeile 1413: | ||
| # | # | ||
| # Socket inet: | # Socket inet: | ||
| + | # Django : 2014-03-19 | ||
| + | Socket inet: | ||
| ## SoftwareHeader { true | false } | ## SoftwareHeader { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## Causes the filter to add a " | ## Causes the filter to add a " | ||
| Zeile 1357: | Zeile 1425: | ||
| # | # | ||
| # SoftwareHeader false | # SoftwareHeader false | ||
| + | # Django : 2014-03-18 | ||
| + | SoftwareHeader true | ||
| + | |||
| + | ## SPFIgnoreResults { true | false } | ||
| + | ## default " | ||
| + | ## | ||
| + | ## Causes the filter to ignore any SPF results in the header of the | ||
| + | ## message. | ||
| + | ## itself, or because you don't trust the arriving header. | ||
| + | # | ||
| + | # SPFIgnoreResults false | ||
| + | |||
| + | ## SPFSelfValidate { true | false } | ||
| + | ## default false | ||
| + | ## | ||
| + | ## Causes the filter to perform a fallback SPF check itself when | ||
| + | ## it can find no SPF results in the message header. | ||
| + | ## is also set, it never looks for SPF results in headers and | ||
| + | ## always performs the SPF check itself when this is set. | ||
| + | # | ||
| + | # SPFSelfValidate false | ||
| + | # Django : 2014-04-28 | ||
| + | SPFSelfValidate true | ||
| ## Syslog { true | false } | ## Syslog { true | false } | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## Log via calls to syslog(3) any interesting activity. | ## Log via calls to syslog(3) any interesting activity. | ||
| # | # | ||
| # Syslog false | # Syslog false | ||
| + | # Django : 2014-03-18 | ||
| + | Syslog true | ||
| ## SyslogFacility facility-name | ## SyslogFacility facility-name | ||
| - | ## default " | + | ## default " |
| ## | ## | ||
| ## Log via calls to syslog(3) using the named facility. | ## Log via calls to syslog(3) using the named facility. | ||
| Zeile 1374: | Zeile 1467: | ||
| ## TemporaryDirectory path | ## TemporaryDirectory path | ||
| - | ## default /var/tmp | + | ## default /var/tmp |
| ## | ## | ||
| ## Specifies the directory in which temporary files should be written. | ## Specifies the directory in which temporary files should be written. | ||
| Zeile 1381: | Zeile 1474: | ||
| ## TrustedAuthservIDs string | ## TrustedAuthservIDs string | ||
| - | ## default HOSTNAME | + | ## default HOSTNAME |
| ## | ## | ||
| ## Specifies one or more " | ## Specifies one or more " | ||
| Zeile 1393: | Zeile 1486: | ||
| ## UMask mask | ## UMask mask | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## Requests a specific permissions mask to be used for file creation. | ## Requests a specific permissions mask to be used for file creation. | ||
| Zeile 1403: | Zeile 1496: | ||
| # | # | ||
| # UMask 077 | # UMask 077 | ||
| + | # Django : 2014-03-23 | ||
| + | UMask 007 | ||
| ## UserID user[: | ## UserID user[: | ||
| - | ## default (none) | + | ## default (none) |
| ## | ## | ||
| ## Attempts to become the specified userid before starting operations. | ## Attempts to become the specified userid before starting operations. | ||
| Zeile 1412: | Zeile 1507: | ||
| # | # | ||
| # UserID opendmarc | # UserID opendmarc | ||
| + | # Django : 2014-03-23 | ||
| + | UserID opendmarc: | ||
| </ | </ | ||
| Zeile 1420: | Zeile 1517: | ||
| amavis.dmz.nausch.org | amavis.dmz.nausch.org | ||
| </ | </ | ||
| + | Besonderen Augenmerk legen wir dabei auf folgende Parameter: | ||
| + | * **AuthservID** Hier setzen wir den Namen unseres Mailservers. | ||
| + | * **HistoryFile** Name und Pfad, in dem OpenDMARC die Statistikdaten ablegen wird. | ||
| + | * **PidFile** Name und Pfad, in dem der Daemon sein PID-File ablegen soll. | ||
| + | * **Socket** Über diesen Socket wird später unser Postfix-Mailserver den OpenDMARC-Daemon ansprechen. | ||
| + | * **UserID** UserID und GroupID, die der Daemon beim Anlegen der Dateien // | ||
| + | Alle anderen Parameter definieren wir noch entsprechen der Gegebenheiten unserer Installation/ | ||
| + | Einen kompakten Überblick über die gewählten Optionen fragen wir einfach mit folgendem Aufruf ab. | ||
| + | # egrep -v ' | ||
| + | |||
| + | < | ||
| + | AuthservIDWithJobID true | ||
| + | ForensicReports true | ||
| + | ForensicReportsBcc postmaster@nausch.org | ||
| + | ForensicReportsOnNone true | ||
| + | ForensicReportsSentBy dmarc-admin@nausch.org | ||
| + | HistoryFile / | ||
| + | IgnoreHosts / | ||
| + | PidFile / | ||
| + | Socket inet: | ||
| + | SoftwareHeader true | ||
| + | Syslog true | ||
| + | UserID opendmarc: | ||
| + | </ | ||
| + | |||
| + | === / | ||
| + | In der Datei **ignore.hosts** definieren wir die Hostnamen, oder IP-Adressen, | ||
| + | # vim / | ||
| + | <file bash / | ||
| + | # folgende Hosts sollen von der DMARC-Überprüfung und Bewertung ausgenommen werden. | ||
| + | localhost | ||
| + | amavis.dmz.nausch.org | ||
| + | </ | ||
| ==== mysql Konfiguration ==== | ==== mysql Konfiguration ==== | ||
| - | < | + | Eigentlich könnten wir nun schon unseren DMARC-Daemon starten. Jedoch wollen wir noch kurz die nötige mySQL-Datenbank anlegen, damit der Daemon die gewünschten aufbereiteten Statiskdaten und forensischen Berichte generieren und dann per eMail verschicken kann. |
| + | |||
| + | Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an. | ||
| + | # mysql -h localhost -u root -p | ||
| + | |||
| + | < | ||
| + | Welcome to the MySQL monitor. | ||
| + | Your MySQL connection id is 1942 | ||
| + | Server version: 5.1.67 Source distribution | ||
| + | |||
| + | Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. | ||
| + | |||
| + | Oracle is a registered trademark of Oracle Corporation and/or its | ||
| + | affiliates. Other names may be trademarks of their respective | ||
| + | owners. | ||
| + | |||
| + | Type ' | ||
| + | |||
| + | mysql> | ||
| + | </ | ||
| + | Dort legen wir als aller erst einmal eine Datenbank mit dem Namen **opendmarc** an. | ||
| + | mysql> CREATE DATABASE opendmarc; | ||
| + | |||
| + | Anschließend legen wir uns dann einen Datenbankuser an, dem wir entsprechende Rechte an der Datenbank **opendmarc** einräumen. | ||
| + | | ||
| + | |||
| + | Query OK, 0 rows affected (0.00 sec) | ||
| + | |||
| + | | ||
| + | |||
| + | Query OK, 0 rows affected (0.00 sec) | ||
| + | |||
| + | Anschließend setzen wir noch die Nutzerberechtigungen unseres Datenbanknutzers **opendmarc_user** für die Datenbank **opendmarc** | ||
| + | | ||
| + | |||
| + | Query OK, 0 rows affected (0.00 sec) | ||
| - | mysql> | + | |
| - | mysql> CREATE USER ' | + | Query OK, 0 rows affected (0.00 sec) |
| - | mysql> | + | Zur Aktivierung weisen wir nun noch die Berechtigungen zu: |
| + | | ||
| - | mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO ' | + | Query OK, 0 rows affected (0.00 sec) |
| - | mysql> | + | Abschließend melden wir uns wieder von unserem Datenbankhost ab. |
| + | | ||
| + | Bye | ||
| + | Bevor wir die benötigten Tabellen anlegen, testen wir noch, ob der Zugriff von unserem Mail- bzw. Datenimportserver funktioniert. | ||
| + | # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p | ||
| - | [root@vml000080 ~]# mysql -h vml000030.dmz.nausch.org -D opendmarc -u opendmarc_user -p | + | < |
| - | Enter password: | + | |
| Welcome to the MySQL monitor. | Welcome to the MySQL monitor. | ||
| Your MySQL connection id is 2889 | Your MySQL connection id is 2889 | ||
| Zeile 1450: | Zeile 1619: | ||
| Type ' | Type ' | ||
| - | mysql> show databases; | + | mysql> |
| - | +--------------------+ | + | </ |
| + | mysql> show databases; | ||
| + | < | ||
| | Database | | Database | ||
| +--------------------+ | +--------------------+ | ||
| Zeile 1458: | Zeile 1629: | ||
| +--------------------+ | +--------------------+ | ||
| 2 rows in set (0.00 sec) | 2 rows in set (0.00 sec) | ||
| + | </ | ||
| + | | ||
| - | mysql> quit | + | |
| - | Bye | + | |
| + | Mit Hilfe der Datei // | ||
| + | # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p < / | ||
| - | # mysql -h vml000030.dmz.nausch.org -D opendmarc -u opendmarc_user -p < / | + | Auch hier können wir uns bei Bedarf noch überprüfen, |
| - | Enter password: | + | # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p |
| - | # mysql -h vml000030.dmz.nausch.org -D opendmarc -u opendmarc_user -pEnter | + | < |
| Reading table information for completion of table and column names | Reading table information for completion of table and column names | ||
| You can turn off this feature to get a quicker startup with -A | You can turn off this feature to get a quicker startup with -A | ||
| Zeile 1482: | Zeile 1656: | ||
| Type ' | Type ' | ||
| - | mysql> show databases; | + | mysql> |
| - | +--------------------+ | + | </ |
| + | mysql> show databases; | ||
| + | |||
| + | < | ||
| | Database | | Database | ||
| +--------------------+ | +--------------------+ | ||
| Zeile 1491: | Zeile 1668: | ||
| 2 rows in set (0.00 sec) | 2 rows in set (0.00 sec) | ||
| - | mysql> use opendmarc; | + | mysql> |
| - | Database changed | + | </ |
| - | mysql> show tables; | + | mysql> use opendmarc; |
| - | +---------------------+ | + | |
| + | | ||
| + | | ||
| + | |||
| + | mysql> show tables; | ||
| + | < | ||
| | Tables_in_opendmarc | | | Tables_in_opendmarc | | ||
| +---------------------+ | +---------------------+ | ||
| Zeile 1506: | Zeile 1688: | ||
| 6 rows in set (0.00 sec) | 6 rows in set (0.00 sec) | ||
| - | mysql> | + | mysql> |
| - | Bye | + | |
| </ | </ | ||
| - | ===== Programmstart ===== | + | |
| - | # service opendmarc start | + | Bye |
| - | Mar 19 00:02:17 vml000080 opendmarc[13533]: | + | ==== dbCollecting User einrichten ==== |
| - | Mar 19 00:02:17 vml000080 opendmarc[13533]: | + | Nicht immer möchte oder kann man von seinem oder seinen Mailservern eine Verbindung zum Datenbankhost ermöglichen. Um jetzt nicht von jedem einzelnen MX-Server einzurichten, |
| + | Wir legen uns nun unseren Nutzer an. Als UID und GID verwenden wir eine entsprechend freie Nummer, die wir entsprechend vorher abprüfen. | ||
| + | # grep 487 /etc/group | ||
| + | # grep 487 /etc/passwd | ||
| + | |||
| + | Anschließend legen wir uns unseren User an. | ||
| + | # groupadd -g 489 dmarc && useradd dmarc -c " | ||
| + | |||
| + | Anschließend erzeugen wir uns noch einen entsprechenden SSH-Key und verteilen diesen auf unseren Mailservern. Entsprechende Schritte sind im Wiki [[https:// | ||
| + | |||
| + | ==== dbCollecting Script anlegen ==== | ||
| + | Zum Einsammeln der Statistikdaten legen wir uns nun ein einfaches Shellscript an. | ||
| + | # vim / | ||
| + | <file bash / | ||
| + | # Script zum Importieren der DMARC-Daten aus dem lokalen cache-Datei in die mySQL Datenbank | ||
| + | # und Generieren der DMARC-reports | ||
| + | # Das Script wird um 03:33 Uhr via cronjob aufgerufen. | ||
| + | # | ||
| + | # crontab | ||
| + | # einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen. | ||
| + | # 33 3 * * * / | ||
| + | # | ||
| + | # Django : 2014-03-20 | ||
| + | |||
| + | WORKDIR="/ | ||
| + | WORKFILE=" | ||
| + | SSHKEYFILE=" | ||
| + | MXHOSTS=" | ||
| + | DBFILE=" | ||
| + | DBHOST=" | ||
| + | DBPORT=" | ||
| + | DBUSER=" | ||
| + | DBPASSWD=" | ||
| + | DBNAME=" | ||
| + | |||
| + | # DMARC Datenfile von den Mailservern abholen | ||
| + | cd $WORKDIR | ||
| + | for HOST in $MXHOSTS; do | ||
| + | scp -i $WORKDIR$SSHKEYFILE dmarc@${HOST}:/ | ||
| + | ssh -i $WORKDIR$SSHKEYFILE dmarc@${HOST} "/ | ||
| + | cat ${HOST}.dat >> $WORKFILE | ||
| + | done | ||
| + | |||
| + | # DMARC Daten in die mySQL-Datenbank opendmarc schreiben | ||
| + | / | ||
| + | --dbpasswd=$DBPASSWD < $WORKDIR$WORKFILE | ||
| + | |||
| + | # DMARC Statistik-Report erstellen | ||
| + | / | ||
| + | --dbpasswd=$DBPASSWD --verbose --interval=86400 --report-email ' | ||
| + | |||
| + | # DMARC Datenbank aufräumen, Datensätze die älter als 90 Tage sind werden gelöscht | ||
| + | / | ||
| + | --dbpasswd=$DBPASSWD --verbose --expire=90 | ||
| + | |||
| + | # Work-Verzeichnis wieder aufräumen | ||
| + | cd $WORKDIR | ||
| + | rm $WORKDIR*.dat -rf | ||
| + | </ | ||
| + | Anschließen setzen wir die Ausführungsrechte unseres neuen Scriptes. | ||
| + | # chmod +x / | ||
| + | |||
| + | Zu guter Letzt aktivieren wir dann noch einen Cronjob für die tägliche Ausführung. | ||
| + | # vim / | ||
| + | <file bash / | ||
| + | |||
| + | # Django : 2014-03-20 | ||
| + | # einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen. | ||
| + | 33 3 * * * / | ||
| + | |||
| + | ... | ||
| + | </ | ||
| + | |||
| + | ==== Postfix ==== | ||
| + | Die Konfiguration auf Seiten unseres Postfix-Mailserver gestaltet sich relativ einfach, muss doch nur ein zusätzlicher [[http:// | ||
| + | # vim / | ||
| + | |||
| + | <file bash / | ||
| + | |||
| + | # Django : 2014-03-19 | ||
| + | # SPF-Check und DKIM-Signaturüberprüfung via SMF-SPF- und DKIM-Milter einbinden. | ||
| + | smtpd_milters = | ||
| + | # SMF-SPF-Milter | ||
| + | | ||
| + | # DKIM-Milter: | ||
| + | | ||
| + | # DMARC-Milter | ||
| + | | ||
| + | |||
| + | ... | ||
| + | </ | ||
| + | |||
| + | ===== erster manueller Programmstart ===== | ||
| + | Nun ist es an der Zeit unseren DMARC-Daemon das erste mal zu starten. | ||
| + | # service opendmarc start | ||
| + | Im / | ||
| + | Apr 28 19:32:24 vml000080 opendmarc[28728]: | ||
| + | Apr 28 19:32:24 vml000080 opendmarc[28729]: | ||
| + | Apr 28 19:32:24 vml000080 opendmarc[28729]: | ||
| + | |||
| + | |||
| + | Über den Port 10012 sollte nun unser daemon ansprechbar sein. Was wir auch sehr einfach mittels **lsof** überprüfen können: | ||
| # lsof -i :10003 | # lsof -i :10003 | ||
| Zeile 1523: | Zeile 1804: | ||
| opendmarc 13533 root 3u IPv4 115489 | opendmarc 13533 root 3u IPv4 115489 | ||
| + | Auch mit Hilfe von **netstat** können wir abfragen, ob der Port **1003** in Verwendung ist. | ||
| + | # netstat -tulpen | grep 10012 | ||
| - | # netstat | + | tcp 0 0 127.0.0.1: |
| + | |||
| + | Anschließend können wir nun auch unseren Postfix-Mailserver durchstarten, | ||
| + | |||
| + | ===== automatisches Starten des Dienste beim Systemstart ===== | ||
| + | Damit nun unser DMARC-Daemon beim Booten unseres Servers automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor. | ||
| + | # chkconfig opendmarc on | ||
| + | |||
| + | Anschließend überprüfen wir noch unsere Änderung: | ||
| + | # chkconfig --list | grep opendmarc | ||
| + | |||
| + | opendmarc | ||
| - | tcp 0 0 127.0.0.1: | ||
| ===== Logging / Mailheader ===== | ===== Logging / Mailheader ===== | ||
| + | Im Maillog werden entsprechend unserer zuvor festgelegten Konfiguration, | ||
| + | Folgender Logeintrag zeigt einen erfolgreiche DMARC-Überprüfung. | ||
| + | Mar 23 22:46:01 vml000080 opendmarc[25914]: | ||
| - | | + | Im Mailheader der Nachricht, wird dies auch entsprechend vermerkt. |
| - | Authentication-Results: | + | |
| + | Authentication-Results: | ||
| + | Hat der Domainbetreiber keinen DMARC-Eintrag im DNS hinterlegt, sieht die betreffende Zeile im Maillog entsprechend so aus. | ||
| + | Mar 19 00:22:36 vml000080 opendmarc[14508]: | ||
| + | Auch dies wird im Mailheader entsprechend vermerkt. | ||
| + | DMARC-Filter: | ||
| + | Authentication-Results: | ||
django