DMARC - Domain-based Message Authentication, Reporting & Conformance
DMARC1) ist an sich kein eigenständiger Prozess in der eMail-Verarbeitung, vielmehr erweitert DMARC auf die beiden Techniken SPF2) und DKIM3). DMARC ergänzt somit DKIM und SPF, ohne die DMARC nicht funktionieren kann. Hinweise zu DMARC findet man bei auch auf der Webseite von DMARC.org, oder im Entwurf der Network Working Group, die der ITF4) Anfang 2012 zur Prüfung vorgelegt wurde.
Obwohl DMARC aktuell noch als Entwurf gilt, wird laut den Angaben der aktuellen DMARC-Präsentation aus 2014 bereits mehr als 60% der weltweiten eMail-Postfächer mit Hilfe von DMARC geschützt.
Die weltgößten eMail-Provider setzen auf DMARC, wie z.B.:
- GMail, Yahoo, AOL, Comcast, oder Outlook.com
- Mail.ru (größter eMail-Provider in Russland)
- NetEase (größter eMail-Provider in China)
- XS4All (größter eMail-Provider in den Niederlanden)
Alles gute Gründe, sich dem Thema DMARC dennoch intensiver zu widmen!
Bei DMARC kann definiert werden, wie ein empfangender Mailserver Nachrichten behandeln und verarbeiten soll, insbesondere mit Hinblick auf die Bewertung der Versandberechtigung des einliefernden Mailservers (SPF) und der nicht veränderten Nachricht (DKIM). Fällt eine oder beide Überprüfungen negativ aus, definiert DMARC, ob die eMail in Quarantäne gestellt, die Annahme der eMail abgelehnt (reject) oder eben dennoch zugestellt werden soll.
Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf.
Zusammenspiel von DKIM, SPF und DMARC
Möchten wir DMARC bei unserem Mailserver einsetzen, ist es wichtig, dass alle drei Komponenten via Milter5) an unseren Postfix-Mailserver angebunden werden. Nur so stehen dem DMARC-Daemon alle relevanten Headerinformationen zur Bewertung zur Verfügung.
Wir setzen daher bei unserer Installation jeweils folgende Pakete ein:
- SPF smf-spf aus Djangos-Repository
- DKIM opendkim aus dem RPMforge
- DMARC opendmarc aus Djangos-Repository
Die Installation von SPF-Milter ist im Kapitel SPF - Sender Policy Framework und OpenDKIM-Milter im Kapitel DKIM - Domain Key Identified Mail genauer beschrieben.
DMARC-Record
Beschreibung des Datensatzes
Mit Hilfe des DMARC Record Assistant kann man sich sehr leicht und einfach den nötigen DMARC-Record generieren lassen, den man dann über einen TXT-Record der Subdomain _dmarc in seinem DNS einträgt. Im Kapitel 6.2. General Record Format des DMARC Standardisierungs-Entwurf ist die
Als Beispiel sehen wir uns nun den aktuellen DMARC-Record von nausch.org an, den wir u.a. mit dem Aufruf des Befehls host vom DNS-Server abfrsagen können.
# host -t TXT _dmarc.nausch.org
_dmarc.nausch.org descriptive text "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"
Die einzelnen Werte haben nun folgende Bedeutung.
Parameter | Art | Wert | Bedeutung |
---|---|---|---|
v | Plaintext; REQUIRED | DMARC1 | Identifiziert den Datensatz als DMARC-Record. Der Parameter muss als erster wert im DMARC-Record gesetzt sein. Fehlt dieser ist der gesamte DMARC-Record zu verwerfen! |
p | Plaintext; REQUIRED | reject | Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers verwerten soll. Diese gilt auch für die Subdomains, sofern für diese mit dem Parameter sp keine separate Definition vorliegt. Mögliche Werte sind: none : Der Domaininhaber hat keine Vorgaben zur Verabeitung/Zustellung der eMails. quarantine : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, als verdächtig gewertet werden sollen. Abhängig vom Empfänger können diese als verdächtig markiert werden, mit weiteren/zusätzlichen SPAM prüfungen zu belegen ist, oder in einen SPAM-Ordner verschoben werden soll. reject : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, rejected, also nicht angenommen werden sollen. Dies sollte, wenn möglich, noch während des SMTP-Dialogs passieren. |
sp | Plaintext;OPTIONAL | reject | Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers einer Subdomäne verwerten soll. Der Parameter beschreibt nur die abgefragte Subdomäne, nicht die Domäne an sich! Der Syntax entspricht dem Parameter p. Wird der Paramter sp nicht gesetzt, gelten die Definitionen des Parameters p auch für alle Subdomänen. |
rua | Kommaseparierte plain-text Liste von DMARC URIs; OPTIONAL | mailto:postmaster@nausch.org | Der Domaininhaber wünscht, per eMail mit aufbereiteten Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten. |
ruf | Kommaseparierte Plaintext Liste von DMARC URIs; OPTIONAL | mailto:django@nausch.org | Der Domaininhaber wünscht, per eMail mit detailierten forensischen Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten. |
adkim | Plaintext; OPTIONAL; Default = relaxed | r | Definiert, wie konservativ das Ergebnis der DKIM-Signaturprüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt. |
aspf | Plaintext; OPTIONAL; Default = relaxed | r | Definiert, wie konservativ das Ergebnis der SPF-Prüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt. |
pct | Plaintext/Zahlenwert zwischen 0 und 100; OPTIONAL; Default = 100 | 100 | Der Domaininhaber wünscht, daß der angegebene Prozentwert an Nachrichten von den DMARC-Prüfungen benutzt werden soll. Der Wert beschreibt nicht das Verhältnis in den DMARC-Reports. |
rf | Kommaseparierte Plaintext Liste; OPTIONAL; Default = afrf | afrf | Der Domaininhaber wünscht, dass die aufbereiteten forensischen Prüfberichte im Format AFRF6) oder IODEF7) zu erhalten, wenn sowohl der DKIM- wie auch der SPF-Test negativ ausfällt. |
ri | Plaintext; OPTIONAL; Default = 86400 | 86400 | Der Domaininhaber wünscht, dass die aufbereiteten Statistik- und Forensikdaten spätestens alle „n“ Sekunden verschickt werden sollen. |
Generierung unseres DMARC-Records
Nach Erstellung des DMARC-Records von Hand oder über den DMARC Record Assistant, tragen wir demnach bei unserem zuständigen DNS entsprechenden eigenen und richtigen Daten ein.
_dmarc.nausch.org IN TXT "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"
Testen der DMARC Definitionen
Über die URL OTA Query Tool for SPF & DMARC Records der Online trust Alliance kann man online bei Bedarf testen, ob der DMARC-Eintrag soweit richtig ist.
Mit Hilfe der DMARC Inspectors kann man (s)einen DMARC-Record testen und sich die Optionen die der Domaininhaber gesetzt hat, beschreiben lassen. Möchte man seinen SPF-Record testen lassen, steht einem der SPF Surveyor zur Verfügung.
Zu guter Letzt kann mit dem DKIM Key Checker der, im DNS hinterlegte, DKIM-Schlüssel einer Domäne getestet werden.
Möchte man dann noch testen, ob der eigene Mailserver alle Voraussetzungen für eine DMARC-policy hat, schickt man einfach eine „leere eMail“ an checkmyauth@auth.returnpath.net, so erhält man anschließen einen ausführlichen Prüfbericht.
From: "Return Path" <noreply@returnpath.net> Subject: Return Path DKIM/SPF Reflector Report Date: Fri, 21 Mar 2014 03:58:12 -0600 (MDT) To: undisclosed-recipients:; Return Path DKIM/SPF Reflector Report ===================================== Source IP = 217.91.103.190 Mail From = django@nausch.org Identity Alignment Results ========================== SPF Domain Alignment Result = PASS The From domain 'nausch.org' is an exact match with the SPF domain 'nausch.org'. Note that the alignment policy is set to relaxed in your DMARC record. DKIM Domain Alignment Results: Result for DNS Record: 140224._domainkey.nausch.org = PASS The From domain 'nausch.org' is an exact match with the DKIM domain 'nausch.org'. Note that the alignment policy is set to relaxed in your DMARC record. DKIM Results ============ Result = pass Domain = nausch.org Selector = 140224 DNS Record(s) = 140224._domainkey.nausch.org TXT v=DKIM1; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuJ3/CruOs3fCU0ujOStcNN85TJh+5HvMa9m99C5XuRBlxOr+fp5BeIEtiPO0szKvvPojwrueCq0oOuEzjR/i2ObpRkzKRUXmAa0qVezUZwQIbKeiuKII0PnpQclDrmQrzSXcQWPT57tkPg17Q9WamFUUaHeN3+pVGtMyjYekRaAoRlV+a1gD111kXMPhiaFTMIncoRBS/gYN8FjfekH+ezqbLHLB8DLJQBZEGUILvJjAHX0722XyqYtkn1qfv63nPRGw/qqAW1072Gchq4ZS4ZPQ89SrK4KcHt/XptSlztXMWtmRFQriHdvbjr1Fx7ZwXdTQ+ik2AUZLMdhMrQe6/1GujQiMD6po81NpYbrjnfd+QF4sUbus4wPQKVNzsctiuzGlWsFexSHP4dAZtKnImJhVDnzZODQy0nSafedlr5g4VR36vgm0YPWjSyRNnC/APHyw0DtHIrzTqfKuDeGv80uMPbEdujrw9gLbK3H8ow42iTicmgPgT3J5j70ZOo4o4FMtpZ/AEQw+VnWpSfw7bkMjufLc29XHbtp22wfgq2Lmarr3+psaHokFaQrImkMbzdSL9CdabkLptanAilLScvq8UaKVC+G1+vHDgaweq3BhXD5+YcJnJlp4msUqqxGYlnx4RSvv8PipMU2DsVFbNJSH5NJuS7GuzplNg+f20ysCAwEAAQ== Public Key Length = 4096 DomainKeys Results ================== No DomainKeys signature(s) found. SPF Results =========== Result = pass Domain = nausch.org DNS Record(s) = nausch.org TXT v=spf1 ip4:217.91.103.190/32 mx ?all DMARC Results ============= Domain = _dmarc.nausch.org DNS Record = _dmarc.nausch.org TXT v=DMARC1; p=reject; rua=mailto:postmaster@nausch.org; ruf=mailto:django@nausch.org; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject DMARC Record Validation Results =============================== DMARC Errors Detected: None. Non-DMARC flags encountered (skipped): None. Visit http://www.returnpath.com/solution-content/dmarc-support/ for more information on DMARC record creation and validation.
Download
Bei der Implementation von DMARC in unserem eigenen Mailserver, greifen wir auf das Projekt OpenDMARC zurück.
Entweder holt man sich das betreffende Quellpaket auf der sourceforge- Download-Seite oder man greift auf die RPM-Pakete von Djangos Repository] zurück.
Also erstes laden wir uns die beiden benötigten Pakete auf unseren Rechner, zuvor wechseln wir abernoch in unser lokales Programm-Archiv.
# cd /usr/local/src/packages/
Die x86_64-Pakete findet man im Verzeichnis http://repository.nausch.org/public/x86_64/, die Pakete für i686 im Verzeichnis http://repository.nausch.org/public/i686/.
Im Falle der x86_64-Pakete sind dies dann entsprechend folgende Pakete:
# wget http://repository.nausch.org/public/x86_64/libopendmarc-1.3.0-beta0.el6.x86_64.rpm
# wget http://repository.nausch.org/public/x86_64/opendmarc-1.3.0-beta0.el6.x86_64.rpm
Installation
# yum localinstall libopendmarc-1.3.0-beta0.el6.x86_64.rpm opendmarc-1.3.0-beta0.el6.x86_64.rpm
# rpm -qil opendmarc
Version : 1.3.0 Vendor: Django Release : beta0.el6 Build Date: Mon 28 Apr 2014 05:46:34 PM CEST Install Date: Mon 28 Apr 2014 05:50:47 PM CEST Build Host: vml010039.intra.nausch.org Group : System Environment/Daemons Source RPM: opendmarc-1.3.0-beta0.el6.src.rpm Size : 175607 License: BSD and Sendmail Signature : RSA/SHA1, Mon 28 Apr 2014 05:46:35 PM CEST, Key ID 31b4758f7c65ab27 Packager : Django URL : http://http://www.trusteddomain.org/opendmarc.html Summary : DMARC milter and library Description : OpenDMARC (Domain-based Message Authentication, Reporting & Conformance) provides an open source library that implements the DMARC verification service plus a milter-based filter application that can plug in to any milter-aware MTA, including sendmail, Postfix, or any other MTA that supports the milter protocol. The DMARC sender authentication system is still a draft standard, working towards RFC status. /etc/opendmarc.conf /etc/rc.d/init.d/opendmarc /etc/tmpfiles.d/opendmarc.conf /usr/sbin/opendmarc /usr/sbin/opendmarc-check /usr/sbin/opendmarc-expire /usr/sbin/opendmarc-import /usr/sbin/opendmarc-importstats /usr/sbin/opendmarc-params /usr/sbin/opendmarc-reports /usr/share/doc/opendmarc-1.3.0 /usr/share/doc/opendmarc-1.3.0/INSTALL /usr/share/doc/opendmarc-1.3.0/README /usr/share/doc/opendmarc-1.3.0/README.schema /usr/share/doc/opendmarc-1.3.0/RELEASE_NOTES /usr/share/doc/opendmarc-1.3.0/schema.mysql /usr/share/man/man5/opendmarc.conf.5.gz /usr/share/man/man8/opendmarc-check.8.gz /usr/share/man/man8/opendmarc-expire.8.gz /usr/share/man/man8/opendmarc-import.8.gz /usr/share/man/man8/opendmarc-importstats.8.gz /usr/share/man/man8/opendmarc-params.8.gz /usr/share/man/man8/opendmarc-reports.8.gz /usr/share/man/man8/opendmarc.8.gz /var/run/opendmarc /var/spool/opendmarc
# rpm -qil libopendmarc
Name : libopendmarc Relocations: (not relocatable)
Version : 1.3.0 Vendor: Django
Release : beta0.el6 Build Date: Mon 28 Apr 2014 05:46:34 PM CEST
Install Date: Mon 28 Apr 2014 05:50:46 PM CEST Build Host: vml010039.intra.nausch.org
Group : System Environment/Libraries Source RPM: opendmarc-1.3.0-beta0.el6.src.rpm
Size : 69016 License: BSD and Sendmail
Signature : RSA/SHA1, Mon 28 Apr 2014 05:46:35 PM CEST, Key ID 31b4758f7c65ab27
Packager : Django
URL : http://http://www.trusteddomain.org/opendmarc.html
Summary : An open source DMARC library
Description :
This package contains the library files required for running services built
using libopendmarc.
/usr/lib64/libopendmarc.so.1
/usr/lib64/libopendmarc.so.1.0.2
Konfigurations-Dokumentation
README
Viele hilfreiche Informationen zur Konfiguration von OpenDMARC finden sich in den nachfolgenden Dateien.
# less /usr/share/doc/opendmarc-1.2.0/README
OPENDMARC README ================ This directory has the latest open source DMARC software from The Trusted Domain Project. There is a web site at http://www.trusteddomain.org/opendmarc that is home for the latest updates. +--------------+ | INTRODUCTION | +--------------+ The OpenDMARC project is a community effort to develop and maintain an open source package for providing DMARC report generation and policy enforcement services. It includes a library for handling DMARC record parsing, a database schema and tools for aggregating and processing transaction history to produce DMARC reports, and a filter that ties it all together with an MTA using the milter protocol. "milter" is a portmanteau of "mail filter" and refers to a protocol and API for communicating mail traffic information between MTAs and mail filtering plug-in applications. It was originally invented at Sendmail, Inc. but has also been adapted to other MTAs. +--------------+ | DEPENDENCIES | +--------------+ To compile and operate, this package requires the following: o OpenDBX (http://www.linuxnetworks.de/doc/index.php/OpenDBX) which acts as a middleware layer between OpenDMARC and your SQL backend of choice o sendmail v8.13.0 (or later), or Postfix 2.3, (or later) and libmilter. (These are only required if you are building the filter.) o Access to a working nameserver (required only for signature verification). o If you are interested in tinkering with the build and packaging structure, you may need to upgrade to these versions of GNU's "autotools" components: autoconf (GNU Autoconf) 2.61 automake (GNU automake) 1.7 (or 1.9 to avoid warnings) ltmain.sh (GNU libtool) 2.2.6 (or 1.5.26 after make maintainer-clean) +-----------------------+ | RELATED DOCUMENTATION | +-----------------------+ The man page for opendmarc (the actual filter program) is present in the opendmarc directory of this source distribution. There is additional information in the INSTALL and FEATURES files, and in the README file in the opendmarc directory. Changes are documented in the RELEASE_NOTES file. HTML-style documentation for libopendmarc is available in libopendmarc/docs in this source distribution. General information about DMARC can be found at http://www.dmarc.org Mailing lists discussing and supporting the DMARC software found in this package are maintained via a list server at trusteddomain.org. Visit http://www.trusteddomain.org to subscribe or browse archives. The available lists are: opendmarc-announce (moderated) Release announcements. opendmarc-users General OpenDMARC user questions and answers. opendmarc-dev Chatter among OpenDMARC developers. opendmarc-code Automated source code change announcements. Bug tracking is done via the trackers on SourceForge at http://sourceforge.net/projects/opendmarc. You can enter new bug reports there, but please check first for older bugs already open, or even already closed, before opening a new issue. +---------------------+ | DIRECTORY STRUCTURE | +---------------------+ contrib A collection of user contributed scripts that may be useful. db Database schema and tools for generating DMARC reports based upon accumulated data. docs A collection of RFCs and drafts related to opendmarc. libopendmarc A library that implements the proposed DMARC standard. libopendmarc/docs HTML documentation describing the API provided by libopendmarc. opendmarc A milter-based filter application which uses libopendmarc (and optionally libar) to provide DMARC service via an MTA using the milter protocol. +----------------+ | RUNTIME ISSUES | +----------------+ WARNING: symbol 'X' not available The filter attempted to get some information from the MTA that the MTA did not provide. At various points in the interaction between the MTA and the filter, certain macros containing information about the job in progress or the connection being handled are passed from the MTA to the filter. In the case of sendmail, the names of the macros the MTA should pass to the filter are defined by the "Milter.macros" settings in sendmail.cf, e.g. "Milter.macros.connect", "Milter.macros.envfrom", etc. This message indicates that the filter needed the contents of macro X, but that macro was not passed down from the MTA. Typically the values needed by this filter are passed from the MTA if the sendmail.cf was generated by the usual m4 method. If you do not have those options defined in your sendmail.cf, make sure your M4 configuration files are current and rebuild your sendmail.cf to get appropriate lines added to your sendmail.cf, and then restart sendmail. MTA timeouts By default, the MTA is configured to wait up to ten seconds for a response from a filter before giving up. When querying remote nameservers for key and policy data, the DMARC filter may not get a response from the resolver within that time frame, and thus this MTA timeout will occur. This can cause messages to be rejected, temp-failed or delivered without verification, depending on the failure mode selected for the filter. When using the standard resolver library provided with your system, the DNS timeout cannot be adjusted. If you encounter this problem, you must increase the time the MTA waits for replies. See the documentation in the sendmail open source distribution (libmilter/README in particular) for instructions on changing these timeouts. When using the provided asynchronous resolver library, you can use the "-T" command line option to change the timeout so that it is shorter than the MTA timeout. Other OpenDMARC issues: Report any bugs to the email address opendmarc-users@trusteddomain.org or to the SourceForge issue tracker accessible at: http://sourceforge.net/p/opendmarc/tickets/ -- Copyright (c) 2012, The Trusted Domain Project. All rights reserved. $Id: README,v 1.13 2010/10/25 20:41:55 cm-msk Exp $
README.schema
# less /usr/share/doc/opendmarc-1.2.0/README.schema
This directory contains the OpenDMARC schema plus any related files. The tables in this schema are populated by the opendmarc filter as it processes messages and downloads policies. The rows are then consumed by the scripts in the "reports" directory to generate regular aggregate reports. The tables are summarized here: domains A table that maps domain names to unique integer IDs. Automatically tracks a "first seen" timestamp, and includes a column to record when the last report was sent. reporters A table mapping reporting hosts to unique integer IDs. Intended for use by multi-MX systems so it's possible to tell where an inbound message landed. ipaddr A table mapping IP addresses (as strings) to unique IDs. Also tracks the "first seen" timestamp for each. messages A table tracking salient properties of all messages received. A messages is uniquely identified by a {date, jobid, reporter} tuple. Includes references to the "domains" table to track the RFC5321.MailFrom domain, the RFC5322.From domain. Also records the count of DKIM signatures, the SPF result, and whether or not the SPF result was aligned with the RFC5322.From domain. signatures A table tracking DKIM signatures, each of which refers to a rown in the "messages" table. Tracks the signing domain, whether the signature passed, whether there was a verification error other than a broken signature, and whether or not the signing domain aligned with the RFC5322.From domain. requests A table containing a cache of DMARC reporting requests. For each domain, the destination reporting URI for aggregate reports is recorded along with a "last report sent" timestamp. -- Copyright (c) 2012, The Trusted Domain Project. All rights reserved.
opendmarc.conf
# man opendmarc.conf
opendmarc.conf(5) opendmarc.conf(5) NAME opendmarc.conf - Configuration file for opendmarc LOCATION /etc/opendmarc.conf DESCRIPTION opendmarc(8) implements the proposed DMARC specification for message authentication, policy enforcement, and reporting. This file is its configuration file. Blank lines are ignored. Lines containing a hash ("#") character are truncated at the hash character to allow for comments in the file. Other content should be the name of a parameter, followed by white space, followed by the value of that parameter, each on a separate line. For parameters that are Boolean in nature, only the first byte of the value is processed. For positive values, the following are accepted: "T", "t", "Y", "y", "1". For negative val- ues, the following are accepted: "F", "f", "N", "n", "0". Some, but not all, of these parameters are also available as command line options to opend- marc(8). However, new parameters are generally not added as command line options so the com- plete set of options is available here, and thus use of the configuration file is encouraged. In some future release, the set of available command line options is likely to get trimmed. See the opendmarc(8) man page for details about how and when the configuration file contents are reloaded. Unless otherwise stated, Boolean values default to "false", integer values default to 0, and string and dataset values default to being undefined. PARAMETERS AuthservID (string) Sets the "authserv-id" to use when generating the Authentication-Results: header field after verifying a message. The default is to use the name of the MTA processing the message. If the string "HOSTNAME" is provided, the name of the host running the fil- ter (as returned by the gethostname(3) function) will be used. AuthservIDWithJobID (Boolean) If "true", requests that the authserv-id portion of the added Authentication-Results: header fields contain the job ID of the message being evaluated. AutoRestart (Boolean) Automatically re-start on failures. Use with caution; if the filter fails instantly after it starts, this can cause a tight fork(2) loop. AutoRestartCount (integer) Sets the maximum automatic restart count. After this number of automatic restarts, the filter will give up and terminate. A value of 0 implies no limit; this is the default. AutoRestartRate (string) Sets the maximum automatic restart rate. If the filter begins restarting faster than the rate defined here, it will give up and terminate. This is a string of the form n/t[u] where n is an integer limiting the count of restarts in the given interval and t[u] defines the time interval through which the rate is calculated; t is an integer and u defines the units thus represented ("s" or "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h" limits the restarts to 10 in one hour. There is no default, meaning restart rate is not limited. Background (Boolean) Causes opendmarc to fork and exits immediately, leaving the service running in the background. The default is "true". BaseDirectory (string) If set, instructs the filter to change to the specified directory using chdir(2) before doing anything else. This means any files referenced elsewhere in the configu- ration file can be specified relative to this directory. It’s also useful for arrang- ing that any crash dumps will be saved to a specific location. ChangeRootDirectory (string) Requests that the operating system change the effective root directory of the process to the one specified here prior to beginning execution. chroot (2) requires superuser access. A warning will be generated if UserID is not also set. CopyFailuresTo (string) Adds the specified recipient to the message’s envelope if it fails the DMARC evalua- tion. DNSTimeout (integer) Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The default is 5. Ignored if not using an asynchronous resolver package. EnableCoredumps (Boolean) On systems that have such support, make an explicit request to the kernel to dump cores when the filter crashes for some reason. Some modern UNIX systems suppress core dumps during crashes for security reasons if the user ID has changed during the life- time of the process. Currently only supported on Linux. ForensicReports (Boolean) Enables generation of forensic reports when the DMARC test fails and the purported sender of the message has requested such reports. Reports are formatted per RFC6591. ForensicReportsBcc (string) When forensic reports are enabled and one is to be generated, always send one to the address(es) specified here. If a forensic report is requested by the domain owner, the address(es) are added in a Bcc: field. If no request is made, they address(es) are used in a To: field. There is no default. ForensicReportsOnNone (Boolean) Supplementary to the previous setting, enables generation of forensic reports for sending domains that publish a "none" policy. ForensicReportsSentBy (string) Sets the value of the From: field to be used when sending forensic reports (see above). The default is to use the userid of the user executing the filter and the local host name to construct an email address. HistoryFile (string) If set, specifies the location of a text file to which records are written that can be used to generate DMARC aggregate reports. Records are batches of rows containing information about a single received message, and include all relevant information needed to generate a DMARC aggregate report. It is expected that this will not be used in its raw form, but rather periodically imported into a relational database from which the aggregate reports can be extracted. IgnoreHosts (string) Specifies the path to a file that contains a list of hostnames, IP addresses, and/or CIDR expressions identifying hosts whose SMTP connections are to be ignored by the filter. If not specified, defaults to "127.0.0.1" only. IgnoreMailFrom (string) Gives a list of domain names whose mail (based on the From: domain) is to be ignored by the filter. The list should be comma-separated. Matching against this list is case-insensitive. The default is an empty list, meaning no mail is ignored. MilterDebug (integer) Sets the debug level to be requested from the milter library. The default is 0. PidFile (string) Specifies the path to a file that should be created at process start containing the process ID. PublicSuffixList (string) Specifies the path to a file that contains top-level domains (TLDs) that will be used to compute the Organizational Domain for a given domain name, as described in the DMARC specification. If not provided, the filter will not be able to determine the Organizational Domain and only the presented domain will be evaluated. RecordAllMessages (Boolean) If set and HistoryFile is in use, all received messages are recorded to the history file. If not set (the default), only messages for which the From: domain published a DMARC record will be recorded in the history file. RejectFailures (Boolean) If set, messages will be rejected if they fail the DMARC evaluation, or temp-failed if evaluation could not be completed. By default, no message will be rejected or temp- failed regardless of the outcome of the DMARC evaluation of the message. Instead, an Authentication-Results header field will be added. The default is "false". ReportCommand (string) Indicates the shell command to which forensic reports should be passed for delivery when ForensicReports is enabled. Defaults to /usr/sbin/sendmail. RequiredHeaders (Boolean) If set, the filter will ensure the header of the message conforms to the basic header field count restrictions laid out in RFC5322, Section 3.6. Messages failing this test are rejected without further processing. A From: field from which no domain name could be extracted will also be rejected. Socket (string) Specifies the socket that should be established by the filter to receive connections from sendmail(8) in order to provide service. socketspec is in one of two forms: local:path, which creates a UNIX domain socket at the specified path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on the specified port for the appropriate protocol family. If the host is not given as either a hostname or an IP address, the socket will be listening on all interfaces. This option is manda- tory either in the configuration file or on the command line. If an IP address is used, it must be enclosed in square brackets. SoftwareHeader (Boolean) Causes opendmarc to add a "DMARC-Filter" header field indicating the presence of this filter in the path of the message from injection to delivery. The product’s name, version, and the job ID are included in the header field’s contents. Syslog (Boolean) Log via calls to syslog(3) any interesting activity. SyslogFacility (string) Log via calls to syslog(3) using the named facility. The facility names are the same as the ones allowed in syslog.conf(5). The default is "mail". TemporaryDirectory (string) Specifies the directory in which temporary files should be written. The default is /var/tmp. TrustedAuthservIDs (string) Provides a list of authserv-ids that are to be used to identify Authentication-Results header fields whose contents are to be assumed as valid input for the DMARC assess- ment. To provide a list, separate values by commas. If the string "HOSTNAME" is pro- vided, the name of the host running the filter (as returned by the gethostname(3) function) will be used. Matching against this list is case-insensitive. The default is to use the value of AuthservID. UMask (integer) Requests a specific permissions mask to be used for file creation. This only really applies to creation of the socket when Socket specifies a UNIX domain socket, and to the PidFile (if any); temporary files are created by the mkstemp(3) function that enforces a specific file mode on creation regardless of the process umask. See umask(2) for more information. UserID (string) Attempts to become the specified userid before starting operations. The value is of the form userid[:group]. The process will be assigned all of the groups and primary group ID of the named userid unless an alternate group is specified. FILES /etc/opendmarc.conf Default location of this file. VERSION This man page covers version 1.2.0 of opendmarc. COPYRIGHT Copyright (c) 2012-2014, The Trusted Domain Project. All rights reserved. SEE ALSO opendmarc(8), sendmail(8) RFC4408 - Sender Policy Framework RFC5451 - Message Header Field for Indicating Message Authentication Status RFC5965 - An Extensible Format for Email Feedback Reports RFC6376 - DomainKeys Identified Mail RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format The Trusted Domain Project opendmarc.conf(5)
opendmarc
# man 8 opendmarc
opendmarc(8) opendmarc(8) NAME opendmarc - DMARC email policy filter for MTAs SYNOPSIS opendmarc [-A] [-c configfile] [-f] [-l] [-n] [-p socketspec] [-P pidfile] [-t file[,file[...]]] [-u userid[:group]] [-v] [-V] DESCRIPTION opendmarc implements the prooposed DMARC specification for authentication of message and reporting of observed traffic. opendmarc uses the milter interface, originally distributed as part of version 8.11 of send- mail(8), to provide a DMARC processing service for mail transiting a milter-aware MTA. Most, if not all, of the command line options listed below can also be set using a configura- tion file. See the -c option for details. opendmarc relies on addition of Authentication-Results fields by upsteam filters on trusted hosts to collect input to the DMARC algorithm. It does not itself do DKIM or SPF evaluation. OPTIONS -A Automatically re-start on failures. Use with caution; if the filter fails instantly after it starts, this can cause a tight fork(2) loop. This can be mitigated using some values in the configuration file to limit restarting. See opendmarc.conf(5). -c configfile Read the named configuration file. See the opendmarc.conf(5) man page for details. Values in the configuration file are overridden when their equivalents are provided on the command line until a configuration reload occurs. The OPERATION section describes how reloads are triggered. The default is to read a configuration file from /etc/opendmarc.conf if one exists, or otherwise to apply defaults to all values. -f Normally opendmarc forks and exits immediately, leaving the service running in the background. This flag suppresses that behaviour so that it runs in the foreground. -l Log via calls to syslog(3) any interesting activity. -n Parse the configuration file and command line arguments, reporting any errors found, and then exit. The exit value will be 0 if the filter would start up without com- plaint, or non-zero otherwise. -p socketspec Specifies the socket that should be established by the filter to receive connections from sendmail(8) in order to provide service. socketspec is in one of two forms: local:path which creates a UNIX domain socket at the specified path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on the specified port within the specified protocol family. If the host is not given as either a hostname or an IP address, the socket will be listening on all interfaces. If neither socket type is specified, local is assumed, meaning the parameter is interpreted as a path at which the socket should be created. If an IP address is used, it must be enclosed in square brackets. This parameter is mandatory. -P pidfile Specifies a file into which the filter should write its process ID at startup. -t file[,file[,...]] Reads email messages from the named files and processes them as if they were received by the filter. The service is not started, and actions normally sent back to the MTA will instead be printed on standard output. -u userid[:group] Attempts to be come the specified userid before starting operations. The process will be assigned all of the groups and primary group ID of the named userid unless an alternate group is specified. See the FILE PERMISSIONS section for more information. -v Increase verbose output during test mode (see -t above). May be specified more than once to request increasing amounts of output. -V Print the version number and supported canonicalization and signature algorithms, and then exit without doing anything else. SIGNALS Upon receiving SIGUSR1, if the filter was started with a configuration file, it will be re- read and the new values used. Note that any command line overrides provided at startup time will be lost when this is done. Also, the following configuration file values (and their corresponding command line items, if any) are not reloaded through this process: AutoRestart (-A), AutoRestartCount, AutoRestartRate, Background, MilterDebug, PidFile (-P), Socket (-p), UMask, UserID (-u). The filter does not automatically check the configuration file for changes and reload. VERSION This man page covers version 1.2.0 of opendmarc. COPYRIGHT Copyright (c) 2012, The Trusted Domain Project. All rights reserved. SEE ALSO opendmarc.conf(5), sendmail(8) Sendmail Operations Guide RFC4408 - Sender Policy Framework RFC5321 - Simple Mail Transfer Protocol RFC5322 - Internet Messages RFC5451 - Message Header Field for Indicating Message Authentication Status RFC6376 - DomainKeys Identified Mail RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format The Trusted Domain Project opendmarc(8)
reports-README
# elinks http://www.trusteddomain.org/opendmarc/reports-README
OPENDMARC REPORTS ================= This directory contains tools necessary to generate DMARC reports at regular intervals. It includes the following: mkdb.mysql sequence of MySQL commands that will create tables needed to provide DMARC reporting service via the scripts below opendmarc-expire perl script to expire old DMARC records from the database; meant to be run from cron opendmarc-expire.8 man page for the above opendmarc-import perl script to import opendmarc history files into the database; meant to be run from cron opendmarc-import.8 man page for the above opendmarc-params perl script to adjust domain-specific opendmarc data in the database opendmarc-params.8 man page for the above opendmarc-reports perl script to generate DMARC reports whenever it is run; meant to be run from cron opendmarc-reports.8 man page for the above The adjacent "db" directory contains an SQL schema to be used with this package. The opendmarc filter populates the tables in that schema as messages are received and DMARC policies evaluated. The scripts in here use the accumulated information to generate reports, and age out old data. To use mkdb.mysql, enter the MySQL command line tool, connect to the database in which you want to create the required tables, and type "source mkdb.mysql". SETUP ===== 1) From within the MySQL command line environment, "source mkdb.mysql" to create the required database and tables. You may also wish to set up users and access grants for users that will access this data. 2) Add a HistoryFile entry to opendmarc.conf referring to the location where per-message DMARC details should be recorded. This location should be readable and writable by the user running the filter, but nobody else. 3) Add a cron job that will use opendmarc-import to import the history file's contents at regular and fairly frequent intervals (each minute or at least every five minutes). The included opendmarc-importstats script might be useful here. Ensure the appropriate database access parameters (names, users, passwords) are set in the script. 4) Add a cron job that will run opendmarc-reports to generate and send the XML reports based on recent database entries. -- Copyright (c) 2012-2014, The Trusted Domain Project. All rights reserved.
opendmarc.import
# man opendmarc-import
opendmarc-import(8) opendmarc-import(8) NAME opendmarc-import - OpenDMARC aggregate report data import tool SYNOPSIS opendmarc-import [options] DESCRIPTION opendmarc-import reads per-message data recorded by an instance of opendmarc(8) and inserts it into an SQL database, for later use by opendmarc-reports(8) to generate aggregate reports. Records are read from standard input. OPTIONS --dbhost=hostname Specifies the hostname on which the SQL server is running. Defaults to the value of the environment variable OPENDMARC_DBHOST, or "localhost" if the environment variable is not set. --dbname=name Specifies the SQL database name to be accessed. Defaults to the value of the environment variable OPENDMARC_DB, or "opendmarc" if the environment variable is not set. --dbpasswd=password Specifies the password for the SQL database to be accessed. Defaults to the value of the environment variable OPENDMARC_PASSWORD, or "opendmarc" if the environment variable is not set. --dbport=port Specifies the TCP port on which the SQL server is expected to be listening. Defaults to the value of the environ- ment variable OPENDMARC_PORT, or 3306 if the environment variable is not set. --dbuser=user Specifies the SQL user to be used to access the database. Defaults to the value of the environment variable OPEND- MARC_USER, or "opendmarc" if the environment variable is not set. --help Prints a help message and terminates. --verbose Increase the amount of verbosity written to standard output. --version Print version number and exit. VERSION This man page covers the version of opendmarc-import that shipped with version 1.2.0 of OpenDMARC. COPYRIGHT Copyright (c) 2012, The Trusted Domain Project. All rights reserved. SEE ALSO opendmarc(8), opendmarc.conf(5) opendmarc-reports(8) The Trusted Domain Project opendmarc-import(8)
opendmarc-reports
# man opendmarc-reports
opendmarc-reports(8) opendmarc-reports(8) NAME opendmarc-reports - OpenDMARC aggregate report generation tool SYNOPSIS opendmarc-reports [options] DESCRIPTION opendmarc-reports pulls data from an OpenDMARC database and generates periodic aggregate reports. The database is popu- lated by a running opendmarc-import(8) on a message history file generated by an opendmarc(8) filter as messages arrive and are processed. This includes the collection of reporting URIs, which this script uses to make reports available to those that request them. OPTIONS --dbhost=hostname Specifies the hostname on which the SQL server is running. Defaults to the value of the environment variable OPENDMARC_DBHOST, or "localhost" if the environment variable is not set. --dbname=name Specifies the SQL database name to be accessed. Defaults to the value of the environment variable OPENDMARC_DB, or "opendmarc" if the environment variable is not set. --dbpasswd=password Specifies the password for the SQL database to be accessed. Defaults to the value of the environment variable OPENDMARC_PASSWORD, or "opendmarc" if the environment variable is not set. --dbport=port Specifies the TCP port on which the SQL server is expected to be listening. Defaults to the value of the environ- ment variable OPENDMARC_PORT, or 3306 if the environment variable is not set. --dbuser=user Specifies the SQL user to be used to access the database. Defaults to the value of the environment variable OPEND- MARC_USER, or "opendmarc" if the environment variable is not set. --domain=name Generates a report (if one is due) for the named domain, rather than checking all of them. --help Prints a help message and terminates. --interval=secs Generates reports only for hosts that have not had a report generated in at least the last secs seconds. --nodomain=name Skips generating a report for the named domain. Can be specified multiple times to skip multiple reporting domains. --noupdate Suppresses marking the time of the transmission of the report in the database. Normally this would be done to pre- vent reports from being sent too close together. --smtp-host=host Causes reports to be sent by transmitting them using SMTP to the named host which can be an IP address or a host- name. The default is "127.0.0.1". --smtp-port=port Causes reports to be sent by transmitting them using SMTP to the specified port. The default is 25. --verbose Increase the amount of verbosity written to standard output. --version Print version number and exit. VERSION This man page covers the version of opendmarc-reports that shipped with version 1.2.0 of OpenDMARC. COPYRIGHT Copyright (c) 2012, The Trusted Domain Project. All rights reserved. SEE ALSO opendmarc(8), opendmarc.conf(5), opendmarc-import(8) The Trusted Domain Project opendmarc-reports(8)
Konfiguration
opendmarc Konfiguration
Die Konfiguration von OpenDMARC erfolgt über die Konfigurationsdatei opendmarc.conf im Verzeichnis /etc.
/etc/opendmarc.conf
# vim /etc/opendmarc.conf
- /etc/opendmarc.conf
## ## opendmarc.conf -- configuration file for OpenDMARC filter ## ## Copyright (c) 2012-2014, The Trusted Domain Project. All rights reserved. ## ## AuthservID (string) ## defaults to MTA name ## ## Sets the "authserv-id" to use when generating the Authentication-Results: ## header field after verifying a message. If the string "HOSTNAME" is ## provided, the name of the host running the filter (as returned by the ## gethostname(3) function) will be used. # # AuthservID name # Django : 2013-03-18 AuthservID mx01.nausch.org ## AuthservIDWithJobID { true | false } ## default "false" ## ## If "true", requests that the authserv-id portion of the added ## Authentication-Results header fields contain the job ID of the message ## being evaluated. # # AuthservIDWithJobID false # Django : 2013-03-18 AuthservIDWithJobID true ## AutoRestart { true | false } ## default "false" ## ## Automatically re-start on failures. Use with caution; if the filter fails ## instantly after it starts, this can cause a tight fork(2) loop. # # AutoRestart false ## AutoRestartCount n ## default 0 ## ## Sets the maximum automatic restart count. After this number of automatic ## restarts, the filter will give up and terminate. A value of 0 implies no ## limit. # # AutoRestartCount 0 ## AutoRestartRate n/t[u] ## default (no limit) ## ## Sets the maximum automatic restart rate. If the filter begins restarting ## faster than the rate defined here, it will give up and terminate. This ## is a string of the form n/t[u] where n is an integer limiting the count ## of restarts in the given interval and t[u] defines the time interval ## through which the rate is calculated; t is an integer and u defines the ## units thus represented ("s" or "S" for seconds, the default; "m" or "M" ## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a ## value of "10/1h" limits the restarts to 10 in one hour. There is no ## default, meaning restart rate is not limited. # # AutoRestartRate n/t[u] ## Background { true | false } ## default "true" ## ## Causes opendmarc to fork and exits immediately, leaving the service ## running in the background. # # Background true ## BaseDirectory (string) ## default (none) ## ## If set, instructs the filter to change to the specified directory using ## chdir(2) before doing anything else. This means any files referenced ## elsewhere in the configuration file can be specified relative to this ## directory. It's also useful for arranging that any crash dumps will be ## saved to a specific location. # # BaseDirectory /var/run/opendmarc ## ChangeRootDirectory (string) ## default (none) ## ## Requests that the operating system change the effective root directory of ## the process to the one specified here prior to beginning execution. ## chroot(2) requires superuser access. A warning will be generated if ## UserID is not also set. # # ChangeRootDirectory /var/chroot/opendmarc ## CopyFailuresTo (string) ## default (none) ## ## Requests addition of the specified email address to the envelope of ## any message that fails the DMARC evaluation. # # CopyFailuresTo postmaster@localhost ## DNSTimeout (integer) ## default 5 ## ## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. ## (NOT YET IMPLEMENTED) # # DNSTimeout 5 ## EnableCoredumps { true | false } ## default "false" ## ## On systems that have such support, make an explicit request to the kernel ## to dump cores when the filter crashes for some reason. Some modern UNIX ## systems suppress core dumps during crashes for security reasons if the ## user ID has changed during the lifetime of the process. Currently only ## supported on Linux. # # EnableCoreDumps false ## ForensicReports { true | false } ## default "false" ## ## Enables generation of forensic reports when the DMARC test fails and the ## purported sender of the message has requested such reports. Reports are ## formatted per RFC6591. # # ForensicReports false # Django : 2014-03-18 ForensicReports true ## ForensicReportsBcc (string) ## default (none) ## ## When forensic reports are enabled and one is to be generated, always ## send one to the address(es) specified here. If a forensic report is ## requested by the domain owner, the address(es) are added in a Bcc: field. ## If no request is made, they address(es) are used in a To: field. There ## is no default. # # ForensicReportsBcc postmaster@example.coom # Django : 2014-03-18 ForensicReportsBcc postmaster@nausch.org ## ForensicReportsOnNone { true | false } ## default "false" ## ## Supplements the "ForensicReports" setting by generating reports for ## domains that advertise "none" policies. By default, reports are only ## generated (when enabled) for sending domains advertising a "quarantine" ## or "reject" policy. # # ForensicReportsOnNone false ## ForensicReportsSentBy string ## default "USER@HOSTNAME" ## ## Specifies the email address to use in the From: field of forensic ## reports generated by the filter. The default is to use the userid of ## the user running the filter and the local hostname to construct an ## email address. "postmaster" is used in place of the userid if a name ## could not be determined. # # ForensicReportsSentBy USER@HOSTNAME # Django : 2014-03-18 ForensicReportsSentBy dmarc-admin@nausch.org ## HistoryFile path ## default (none) ## ## If set, specifies the location of a text file to which records are written ## that can be used to generate DMARC aggregate reports. Records are groups ## of rows containing information about a single received message, and ## include all relevant information needed to generate a DMARC aggregate ## report. It is expected that this will not be used in its raw form, but ## rather periodically imported into a relational database from which the ## aggregate reports can be extracted by a tool such as opendmarc-import(8). # HistoryFile /var/run/opendmarc/opendmarc.dat ## IgnoreHosts path ## default (internal) ## ## Specifies the path to a file that contains a list of hostnames, IP ## addresses, and/or CIDR expressions identifying hosts whose SMTP ## connections are to be ignored by the filter. If not specified, defaults ## to "127.0.0.1" only. # # IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts # Django : 2014-03-19 IgnoreHosts /etc/opendmarc/ignore.hosts ## IgnoreMailFrom domain[,...] ## default (none) ## ## Gives a list of domain names whose mail (based on the From: domain) is to ## be ignored by the filter. The list should be comma-separated. Matching ## against this list is case-insensitive. The default is an empty list, ## meaning no mail is ignored. # # IgnoreMailFrom example.com ## MilterDebug (integer) ## default 0 ## ## Sets the debug level to be requested from the milter library. # # MilterDebug 0 # Django : 2014-04-28 MilterDebug 5 ## PidFile path ## default (none) ## ## Specifies the path to a file that should be created at process start ## containing the process ID. ## # # PidFile /var/run/opendmarc.pid # Django : 2014-03-18 PidFile /var/run/opendmarc.pid ## PublicSuffixList path ## default (none) ## ## Specifies the path to a file that contains top-level domains (TLDs) that ## will be used to compute the Organizational Domain for a given domain name, ## as described in the DMARC specification. If not provided, the filter will ## not be able to determine the Organizational Domain and only the presented ## domain will be evaluated. # # PublicSuffixList path ## RecordAllMessages { true | false } ## default "false" ## ## If set and "HistoryFile" is in use, all received messages are recorded ## to the history file. If not set (the default), only messages for which ## the From: domain published a DMARC record will be recorded in the ## history file. # # RecordAllMessages false ## RejectFailures { true | false } ## default "false" ## ## If set, messages will be rejected if they fail the DMARC evaluation, or ## temp-failed if evaluation could not be completed. By default, no message ## will be rejected or temp-failed regardless of the outcome of the DMARC ## evaluation of the message. Instead, an Authentication-Results header ## field will be added. # # RejectFailures false # Django : 2014-03-24 RejectFailures true ## ReportCommand string ## default "/usr/sbin/sendmail -t" ## ## Indicates the shell command to which forensic reports should be passed for ## delivery when "ForensicReports" is enabled. # # ReportCommand /usr/sbin/sendmail -t ## RequiredHeaders { true | false } ## default "false" ## ## If set, the filter will ensure the header of the message conforms to the ## basic header field count restrictions laid out in RFC5322, Section 3.6. ## Messages failing this test are rejected without further processing. A ## From: field from which no domain name could be extracted will also be ## rejected. # # RequiredHeaders false ## Socket socketspec ## default (none) ## ## Specifies the socket that should be established by the filter to receive ## connections from sendmail(8) in order to provide service. socketspec is ## in one of two forms: local:path, which creates a UNIX domain socket at ## the specified path, or inet:port[@host] or inet6:port[@host] which creates ## a TCP socket on the specified port for the appropriate protocol family. ## If the host is not given as either a hostname or an IP address, the ## socket will be listening on all interfaces. This option is mandatory ## either in the configuration file or on the command line. If an IP ## address is used, it must be enclosed in square brackets. # # Socket inet:8893@localhost # Django : 2014-03-19 Socket inet:10012@localhost ## SoftwareHeader { true | false } ## default "false" ## ## Causes the filter to add a "DMARC-Filter" header field indicating the ## presence of this filter in the path of the message from injection to ## delivery. The product's name, version, and the job ID are included in ## the header field's contents. # # SoftwareHeader false # Django : 2014-03-18 SoftwareHeader true ## SPFIgnoreResults { true | false } ## default "false" ## ## Causes the filter to ignore any SPF results in the header of the ## message. This is useful if you want the filter to perfrom SPF checks ## itself, or because you don't trust the arriving header. # # SPFIgnoreResults false ## SPFSelfValidate { true | false } ## default false ## ## Causes the filter to perform a fallback SPF check itself when ## it can find no SPF results in the message header. If SPFIgnoreResults ## is also set, it never looks for SPF results in headers and ## always performs the SPF check itself when this is set. # # SPFSelfValidate false # Django : 2014-04-28 SPFSelfValidate true ## Syslog { true | false } ## default "false" ## ## Log via calls to syslog(3) any interesting activity. # # Syslog false # Django : 2014-03-18 Syslog true ## SyslogFacility facility-name ## default "mail" ## ## Log via calls to syslog(3) using the named facility. The facility names ## are the same as the ones allowed in syslog.conf(5). # # SyslogFacility mail ## TemporaryDirectory path ## default /var/tmp ## ## Specifies the directory in which temporary files should be written. # # TemporaryDirectory /var/tmp ## TrustedAuthservIDs string ## default HOSTNAME ## ## Specifies one or more "authserv-id" values to trust as relaying true ## upstream DKIM and SPF results. The default is to use the name of ## the MTA processing the message. To specify a list, separate each entry ## with a comma. The key word "HOSTNAME" will be replaced by the name of ## the host running the filter as reported by the gethostname(3) function. # # TrustedAuthservIDs HOSTNAME ## UMask mask ## default (none) ## ## Requests a specific permissions mask to be used for file creation. This ## only really applies to creation of the socket when Socket specifies a ## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary ## files are normally created by the mkstemp(3) function that enforces a ## specific file mode on creation regardless of the process umask. See ## umask(2) for more information. # # UMask 077 # Django : 2014-03-23 UMask 007 ## UserID user[:group] ## default (none) ## ## Attempts to become the specified userid before starting operations. ## The process will be assigned all of the groups and primary group ID of ## the named userid unless an alternate group is specified. # # UserID opendmarc # Django : 2014-03-23 UserID opendmarc:dmarc
# mkdir /etc/opendmarc
# vim /etc/opendmarc/ignore.hosts
- /etc/opendmarc/ignore.hosts
localhost amavis.dmz.nausch.org
Besonderen Augenmerk legen wir dabei auf folgende Parameter:
- AuthservID Hier setzen wir den Namen unseres Mailservers.
- HistoryFile Name und Pfad, in dem OpenDMARC die Statistikdaten ablegen wird.
- PidFile Name und Pfad, in dem der Daemon sein PID-File ablegen soll.
- Socket Über diesen Socket wird später unser Postfix-Mailserver den OpenDMARC-Daemon ansprechen.
- UserID UserID und GroupID, die der Daemon beim Anlegen der Dateien HistoryFile und PidFile nutzen soll. So können wir später einfacher die Daten von den einzelnen MX-Hosts abholen:
Alle anderen Parameter definieren wir noch entsprechen der Gegebenheiten unserer Installation/Infrastruktur. Einen kompakten Überblick über die gewählten Optionen fragen wir einfach mit folgendem Aufruf ab.
# egrep -v '(^#|^$)' /etc/opendmarc.conf
AuthservID mx01.nausch.org AuthservIDWithJobID true ForensicReports true ForensicReportsBcc postmaster@nausch.org ForensicReportsOnNone true ForensicReportsSentBy dmarc-admin@nausch.org HistoryFile /var/run/opendmarc/opendmarc.dat IgnoreHosts /etc/opendmarc/ignore.hosts PidFile /var/run/opendmarc.pid Socket inet:10012@localhost SoftwareHeader true Syslog true UserID opendmarc:dmarc
/etc/opendmarc/ignore.hosts
In der Datei ignore.hosts definieren wir die Hostnamen, oder IP-Adressen, die von der DMARC-Überprüfung und Bewertung ausgenommen werden sollen.
# vim /etc/opendmarc/ignore.hosts
- /etc/opendmarc/ignore.hosts
# Django : 2013-03-20 # folgende Hosts sollen von der DMARC-Überprüfung und Bewertung ausgenommen werden. localhost amavis.dmz.nausch.org
mysql Konfiguration
Eigentlich könnten wir nun schon unseren DMARC-Daemon starten. Jedoch wollen wir noch kurz die nötige mySQL-Datenbank anlegen, damit der Daemon die gewünschten aufbereiteten Statiskdaten und forensischen Berichte generieren und dann per eMail verschicken kann.
Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an.
# mysql -h localhost -u root -p
Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 1942 Server version: 5.1.67 Source distribution Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>
Dort legen wir als aller erst einmal eine Datenbank mit dem Namen opendmarc an.
mysql> CREATE DATABASE opendmarc;
Anschließend legen wir uns dann einen Datenbankuser an, dem wir entsprechende Rechte an der Datenbank opendmarc einräumen.
mysql> CREATE USER 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE USER 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
Query OK, 0 rows affected (0.00 sec)
Anschließend setzen wir noch die Nutzerberechtigungen unseres Datenbanknutzers opendmarc_user für die Datenbank opendmarc
mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.00 sec)
Zur Aktivierung weisen wir nun noch die Berechtigungen zu:
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
Abschließend melden wir uns wieder von unserem Datenbankhost ab.
mysql> quit
Bye
Bevor wir die benötigten Tabellen anlegen, testen wir noch, ob der Zugriff von unserem Mail- bzw. Datenimportserver funktioniert.
# mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2889 Server version: 5.1.73 Source distribution Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>
mysql> show databases;
+--------------------+ | Database | +--------------------+ | information_schema | | opendmarc | +--------------------+ 2 rows in set (0.00 sec)
mysql> quit
Bye
Mit Hilfe der Datei /usr/share/doc/opendmarc-1.2.0/schema.mysql legen wir nun abschließend die Tabellen in der Datenbank opendmarc an.
# mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p < /usr/share/doc/opendmarc-1.2.0/schema.mysql
Auch hier können wir uns bei Bedarf noch überprüfen, welche Tabellen angelegt wurden.
# mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
Enter password: Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2933 Server version: 5.1.73 Source distribution Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>
mysql> show databases;
+--------------------+ | Database | +--------------------+ | information_schema | | opendmarc | +--------------------+ 2 rows in set (0.00 sec) mysql>
mysql> use opendmarc;
Database changed mysql>
mysql> show tables;
+---------------------+ | Tables_in_opendmarc | +---------------------+ | domains | | ipaddr | | messages | | reporters | | requests | | signatures | +---------------------+ 6 rows in set (0.00 sec) mysql>
mysql> quit
Bye
dbCollecting User einrichten
Nicht immer möchte oder kann man von seinem oder seinen Mailservern eine Verbindung zum Datenbankhost ermöglichen. Um jetzt nicht von jedem einzelnen MX-Server einzurichten, verwenden wir einen User, den wir zum Einsammeln der Daten degradieren.
Wir legen uns nun unseren Nutzer an. Als UID und GID verwenden wir eine entsprechend freie Nummer, die wir entsprechend vorher abprüfen.
# grep 487 /etc/group
# grep 487 /etc/passwd
Anschließend legen wir uns unseren User an.
# groupadd -g 489 dmarc && useradd dmarc -c "DMARC" -g 489 -u 489 -m
Anschließend erzeugen wir uns noch einen entsprechenden SSH-Key und verteilen diesen auf unseren Mailservern. Entsprechende Schritte sind im Wiki hier beschrieben.
dbCollecting Script anlegen
Zum Einsammeln der Statistikdaten legen wir uns nun ein einfaches Shellscript an.
# vim /usr/local/bin/dmarc-report>
- /usr/local/bin/dmarc-report
#!/bin/sh # Script zum Importieren der DMARC-Daten aus dem lokalen cache-Datei in die mySQL Datenbank # und Generieren der DMARC-reports # Das Script wird um 03:33 Uhr via cronjob aufgerufen. # # crontab # einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen. # 33 3 * * * /usr/local/bin/dmarc-report 1>/dev/null 2>&1 # # Django : 2014-03-20 WORKDIR="/home/dmarc/" WORKFILE="opendmarc_all_hosts.dat" SSHKEYFILE=".ssh/id_rsa" MXHOSTS="mx01.nausch.org mx02.nausch.org mx03.nausch.org" DBFILE="opendmarc.dat" DBHOST="mysql.dmz.nausch.org" DBPORT="3306" DBUSER="opendmarc_user" DBPASSWD="ALLHs6blVwd8eHoSk2J3WZsT" DBNAME="opendmarc" # DMARC Datenfile von den Mailservern abholen cd $WORKDIR for HOST in $MXHOSTS; do scp -i $WORKDIR$SSHKEYFILE dmarc@${HOST}:/var/run/opendmarc/$DBFILE ${HOST}.dat ssh -i $WORKDIR$SSHKEYFILE dmarc@${HOST} "/bin/cat /dev/null > /var/run/opendmarc/$DBFILE" cat ${HOST}.dat >> $WORKFILE done # DMARC Daten in die mySQL-Datenbank opendmarc schreiben /usr/sbin/opendmarc-import --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \ --dbpasswd=$DBPASSWD < $WORKDIR$WORKFILE # DMARC Statistik-Report erstellen /usr/sbin/opendmarc-reports --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \ --dbpasswd=$DBPASSWD --verbose --interval=86400 --report-email 'postmaster@nausch.org' --report-org 'nausch.org' # DMARC Datenbank aufräumen, Datensätze die älter als 90 Tage sind werden gelöscht /usr/sbin/opendmarc-expire --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \ --dbpasswd=$DBPASSWD --verbose --expire=90 # Work-Verzeichnis wieder aufräumen cd $WORKDIR rm $WORKDIR*.dat -rf
Anschließen setzen wir die Ausführungsrechte unseres neuen Scriptes.
# chmod +x /usr/local/bin/dmarc-report
Zu guter Letzt aktivieren wir dann noch einen Cronjob für die tägliche Ausführung.
# vim /etc/crontab
- /etc/crontab
... # Django : 2014-03-20 # einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen. 33 3 * * * /usr/local/bin/dmarc-report 1>/dev/null 2>&1 ...
Postfix
Die Konfiguration auf Seiten unseres Postfix-Mailserver gestaltet sich relativ einfach, muss doch nur ein zusätzlicher Mailfilter angelegt werden. Hier geben wir dann den Port an, den wir bei der Konfiguration von OpenDMARC definiert haben.
# vim /etc/postfix/main.cf
- /etc/postfix/main.cf
... # Django : 2014-03-19 # SPF-Check und DKIM-Signaturüberprüfung via SMF-SPF- und DKIM-Milter einbinden. smtpd_milters = # SMF-SPF-Milter : inet:127.0.0.1:10010, # DKIM-Milter: inet:127.0.0.1:10011, # DMARC-Milter : inet:127.0.0.1:10012 ...
erster manueller Programmstart
Nun ist es an der Zeit unseren DMARC-Daemon das erste mal zu starten.
# service opendmarc start
Im /var/log/maillog wird der erfolgreiche Start ausreichend dokumentiert:
Apr 28 19:32:24 vml000080 opendmarc[28728]: OpenDMARC Filter: Opening listen socket on conn inet:10012@localhost Apr 28 19:32:24 vml000080 opendmarc[28729]: OpenDMARC Filter v1.3.0 starting (args: -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid) Apr 28 19:32:24 vml000080 opendmarc[28729]: trusted authentication services: mx01.nausch.org
Über den Port 10012 sollte nun unser daemon ansprechbar sein. Was wir auch sehr einfach mittels lsof überprüfen können:
# lsof -i :10003
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME opendmarc 13533 root 3u IPv4 115489 0t0 TCP localhost:documentum_s (LISTEN)
Auch mit Hilfe von netstat können wir abfragen, ob der Port 1003 in Verwendung ist.
# netstat -tulpen | grep 10012
tcp 0 0 127.0.0.1:10012 0.0.0.0:* LISTEN 0 115489 13533/opendmarc
Anschließend können wir nun auch unseren Postfix-Mailserver durchstarten, damit die Änderungen an seiner Konfiguration auch wirksam wird.
automatisches Starten des Dienste beim Systemstart
Damit nun unser DMARC-Daemon beim Booten unseres Servers automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.
# chkconfig opendmarc on
Anschließend überprüfen wir noch unsere Änderung:
# chkconfig --list | grep opendmarc
opendmarc 0:Aus 1:Aus 2:Ein 3:Ein 4:Ein 5:Ein 6:Aus
Logging / Mailheader
Im Maillog werden entsprechend unserer zuvor festgelegten Konfiguration, vom DMARC-Daemon logeinträge erzeugt. Folgender Logeintrag zeigt einen erfolgreiche DMARC-Überprüfung.
Mar 23 22:46:01 vml000080 opendmarc[25914]: C198981: gmail.com pass
Im Mailheader der Nachricht, wird dies auch entsprechend vermerkt.
DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org C198981 Authentication-Results: mx01.nausch.org/C198981; dmarc=pass header.from=gmail.com
Hat der Domainbetreiber keinen DMARC-Eintrag im DNS hinterlegt, sieht die betreffende Zeile im Maillog entsprechend so aus.
Mar 19 00:22:36 vml000080 opendmarc[14508]: D9B6D83: piratenpartei-bayern.de none
Auch dies wird im Mailheader entsprechend vermerkt.
DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org D9B6D83 Authentication-Results: mx01.nausch.org/D9B6D83; dmarc=none header.from=piratenpartei-bayern.de