DMARC - Domain-based Message Authentication, Reporting & Conformance

DMARC¹⁾ ist an sich kein eigenständiger Prozess in der eMail-Verarbeitung, vielmehr erweitert DMARC auf die beiden Techniken SPF²⁾ und DKIM³⁾. DMARC ergänzt somit DKIM und SPF, ohne die DMARC nicht funktionieren kann. Hinweise zu DMARC findet man bei auch auf der Webseite von DMARC.org, oder im Entwurf der Network Working Group, die der ITF⁴⁾ Anfang 2012 zur Prüfung vorgelegt wurde.

Obwohl DMARC aktuell noch als Entwurf gilt, wird laut den Angaben der aktuellen DMARC-Präsentation aus 2014 bereits mehr als 60% der weltweiten eMail-Postfächer mit Hilfe von DMARC geschützt.

Die weltgößten eMail-Provider setzen auf DMARC, wie z.B.:

GMail, Yahoo, AOL, Comcast, oder Outlook.com
Mail.ru (größter eMail-Provider in Russland)
NetEase (größter eMail-Provider in China)
XS4All (größter eMail-Provider in den Niederlanden)

Alles gute Gründe, sich dem Thema DMARC dennoch intensiver zu widmen!

Bei DMARC kann definiert werden, wie ein empfangender Mailserver Nachrichten behandeln und verarbeiten soll, insbesondere mit Hinblick auf die Bewertung der Versandberechtigung des einliefernden Mailservers (SPF) und der nicht veränderten Nachricht (DKIM). Fällt eine oder beide Überprüfungen negativ aus, definiert DMARC, ob die eMail in Quarantäne gestellt, die Annahme der eMail abgelehnt (reject) oder eben dennoch zugestellt werden soll.

Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf.

Möchten wir DMARC bei unserem Mailserver einsetzen, ist es wichtig, dass alle drei Komponenten via Milter⁵⁾ an unseren Postfix-Mailserver angebunden werden. Nur so stehen dem DMARC-Daemon alle relevanten Headerinformationen zur Bewertung zur Verfügung.

Wir setzen daher bei unserer Installation jeweils folgende Pakete ein:

SPF smf-spf aus Djangos-Repository
DKIM opendkim aus dem RPMforge
DMARC opendmarc aus Djangos-Repository

Die Installation von SPF-Milter ist im Kapitel SPF - Sender Policy Framework und OpenDKIM-Milter im Kapitel DKIM - Domain Key Identified Mail genauer beschrieben.

Mit Hilfe des DMARC Record Assistant kann man sich sehr leicht und einfach den nötigen DMARC-Record generieren lassen, den man dann über einen TXT-Record der Subdomain _dmarc in seinem DNS einträgt. Im Kapitel 6.2. General Record Format des DMARC Standardisierungs-Entwurf ist die

Als Beispiel sehen wir uns nun den aktuellen DMARC-Record von nausch.org an, den wir u.a. mit dem Aufruf des Befehls host vom DNS-Server abfrsagen können.

 # host -t TXT _dmarc.nausch.org

_dmarc.nausch.org descriptive text "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"

Die einzelnen Werte haben nun folgende Bedeutung.

Parameter	Art	Wert	Bedeutung
v	Plaintext; REQUIRED	DMARC1	Identifiziert den Datensatz als DMARC-Record. Der Parameter muss als erster wert im DMARC-Record gesetzt sein. Fehlt dieser ist der gesamte DMARC-Record zu verwerfen!
p	Plaintext; REQUIRED	reject	Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers verwerten soll. Diese gilt auch für die Subdomains, sofern für diese mit dem Parameter sp keine separate Definition vorliegt. Mögliche Werte sind: none : Der Domaininhaber hat keine Vorgaben zur Verabeitung/Zustellung der eMails. quarantine : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, als verdächtig gewertet werden sollen. Abhängig vom Empfänger können diese als verdächtig markiert werden, mit weiteren/zusätzlichen SPAM prüfungen zu belegen ist, oder in einen SPAM-Ordner verschoben werden soll. reject : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, rejected, also nicht angenommen werden sollen. Dies sollte, wenn möglich, noch während des SMTP-Dialogs passieren.
sp	Plaintext;OPTIONAL	reject	Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers einer Subdomäne verwerten soll. Der Parameter beschreibt nur die abgefragte Subdomäne, nicht die Domäne an sich! Der Syntax entspricht dem Parameter p. Wird der Paramter sp nicht gesetzt, gelten die Definitionen des Parameters p auch für alle Subdomänen.
rua	Kommaseparierte plain-text Liste von DMARC URIs; OPTIONAL	mailto:postmaster@nausch.org	Der Domaininhaber wünscht, per eMail mit aufbereiteten Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten.
ruf	Kommaseparierte Plaintext Liste von DMARC URIs; OPTIONAL	mailto:django@nausch.org	Der Domaininhaber wünscht, per eMail mit detailierten forensischen Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten.
adkim	Plaintext; OPTIONAL; Default = relaxed	r	Definiert, wie konservativ das Ergebnis der DKIM-Signaturprüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt.
aspf	Plaintext; OPTIONAL; Default = relaxed	r	Definiert, wie konservativ das Ergebnis der SPF-Prüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt.
pct	Plaintext/Zahlenwert zwischen 0 und 100; OPTIONAL; Default = 100	100	Der Domaininhaber wünscht, daß der angegebene Prozentwert an Nachrichten von den DMARC-Prüfungen benutzt werden soll. Der Wert beschreibt nicht das Verhältnis in den DMARC-Reports.
rf	Kommaseparierte Plaintext Liste; OPTIONAL; Default = afrf	afrf	Der Domaininhaber wünscht, dass die aufbereiteten forensischen Prüfberichte im Format AFRF⁶⁾ oder IODEF⁷⁾ zu erhalten, wenn sowohl der DKIM- wie auch der SPF-Test negativ ausfällt.
ri	Plaintext; OPTIONAL; Default = 86400	86400	Der Domaininhaber wünscht, dass die aufbereiteten Statistik- und Forensikdaten spätestens alle „n“ Sekunden verschickt werden sollen.

Nach Erstellung des DMARC-Records von Hand oder über den DMARC Record Assistant, tragen wir demnach bei unserem zuständigen DNS entsprechenden eigenen und richtigen Daten ein.

 _dmarc.nausch.org                        IN      TXT     "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"

Über die URL OTA Query Tool for SPF & DMARC Records der Online trust Alliance kann man online bei Bedarf testen, ob der DMARC-Eintrag soweit richtig ist.

Mit Hilfe der DMARC Inspectors kann man (s)einen DMARC-Record testen und sich die Optionen die der Domaininhaber gesetzt hat, beschreiben lassen. Möchte man seinen SPF-Record testen lassen, steht einem der SPF Surveyor zur Verfügung.

Zu guter Letzt kann mit dem DKIM Key Checker der, im DNS hinterlegte, DKIM-Schlüssel einer Domäne getestet werden.

Möchte man dann noch testen, ob der eigene Mailserver alle Voraussetzungen für eine DMARC-policy hat, schickt man einfach eine „leere eMail“ an checkmyauth@auth.returnpath.net, so erhält man anschließen einen ausführlichen Prüfbericht.

From: "Return Path" <noreply@returnpath.net>
Subject: Return Path DKIM/SPF Reflector Report
Date: Fri, 21 Mar 2014 03:58:12 -0600 (MDT)
To: undisclosed-recipients:;

Return Path DKIM/SPF Reflector Report
=====================================
Source IP = 217.91.103.190
Mail From = django@nausch.org

Identity Alignment Results
==========================
SPF Domain Alignment Result = PASS
	The From domain 'nausch.org' is an exact match with the SPF domain 'nausch.org'.
	Note that the alignment policy is set to relaxed in your DMARC record.

DKIM Domain Alignment Results:
	Result for DNS Record: 140224._domainkey.nausch.org = PASS
	The From domain 'nausch.org' is an exact match with the DKIM domain 'nausch.org'.
	Note that the alignment policy is set to relaxed in your DMARC record.

DKIM Results
============
Result = pass
Domain = nausch.org
Selector = 140224
DNS Record(s) =
	140224._domainkey.nausch.org TXT v=DKIM1; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuJ3/CruOs3fCU0ujOStcNN85TJh+5HvMa9m99C5XuRBlxOr+fp5BeIEtiPO0szKvvPojwrueCq0oOuEzjR/i2ObpRkzKRUXmAa0qVezUZwQIbKeiuKII0PnpQclDrmQrzSXcQWPT57tkPg17Q9WamFUUaHeN3+pVGtMyjYekRaAoRlV+a1gD111kXMPhiaFTMIncoRBS/gYN8FjfekH+ezqbLHLB8DLJQBZEGUILvJjAHX0722XyqYtkn1qfv63nPRGw/qqAW1072Gchq4ZS4ZPQ89SrK4KcHt/XptSlztXMWtmRFQriHdvbjr1Fx7ZwXdTQ+ik2AUZLMdhMrQe6/1GujQiMD6po81NpYbrjnfd+QF4sUbus4wPQKVNzsctiuzGlWsFexSHP4dAZtKnImJhVDnzZODQy0nSafedlr5g4VR36vgm0YPWjSyRNnC/APHyw0DtHIrzTqfKuDeGv80uMPbEdujrw9gLbK3H8ow42iTicmgPgT3J5j70ZOo4o4FMtpZ/AEQw+VnWpSfw7bkMjufLc29XHbtp22wfgq2Lmarr3+psaHokFaQrImkMbzdSL9CdabkLptanAilLScvq8UaKVC+G1+vHDgaweq3BhXD5+YcJnJlp4msUqqxGYlnx4RSvv8PipMU2DsVFbNJSH5NJuS7GuzplNg+f20ysCAwEAAQ==
	Public Key Length = 4096

DomainKeys Results
==================
No DomainKeys signature(s) found.

SPF Results
===========
Result = pass
Domain = nausch.org
DNS Record(s) =
	nausch.org TXT v=spf1 ip4:217.91.103.190/32 mx ?all

DMARC Results
=============
Domain = _dmarc.nausch.org
DNS Record = 
	_dmarc.nausch.org TXT v=DMARC1; p=reject; rua=mailto:postmaster@nausch.org; ruf=mailto:django@nausch.org; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject

DMARC Record Validation Results
===============================
DMARC Errors Detected: None.
Non-DMARC flags encountered (skipped): None.

Visit http://www.returnpath.com/solution-content/dmarc-support/ for more information on DMARC record creation and validation.

Bei der Implementation von DMARC in unserem eigenen Mailserver, greifen wir auf das Projekt OpenDMARC zurück.

Entweder holt man sich das betreffende Quellpaket auf der sourceforge- Download-Seite oder man greift auf die RPM-Pakete von Djangos Repository] zurück.

Also erstes laden wir uns die beiden benötigten Pakete auf unseren Rechner, zuvor wechseln wir abernoch in unser lokales Programm-Archiv.

 # cd /usr/local/src/packages/

Die x86_64-Pakete findet man im Verzeichnis http://repository.nausch.org/public/x86_64/, die Pakete für i686 im Verzeichnis http://repository.nausch.org/public/i686/.

Im Falle der x86_64-Pakete sind dies dann entsprechend folgende Pakete:

 # wget http://repository.nausch.org/public/x86_64/libopendmarc-1.3.0-beta0.el6.x86_64.rpm

 # wget http://repository.nausch.org/public/x86_64/opendmarc-1.3.0-beta0.el6.x86_64.rpm

 # yum localinstall libopendmarc-1.3.0-beta0.el6.x86_64.rpm opendmarc-1.3.0-beta0.el6.x86_64.rpm

 # rpm -qil opendmarc

Version     : 1.3.0                             Vendor: Django
Release     : beta0.el6                     Build Date: Mon 28 Apr 2014 05:46:34 PM CEST
Install Date: Mon 28 Apr 2014 05:50:47 PM CEST      Build Host: vml010039.intra.nausch.org
Group       : System Environment/Daemons    Source RPM: opendmarc-1.3.0-beta0.el6.src.rpm
Size        : 175607                           License: BSD and Sendmail
Signature   : RSA/SHA1, Mon 28 Apr 2014 05:46:35 PM CEST, Key ID 31b4758f7c65ab27
Packager    : Django
URL         : http://http://www.trusteddomain.org/opendmarc.html
Summary     : DMARC milter and library
Description :
OpenDMARC (Domain-based Message Authentication, Reporting & Conformance)
provides an open source library that implements the DMARC verification
service plus a milter-based filter application that can plug in to any
milter-aware MTA, including sendmail, Postfix, or any other MTA that supports
the milter protocol.

The DMARC sender authentication system is still a draft standard, working
towards RFC status.
/etc/opendmarc.conf
/etc/rc.d/init.d/opendmarc
/etc/tmpfiles.d/opendmarc.conf
/usr/sbin/opendmarc
/usr/sbin/opendmarc-check
/usr/sbin/opendmarc-expire
/usr/sbin/opendmarc-import
/usr/sbin/opendmarc-importstats
/usr/sbin/opendmarc-params
/usr/sbin/opendmarc-reports
/usr/share/doc/opendmarc-1.3.0
/usr/share/doc/opendmarc-1.3.0/INSTALL
/usr/share/doc/opendmarc-1.3.0/README
/usr/share/doc/opendmarc-1.3.0/README.schema
/usr/share/doc/opendmarc-1.3.0/RELEASE_NOTES
/usr/share/doc/opendmarc-1.3.0/schema.mysql
/usr/share/man/man5/opendmarc.conf.5.gz
/usr/share/man/man8/opendmarc-check.8.gz
/usr/share/man/man8/opendmarc-expire.8.gz
/usr/share/man/man8/opendmarc-import.8.gz
/usr/share/man/man8/opendmarc-importstats.8.gz
/usr/share/man/man8/opendmarc-params.8.gz
/usr/share/man/man8/opendmarc-reports.8.gz
/usr/share/man/man8/opendmarc.8.gz
/var/run/opendmarc
/var/spool/opendmarc

# rpm -qil libopendmarc

Name        : libopendmarc                 Relocations: (not relocatable)
Version     : 1.3.0                             Vendor: Django
Release     : beta0.el6                     Build Date: Mon 28 Apr 2014 05:46:34 PM CEST
Install Date: Mon 28 Apr 2014 05:50:46 PM CEST      Build Host: vml010039.intra.nausch.org
Group       : System Environment/Libraries   Source RPM: opendmarc-1.3.0-beta0.el6.src.rpm
Size        : 69016                            License: BSD and Sendmail
Signature   : RSA/SHA1, Mon 28 Apr 2014 05:46:35 PM CEST, Key ID 31b4758f7c65ab27
Packager    : Django
URL         : http://http://www.trusteddomain.org/opendmarc.html
Summary     : An open source DMARC library
Description :
This package contains the library files required for running services built
using libopendmarc.
/usr/lib64/libopendmarc.so.1
/usr/lib64/libopendmarc.so.1.0.2

Viele hilfreiche Informationen zur Konfiguration von OpenDMARC finden sich in den nachfolgenden Dateien.

 # less /usr/share/doc/opendmarc-1.2.0/README

OPENDMARC README
================
 
This directory has the latest open source DMARC software from The Trusted
Domain Project.
 
There is a web site at http://www.trusteddomain.org/opendmarc that is home for
the latest updates.
 
 
+--------------+
| INTRODUCTION |
+--------------+
 
The OpenDMARC project is a community effort to develop and maintain an open
source package for providing DMARC report generation and policy enforcement
services.  It includes a library for handling DMARC record parsing,
a database schema and tools for aggregating and processing transaction
history to produce DMARC reports, and a filter that ties it all together
with an MTA using the milter protocol.
 
"milter" is a portmanteau of "mail filter" and refers to a protocol and API
for communicating mail traffic information between MTAs and mail filtering
plug-in applications.  It was originally invented at Sendmail, Inc. but
has also been adapted to other MTAs.
 
+--------------+
| DEPENDENCIES |
+--------------+
 
To compile and operate, this package requires the following:
 
o OpenDBX (http://www.linuxnetworks.de/doc/index.php/OpenDBX) which
  acts as a middleware layer between OpenDMARC and your SQL backend
  of choice
 
o sendmail v8.13.0 (or later), or Postfix 2.3, (or later) and libmilter.
  (These are only required if you are building the filter.)
 
o Access to a working nameserver (required only for signature verification).
 
o If you are interested in tinkering with the build and packaging structure,
  you may need to upgrade to these versions of GNU's "autotools" components:
	autoconf (GNU Autoconf) 2.61
	automake (GNU automake) 1.7 (or 1.9 to avoid warnings)
	ltmain.sh (GNU libtool) 2.2.6 (or 1.5.26 after make maintainer-clean)
 
 
+-----------------------+
| RELATED DOCUMENTATION |
+-----------------------+
 
The man page for opendmarc (the actual filter program) is present in the
opendmarc directory of this source distribution.  There is additional
information in the INSTALL and FEATURES files, and in the README file in the
opendmarc directory.  Changes are documented in the RELEASE_NOTES file.
 
HTML-style documentation for libopendmarc is available in libopendmarc/docs in
this source distribution.
 
General information about DMARC can be found at http://www.dmarc.org
 
Mailing lists discussing and supporting the DMARC software found in this
package are maintained via a list server at trusteddomain.org.  Visit
http://www.trusteddomain.org to subscribe or browse archives.  The available
lists are:
 
	opendmarc-announce	(moderated) Release announcements.
 
	opendmarc-users		General OpenDMARC user questions and answers.
 
	opendmarc-dev		Chatter among OpenDMARC developers.
 
	opendmarc-code		Automated source code change announcements.
 
Bug tracking is done via the trackers on SourceForge at
http://sourceforge.net/projects/opendmarc.  You can enter new bug
reports there, but please check first for older bugs already open,
or even already closed, before opening a new issue.
 
 
+---------------------+
| DIRECTORY STRUCTURE |
+---------------------+
 
contrib		A collection of user contributed scripts that may be useful.
 
db		Database schema and tools for generating DMARC reports based
		upon accumulated data.
 
docs		A collection of RFCs and drafts related to opendmarc.
 
libopendmarc	A library that implements the proposed DMARC standard.
 
libopendmarc/docs
		HTML documentation describing the API provided by libopendmarc.
 
opendmarc	A milter-based filter application which uses libopendmarc (and
		optionally libar) to provide DMARC service via an MTA using
		the milter protocol.
 
 
+----------------+
| RUNTIME ISSUES |
+----------------+
 
WARNING: symbol 'X' not available
 
 The filter attempted to get some information from the MTA that the MTA
 did not provide.
 
 At various points in the interaction between the MTA and the filter, certain
 macros containing information about the job in progress or the connection
 being handled are passed from the MTA to the filter.
 
 In the case of sendmail, the names of the macros the MTA should pass to the
 filter are defined by the "Milter.macros" settings in sendmail.cf, e.g.
 "Milter.macros.connect", "Milter.macros.envfrom", etc.  This message
 indicates that the filter needed the contents of macro X, but that macro
 was not passed down from the MTA.
 
 Typically the values needed by this filter are passed from the MTA if the
 sendmail.cf was generated by the usual m4 method.  If you do not have
 those options defined in your sendmail.cf, make sure your M4 configuration
 files are current and rebuild your sendmail.cf to get appropriate lines
 added to your sendmail.cf, and then restart sendmail.
 
MTA timeouts
 
 By default, the MTA is configured to wait up to ten seconds for a response
 from a filter before giving up.  When querying remote nameservers
 for key and policy data, the DMARC filter may not get a response from the
 resolver within that time frame, and thus this MTA timeout will occur.
 This can cause messages to be rejected, temp-failed or delivered without
 verification, depending on the failure mode selected for the filter.
 
 When using the standard resolver library provided with your system, the
 DNS timeout cannot be adjusted.  If you encounter this problem, you must
 increase the time the MTA waits for replies.  See the documentation in
 the sendmail open source distribution (libmilter/README in particular)
 for instructions on changing these timeouts.
 
 When using the provided asynchronous resolver library, you can use the
 "-T" command line option to change the timeout so that it is shorter than
 the MTA timeout.
 
Other OpenDMARC issues:
 
 Report any bugs to the email address opendmarc-users@trusteddomain.org or to
 the SourceForge issue tracker accessible at:
 
 http://sourceforge.net/p/opendmarc/tickets/
 
 
--
Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.
 
$Id: README,v 1.13 2010/10/25 20:41:55 cm-msk Exp $

 # less /usr/share/doc/opendmarc-1.2.0/README.schema

This directory contains the OpenDMARC schema plus any related files.
 
The tables in this schema are populated by the opendmarc filter as it processes
messages and downloads policies.  The rows are then consumed by the scripts
in the "reports" directory to generate regular aggregate reports.
 
The tables are summarized here:
 
domains		A table that maps domain names to unique integer IDs.
		Automatically tracks a "first seen" timestamp, and includes
		a column to record when the last report was sent.
 
reporters	A table mapping reporting hosts to unique integer IDs.
		Intended for use by multi-MX systems so it's possible to tell
		where an inbound message landed.
 
ipaddr		A table mapping IP addresses (as strings) to unique IDs.
		Also tracks the "first seen" timestamp for each.
 
messages	A table tracking salient properties of all messages received.
		A messages is uniquely identified by a {date, jobid, reporter}
		tuple.  Includes references to the "domains" table to track
		the RFC5321.MailFrom domain, the RFC5322.From domain.
		Also records the count of DKIM signatures, the SPF result,
		and whether or not the SPF result was aligned with the
		RFC5322.From domain.
 
signatures	A table tracking DKIM signatures, each of which refers to
		a rown in the "messages" table.  Tracks the signing domain,
		whether the signature passed, whether there was a verification
		error other than a broken signature, and whether or not the
		signing domain aligned with the RFC5322.From domain.
 
requests	A table containing a cache of DMARC reporting requests.
		For each domain, the destination reporting URI for aggregate
		reports is recorded along with a "last report sent" timestamp.
 
--
Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

 # man opendmarc.conf

opendmarc.conf(5)                                            opendmarc.conf(5)

NAME
       opendmarc.conf - Configuration file for opendmarc

LOCATION
       /etc/opendmarc.conf

DESCRIPTION
       opendmarc(8)  implements  the proposed DMARC specification for message authentication, policy
       enforcement, and reporting.  This file is its configuration file.

       Blank lines are ignored.  Lines containing a hash ("#") character are truncated at  the  hash
       character to allow for comments in the file.

       Other  content  should  be  the name of a parameter, followed by white space, followed by the
       value of that parameter, each on a separate line.

       For parameters that are Boolean in nature, only the first byte of  the  value  is  processed.
       For  positive values, the following are accepted: "T", "t", "Y", "y", "1".  For negative val-
       ues, the following are accepted: "F", "f", "N", "n", "0".

       Some, but not all, of these parameters are also available as command line options  to  opend-
       marc(8).  However, new parameters are generally not added as command line options so the com-
       plete set of options is available here, and thus use of the configuration file is encouraged.
       In some future release, the set of available command line options is likely to get trimmed.

       See  the opendmarc(8) man page for details about how and when the configuration file contents
       are reloaded.

       Unless otherwise stated, Boolean values default to "false", integer values default to 0,  and
       string and dataset values default to being undefined.

PARAMETERS
       AuthservID (string)
              Sets the "authserv-id" to use when generating the Authentication-Results: header field
              after verifying a message.  The default is to use the name of the MTA  processing  the
              message.   If the string "HOSTNAME" is provided, the name of the host running the fil-
              ter (as returned by the gethostname(3) function) will be used.

       AuthservIDWithJobID (Boolean)
              If "true", requests that the authserv-id portion of the added  Authentication-Results:
              header fields contain the job ID of the message being evaluated.

       AutoRestart (Boolean)
              Automatically  re-start  on failures.  Use with caution; if the filter fails instantly
              after it starts, this can cause a tight fork(2) loop.

       AutoRestartCount (integer)
              Sets the maximum automatic restart count.  After this number  of  automatic  restarts,
              the  filter  will  give  up and terminate.  A value of 0 implies no limit; this is the
              default.

       AutoRestartRate (string)
              Sets the maximum automatic restart rate.  If the filter begins restarting faster  than
              the  rate  defined  here, it will give up and terminate.  This is a string of the form
              n/t[u] where n is an integer limiting the count of restarts in the given interval  and
              t[u]  defines  the time interval through which the rate is calculated; t is an integer
              and u defines the units thus represented ("s" or "S" for seconds, the default; "m"  or
              "M"  for minutes; "h" or "H" for hours; "d" or "D" for days).  For example, a value of
              "10/1h" limits the restarts to 10 in one hour.  There is no default,  meaning  restart
              rate is not limited.

       Background (Boolean)
              Causes  opendmarc  to  fork  and exits immediately, leaving the service running in the
              background.  The default is "true".
       BaseDirectory (string)
              If set, instructs the filter to change  to  the  specified  directory  using  chdir(2)
              before doing anything else.  This means any files referenced elsewhere in the configu-
              ration file can be specified relative to this directory.  It’s also useful for arrang-
              ing that any crash dumps will be saved to a specific location.

       ChangeRootDirectory (string)
              Requests  that the operating system change the effective root directory of the process
              to the one specified here prior to beginning execution.  chroot (2) requires superuser
              access. A warning will be generated if UserID is not also set.

       CopyFailuresTo (string)
              Adds  the  specified recipient to the message’s envelope if it fails the DMARC evalua-
              tion.

       DNSTimeout (integer)
              Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.   The  default
              is 5.  Ignored if not using an asynchronous resolver package.

       EnableCoredumps (Boolean)
              On  systems  that  have  such  support, make an explicit request to the kernel to dump
              cores when the filter crashes for some reason.  Some modern UNIX systems suppress core
              dumps  during crashes for security reasons if the user ID has changed during the life-
              time of the process.  Currently only supported on Linux.

       ForensicReports (Boolean)
              Enables generation of forensic reports when the DMARC test  fails  and  the  purported
              sender  of the message has requested such reports.  Reports are formatted per RFC6591.

       ForensicReportsBcc (string)
              When forensic reports are enabled and one is to be generated, always send one  to  the
              address(es)  specified  here.   If a forensic report is requested by the domain owner,
              the address(es) are added in a Bcc: field.  If no request is  made,  they  address(es)
              are used in a To: field.  There is no default.

       ForensicReportsOnNone (Boolean)
              Supplementary  to  the  previous  setting,  enables generation of forensic reports for
              sending domains that publish a "none" policy.

       ForensicReportsSentBy (string)
              Sets the value of the From: field to  be  used  when  sending  forensic  reports  (see
              above).   The  default  is  to use the userid of the user executing the filter and the
              local host name to construct an email address.

       HistoryFile (string)
              If set, specifies the location of a text file to which records are written that can be
              used  to  generate  DMARC  aggregate  reports.  Records are batches of rows containing
              information about a single received message,  and  include  all  relevant  information
              needed  to  generate  a  DMARC aggregate report.  It is expected that this will not be
              used in its raw form, but rather periodically imported into a relational database from
              which the aggregate reports can be extracted.

       IgnoreHosts (string)
              Specifies  the  path to a file that contains a list of hostnames, IP addresses, and/or
              CIDR expressions identifying hosts whose SMTP connections are to  be  ignored  by  the
              filter.  If not specified, defaults to "127.0.0.1" only.

       IgnoreMailFrom (string)
              Gives  a  list of domain names whose mail (based on the From: domain) is to be ignored
              by the filter.  The list should be comma-separated.  Matching  against  this  list  is
              case-insensitive.  The default is an empty list, meaning no mail is ignored.

       MilterDebug (integer)
              Sets the debug level to be requested from the milter library.  The default is 0.

       PidFile (string)
              Specifies  the  path  to a file that should be created at process start containing the
              process ID.

       PublicSuffixList (string)
              Specifies the path to a file that contains top-level domains (TLDs) that will be  used
              to  compute  the  Organizational  Domain  for a given domain name, as described in the
              DMARC specification.  If not provided, the filter will not be able  to  determine  the
              Organizational Domain and only the presented domain will be evaluated.

       RecordAllMessages (Boolean)
              If  set  and  HistoryFile is in use, all received messages are recorded to the history
              file.  If not set (the default), only messages for which the From: domain published  a
              DMARC record will be recorded in the history file.

       RejectFailures (Boolean)
              If set, messages will be rejected if they fail the DMARC evaluation, or temp-failed if
              evaluation could not be completed.  By default, no message will be rejected  or  temp-
              failed  regardless of the outcome of the DMARC evaluation of the message.  Instead, an
              Authentication-Results header field will be added.  The default is "false".

       ReportCommand (string)
              Indicates the shell command to which forensic reports should be  passed  for  delivery
              when ForensicReports is enabled.  Defaults to /usr/sbin/sendmail.

       RequiredHeaders (Boolean)
              If  set, the filter will ensure the header of the message conforms to the basic header
              field count restrictions laid out in RFC5322, Section 3.6.  Messages failing this test
              are  rejected  without  further  processing.   A From: field from which no domain name
              could be extracted will also be rejected.

       Socket (string)
              Specifies the socket that should be established by the filter to  receive  connections
              from  sendmail(8)  in  order  to  provide service.  socketspec is in one of two forms:
              local:path,  which  creates  a  UNIX  domain  socket  at  the   specified   path,   or
              inet:port[@host] or inet6:port[@host] which creates a TCP socket on the specified port
              for the appropriate protocol family.  If the host is not given as either a hostname or
              an  IP address, the socket will be listening on all interfaces.  This option is manda-
              tory either in the configuration file or on the command line.  If  an  IP  address  is
              used, it must be enclosed in square brackets.

       SoftwareHeader (Boolean)
              Causes  opendmarc to add a "DMARC-Filter" header field indicating the presence of this
              filter in the path of the message from injection to  delivery.   The  product’s  name,
              version, and the job ID are included in the header field’s contents.

       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
              Log  via calls to syslog(3) using the named facility.  The facility names are the same
              as the ones allowed in syslog.conf(5).  The default is "mail".

       TemporaryDirectory (string)
              Specifies the directory in which temporary files should be written.   The  default  is
              /var/tmp.

       TrustedAuthservIDs (string)
              Provides a list of authserv-ids that are to be used to identify Authentication-Results
              header fields whose contents are to be assumed as valid input for  the  DMARC  assess-
              ment.  To provide a list, separate values by commas.  If the string "HOSTNAME" is pro-
              vided, the name of the host running the filter  (as  returned  by  the  gethostname(3)
              function)  will be used.  Matching against this list is case-insensitive.  The default
              is to use the value of AuthservID.

       UMask (integer)
              Requests a specific permissions mask to be used for file creation.  This  only  really
              applies  to  creation of the socket when Socket specifies a UNIX domain socket, and to
              the PidFile (if any); temporary files are created  by  the  mkstemp(3)  function  that
              enforces  a  specific  file  mode  on  creation  regardless of the process umask.  See
              umask(2) for more information.

       UserID (string)
              Attempts to become the specified userid before starting operations.  The value  is  of
              the  form  userid[:group].  The process will be assigned all of the groups and primary
              group ID of the named userid unless an alternate group is specified.

FILES
       /etc/opendmarc.conf
              Default location of this file.

VERSION
       This man page covers version 1.2.0 of opendmarc.

COPYRIGHT
       Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc(8), sendmail(8)

       RFC4408 - Sender Policy Framework

       RFC5451 - Message Header Field for Indicating Message Authentication Status

       RFC5965 - An Extensible Format for Email Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format
                          The Trusted Domain Project         opendmarc.conf(5)

 # man 8 opendmarc

opendmarc(8)                                                      opendmarc(8)

NAME
       opendmarc - DMARC email policy filter for MTAs

SYNOPSIS
       opendmarc   [-A]   [-c   configfile]   [-f]  [-l]  [-n]  [-p  socketspec]  [-P  pidfile]  [-t
       file[,file[...]]]  [-u userid[:group]] [-v] [-V]

DESCRIPTION
       opendmarc implements the prooposed DMARC specification  for  authentication  of  message  and
       reporting of observed traffic.

       opendmarc  uses the milter interface, originally distributed as part of version 8.11 of send-
       mail(8), to provide a DMARC processing service for mail transiting a milter-aware MTA.

       Most, if not all, of the command line options listed below can also be set using a configura-
       tion file.  See the -c option for details.

       opendmarc  relies  on addition of Authentication-Results fields by upsteam filters on trusted
       hosts to collect input to the DMARC algorithm.  It does not itself do DKIM or SPF evaluation.

OPTIONS
       -A     Automatically  re-start  on failures.  Use with caution; if the filter fails instantly
              after it starts, this can cause a tight fork(2) loop.  This  can  be  mitigated  using
              some values in the configuration file to limit restarting.  See opendmarc.conf(5).

       -c configfile
              Read  the  named  configuration file.  See the opendmarc.conf(5) man page for details.
              Values in the configuration file are overridden when their equivalents are provided on
              the command line until a configuration reload occurs.  The OPERATION section describes
              how reloads are  triggered.   The  default  is  to  read  a  configuration  file  from
              /etc/opendmarc.conf if one exists, or otherwise to apply defaults to all values.
       -f     Normally  opendmarc  forks  and  exits immediately, leaving the service running in the
              background.  This flag suppresses that behaviour so that it runs in the foreground.

       -l     Log via calls to syslog(3) any interesting activity.

       -n     Parse the configuration file and command line arguments, reporting any  errors  found,
              and  then  exit.   The  exit value will be 0 if the filter would start up without com-
              plaint, or non-zero otherwise.

       -p socketspec
              Specifies the socket that should be established by the filter to  receive  connections
              from  sendmail(8)  in  order  to  provide service.  socketspec is in one of two forms:
              local:path  which  creates  a  UNIX  domain  socket  at   the   specified   path,   or
              inet:port[@host] or inet6:port[@host] which creates a TCP socket on the specified port
              within the specified protocol family.  If the host is not given as either  a  hostname
              or  an  IP address, the socket will be listening on all interfaces.  If neither socket
              type is specified, local is assumed, meaning the parameter is interpreted as a path at
              which  the socket should be created.  If an IP address is used, it must be enclosed in
              square brackets.  This parameter is mandatory.

       -P pidfile
              Specifies a file into which the filter should write its process ID at startup.

       -t file[,file[,...]]
              Reads email messages from the named files and processes them as if they were  received
              by  the filter.  The service is not started, and actions normally sent back to the MTA
              will instead be printed on standard output.

       -u userid[:group]
              Attempts to be come the specified userid before starting operations.  The process will
              be  assigned  all  of  the  groups  and primary group ID of the named userid unless an
              alternate group is specified.  See the FILE PERMISSIONS section for more  information.
       -v     Increase  verbose  output during test mode (see -t above).  May be specified more than
              once to request increasing amounts of output.

       -V     Print the version number and supported canonicalization and signature algorithms,  and
              then exit without doing anything else.

SIGNALS
       Upon  receiving  SIGUSR1, if the filter was started with a configuration file, it will be re-
       read and the new values used.  Note that any command line overrides provided at startup  time
       will  be  lost  when  this is done.  Also, the following configuration file values (and their
       corresponding command line items, if any) are not reloaded through this process:  AutoRestart
       (-A),  AutoRestartCount, AutoRestartRate, Background, MilterDebug, PidFile (-P), Socket (-p),
       UMask, UserID (-u).  The filter does not  automatically  check  the  configuration  file  for
       changes and reload.

VERSION
       This man page covers version 1.2.0 of opendmarc.

COPYRIGHT
       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc.conf(5), sendmail(8)

       Sendmail Operations Guide

       RFC4408 - Sender Policy Framework

       RFC5321 - Simple Mail Transfer Protocol

       RFC5322 - Internet Messages

       RFC5451 - Message Header Field for Indicating Message Authentication Status

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format

                          The Trusted Domain Project              opendmarc(8)

 # elinks http://www.trusteddomain.org/opendmarc/reports-README

OPENDMARC REPORTS
=================

This directory contains tools necessary to generate DMARC reports at regular
intervals.  It includes the following:

	mkdb.mysql		sequence of MySQL commands that will create
				tables needed to provide DMARC reporting
				service via the scripts below

	opendmarc-expire	perl script to expire old DMARC records from
				the database; meant to be run from cron

	opendmarc-expire.8	man page for the above

	opendmarc-import	perl script to import opendmarc history files
				into the database; meant to be run from cron

	opendmarc-import.8	man page for the above

	opendmarc-params	perl script to adjust domain-specific opendmarc
				data in the database

	opendmarc-params.8	man page for the above

	opendmarc-reports	perl script to generate DMARC reports
				whenever it is run; meant to be run from cron

	opendmarc-reports.8	man page for the above

The adjacent "db" directory contains an SQL schema to be used with this
package.  The opendmarc filter populates the tables in that schema as messages
are received and DMARC policies evaluated.  The scripts in here use the
accumulated information to generate reports, and age out old data.

To use mkdb.mysql, enter the MySQL command line tool, connect to the database
in which you want to create the required tables, and type "source mkdb.mysql".

SETUP
=====

1) From within the MySQL command line environment, "source mkdb.mysql" to
   create the required database and tables.  You may also wish to set up
   users and access grants for users that will access this data.

2) Add a HistoryFile entry to opendmarc.conf referring to the location where
   per-message DMARC details should be recorded.  This location should be
   readable and writable by the user running the filter, but nobody else.

3) Add a cron job that will use opendmarc-import to import the history file's
   contents at regular and fairly frequent intervals (each minute or at least
   every five minutes).  The included opendmarc-importstats script might be
   useful here.  Ensure the appropriate database access parameters (names,
   users, passwords) are set in the script.

4) Add a cron job that will run opendmarc-reports to generate and send the
   XML reports based on recent database entries.

--
Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.

 # man opendmarc-import

opendmarc-import(8)                                        opendmarc-import(8)

NAME
       opendmarc-import - OpenDMARC aggregate report data import tool

SYNOPSIS
       opendmarc-import [options]

DESCRIPTION
       opendmarc-import  reads  per-message data recorded by an instance of opendmarc(8) and inserts it into an SQL database, for
       later use by opendmarc-reports(8) to generate aggregate reports.

       Records are read from standard input.

OPTIONS
       --dbhost=hostname
              Specifies the hostname on which the SQL server is running.  Defaults to  the  value  of  the  environment  variable
              OPENDMARC_DBHOST, or "localhost" if the environment variable is not set.

       --dbname=name
              Specifies the SQL database name to be accessed.  Defaults to the value of the environment variable OPENDMARC_DB, or
              "opendmarc" if the environment variable is not set.

       --dbpasswd=password
              Specifies the password for the SQL database to be accessed.  Defaults to the  value  of  the  environment  variable
              OPENDMARC_PASSWORD, or "opendmarc" if the environment variable is not set.

       --dbport=port
              Specifies  the TCP port on which the SQL server is expected to be listening.  Defaults to the value of the environ-
              ment variable OPENDMARC_PORT, or 3306 if the environment variable is not set.

       --dbuser=user
              Specifies the SQL user to be used to access the database.  Defaults to the value of the environment variable OPEND-
              MARC_USER, or "opendmarc" if the environment variable is not set.

       --help Prints a help message and terminates.

       --verbose
              Increase the amount of verbosity written to standard output.

       --version
              Print version number and exit.

VERSION
       This man page covers the version of opendmarc-import that shipped with version 1.2.0 of OpenDMARC.

COPYRIGHT
       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc(8), opendmarc.conf(5) opendmarc-reports(8)

                          The Trusted Domain Project       opendmarc-import(8)

 # man opendmarc-reports

opendmarc-reports(8) opendmarc-reports(8)

NAME
opendmarc-reports - OpenDMARC aggregate report generation tool

SYNOPSIS
opendmarc-reports [options]

DESCRIPTION
opendmarc-reports pulls data from an OpenDMARC database and generates periodic aggregate reports. The database is popu-
lated by a running opendmarc-import(8) on a message history file generated by an opendmarc(8) filter as messages arrive
and are processed. This includes the collection of reporting URIs, which this script uses to make reports available to
those that request them.

OPTIONS
--dbhost=hostname
Specifies the hostname on which the SQL server is running. Defaults to the value of the environment variable
OPENDMARC_DBHOST, or "localhost" if the environment variable is not set.

--dbname=name
Specifies the SQL database name to be accessed. Defaults to the value of the environment variable OPENDMARC_DB, or
"opendmarc" if the environment variable is not set.

--dbpasswd=password
Specifies the password for the SQL database to be accessed. Defaults to the value of the environment variable
OPENDMARC_PASSWORD, or "opendmarc" if the environment variable is not set.

--dbport=port
Specifies the TCP port on which the SQL server is expected to be listening. Defaults to the value of the environ-
ment variable OPENDMARC_PORT, or 3306 if the environment variable is not set.

--dbuser=user
Specifies the SQL user to be used to access the database. Defaults to the value of the environment variable OPEND-
MARC_USER, or "opendmarc" if the environment variable is not set.

--domain=name
Generates a report (if one is due) for the named domain, rather than checking all of them.

--help Prints a help message and terminates.

--interval=secs
Generates reports only for hosts that have not had a report generated in at least the last secs seconds.

--nodomain=name
Skips generating a report for the named domain. Can be specified multiple times to skip multiple reporting
domains.

--noupdate
Suppresses marking the time of the transmission of the report in the database. Normally this would be done to pre-
vent reports from being sent too close together.

--smtp-host=host
Causes reports to be sent by transmitting them using SMTP to the named host which can be an IP address or a host-
name. The default is "127.0.0.1".

--smtp-port=port
Causes reports to be sent by transmitting them using SMTP to the specified port. The default is 25.

--verbose
Increase the amount of verbosity written to standard output.

--version
Print version number and exit.

VERSION
This man page covers the version of opendmarc-reports that shipped with version 1.2.0 of OpenDMARC.

COPYRIGHT
Copyright (c) 2012, The Trusted Domain Project. All rights reserved.

SEE ALSO
opendmarc(8), opendmarc.conf(5), opendmarc-import(8)

The Trusted Domain Project opendmarc-reports(8)

Die Konfiguration von OpenDMARC erfolgt über die Konfigurationsdatei opendmarc.conf im Verzeichnis /etc.

/etc/opendmarc.conf

 # vim /etc/opendmarc.conf

/etc/opendmarc.conf

##
## opendmarc.conf -- configuration file for OpenDMARC filter
##
## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
##
 
##  AuthservID (string)
##      defaults to MTA name
##
##  Sets the "authserv-id" to use when generating the Authentication-Results:
##  header field after verifying a message.  If the string "HOSTNAME" is
##  provided, the name of the host running the filter (as returned by the
##  gethostname(3) function) will be used.  
#
# AuthservID name
# Django : 2013-03-18
AuthservID mx01.nausch.org
 
##  AuthservIDWithJobID { true | false }
##      default "false"
##
##  If "true", requests that the authserv-id portion of the added
##  Authentication-Results header fields contain the job ID of the message
##  being evaluated.
#
# AuthservIDWithJobID false
# Django : 2013-03-18
AuthservIDWithJobID true
 
##  AutoRestart { true | false }
##      default "false"
##
##  Automatically re-start on failures. Use with caution; if the filter fails
##  instantly after it starts, this can cause a tight fork(2) loop.
#
# AutoRestart false
 
##  AutoRestartCount n
##      default 0
##
##  Sets the maximum automatic restart count.  After this number of automatic
##  restarts, the filter will give up and terminate.  A value of 0 implies no
##  limit.
#
# AutoRestartCount 0
 
##  AutoRestartRate n/t[u]
##      default (no limit)
##
##  Sets the maximum automatic restart rate.  If the filter begins restarting
##  faster than the rate defined here, it will give up and terminate.  This
##  is a string of the form n/t[u] where n is an integer limiting the count
##  of restarts in the given interval and t[u] defines the time interval
##  through which the rate is calculated; t is an integer and u defines the
##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
##  value of "10/1h" limits the restarts to 10 in one hour. There is no
##  default, meaning restart rate is not limited.
#
# AutoRestartRate n/t[u]
 
##  Background { true | false }
##      default "true"
##
##  Causes opendmarc to fork and exits immediately, leaving the service
##  running in the background.
#
# Background true
 
##  BaseDirectory (string)
##      default (none)
##
##  If set, instructs the filter to change to the specified directory using
##  chdir(2) before doing anything else.  This means any files referenced
##  elsewhere in the configuration file can be specified relative to this
##  directory.  It's also useful for arranging that any crash dumps will be
##  saved to a specific location.
#
# BaseDirectory /var/run/opendmarc
 
##  ChangeRootDirectory (string)
##      default (none)
##
##  Requests that the operating system change the effective root directory of
##  the process to the one specified here prior to beginning execution.
##  chroot(2) requires superuser access.  A warning will be generated if
##  UserID is not also set.
# 
# ChangeRootDirectory /var/chroot/opendmarc
 
##  CopyFailuresTo (string)
##      default (none)
##
##  Requests addition of the specified email address to the envelope of
##  any message that fails the DMARC evaluation.
#
# CopyFailuresTo postmaster@localhost
 
##  DNSTimeout (integer)
##      default 5
## 
##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
##  (NOT YET IMPLEMENTED)
#
# DNSTimeout 5
 
##  EnableCoredumps { true | false }
##      default "false"
##
##  On systems that have such support, make an explicit request to the kernel
##  to dump cores when the filter crashes for some reason.  Some modern UNIX
##  systems suppress core dumps during crashes for security reasons if the
##  user ID has changed during the lifetime of the process.  Currently only
##  supported on Linux.
#
# EnableCoreDumps false
 
##  ForensicReports { true | false }
##      default "false"
##
##  Enables generation of forensic reports when the DMARC test fails and the
##  purported sender of the message has requested such reports.  Reports are
##  formatted per RFC6591.
# 
# ForensicReports false
#  Django : 2014-03-18
ForensicReports true
 
##  ForensicReportsBcc (string)
##      default (none)
##
##  When forensic reports are enabled and one is to be generated, always
##  send one to the address(es) specified here.  If a forensic report is
##  requested by the domain owner, the address(es) are added in a Bcc: field.
##  If no request is made, they address(es) are used in a To: field.  There
##  is no default.
# 
# ForensicReportsBcc postmaster@example.coom
# Django : 2014-03-18
ForensicReportsBcc postmaster@nausch.org
 
##  ForensicReportsOnNone { true | false }
##      default "false"
##
##  Supplements the "ForensicReports" setting by generating reports for
##  domains that advertise "none" policies.  By default, reports are only
##  generated (when enabled) for sending domains advertising a "quarantine"
##  or "reject" policy.
# 
# ForensicReportsOnNone false
 
##  ForensicReportsSentBy string
##      default "USER@HOSTNAME"
##
##  Specifies the email address to use in the From: field of forensic
##  reports generated by the filter.  The default is to use the userid of
##  the user running the filter and the local hostname to construct an
##  email address.  "postmaster" is used in place of the userid if a name
##  could not be determined.
# 
# ForensicReportsSentBy USER@HOSTNAME
# Django : 2014-03-18
ForensicReportsSentBy dmarc-admin@nausch.org
 
##  HistoryFile path
##      default (none)
##
##  If set, specifies the location of a text file to which records are written
##  that can be used to generate DMARC aggregate reports.  Records are groups
##  of rows containing information about a single received message, and
##  include all relevant information needed to generate a DMARC aggregate
##  report.  It is expected that this will not be used in its raw form, but
##  rather periodically imported into a relational database from which the
##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
#
HistoryFile /var/run/opendmarc/opendmarc.dat
 
 
##  IgnoreHosts path
##      default (internal)
##
##  Specifies the path to a file that contains a list of hostnames, IP
##  addresses, and/or CIDR expressions identifying hosts whose SMTP
##  connections are to be ignored by the filter.  If not specified, defaults
##  to "127.0.0.1" only.
#
# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
# Django : 2014-03-19
IgnoreHosts /etc/opendmarc/ignore.hosts
 
##  IgnoreMailFrom domain[,...]
##      default (none)
##
##  Gives a list of domain names whose mail (based on the From: domain) is to
##  be ignored by the filter.  The list should be comma-separated.  Matching
##  against this list is case-insensitive.  The default is an empty list,
##  meaning no mail is ignored.
#
# IgnoreMailFrom example.com
 
##  MilterDebug (integer)
##      default 0
##
##  Sets the debug level to be requested from the milter library.
#
# MilterDebug 0
# Django : 2014-04-28
MilterDebug 5
 
##  PidFile path
##      default (none)
##
##  Specifies the path to a file that should be created at process start
##  containing the process ID.
##
#
# PidFile /var/run/opendmarc.pid
# Django : 2014-03-18
PidFile /var/run/opendmarc.pid
 
##  PublicSuffixList path
##      default (none)
##
##  Specifies the path to a file that contains top-level domains (TLDs) that
##  will be used to compute the Organizational Domain for a given domain name,
##  as described in the DMARC specification.  If not provided, the filter will
##  not be able to determine the Organizational Domain and only the presented
##  domain will be evaluated.
#
# PublicSuffixList path
 
##  RecordAllMessages { true | false }
##      default "false"
##
##  If set and "HistoryFile" is in use, all received messages are recorded
##  to the history file.  If not set (the default), only messages for which
##  the From: domain published a DMARC record will be recorded in the
##  history file.
#
# RecordAllMessages false
 
##  RejectFailures { true | false }
##      default "false"
##
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
#
# RejectFailures false
# Django : 2014-03-24
RejectFailures true
 
##  ReportCommand string
##      default "/usr/sbin/sendmail -t"
##
##  Indicates the shell command to which forensic reports should be passed for
##  delivery when "ForensicReports" is enabled.
#
# ReportCommand /usr/sbin/sendmail -t
 
##  RequiredHeaders { true | false }
##      default "false"
##
##  If set, the filter will ensure the header of the message conforms to the
##  basic header field count restrictions laid out in RFC5322, Section 3.6.
##  Messages failing this test are rejected without further processing.  A
##  From: field from which no domain name could be extracted will also be
##  rejected.
#
# RequiredHeaders false
 
##  Socket socketspec
##      default (none)
##
##  Specifies the socket that should be established by the filter to receive
##  connections from sendmail(8) in order to provide service.  socketspec is
##  in one of two forms: local:path, which creates a UNIX domain socket at
##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
##  a TCP socket on the specified port for the appropriate protocol family.
##  If the host is not given as either a hostname or an IP address, the
##  socket will be listening on all interfaces.  This option is mandatory
##  either in the configuration file or on the command line.  If an IP
##  address is used, it must be enclosed in square brackets.
#
# Socket inet:8893@localhost
# Django : 2014-03-19
Socket inet:10012@localhost
 
##  SoftwareHeader { true | false }
##      default "false"
##
##  Causes the filter to add a "DMARC-Filter" header field indicating the
##  presence of this filter in the path of the message from injection to
##  delivery.  The product's name, version, and the job ID are included in
##  the header field's contents.
#
# SoftwareHeader false
# Django : 2014-03-18
SoftwareHeader true
 
##  SPFIgnoreResults { true | false }
##      default "false"
##
##  Causes the filter to ignore any SPF results in the header of the
##  message.  This is useful if you want the filter to perfrom SPF checks
##  itself, or because you don't trust the arriving header.
#
# SPFIgnoreResults false
 
##  SPFSelfValidate { true | false }
##      default false
##
##  Causes the filter to perform a fallback SPF check itself when
##  it can find no SPF results in the message header.  If SPFIgnoreResults
##  is also set, it never looks for SPF results in headers and
##  always performs the SPF check itself when this is set.
#
# SPFSelfValidate false
# Django : 2014-04-28
SPFSelfValidate true
 
##  Syslog { true | false }
##      default "false"
##
##  Log via calls to syslog(3) any interesting activity.
#
# Syslog false
# Django : 2014-03-18
Syslog true
 
##  SyslogFacility facility-name
##      default "mail"
##
##  Log via calls to syslog(3) using the named facility.  The facility names
##  are the same as the ones allowed in syslog.conf(5).
#
# SyslogFacility mail
 
##  TemporaryDirectory path
##      default /var/tmp
##
##  Specifies the directory in which temporary files should be written.
#
# TemporaryDirectory /var/tmp
 
##  TrustedAuthservIDs string
##      default HOSTNAME
##
##  Specifies one or more "authserv-id" values to trust as relaying true
##  upstream DKIM and SPF results.  The default is to use the name of
##  the MTA processing the message.  To specify a list, separate each entry
##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
##  the host running the filter as reported by the gethostname(3) function.
#
# TrustedAuthservIDs HOSTNAME
 
 
##  UMask mask
##      default (none)
##
##  Requests a specific permissions mask to be used for file creation.  This
##  only really applies to creation of the socket when Socket specifies a
##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
##  files are normally created by the mkstemp(3) function that enforces a
##  specific file mode on creation regardless of the process umask.  See
##  umask(2) for more information.
#
# UMask 077
# Django : 2014-03-23
UMask 007
 
##  UserID user[:group]
##      default (none)
##
##  Attempts to become the specified userid before starting operations.
##  The process will be assigned all of the groups and primary group ID of
##  the named userid unless an alternate group is specified.
#
# UserID opendmarc
# Django : 2014-03-23
UserID opendmarc:dmarc

 # mkdir /etc/opendmarc

 # vim /etc/opendmarc/ignore.hosts

/etc/opendmarc/ignore.hosts

localhost
amavis.dmz.nausch.org

Besonderen Augenmerk legen wir dabei auf folgende Parameter:

AuthservID Hier setzen wir den Namen unseres Mailservers.
HistoryFile Name und Pfad, in dem OpenDMARC die Statistikdaten ablegen wird.
PidFile Name und Pfad, in dem der Daemon sein PID-File ablegen soll.
Socket Über diesen Socket wird später unser Postfix-Mailserver den OpenDMARC-Daemon ansprechen.
UserID UserID und GroupID, die der Daemon beim Anlegen der Dateien HistoryFile und PidFile nutzen soll. So können wir später einfacher die Daten von den einzelnen MX-Hosts abholen:

Alle anderen Parameter definieren wir noch entsprechen der Gegebenheiten unserer Installation/Infrastruktur. Einen kompakten Überblick über die gewählten Optionen fragen wir einfach mit folgendem Aufruf ab.

 # egrep -v '(^#|^$)' /etc/opendmarc.conf

AuthservID mx01.nausch.org
AuthservIDWithJobID true
ForensicReports true
ForensicReportsBcc postmaster@nausch.org
ForensicReportsOnNone true
ForensicReportsSentBy dmarc-admin@nausch.org
HistoryFile /var/run/opendmarc/opendmarc.dat
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc.pid
Socket inet:10012@localhost
SoftwareHeader true
Syslog true
UserID opendmarc:dmarc

/etc/opendmarc/ignore.hosts

In der Datei ignore.hosts definieren wir die Hostnamen, oder IP-Adressen, die von der DMARC-Überprüfung und Bewertung ausgenommen werden sollen.

 # vim /etc/opendmarc/ignore.hosts

/etc/opendmarc/ignore.hosts

# Django : 2013-03-20
# folgende Hosts sollen von der DMARC-Überprüfung und Bewertung ausgenommen werden.
localhost
amavis.dmz.nausch.org

Eigentlich könnten wir nun schon unseren DMARC-Daemon starten. Jedoch wollen wir noch kurz die nötige mySQL-Datenbank anlegen, damit der Daemon die gewünschten aufbereiteten Statiskdaten und forensischen Berichte generieren und dann per eMail verschicken kann.

Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an.

 # mysql -h localhost -u root -p

Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1942
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Dort legen wir als aller erst einmal eine Datenbank mit dem Namen opendmarc an.

 mysql> CREATE DATABASE opendmarc;

Anschließend legen wir uns dann einen Datenbankuser an, dem wir entsprechende Rechte an der Datenbank opendmarc einräumen.

 mysql> CREATE USER 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';

Query OK, 0 rows affected (0.00 sec)

 mysql> CREATE USER 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';

Query OK, 0 rows affected (0.00 sec)

Anschließend setzen wir noch die Nutzerberechtigungen unseres Datenbanknutzers opendmarc_user für die Datenbank opendmarc

 mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

Query OK, 0 rows affected (0.00 sec)

Zur Aktivierung weisen wir nun noch die Berechtigungen zu:

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.00 sec)

Abschließend melden wir uns wieder von unserem Datenbankhost ab.

mysql> quit

Bye

Bevor wir die benötigten Tabellen anlegen, testen wir noch, ob der Zugriff von unserem Mail- bzw. Datenimportserver funktioniert.

 # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p

Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2889
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

 mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| opendmarc          |
+--------------------+
2 rows in set (0.00 sec)

 mysql> quit

Bye

Mit Hilfe der Datei /usr/share/doc/opendmarc-1.2.0/schema.mysql legen wir nun abschließend die Tabellen in der Datenbank opendmarc an.

 # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p < /usr/share/doc/opendmarc-1.2.0/schema.mysql

Auch hier können wir uns bei Bedarf noch überprüfen, welche Tabellen angelegt wurden.

 # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p

Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2933
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

 mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| opendmarc          |
+--------------------+
2 rows in set (0.00 sec)

mysql>

 mysql> use opendmarc;

Database changed
mysql>

 mysql> show tables;

+---------------------+
| Tables_in_opendmarc |
+---------------------+
| domains             |
| ipaddr              |
| messages            |
| reporters           |
| requests            |
| signatures          |
+---------------------+
6 rows in set (0.00 sec)

mysql>

 mysql> quit

Bye

Nicht immer möchte oder kann man von seinem oder seinen Mailservern eine Verbindung zum Datenbankhost ermöglichen. Um jetzt nicht von jedem einzelnen MX-Server einzurichten, verwenden wir einen User, den wir zum Einsammeln der Daten degradieren.

Wir legen uns nun unseren Nutzer an. Als UID und GID verwenden wir eine entsprechend freie Nummer, die wir entsprechend vorher abprüfen.

 # grep 487 /etc/group

 # grep 487 /etc/passwd

Anschließend legen wir uns unseren User an.

 # groupadd -g 489 dmarc && useradd dmarc -c "DMARC" -g 489 -u 489 -m

Anschließend erzeugen wir uns noch einen entsprechenden SSH-Key und verteilen diesen auf unseren Mailservern. Entsprechende Schritte sind im Wiki hier beschrieben.

Zum Einsammeln der Statistikdaten legen wir uns nun ein einfaches Shellscript an.

 # vim /usr/local/bin/dmarc-report>

/usr/local/bin/dmarc-report

#!/bin/sh 
# Script zum Importieren der DMARC-Daten aus dem lokalen cache-Datei in die mySQL Datenbank
# und Generieren der DMARC-reports 
# Das Script wird um 03:33 Uhr via cronjob aufgerufen.
#
# crontab
# einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen.
# 33 3 * * * /usr/local/bin/dmarc-report 1>/dev/null 2>&1
#
# Django : 2014-03-20 
 
WORKDIR="/home/dmarc/"
WORKFILE="opendmarc_all_hosts.dat"
SSHKEYFILE=".ssh/id_rsa"
MXHOSTS="mx01.nausch.org mx02.nausch.org mx03.nausch.org"
DBFILE="opendmarc.dat"
DBHOST="mysql.dmz.nausch.org"
DBPORT="3306"
DBUSER="opendmarc_user"
DBPASSWD="ALLHs6blVwd8eHoSk2J3WZsT"
DBNAME="opendmarc"
 
# DMARC Datenfile von den Mailservern abholen
cd $WORKDIR
for HOST in $MXHOSTS; do
    scp -i $WORKDIR$SSHKEYFILE dmarc@${HOST}:/var/run/opendmarc/$DBFILE ${HOST}.dat
    ssh -i $WORKDIR$SSHKEYFILE dmarc@${HOST} "/bin/cat /dev/null > /var/run/opendmarc/$DBFILE"
    cat ${HOST}.dat >> $WORKFILE
done
 
# DMARC Daten in die mySQL-Datenbank opendmarc schreiben
/usr/sbin/opendmarc-import --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
  --dbpasswd=$DBPASSWD < $WORKDIR$WORKFILE 
 
# DMARC Statistik-Report erstellen
/usr/sbin/opendmarc-reports --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
  --dbpasswd=$DBPASSWD --verbose --interval=86400 --report-email 'postmaster@nausch.org' --report-org 'nausch.org'
 
# DMARC Datenbank aufräumen, Datensätze die älter als 90 Tage sind werden gelöscht
/usr/sbin/opendmarc-expire --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
  --dbpasswd=$DBPASSWD --verbose --expire=90 
 
# Work-Verzeichnis wieder aufräumen
cd $WORKDIR
rm $WORKDIR*.dat -rf

Anschließen setzen wir die Ausführungsrechte unseres neuen Scriptes.

 # chmod +x /usr/local/bin/dmarc-report

Zu guter Letzt aktivieren wir dann noch einen Cronjob für die tägliche Ausführung.

 # vim /etc/crontab

/etc/crontab

...
 
# Django : 2014-03-20
# einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen.
33 3 * * * /usr/local/bin/dmarc-report 1>/dev/null 2>&1
 
...

Postfix

Die Konfiguration auf Seiten unseres Postfix-Mailserver gestaltet sich relativ einfach, muss doch nur ein zusätzlicher Mailfilter angelegt werden. Hier geben wir dann den Port an, den wir bei der Konfiguration von OpenDMARC definiert haben.

 # vim /etc/postfix/main.cf

/etc/postfix/main.cf

...
 
# Django : 2014-03-19
# SPF-Check und DKIM-Signaturüberprüfung via SMF-SPF- und DKIM-Milter einbinden.
smtpd_milters =
# SMF-SPF-Milter   : 
   inet:127.0.0.1:10010,
# DKIM-Milter: 
   inet:127.0.0.1:10011,
# DMARC-Milter   : 
   inet:127.0.0.1:10012
 
...

Nun ist es an der Zeit unseren DMARC-Daemon das erste mal zu starten.

 # service opendmarc start

Im /var/log/maillog wird der erfolgreiche Start ausreichend dokumentiert:

Apr 28 19:32:24 vml000080 opendmarc[28728]: OpenDMARC Filter: Opening listen socket on conn inet:10012@localhost
Apr 28 19:32:24 vml000080 opendmarc[28729]: OpenDMARC Filter v1.3.0 starting (args: -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid)
Apr 28 19:32:24 vml000080 opendmarc[28729]: trusted authentication services: mx01.nausch.org

Über den Port 10012 sollte nun unser daemon ansprechbar sein. Was wir auch sehr einfach mittels lsof überprüfen können:

 # lsof -i :10003

COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
opendmarc 13533 root    3u  IPv4 115489      0t0  TCP localhost:documentum_s (LISTEN)

Auch mit Hilfe von netstat können wir abfragen, ob der Port 1003 in Verwendung ist.

 # netstat -tulpen | grep 10012

tcp        0      0 127.0.0.1:10012             0.0.0.0:*                   LISTEN      0          115489     13533/opendmarc

Anschließend können wir nun auch unseren Postfix-Mailserver durchstarten, damit die Änderungen an seiner Konfiguration auch wirksam wird.

Damit nun unser DMARC-Daemon beim Booten unseres Servers automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.

 # chkconfig opendmarc on

Anschließend überprüfen wir noch unsere Änderung:

 # chkconfig --list | grep opendmarc

opendmarc       0:Aus   1:Aus   2:Ein   3:Ein   4:Ein   5:Ein   6:Aus

Im Maillog werden entsprechend unserer zuvor festgelegten Konfiguration, vom DMARC-Daemon logeinträge erzeugt. Folgender Logeintrag zeigt einen erfolgreiche DMARC-Überprüfung.

Mar 23 22:46:01 vml000080 opendmarc[25914]: C198981: gmail.com pass

Im Mailheader der Nachricht, wird dies auch entsprechend vermerkt.

DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org C198981
Authentication-Results: mx01.nausch.org/C198981; dmarc=pass header.from=gmail.com

Hat der Domainbetreiber keinen DMARC-Eintrag im DNS hinterlegt, sieht die betreffende Zeile im Maillog entsprechend so aus.

Mar 19 00:22:36 vml000080 opendmarc[14508]: D9B6D83: piratenpartei-bayern.de none

Auch dies wird im Mailheader entsprechend vermerkt.

DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org D9B6D83
Authentication-Results: mx01.nausch.org/D9B6D83; dmarc=none header.from=piratenpartei-bayern.de

¹⁾

Domain-based Message Authentication, Reporting & Conformance

²⁾

Sender Policy Framework

³⁾

DomainKeys Identified Mail

⁴⁾

The Internet Engineering Task Force

⁵⁾

Mail-Filter

⁶⁾

Authentication Failure Reporting Format

⁷⁾

Incident Object Description Exchange Format

DMARC - Domain-based Message Authentication, Reporting & Conformance

Zusammenspiel von DKIM, SPF und DMARC

DMARC-Record

Beschreibung des Datensatzes

Generierung unseres DMARC-Records

Testen der DMARC Definitionen

Download

Installation

Konfigurations-Dokumentation

README

README.schema

opendmarc.conf

opendmarc

reports-README

opendmarc.import

opendmarc-reports

Konfiguration

opendmarc Konfiguration

/etc/opendmarc.conf

/etc/opendmarc/ignore.hosts

mysql Konfiguration

dbCollecting User einrichten

dbCollecting Script anlegen

Postfix

erster manueller Programmstart

automatisches Starten des Dienste beim Systemstart

Logging / Mailheader

Linux - Wissensdatenbank