Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:mail_c7:spam_12 [17.12.2014 20:32. ] – [Testen der DMARC Definitionen] django
+++ centos:mail_c7:spam_12 [18.11.2024 19:13. ] (aktuell) – Externe Bearbeitung 127.0.0.1
@@ Zeile 1: / Zeile 1: @@
-<WRAP center round info 60%>
+<WRAP center round info 60%> \\
 Artikel befindet sich gerade in der Bearbeitung!
 </WRAP>
@@ Zeile 21: / Zeile 21: @@
 Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf.
-<uml width=900 title="DMARC - Verarbeitungsschritte einer eMail">
+<uml>
 skinparam defaultFontName Courier
 state "Absender Klaus generiert eMail" as sender
@@ Zeile 54: / Zeile 54: @@
   smtpd_b : Bewertung der eMail
   smtpd_b : mit Hilfe von Blacklists
-  smtpd_b : und greylisting
+  smtpd_b : und postscreen
   state "SPAM- und Virenüberprüfung" as amavis1
@@ Zeile 174: / Zeile 174: @@
   regelmäßiger forensischer
   Bericht an den im DMARC-Record
-  hinterlegten "ruaf=mailto"-
+  hinterlegten "rua=mailto"-
   Adresse des Mailserver-
   betreibers des Absender-
@@ Zeile 289: / Zeile 289: @@
 ===== Installation =====
+Die einfachste und schnellste Variante bei der Installation ist die aus dem Repository **[[centos:nausch.org|nausch.org]]**. Hier reicht ein einfacher Aufruf von **yum** und alles wird automatisch installiert inkl. der Paketabhängigkeiten.
+   # yum install opendmarc
+Will oder kann man nicht auf das Repository **[[centos:nausch.org|nausch.org]]** zurückgreifen, steht immer noch der Installation per Hand nichts im Wege.
+   # yum localinstall http://repo7.nausch.org/7/x86_64/libopendmarc-1.3.0-1.el7.centos.x86_64.rpm \
+                      http://repo7.nausch.org/7/x86_64/opendmarc-1.3.0-1.el7.centos.x86_64.rpm
+Was das RPM alle mitbrachte zeigt ein Blick in die RPM-Datenbank.
+   # rpm -qil opendmarc
+<code>Name        : opendmarc
+Version     : 1.3.0
+Release     : 1.el7.centos
+Architecture: x86_64
+Install Date: Wed 17 Dec 2014 08:58:08 PM CET
+Group       : System Environment/Daemons
+Size        : 517881
+License     : BSD and Sendmail
+Signature   : RSA/SHA1, Wed 17 Dec 2014 08:38:39 PM CET, Key ID 60ecfb9e8195aea0
+Source RPM  : opendmarc-1.3.0-1.el7.centos.src.rpm
+Build Date  : Wed 17 Dec 2014 08:38:11 PM CET
+Build Host  : vml000200.dmz.nausch.org
+Relocations : (not relocatable)
+Packager    : Django
+URL         : http://www.trusteddomain.org/opendmarc.html
+Summary     : DMARC milter and library
+Description :
+OpenDMARC (Domain-based Message Authentication, Reporting & Conformance)
+provides an open source library that implements the DMARC verification
+service plus a milter-based filter application that can plug in to any
+milter-aware MTA, including sendmail, Postfix, or any other MTA that supports
+the milter protocol.
+The DMARC sender authentication system is still a draft standard, working
+towards RFC status.
+/etc/opendmarc/ignore.hosts
+/etc/opendmarc/opendmarc.conf
+/etc/tmpfiles.d/opendmarc.conf
+/usr/lib/systemd/system/opendmarc.service
+/usr/sbin/opendmarc
+/usr/sbin/opendmarc-check
+/usr/sbin/opendmarc-expire
+/usr/sbin/opendmarc-import
+/usr/sbin/opendmarc-importstats
+/usr/sbin/opendmarc-params
+/usr/sbin/opendmarc-reports
+/usr/share/doc/opendmarc-1.3.0
+/usr/share/doc/opendmarc-1.3.0/INSTALL
+/usr/share/doc/opendmarc-1.3.0/LICENSE
+/usr/share/doc/opendmarc-1.3.0/LICENSE.Sendmail
+/usr/share/doc/opendmarc-1.3.0/README
+/usr/share/doc/opendmarc-1.3.0/README.rddmarc
+/usr/share/doc/opendmarc-1.3.0/README.schema
+/usr/share/doc/opendmarc-1.3.0/RELEASE_NOTES
+/usr/share/doc/opendmarc-1.3.0/dmarc_policy_t.html
+/usr/share/doc/opendmarc-1.3.0/dmarcfail.py
+/usr/share/doc/opendmarc-1.3.0/dmarcfail.pyc
+/usr/share/doc/opendmarc-1.3.0/dmarcfail.pyo
+/usr/share/doc/opendmarc-1.3.0/draft-dmarc-base-03.txt
+/usr/share/doc/opendmarc-1.3.0/index.html
+/usr/share/doc/opendmarc-1.3.0/mkdb.mysql
+/usr/share/doc/opendmarc-1.3.0/mkdmarc
+/usr/share/doc/opendmarc-1.3.0/mysql_ip6.c
+/usr/share/doc/opendmarc-1.3.0/opendmarc
+/usr/share/doc/opendmarc-1.3.0/opendmarc.conf.sample
+/usr/share/doc/opendmarc-1.3.0/opendmarc.spec.in
+/usr/share/doc/opendmarc-1.3.0/opendmarc_dns_fake_record.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_get_policy_to_enforce.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_lib_t.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_clear.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_init.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_rset.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_shutdown.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_adkim.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_alignment.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_aspf.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_fo.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_p.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_pct.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_rf.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_rua.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_ruf.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_sp.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_utilized_domain.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_library_init.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_library_shutdown.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_parse_dmarc.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_query_dmarc.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_status_to_str.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_dkim.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_dmarc.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_from_domain.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_spf.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_to_buf.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_spf_test.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_status_t.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_tld_read_file.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_tld_shutdown.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_util_clearargv.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_xml.html
+/usr/share/doc/opendmarc-1.3.0/opendmarc_xml_parse.html
+/usr/share/doc/opendmarc-1.3.0/overview.html
+/usr/share/doc/opendmarc-1.3.0/rddmarc
+/usr/share/doc/opendmarc-1.3.0/schema.mysql
+/usr/share/man/man5/opendmarc.conf.5.gz
+/usr/share/man/man8/opendmarc-check.8.gz
+/usr/share/man/man8/opendmarc-expire.8.gz
+/usr/share/man/man8/opendmarc-import.8.gz
+/usr/share/man/man8/opendmarc-importstats.8.gz
+/usr/share/man/man8/opendmarc-params.8.gz
+/usr/share/man/man8/opendmarc-reports.8.gz
+/usr/share/man/man8/opendmarc.8.gz
+/var/run/opendmarc
+/var/spool/opendmarc
+</code>
+   # rpm -qil libopendmarc
+<code>Name        : libopendmarc
+Version     : 1.3.0
+Release     : 1.el7.centos
+Architecture: x86_64
+Install Date: Wed 17 Dec 2014 08:40:49 PM CET
+Group       : System Environment/Libraries
+Size        : 48888
+License     : BSD and Sendmail
+Signature   : RSA/SHA1, Wed 17 Dec 2014 08:38:40 PM CET, Key ID 60ecfb9e8195aea0
+Source RPM  : opendmarc-1.3.0-1.el7.centos.src.rpm
+Build Date  : Wed 17 Dec 2014 08:38:11 PM CET
+Build Host  : vml000200.dmz.nausch.org
+Relocations : (not relocatable)
+Packager    : Django
+URL         : http://www.trusteddomain.org/opendmarc.html
+Summary     : An open source DMARC library
+Description :
+This package contains the library files required for running services built
+using libopendmarc.
+/usr/lib64/libopendmarc.so.2
+/usr/lib64/libopendmarc.so.2.0.0
+</code>
+===== Konfigurations-Dokumentation =====
+==== README ====
+Viele hilfreiche Informationen zur Konfiguration von OpenDMARC finden sich in den nachfolgenden Dateien.
+   # less /usr/share/doc/opendmarc-1.3.0/README
+<code>OPENDMARC README
+================
+This directory has the latest open source DMARC software from The Trusted
+Domain Project.
+There is a web site at http://www.trusteddomain.org/opendmarc that is home for
+the latest updates.
++--------------+
+| INTRODUCTION |
++--------------+
+The OpenDMARC project is a community effort to develop and maintain an open
+source package for providing DMARC report generation and policy enforcement
+services.  It includes a library for handling DMARC record parsing,
+a database schema and tools for aggregating and processing transaction
+history to produce DMARC reports, and a filter that ties it all together
+with an MTA using the milter protocol.
+"milter" is a portmanteau of "mail filter" and refers to a protocol and API
+for communicating mail traffic information between MTAs and mail filtering
+plug-in applications.  It was originally invented at Sendmail, Inc. but
+has also been adapted to other MTAs.
++--------------+
+| DEPENDENCIES |
++--------------+
+To compile and operate, this package requires the following:
+o OpenDBX (http://www.linuxnetworks.de/doc/index.php/OpenDBX) which
+  acts as a middleware layer between OpenDMARC and your SQL backend
+  of choice
+o sendmail v8.13.0 (or later), or Postfix 2.3, (or later) and libmilter.
+  (These are only required if you are building the filter.)
+o Access to a working nameserver (required only for signature verification).
+o If you are interested in tinkering with the build and packaging structure,
+  you may need to upgrade to these versions of GNU's "autotools" components:
+        autoconf (GNU Autoconf) 2.61
+        automake (GNU automake) 1.7 (or 1.9 to avoid warnings)
+        ltmain.sh (GNU libtool) 2.2.6 (or 1.5.26 after make maintainer-clean)
++-----------------------+
+| RELATED DOCUMENTATION |
++-----------------------+
+The man page for opendmarc (the actual filter program) is present in the
+opendmarc directory of this source distribution.  There is additional
+information in the INSTALL and FEATURES files, and in the README file in the
+opendmarc directory.  Changes are documented in the RELEASE_NOTES file.
+HTML-style documentation for libopendmarc is available in libopendmarc/docs in
+this source distribution.
+General information about DMARC can be found at http://www.dmarc.org
+Mailing lists discussing and supporting the DMARC software found in this
+package are maintained via a list server at trusteddomain.org.  Visit
+http://www.trusteddomain.org to subscribe or browse archives.  The available
+lists are:
+        opendmarc-announce      (moderated) Release announcements.
+        opendmarc-users         General OpenDMARC user questions and answers.
+        opendmarc-dev           Chatter among OpenDMARC developers.
+        opendmarc-code          Automated source code change announcements.
+Bug tracking is done via the trackers on SourceForge at
+http://sourceforge.net/projects/opendmarc.  You can enter new bug
+reports there, but please check first for older bugs already open,
+or even already closed, before opening a new issue.
++---------------------+
+| DIRECTORY STRUCTURE |
++---------------------+
+contrib         A collection of user contributed scripts that may be useful.
+db              Database schema and tools for generating DMARC reports based
+                upon accumulated data.
+docs            A collection of RFCs and drafts related to opendmarc.
+libopendmarc    A library that implements the proposed DMARC standard.
+libopendmarc/docs
+                HTML documentation describing the API provided by libopendmarc.
+opendmarc       A milter-based filter application which uses libopendmarc (and
+                optionally libar) to provide DMARC service via an MTA using
+                the milter protocol.
++----------------+
+| RUNTIME ISSUES |
++----------------+
+WARNING: symbol 'X' not available
+ The filter attempted to get some information from the MTA that the MTA
+ did not provide.
+ At various points in the interaction between the MTA and the filter, certain
+ macros containing information about the job in progress or the connection
+ being handled are passed from the MTA to the filter.
+ In the case of sendmail, the names of the macros the MTA should pass to the
+ filter are defined by the "Milter.macros" settings in sendmail.cf, e.g.
+ "Milter.macros.connect", "Milter.macros.envfrom", etc.  This message
+ indicates that the filter needed the contents of macro X, but that macro
+ was not passed down from the MTA.
+ Typically the values needed by this filter are passed from the MTA if the
+ sendmail.cf was generated by the usual m4 method.  If you do not have
+ those options defined in your sendmail.cf, make sure your M4 configuration
+ files are current and rebuild your sendmail.cf to get appropriate lines
+ added to your sendmail.cf, and then restart sendmail.
+MTA timeouts
+ By default, the MTA is configured to wait up to ten seconds for a response
+ from a filter before giving up.  When querying remote nameservers
+ for key and policy data, the DMARC filter may not get a response from the
+ resolver within that time frame, and thus this MTA timeout will occur.
+ This can cause messages to be rejected, temp-failed or delivered without
+ verification, depending on the failure mode selected for the filter.
+ When using the standard resolver library provided with your system, the
+ DNS timeout cannot be adjusted.  If you encounter this problem, you must
+ increase the time the MTA waits for replies.  See the documentation in
+ the sendmail open source distribution (libmilter/README in particular)
+ for instructions on changing these timeouts.
+ When using the provided asynchronous resolver library, you can use the
+ "-T" command line option to change the timeout so that it is shorter than
+ the MTA timeout.
+Other OpenDMARC issues:
+ Report any bugs to the email address opendmarc-users@trusteddomain.org or to
+ the SourceForge issue tracker accessible at:
+ http://sourceforge.net/p/opendmarc/tickets/
+--
+Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.
+$Id: README,v 1.13 2010/10/25 20:41:55 cm-msk Exp $
+</code>
+==== README.schema ====
+   # less /usr/share/doc/opendmarc-1.3.0/README.schema
+<file /usr/share/doc/opendmarc-1.3.0/README.schema>This directory contains the OpenDMARC schema plus any related files.
+The tables in this schema are populated by the opendmarc filter as it processes
+messages and downloads policies.  The rows are then consumed by the scripts
+in the "reports" directory to generate regular aggregate reports.
+The tables are summarized here:
+domains         A table that maps domain names to unique integer IDs.
+                Automatically tracks a "first seen" timestamp, and includes
+                a column to record when the last report was sent.
+reporters       A table mapping reporting hosts to unique integer IDs.
+                Intended for use by multi-MX systems so it's possible to tell
+                where an inbound message landed.
+ipaddr          A table mapping IP addresses (as strings) to unique IDs.
+                Also tracks the "first seen" timestamp for each.
+messages        A table tracking salient properties of all messages received.
+                A messages is uniquely identified by a {date, jobid, reporter}
+                tuple.  Includes references to the "domains" table to track
+                the RFC5321.MailFrom domain, the RFC5322.From domain.
+                Also records the count of DKIM signatures, the SPF result,
+                and whether or not the SPF result was aligned with the
+                RFC5322.From domain.
+signatures      A table tracking DKIM signatures, each of which refers to
+                a rown in the "messages" table.  Tracks the signing domain,
+                whether the signature passed, whether there was a verification
+                error other than a broken signature, and whether or not the
+                signing domain aligned with the RFC5322.From domain.
+requests        A table containing a cache of DMARC reporting requests.
+                For each domain, the destination reporting URI for aggregate
+                reports is recorded along with a "last report sent" timestamp.
+--
+Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.
+</file>
+==== README.rddmarc ====
+   # less /usr/share/doc/opendmarc-1.3.0/README.rddmarc
+<file /usr/share/doc/opendmarc-1.3.0/README.rddmarc>These are little scripts to parse DMARC reports.
+The first, rddmarc, is a perl script that take an incoming DMARC
+summary report email, extracts and unpacks the gzip or ZIP file,
+parses the XML, and puts the parts about received mail into a MySQL
+database.  The database is set up to handle reports about multiple
+domains from multiple reporters. It's handling reports from Google,
+Yahoo, xs4all and Netease.
+It expects filenames on the command line, each of which contains a
+mail message, but it'd easy enough to adjust it to read stdin or
+anywhere else.
+It works great on FreeBSD, can probably be made to work on linux with
+modest effort, no clue about other systems.  It needs the
+MIME::Parser, XML::Simple, and DBI perl modules and the freeware unzip
+program to extract stuff from the gzip or ZIP file.
+It now handles both IPv4 and IPv6 addresses.  If you have been
+running the ipv4 version, see mkdmarc for instructions on how
+to update your database.  The file mysql_ip6.c is a plugin for a
+mysql server to add some IPv6 formatting functions that can be
+handy when analyzing the reports.  It's not needed for rddmarc.
+The second is a python script to parse failure reports.  It expects
+file names on the command line, or if no arguments, it reads stdin. It
+needs the usual MySQLdb module.  It handles reports from Netease,
+which are currently the only ones I'm getting.
+mkdmarc - SQL to create the tables
+rddmarc - the script to parse summary reports (Perl)
+dmarcfail.py - the script to parse failure reports (python)
+mysql_ip6.c - C language source for MySQL plugin for IPv6
+        formatting functions
+</file>
+===== man-pages =====
+==== opendmarc ====
+   # man opendmarc
+<code>opendmarc(8)                       System Manager's Manual                      opendmarc(8)
+NAME
+       opendmarc - DMARC email policy filter for MTAs
+SYNOPSIS
+       opendmarc  [-A]  [-c  configfile]  [-f]  [-l]  [-n]  [-p socketspec] [-P pidfile] [-t
+       file[,file[...]]]  [-u userid[:group]] [-v] [-V]
+DESCRIPTION
+       opendmarc implements the prooposed DMARC specification for authentication of  message
+       and reporting of observed traffic.
+       opendmarc  uses  the milter interface, originally distributed as part of version 8.11
+       of sendmail(8), to provide a DMARC processing service for mail transiting  a  milter-
+       aware MTA.
+       Most,  if  not  all, of the command line options listed below can also be set using a
+       configuration file.  See the -c option for details.
+       opendmarc relies on addition of Authentication-Results fields by upsteam  filters  on
+       trusted hosts to collect input to the DMARC algorithm.  It does not itself do DKIM or
+       SPF evaluation.
+OPTIONS
+       -A     Automatically re-start on failures.  Use with caution;  if  the  filter  fails
+              instantly  after  it starts, this can cause a tight fork(2) loop.  This can be
+              mitigated using some values in the configuration  file  to  limit  restarting.
+              See opendmarc.conf(5).
+       -c configfile
+              Read  the  named  configuration  file.  See the opendmarc.conf(5) man page for
+              details.  Values in the configuration file are overridden when  their  equiva‐
+              lents  are  provided  on the command line until a configuration reload occurs.
+              The OPERATION section describes how reloads are triggered.  The default is  to
+              read a configuration file from /etc/opendmarc.conf if one exists, or otherwise
+              to apply defaults to all values.
+       -f     Normally opendmarc forks and exits immediately, leaving the service running in
+              the  background.   This  flag suppresses that behaviour so that it runs in the
+              foreground.
+       -l     Log via calls to syslog(3) any interesting activity.
+       -n     Parse the configuration file and command line arguments, reporting any  errors
+              found,  and  then exit.  The exit value will be 0 if the filter would start up
+              without complaint, or non-zero otherwise.
+       -p socketspec
+              Specifies the socket that should be established by the filter to receive  con‐
+              nections  from  sendmail(8) in order to provide service.  socketspec is in one
+              of two forms: local:path which creates a UNIX domain socket at  the  specified
+              path,  or  inet:port[@host] or inet6:port[@host] which creates a TCP socket on
+              the specified port within the specified protocol family.  If the host  is  not
+              given  as  either a hostname or an IP address, the socket will be listening on
+              all interfaces.  If neither socket type is specified, local is assumed,  mean‐
+              ing  the parameter is interpreted as a path at which the socket should be cre‐
+              ated.  If an IP address is used, it must be enclosed in square brackets.  This
+              parameter is mandatory.
+       -P pidfile
+              Specifies a file into which the filter should write its process ID at startup.
+       -t file[,file[,...]]
+              Reads  email  messages from the named files and processes them as if they were
+              received by the filter.  The service is not started, and actions normally sent
+              back to the MTA will instead be printed on standard output.
+       -u userid[:group]
+              Attempts  to  be  come  the  specified userid before starting operations.  The
+              process will be assigned all of the groups and primary group ID of  the  named
+              userid  unless an alternate group is specified.  See the FILE PERMISSIONS sec‐
+              tion for more information.
+       -v     Increase verbose output during test mode (see -t  above).   May  be  specified
+              more than once to request increasing amounts of output.
+       -V     Print  the  version  number and supported canonicalization and signature algo‐
+              rithms, and then exit without doing anything else.
+SIGNALS
+       Upon receiving SIGUSR1, if the filter was started with a configuration file, it  will
+       be re-read and the new values used.  Note that any command line overrides provided at
+       startup time will be lost when this is done.  Also, the following configuration  file
+       values  (and their corresponding command line items, if any) are not reloaded through
+       this process: AutoRestart (-A), AutoRestartCount, AutoRestartRate,  Background,  Mil‐
+       terDebug,  PidFile  (-P), Socket (-p), UMask, UserID (-u).  The filter does not auto‐
+       matically check the configuration file for changes and reload.
+VERSION
+       This man page covers version 1.3.0 of opendmarc.
+COPYRIGHT
+       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.
+SEE ALSO
+       opendmarc.conf(5), sendmail(8)
+       Sendmail Operations Guide
+       RFC4408 - Sender Policy Framework
+       RFC5321 - Simple Mail Transfer Protocol
+       RFC5322 - Internet Messages
+       RFC5451 - Message Header Field for Indicating Message Authentication Status
+       RFC6376 - DomainKeys Identified Mail
+       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format
+                                 The Trusted Domain Project                     opendmarc(8)
+</code>
+==== opendmarc.conf ====
+   # man opendmarc.conf
+<code>opendmarc.conf(5)                    File Formats Manual                   opendmarc.conf(5)
+NAME
+       opendmarc.conf - Configuration file for opendmarc
+LOCATION
+       /etc/opendmarc.conf
+DESCRIPTION
+       opendmarc(8)  implements the proposed DMARC specification for message authentication,
+       policy enforcement, and reporting.  This file is its configuration file.
+       Blank lines are ignored.  Lines containing a hash ("#") character  are  truncated  at
+       the hash character to allow for comments in the file.
+       Other content should be the name of a parameter, followed by white space, followed by
+       the value of that parameter, each on a separate line.
+       For parameters that are Boolean in nature, only the first byte of the value  is  pro‐
+       cessed.   For  positive  values, the following are accepted: "T", "t", "Y", "y", "1".
+       For negative values, the following are accepted: "F", "f", "N", "n", "0".
+       Some, but not all, of these parameters are also available as command line options  to
+       opendmarc(8).   However,  new  parameters  are  generally  not  added as command line
+       options so the complete set of options is available here, and thus use of the config‐
+       uration  file  is  encouraged.   In some future release, the set of available command
+       line options is likely to get trimmed.
+       See the opendmarc(8) man page for details about how and when the  configuration  file
+       contents are reloaded.
+       Unless otherwise stated, Boolean values default to "false", integer values default to
+, and string and dataset values default to being undefined.
+PARAMETERS
+       AuthservID (string)
+              Sets the "authserv-id" to  use  when  generating  the  Authentication-Results:
+              header field after verifying a message.  The default is to use the name of the
+              MTA processing the message.  If the string "HOSTNAME" is provided, the name of
+              the  host running the filter (as returned by the gethostname(3) function) will
+              be used.
+       AuthservIDWithJobID (Boolean)
+              If "true", requests that the authserv-id portion of the added  Authentication-
+              Results: header fields contain the job ID of the message being evaluated.
+       AutoRestart (Boolean)
+              Automatically  re-start  on  failures.   Use with caution; if the filter fails
+              instantly after it starts, this can cause a tight fork(2) loop.
+       AutoRestartCount (integer)
+              Sets the maximum automatic restart count.   After  this  number  of  automatic
+              restarts,  the  filter  will  give  up and terminate.  A value of 0 implies no
+              limit; this is the default.
+       AutoRestartRate (string)
+              Sets the maximum automatic restart rate.   If  the  filter  begins  restarting
+              faster  than  the rate defined here, it will give up and terminate.  This is a
+              string of the form n/t[u] where n is an integer limiting the count of restarts
+              in  the  given  interval  and t[u] defines the time interval through which the
+              rate is calculated; t is an integer and u defines the units  thus  represented
+              ("s"  or  "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for
+              hours; "d" or "D" for days).  For example,  a  value  of  "10/1h"  limits  the
+              restarts  to 10 in one hour.  There is no default, meaning restart rate is not
+              limited.
+       Background (Boolean)
+              Causes opendmarc to fork and exits immediately, leaving the service running in
+              the background.  The default is "true".
+       BaseDirectory (string)
+              If  set,  instructs  the  filter  to  change  to the specified directory using
+              chdir(2) before doing anything else.  This means any  files  referenced  else‐
+              where  in  the configuration file can be specified relative to this directory.
+              It's also useful for arranging that any crash dumps will be saved  to  a  spe‐
+              cific location.
+       ChangeRootDirectory (string)
+              Requests  that the operating system change the effective root directory of the
+              process to the one specified here prior to beginning  execution.   chroot  (2)
+              requires  superuser  access. A warning will be generated if UserID is not also
+              set.
+       CopyFailuresTo (string)
+              Adds the specified recipient to the message's envelope if it fails  the  DMARC
+              evaluation.
+       DNSTimeout (integer)
+              Sets  the  DNS timeout in seconds.  A value of 0 causes an infinite wait.  The
+              default is 5.  Ignored if not using an asynchronous resolver package.
+       EnableCoredumps (Boolean)
+              On systems that have such support, make an explicit request to the  kernel  to
+              dump  cores when the filter crashes for some reason.  Some modern UNIX systems
+              suppress core dumps during crashes for security reasons if  the  user  ID  has
+              changed  during  the  lifetime  of  the  process.  Currently only supported on
+              Linux.
+       FailureReports (Boolean)
+              Enables generation of failure reports when the DMARC test fails and  the  pur‐
+              ported  sender of the message has requested such reports.  Reports are format‐
+              ted per RFC6591.
+       FailureReportsBcc (string)
+              When failure reports are enabled and one is to be generated, always  send  one
+              to  the  address(es)  specified here.  If a failure report is requested by the
+              domain owner, the address(es) are added in a Bcc: field.   If  no  request  is
+              made, they address(es) are used in a To: field.  There is no default.
+       FailureReportsOnNone (Boolean)
+              Supplementary  to  the previous setting, enables generation of failure reports
+              for sending domains that publish a "none" policy.
+       FailureReportsSentBy (string)
+              Sets the value of the From: field to be used when sending failure reports (see
+              above).  The default is to use the userid of the user executing the filter and
+              the local host name to construct an email address.
+       HistoryFile (string)
+              If set, specifies the location of a text file to  which  records  are  written
+              that  can be used to generate DMARC aggregate reports.  Records are batches of
+              rows containing information about a single received message, and  include  all
+              relevant  information  needed  to  generate  a  DMARC aggregate report.  It is
+              expected that this will not be used in its raw form, but  rather  periodically
+              imported  into  a  relational database from which the aggregate reports can be
+              extracted.
+       IgnoreAuthenticatedClients (Boolean)
+              If set, causes mail from authenticated clients (i.e.,  those  that  used  SMTP
+              AUTH) to be ignored by the filter.  The default is "false".
+       IgnoreHosts (string)
+              Specifies  the path to a file that contains a list of hostnames, IP addresses,
+              and/or CIDR expressions identifying hosts whose SMTP  connections  are  to  be
+              ignored by the filter.  If not specified, defaults to "127.0.0.1" only.
+       IgnoreMailFrom (string)
+              Gives  a  list of domain names whose mail (based on the From: domain) is to be
+              ignored by the filter.  The list should be comma-separated.  Matching  against
+              this  list is case-insensitive.  The default is an empty list, meaning no mail
+              is ignored.
+       MilterDebug (integer)
+              Sets the debug level to be requested from the milter library.  The default  is
+.
+       PidFile (string)
+              Specifies  the path to a file that should be created at process start contain‐
+              ing the process ID.
+       PublicSuffixList (string)
+              Specifies the path to a file that contains top-level domains (TLDs) that  will
+              be  used  to  compute  the  Organizational  Domain for a given domain name, as
+              described in the DMARC specification.  If not provided, the filter will not be
+              able to determine the Organizational Domain and only the presented domain will
+              be evaluated.
+       RecordAllMessages (Boolean)
+              If set and HistoryFile is in use, all received messages are  recorded  to  the
+              history  file.   If  not  set (the default), only messages for which the From:
+              domain published a DMARC record will be recorded in the history file.
+       RejectFailures (Boolean)
+              If set, messages will be rejected if they fail the DMARC evaluation, or  temp-
+              failed  if  evaluation could not be completed.  By default, no message will be
+              rejected or temp-failed regardless of the outcome of the DMARC  evaluation  of
+              the  message.   Instead, an Authentication-Results header field will be added.
+              The default is "false".
+       ReportCommand (string)
+              Indicates the shell command to which failure  reports  should  be  passed  for
+              delivery when FailureReports is enabled.  Defaults to /usr/sbin/sendmail.
+       RequiredHeaders (Boolean)
+              If set, the filter will ensure the header of the message conforms to the basic
+              header field count restrictions laid out in RFC5322,  Section  3.6.   Messages
+              failing this test are rejected without further processing.  A From: field from
+              which no domain name could be extracted will also be rejected.
+       Socket (string)
+              Specifies the socket that should be established by the filter to receive  con‐
+              nections  from  sendmail(8) in order to provide service.  socketspec is in one
+              of two forms: local:path, which creates a UNIX domain socket at the  specified
+              path,  or  inet:port[@host] or inet6:port[@host] which creates a TCP socket on
+              the specified port for the appropriate protocol family.  If the  host  is  not
+              given  as  either a hostname or an IP address, the socket will be listening on
+              all interfaces.  This option is mandatory either in the configuration file  or
+              on  the command line.  If an IP address is used, it must be enclosed in square
+              brackets.
+       SoftwareHeader (Boolean)
+              Causes opendmarc to add a "DMARC-Filter" header field indicating the  presence
+              of  this  filter  in  the path of the message from injection to delivery.  The
+              product's name, version, and the job ID are included  in  the  header  field's
+              contents.
+       SPFIgnoreResults (Boolean)
+              Causes  the  filter  to  ignore  any SPF results in the header of the message.
+              This is useful if you want the filter to perfrom SPF checks itself, or because
+              you don't trust the arriving header.  The default is "false".
+       SPFSelfValidate (Boolean)
+              Causes  the  filter to perform a fallback SPF check itself when it can find no
+              SPF results in the message header.  If SPFIgnoreResults is also set, it  never
+              looks for SPF results in headers and always performs the SPF check itself when
+              this is set.  The default is "false".
+       Syslog (Boolean)
+              Log via calls to syslog(3) any interesting activity.
+       SyslogFacility (string)
+              Log via calls to syslog(3) using the named facility.  The facility  names  are
+              the same as the ones allowed in syslog.conf(5).  The default is "mail".
+       TemporaryDirectory (string)
+              Specifies  the  directory  in  which  temporary  files should be written.  The
+              default is /var/tmp.
+       TrustedAuthservIDs (string)
+              Provides a list of authserv-ids that are to be used  to  identify  Authentica‐
+              tion-Results header fields whose contents are to be assumed as valid input for
+              the DMARC assessment.  To provide a list, separate values by commas.   If  the
+              string  "HOSTNAME"  is  provided,  the name of the host running the filter (as
+              returned by the gethostname(3) function) will be used.  Matching against  this
+              list is case-insensitive.  The default is to use the value of AuthservID.
+       UMask (integer)
+              Requests  a specific permissions mask to be used for file creation.  This only
+              really applies to creation of the socket when Socket specifies a  UNIX  domain
+              socket,  and  to  the  PidFile  (if  any);  temporary files are created by the
+              mkstemp(3) function that enforces a specific file mode on creation  regardless
+              of the process umask.  See umask(2) for more information.
+       UserID (string)
+              Attempts to become the specified userid before starting operations.  The value
+              is of the form userid[:group].  The process will be assigned all of the groups
+              and  primary  group ID of the named userid unless an alternate group is speci‐
+              fied.
+FILES
+       /etc/opendmarc.conf
+              Default location of this file.
+VERSION
+       This man page covers version 1.3.0 of opendmarc.
+COPYRIGHT
+       Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
+SEE ALSO
+       opendmarc(8), sendmail(8)
+       RFC4408 - Sender Policy Framework
+       RFC5451 - Message Header Field for Indicating Message Authentication Status
+       RFC5965 - An Extensible Format for Email Feedback Reports
+       RFC6376 - DomainKeys Identified Mail
+       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format
+                                 The Trusted Domain Project                opendmarc.conf(5)
+</code>
+==== opendmarc-check ====
+   # man opendmarc-check
+<code>opendmarc-check(8)                 System Manager's Manual                opendmarc-check(8)
+NAME
+       opendmarc-check - DMARC record check tool
+SYNOPSIS
+       opendmarc-check domain [domain [...]]
+DESCRIPTION
+       opendmarc-check  queries  the DNS for a DMARC record for the named domain(s) and then
+       translates the content found to a human-readable form.  This can be  used  to  ensure
+       that the DMARC policy you have placed in the nameserver is what you intended for oth‐
+       ers to see.
+VERSION
+       This man page covers version 1.3.0 of opendmarc.
+COPYRIGHT
+       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.
+SEE ALSO
+       opendmarc.conf(5), opendmarc(8)
+                                 The Trusted Domain Project               opendmarc-check(8)
+</code>
+==== opendmarc-expire ====
+   # man opendmarc-expire
+<code>opendmarc-expire(8)                System Manager's Manual               opendmarc-expire(8)
+NAME
+       opendmarc-expire - OpenDMARC history data expiration tool
+SYNOPSIS
+       opendmarc-expire [options]
+DESCRIPTION
+       opendmarc-expire  expires old records from the database that is part of the OpenDMARC
+       aggregate reporting feature.
+OPTIONS
+       --alltables
+              Expire records in all tables rather than only the large ones.
+       --dbhost=host
+              Attempts to connect to the database server on the named host.  The default  is
+              "localhost".
+       --dbname=name
+              Requests  a  connection  to  the database called name.  The default is "opend‐
+              marc".
+       --dbpasswd=password
+              Attempts to authenticate to the database server using the specified  password.
+              The default is "opendmarc".
+       --dbport=port
+              Tries  to  connect  to the database at the specified TCP port.  The default is
+.
+       --dbuser=user
+              Attempts to authenticate to the database server as the  specified  user.   The
+              default is "opendmarc".
+       --expire=days
+              Indicates the number of days of data to keep.  The default is 180.
+       --help Prints a usage message and exits.
+       --verbose
+              Requests verbose output.
+       --version
+              Prints version number and exits.
+VERSION
+       This  man page covers the version of opendmarc-expire that shipped with version 1.3.0
+       of OpenDMARC.
+COPYRIGHT
+       Copyright (c) 2012, 2014, The Trusted Domain Project.  All rights reserved.
+SEE ALSO
+       opendmarc(8), opendmarc-import(8)
+                                 The Trusted Domain Project              opendmarc-expire(8)
+</code>
+==== opendmarc-import ====
+   # man opendmarc-import
+<code>opendmarc-import(8)                System Manager's Manual               opendmarc-import(8)
+NAME
+       opendmarc-import - OpenDMARC aggregate report data import tool
+SYNOPSIS
+       opendmarc-import [options]
+DESCRIPTION
+       opendmarc-import  reads  per-message data recorded by an instance of opendmarc(8) and
+       inserts it into an SQL database, for later use by  opendmarc-reports(8)  to  generate
+       aggregate reports.
+       Records are read from standard input.
+OPTIONS
+       --dbhost=hostname
+              Specifies  the  hostname  on which the SQL server is running.  Defaults to the
+              value of the environment variable  OPENDMARC_DBHOST,  or  "localhost"  if  the
+              environment variable is not set.
+       --dbname=name
+              Specifies  the SQL database name to be accessed.  Defaults to the value of the
+              environment variable OPENDMARC_DB, or "opendmarc" if the environment  variable
+              is not set.
+       --dbpasswd=password
+              Specifies  the  password for the SQL database to be accessed.  Defaults to the
+              value of the environment variable OPENDMARC_PASSWORD, or  "opendmarc"  if  the
+              environment variable is not set.
+       --dbport=port
+              Specifies  the  TCP  port on which the SQL server is expected to be listening.
+              Defaults to the value of the environment variable OPENDMARC_PORT, or  3306  if
+              the environment variable is not set.
+       --dbuser=user
+              Specifies  the  SQL  user  to be used to access the database.  Defaults to the
+              value of the environment variable OPENDMARC_USER, or "opendmarc" if the  envi‐
+              ronment variable is not set.
+       --help Prints a help message and terminates.
+       --verbose
+              Increase the amount of verbosity written to standard output.
+       --version
+              Print version number and exit.
+VERSION
+       This  man page covers the version of opendmarc-import that shipped with version 1.3.0
+       of OpenDMARC.
+COPYRIGHT
+       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.
+SEE ALSO
+       opendmarc(8), opendmarc.conf(5) opendmarc-reports(8)
+                                 The Trusted Domain Project              opendmarc-import(8)
+</code>
+==== opendmarc-importstats ====
+   # man opendmarc-importstats
+<code>opendmarc-importstats(8)           System Manager's Manual          opendmarc-importstats(8)
+NAME
+       opendmarc-importstats - import OpenDMARC statistics/history data
+SYNOPSIS
+       opendmarc-importstats
+DESCRIPTION
+       opendmarc-importstats  is  a  fairly  trivial  shell  script,  typically  executed by
+       cron(8), that rotates an OpenDMARC statistics/history data file to a unique  filename
+       and  then attempts to import it to a local database for later processing by executing
+       opendmarc-import(8).  On successful import, the unique file is removed;  on  failure,
+       the  script  executes  ls(1)  on the file and exits without removing the unique file.
+       The intent of this last step is to cause cron to generate a message to a  responsible
+       party so that the failure will be investigated.
+VERSION
+       This  man  page covers the version of opendmarc-importstats that shipped with version
+.3.0 of OpenDMARC.
+COPYRIGHT
+       Copyright (c) 2013, The Trusted Domain Project.  All rights reserved.
+SEE ALSO
+       cron(8), opendmarc(8), opendmarc-import(8)
+                                 The Trusted Domain Project         opendmarc-importstats(8)
+</code>
+==== opendmarc-params ====
+   # man opendmarc-params
+<code>opendmarc-params(8)                System Manager's Manual               opendmarc-params(8)
+NAME
+       opendmarc-params - OpenDMARC reporting parameters setup tool
+SYNOPSIS
+       opendmarc-params [options] domain
+DESCRIPTION
+       opendmarc-params records a specific reporting address for aggregate reports about the
+       named domain and flags it as "locked" in the reporting requests  database.   This  is
+       done to allow an administrator to force generation of reports and have them sent to a
+       specific address regardless of what data may (or may not) be found in the DNS for the
+       named domain.
+OPTIONS
+       --dbhost=host
+              Attempts  to connect to the database server on the named host.  The default is
+              "localhost".
+       --dbname=name
+              Requests a connection to the database called name.   The  default  is  "opend‐
+              marc".
+       --dbpasswd=password
+              Attempts  to authenticate to the database server using the specified password.
+              The default is "opendmarc".
+       --dbport=port
+              Tries to connect to the database at the specified TCP port.   The  default  is
+.
+       --dbuser=user
+              Attempts  to  authenticate  to the database server as the specified user.  The
+              default is "opendmarc".
+       --help Prints a usage message and exits.
+       --rua=string
+              Sets the reporting URI for the named domain to the specified string.
+       --unlock
+              Unlocks the record for the named domain.
+       --verbose
+              Requests verbose output.
+       --version
+              Prints version number and exits.
+VERSION
+       This man page covers the version of opendmarc-params that shipped with version  1.3.0
+       of OpenDMARC.
+COPYRIGHT
+       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.
+SEE ALSO
+       opendmarc(8), opendmarc-import(8), opendmarc-reports(8)
+                                 The Trusted Domain Project              opendmarc-params(8)
+</code>
+==== opendmarc-reports ====
+   # man opendmarc-reports
+<code>opendmarc-reports(8)               System Manager's Manual              opendmarc-reports(8)
+NAME
+       opendmarc-reports - OpenDMARC aggregate report generation tool
+SYNOPSIS
+       opendmarc-reports [options]
+DESCRIPTION
+       opendmarc-reports pulls data from an OpenDMARC database and generates periodic aggre‐
+       gate reports.  The database is populated by a running opendmarc-import(8) on  a  mes‐
+       sage history file generated by an opendmarc(8) filter as messages arrive and are pro‐
+       cessed.  This includes the collection of reporting URIs, which this  script  uses  to
+       make reports available to those that request them.
+OPTIONS
+       --daybound
+              Generate  reports  on  day boundaries.  Overrides the value of --interval (see
+              below).  --dbhost=hostname Specifies the hostname on which the SQL  server  is
+              running.   Defaults to the value of the environment variable OPENDMARC_DBHOST,
+              or "localhost" if the environment variable is not set.
+       --dbname=name
+              Specifies the SQL database name to be accessed.  Defaults to the value of  the
+              environment  variable OPENDMARC_DB, or "opendmarc" if the environment variable
+              is not set.
+       --dbpasswd=password
+              Specifies the password for the SQL database to be accessed.  Defaults  to  the
+              value  of  the  environment variable OPENDMARC_PASSWORD, or "opendmarc" if the
+              environment variable is not set.
+       --dbport=port
+              Specifies the TCP port on which the SQL server is expected  to  be  listening.
+              Defaults  to  the value of the environment variable OPENDMARC_PORT, or 3306 if
+              the environment variable is not set.
+       --dbuser=user
+              Specifies the SQL user to be used to access the  database.   Defaults  to  the
+              value  of the environment variable OPENDMARC_USER, or "opendmarc" if the envi‐
+              ronment variable is not set.
+       --domain=name
+              Generates a report (if one is due) for the named domain, rather than  checking
+              all of them.
+       --help Prints a help message and terminates.
+       --interval=secs
+              Generates  reports  only  for hosts that have not had a report generated in at
+              least the last secs seconds.
+       --nodomain=name
+              Skips generating a report for the named domain.   Can  be  specified  multiple
+              times to skip multiple reporting domains.
+       --noupdate
+              Suppresses marking the time of the transmission of the report in the database.
+              Normally this would be done to prevent  reports  from  being  sent  too  close
+              together.
+       --smtp-host=host
+              Causes  reports  to  be sent by transmitting them using SMTP to the named host
+              which can be an IP address or a hostname.  The default is "127.0.0.1".
+       --smtp-port=port
+              Causes reports to be sent by transmitting them using  SMTP  to  the  specified
+              port.  The default is 25.
+       --utc  Instructs  the  database to change to the UTC timezone when generating output.
+              Otherwise, the database default is used.
+       --verbose
+              Increase the amount of verbosity written to standard output.
+       --version
+              Print version number and exit.
+VERSION
+       This man page covers the version of opendmarc-reports that shipped with version 1.3.0
+       of OpenDMARC.
+COPYRIGHT
+       Copyright (c) 2012, 2014, The Trusted Domain Project.  All rights reserved.
+SEE ALSO
+       opendmarc(8), opendmarc.conf(5), opendmarc-import(8)
+                                 The Trusted Domain Project             opendmarc-reports(8)
+</code>
+===== Konfiguration =====
+==== opendmarc ====
+=== opendmarc.conf ===
+Die Konfiguration von OpenDMARC erfolgt über die Konfigurationsdatei **opendmarc.conf** im Verzeichnis //**/etc/opendmarc/**//.
+   # vim /etc/opendmarc/opendmarc.conf
+<file bash /etc/opendmarc/opendmarc.conf>##
+## opendmarc.conf -- configuration file for OpenDMARC filter
+##
+## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
+##
+##  AuthservID (string)
+##      defaults to MTA name
+##
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
+##  header field after verifying a message.  If the string "HOSTNAME" is
+##  provided, the name of the host running the filter (as returned by the
+##  gethostname(3) function) will be used.
+#
+# AuthservID name
+# Django : 2014-12-17
+AuthservID mx01.nausch.org
+##  AuthservIDWithJobID { true | false }
+##      default "false"
+##
+##  If "true", requests that the authserv-id portion of the added
+##  Authentication-Results header fields contain the job ID of the message
+##  being evaluated.
+#
+# AuthservIDWithJobID false
+# Django : 2014-02-17
+AuthservIDWithJobID true
+##  AutoRestart { true | false }
+##      default "false"
+##
+##  Automatically re-start on failures. Use with caution; if the filter fails
+##  instantly after it starts, this can cause a tight fork(2) loop.
+#
+# AutoRestart false
+##  AutoRestartCount n
+##      default 0
+##
+##  Sets the maximum automatic restart count.  After this number of automatic
+##  restarts, the filter will give up and terminate.  A value of 0 implies no
+##  limit.
+#
+# AutoRestartCount 0
+##  AutoRestartRate n/t[u]
+##      default (no limit)
+##
+##  Sets the maximum automatic restart rate.  If the filter begins restarting
+##  faster than the rate defined here, it will give up and terminate.  This
+##  is a string of the form n/t[u] where n is an integer limiting the count
+##  of restarts in the given interval and t[u] defines the time interval
+##  through which the rate is calculated; t is an integer and u defines the
+##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
+##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
+##  value of "10/1h" limits the restarts to 10 in one hour. There is no
+##  default, meaning restart rate is not limited.
+#
+# AutoRestartRate n/t[u]
+##  Background { true | false }
+##      default "true"
+##
+##  Causes opendmarc to fork and exits immediately, leaving the service
+##  running in the background.
+#
+# Background true
+##  BaseDirectory (string)
+##      default (none)
+##
+##  If set, instructs the filter to change to the specified directory using
+##  chdir(2) before doing anything else.  This means any files referenced
+##  elsewhere in the configuration file can be specified relative to this
+##  directory.  It's also useful for arranging that any crash dumps will be
+##  saved to a specific location.
+#
+# BaseDirectory /var/run/opendmarc
+##  ChangeRootDirectory (string)
+##      default (none)
+##
+##  Requests that the operating system change the effective root directory of
+##  the process to the one specified here prior to beginning execution.
+##  chroot(2) requires superuser access.  A warning will be generated if
+##  UserID is not also set.
+#
+# ChangeRootDirectory /var/chroot/opendmarc
+##  CopyFailuresTo (string)
+##      default (none)
+##
+##  Requests addition of the specified email address to the envelope of
+##  any message that fails the DMARC evaluation.
+#
+# CopyFailuresTo postmaster@localhost
+##  DNSTimeout (integer)
+##      default 5
+##
+##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
+##  (NOT YET IMPLEMENTED)
+#
+# DNSTimeout 5
+##  EnableCoredumps { true | false }
+##      default "false"
+##
+##  On systems that have such support, make an explicit request to the kernel
+##  to dump cores when the filter crashes for some reason.  Some modern UNIX
+##  systems suppress core dumps during crashes for security reasons if the
+##  user ID has changed during the lifetime of the process.  Currently only
+##  supported on Linux.
+#
+# EnableCoreDumps false
+##  FailureReports { true | false }
+##      default "false"
+##
+##  Enables generation of failure reports when the DMARC test fails and the
+##  purported sender of the message has requested such reports.  Reports are
+##  formatted per RFC6591.
+#
+# FailureReports false
+# Django : 2014-12-17
+FailureReports true
+##  FailureReportsBcc (string)
+##      default (none)
+##
+##  When failure reports are enabled and one is to be generated, always
+##  send one to the address(es) specified here.  If a failure report is
+##  requested by the domain owner, the address(es) are added in a Bcc: field.
+##  If no request is made, they address(es) are used in a To: field.  There
+##  is no default.
+#
+# FailureReportsBcc postmaster@example.coom
+##  FailureReportsOnNone { true | false }
+##      default "false"
+##
+##  Supplements the "FailureReports" setting by generating reports for
+##  domains that advertise "none" policies.  By default, reports are only
+##  generated (when enabled) for sending domains advertising a "quarantine"
+##  or "reject" policy.
+#
+# FailureReportsOnNone false
+##  FailureReportsSentBy string
+##      default "USER@HOSTNAME"
+##
+##  Specifies the email address to use in the From: field of failure
+##  reports generated by the filter.  The default is to use the userid of
+##  the user running the filter and the local hostname to construct an
+##  email address.  "postmaster" is used in place of the userid if a name
+##  could not be determined.
+#
+# FailureReportsSentBy USER@HOSTNAME
+# Django : 2014-12-17
+FailureReportsSentBy dmarc-admin@nausch.org
+##  HistoryFile path
+##      default (none)
+##
+##  If set, specifies the location of a text file to which records are written
+##  that can be used to generate DMARC aggregate reports.  Records are groups
+##  of rows containing information about a single received message, and
+##  include all relevant information needed to generate a DMARC aggregate
+##  report.  It is expected that this will not be used in its raw form, but
+##  rather periodically imported into a relational database from which the
+##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
+#
+HistoryFile /var/run/opendmarc/opendmarc.dat
+##  IgnoreAuthenticatedClients { true | false }
+##      default "false"
+##
+##  If set, causes mail from authenticated clients (i.e., those that used
+##  SMTP AUTH) to be ignored by the filter.
+#
+# IgnoreAuthenticatedClients false
+##  IgnoreHosts path
+##      default (internal)
+##
+##  Specifies the path to a file that contains a list of hostnames, IP
+##  addresses, and/or CIDR expressions identifying hosts whose SMTP
+##  connections are to be ignored by the filter.  If not specified, defaults
+##  to "127.0.0.1" only.
+#
+# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
+# Django : 2014-12-17
+IgnoreHosts /etc/opendmarc/ignore.hosts
+##  IgnoreMailFrom domain[,...]
+##      default (none)
+##
+##  Gives a list of domain names whose mail (based on the From: domain) is to
+##  be ignored by the filter.  The list should be comma-separated.  Matching
+##  against this list is case-insensitive.  The default is an empty list,
+##  meaning no mail is ignored.
+#
+# IgnoreMailFrom example.com
+##  MilterDebug (integer)
+##      default 0
+##
+##  Sets the debug level to be requested from the milter library.
+#
+# MilterDebug 0
+# Django : 2014-12-17
+MilterDebug 5
+##  PidFile path
+##      default (none)
+##
+##  Specifies the path to a file that should be created at process start
+##  containing the process ID.
+##
+#
+# PidFile /var/run/opendmarc/opendmarc.pid
+##  PublicSuffixList path
+##      default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.
+#
+# PublicSuffixList path
+##  RecordAllMessages { true | false }
+##      default "false"
+##
+##  If set and "HistoryFile" is in use, all received messages are recorded
+##  to the history file.  If not set (the default), only messages for which
+##  the From: domain published a DMARC record will be recorded in the
+##  history file.
+#
+# RecordAllMessages false
+##  RejectFailures { true | false }
+##      default "false"
+##
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
+##  temp-failed if evaluation could not be completed.  By default, no message
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
+##  evaluation of the message.  Instead, an Authentication-Results header
+##  field will be added.
+#
+# RejectFailures false
+##  ReportCommand string
+##      default "/usr/sbin/sendmail -t"
+##
+##  Indicates the shell command to which failure reports should be passed for
+##  delivery when "FailureReports" is enabled.
+#
+# ReportCommand /usr/sbin/sendmail -t
+##  RequiredHeaders { true | false }
+##      default "false"
+##
+##  If set, the filter will ensure the header of the message conforms to the
+##  basic header field count restrictions laid out in RFC5322, Section 3.6.
+##  Messages failing this test are rejected without further processing.  A
+##  From: field from which no domain name could be extracted will also be
+##  rejected.
+#
+# RequiredHeaders false
+##  Socket socketspec
+##      default (none)
+##
+##  Specifies the socket that should be established by the filter to receive
+##  connections from sendmail(8) in order to provide service.  socketspec is
+##  in one of two forms: local:path, which creates a UNIX domain socket at
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
+##  a TCP socket on the specified port for the appropriate protocol family.
+##  If the host is not given as either a hostname or an IP address, the
+##  socket will be listening on all interfaces.  This option is mandatory
+##  either in the configuration file or on the command line.  If an IP
+##  address is used, it must be enclosed in square brackets.
+#
+# Socket inet:8893@localhost
+# Django : 2014-12-17
+Socket inet:8893@localhost
+##  SoftwareHeader { true | false }
+##      default "false"
+##
+##  Causes the filter to add a "DMARC-Filter" header field indicating the
+##  presence of this filter in the path of the message from injection to
+##  delivery.  The product's name, version, and the job ID are included in
+##  the header field's contents.
+#
+# SoftwareHeader false
+# Django : 2014-12-17
+SoftwareHeader true
+##  SPFIgnoreResults { true | false }
+##      default "false"
+##
+##  Causes the filter to ignore any SPF results in the header of the
+##  message.  This is useful if you want the filter to perfrom SPF checks
+##  itself, or because you don't trust the arriving header.
+#
+# SPFIgnoreResults false
+##  SPFSelfValidate { true | false }
+##      default false
+##
+##  Enable internal spf checking with --with-spf
+##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
+##
+##  Causes the filter to perform a fallback SPF check itself when
+##  it can find no SPF results in the message header.  If SPFIgnoreResults
+##  is also set, it never looks for SPF results in headers and
+##  always performs the SPF check itself when this is set.
+#
+# SPFSelfValidate false
+##  Syslog { true | false }
+##      default "false"
+##
+##  Log via calls to syslog(3) any interesting activity.
+#
+# Syslog false
+# Django : 2014-12-17
+Syslog true
+##  SyslogFacility facility-name
+##      default "mail"
+##
+##  Log via calls to syslog(3) using the named facility.  The facility names
+##  are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+##  TemporaryDirectory path
+##      default /var/tmp
+##
+##  Specifies the directory in which temporary files should be written.
+#
+# TemporaryDirectory /var/tmp
+##  TrustedAuthservIDs string
+##      default HOSTNAME
+##
+##  Specifies one or more "authserv-id" values to trust as relaying true
+##  upstream DKIM and SPF results.  The default is to use the name of
+##  the MTA processing the message.  To specify a list, separate each entry
+##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
+##  the host running the filter as reported by the gethostname(3) function.
+#
+# TrustedAuthservIDs HOSTNAME
+##  UMask mask
+##      default (none)
+##
+##  Requests a specific permissions mask to be used for file creation.  This
+##  only really applies to creation of the socket when Socket specifies a
+##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+##  files are normally created by the mkstemp(3) function that enforces a
+##  specific file mode on creation regardless of the process umask.  See
+##  umask(2) for more information.
+#
+# UMask 077
+# Django : 2014-12-17
+UMask 007
+##  UserID user[:group]
+##      default (none)
+##
+##  Attempts to become the specified userid before starting operations.
+##  The process will be assigned all of the groups and primary group ID of
+##  the named userid unless an alternate group is specified.
+#
+# UserID opendmarc
+# Django : 2014-12-17
+#UserID opendmarc:dmarc
+</file>
+=== ignore.hosts ====
+   # vim /etc/opendmarc/ignore.hosts
+<file bash /etc/opendmarc/ignore.hosts>#  Specifies a file that contains a list of hostnames, IP addresses and/or
+#  CIDR expressions identifying hosts whose SMTP connections are to be
+# ignored by the filter.  If not specified, defaults
+#  to "127.0.0.1" only.
+.0.0.1
+</file>
+=== Public Suffix List ====
+Im [[https://tools.ietf.org/html/rfc7489|RFC 7489]] wird die optionale Verwendung einer Public Suffix List im Kapitel **[[https://tools.ietf.org/html/rfc7489#appendix-A.6.1|Appendix A.6.1]]** beschrieben. Wir werden dieser Konfigurationsoption nun entsprechend aktivieren.
+Zuvor holen wir uns aber erst einmal diese Liste von der Webseite **[[https://publicsuffix.org/list/|Public Suffix List]]** der [[http://www.mozilla.org/|Mozilla Foundation]] herunter.
+   # wget --no-check-certificate -q -N https://publicsuffix.org/list/effective_tld_names.dat -O /etc/opendmarc/effective_tld_names.dat
+In unregelmäßigen Abständen, meist mehrmals pro Monat, wird diese Liste aktualisiert. Damit wir nun nicht händisch für die Aktualität dieser Liste sorgen müssen, legen wir uns einen kleinen cronjob an, der 1x pro Woche ausgeführt werden soll.
+   # vim /etc/cron.weekly/update_PublicSuffixList
+<file bash /etc/cron.weekly/update_PublicSuffixList>#!/bin/bash
+# Script zum Aktualisieren der Public Suffix List für opendmarc
+# Django <django@nausch.org> (c) 2015
+#
+/user/bin/wget --no-check-certificate -q -N https://publicsuffix.org/list/effective_tld_names.dat -O /etc/opendmarc/effective_tld_names.dat</file>
+Was nun noch fehlt, ist die Aktivierung dieser Option in der Konfigurationsdatei von **opendmarc**.
+   # vim /etc/opendmarc.conf
+<code bash /etc/opendmarc.conf>...
+##  PublicSuffixList path
+##      default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.
+#
+# Django : 2015-12-10
+# default: unset
+PublicSuffixList /etc/opendmarc/effective_tld_names.dat
+...
+</code>
+Zum Aktivieren der **Public Suffix List** brauchen wir dann nur noch den Daemon 1x durchstarten.
+   # systemctl restart opendmarc.service
+==== mysql Konfiguration ====
+Eigentlich könnten wir nun schon unseren DMARC-Daemon starten. Jedoch wollen wir noch kurz die nötige mySQL-Datenbank anlegen, damit der Daemon die gewünschten aufbereiteten Statiskdaten und forensischen Berichte generieren und dann per eMail verschicken kann.
+Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an.
+   # mysql -h localhost -u root -p
+<code>Enter password:
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 1942
+Server version: 5.1.67 Source distribution
+Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+mysql>
+</code>
+Dort legen wir als aller erst einmal eine Datenbank mit dem Namen **opendmarc** an.
+   mysql> CREATE DATABASE opendmarc;
+Anschließend legen wir uns dann einen Datenbankuser an, dem wir entsprechende Rechte an der Datenbank **opendmarc** einräumen.
+   mysql> CREATE USER 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
+  Query OK, 0 rows affected (0.00 sec)
+   mysql> CREATE USER 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
+  Query OK, 0 rows affected (0.00 sec)
+Anschließend setzen wir noch die Nutzerberechtigungen unseres Datenbanknutzers **opendmarc_user** für die Datenbank **opendmarc**
+   mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
+  Query OK, 0 rows affected (0.00 sec)
+  mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
+  Query OK, 0 rows affected (0.00 sec)
+Zur Aktivierung weisen wir nun noch die Berechtigungen zu:
+  mysql> FLUSH PRIVILEGES;
+  Query OK, 0 rows affected (0.00 sec)
+Abschließend melden wir uns wieder von unserem Datenbankhost ab.
+  mysql> quit
+  Bye
+Bevor wir die benötigten Tabellen anlegen, testen wir noch, ob der Zugriff von unserem Mail- bzw. Datenimportserver funktioniert.
+   # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
+<code>Enter password:
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 2889
+Server version: 5.1.73 Source distribution
+Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+mysql>
+</code>
+   mysql> show databases;
+<code>+--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| opendmarc          |
++--------------------+
+rows in set (0.00 sec)
+</code>
+   mysql> quit
+  Bye
+Mit Hilfe der Datei //**/usr/share/doc/opendmarc-1.3.0/schema.mysql**// legen wir nun abschließend die Tabellen in der Datenbank **opendmarc** an.
+   # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p < /usr/share/doc/opendmarc-1.3.0/schema.mysql
+Auch hier können wir uns bei Bedarf noch überprüfen, welche Tabellen angelegt wurden.
+   # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
+<code>Enter password:
+Reading table information for completion of table and column names
+You can turn off this feature to get a quicker startup with -A
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 2933
+Server version: 5.1.73 Source distribution
+Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+mysql>
+</code>
+   mysql> show databases;
+<code>+--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| opendmarc          |
++--------------------+
+rows in set (0.00 sec)
+mysql>
+</code>
+   mysql> use opendmarc;
+  Database changed
+  mysql>
+   mysql> show tables;
+<code>+---------------------+
+| Tables_in_opendmarc |
++---------------------+
+| domains             |
+| ipaddr              |
+| messages            |
+| reporters           |
+| requests            |
+| signatures          |
++---------------------+
+rows in set (0.00 sec)
+mysql>
+</code>
+   mysql> quit
+  Bye
+==== dbCollecting User einrichten ====
+Nicht immer möchte oder kann man von seinem oder seinen Mailservern eine Verbindung zum Datenbankhost ermöglichen. Um jetzt nicht von jedem einzelnen MX-Server einzurichten, verwenden wir einen User, den wir zum Einsammeln der Daten degradieren.
+Wir legen uns nun unseren Nutzer an. Als UID und GID verwenden wir eine entsprechend freie Nummer, die wir entsprechend vorher abprüfen.
+   # grep 989 /etc/group
+   # grep 989 /etc/passwd
+Anschließend legen wir uns unseren User an.
+   # groupadd -g 989 dmarc && useradd dmarc -c "DMARC" -g 989 -u 989 -m
+Anschließend erzeugen wir uns noch einen entsprechenden SSH-Key und verteilen diesen auf unseren Mailservern. Entsprechende Schritte sind im Wiki [[https://dokuwiki.nausch.org/doku.php/centos:ssh-install|hier]] beschrieben.
+==== dbCollecting Script anlegen ====
+Zum Einsammeln der Statistikdaten legen wir uns nun ein einfaches Shellscript an.
+   # vim /root/bin/dmarc-report>
+<file bash /root/bin/dmarc-report>#!/bin/sh
+# Script zum Importieren der DMARC-Daten aus dem lokalen cache-Datei in die mySQL Datenbank
+# und Generieren der DMARC-reports
+# Das Script wird um 03:33 Uhr via cronjob aufgerufen.
+#
+# crontab
+# einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen.
+# 33 3 * * * /usr/local/bin/dmarc-report 1>/dev/null 2>&1
+#
+# Django : 2014-03-20
+WORKDIR="/home/dmarc/"
+WORKFILE="opendmarc_all_hosts.dat"
+SSHKEYFILE=".ssh/id_rsa"
+MXHOSTS="mx01.nausch.org mx02.nausch.org mx03.nausch.org"
+DBFILE="opendmarc.dat"
+DBHOST="mysql.dmz.nausch.org"
+DBPORT="3306"
+DBUSER="opendmarc_user"
+DBPASSWD="ALLHs6blVwd8eHoSk2J3WZsT"
+DBNAME="opendmarc"
+# DMARC Datenfile von den Mailservern abholen
+cd $WORKDIR
+for HOST in $MXHOSTS; do
+    scp -i $WORKDIR$SSHKEYFILE dmarc@${HOST}:/var/run/opendmarc/$DBFILE ${HOST}.dat
+    ssh -i $WORKDIR$SSHKEYFILE dmarc@${HOST} "/bin/cat /dev/null > /var/run/opendmarc/$DBFILE"
+    cat ${HOST}.dat >> $WORKFILE
+done
+# DMARC Daten in die mySQL-Datenbank opendmarc schreiben
+/usr/sbin/opendmarc-import --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
+  --dbpasswd=$DBPASSWD < $WORKDIR$WORKFILE
+# DMARC Statistik-Report erstellen
+/usr/sbin/opendmarc-reports --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
+  --dbpasswd=$DBPASSWD --verbose --interval=86400 --report-email 'postmaster@nausch.org' --report-org 'nausch.org'
+# DMARC Datenbank aufräumen, Datensätze die älter als 90 Tage sind werden gelöscht
+/usr/sbin/opendmarc-expire --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
+  --dbpasswd=$DBPASSWD --verbose --expire=90
+# Work-Verzeichnis wieder aufräumen
+cd $WORKDIR
+rm $WORKDIR*.dat -rf
+</file>
+Anschließen setzen wir die Ausführungsrechte unseres neuen Scriptes.
+   # chmod +x /root/bin/dmarc-report
+Zu guter Letzt aktivieren wir dann noch einen Cronjob für die tägliche Ausführung.
+   # crontab -e
+<code bash>...
+# Django : 2014-03-20
+# einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen.
+3 * * * /root/bin/dmarc-report 1>/dev/null 2>&1
+...
+</code>
+==== Postfix ====
+In der Konfigurationsdatei **main.cf** unseres Postfix-Mailserver definieren wir uns nun eine eigene Variable, die wir dann in der Datei //**/etc/postfix/master.cf**// dann verwenden wollen. Wir tragen also nun in der Section **MILTER** nachfolgende Zeilen ein.
+   # vim /etc/postfix/main.cf
+<file bash /etc/postfix/main.cf>...
+################################################################################
+## MILTER
+# Django : 2014-11-18
+# DMARC Test
+spf_milter       = inet:127.0.0.1:8890
+opendkim_milter  = inet:127.0.0.1:8891
+opendmarc_milter = inet:127.0.0.1:8893
+amavisd_milter   = inet:10.0.0.67:8899
+...
+</file>
+In der Konfigurationsdatei //**/etc/postfix/master.cf**// legen wir nun fest, dass bei der Annahme auf Port **25** unser gerade definierte **smf-spf**-milter verwendet werden soll.
+   # vim /etc/postfix/master.cf
+<code>...
+smtp      inet  n       -       n       -       1       postscreen
+smtpd     pass  -       -       n       -       -       smtpd
+  -o smtpd_milters=${spf_milter},${opendkim_milter},${opendmarc_milter},${amavisd_milter}
+  -o smtpd_sasl_auth_enable=no
+dnsblog   unix  -       -       n       -       0       dnsblog
+tlsproxy  unix  -       -       n       -       0       tlspr
+</code>
+===== Programmstart =====
+Das Starten des Daemon erfolgt über folgenden Aufruf.
+   # systemctl start opendmarc
+Den erfolgreichen Start bzw. den Status des **smf-spf**-Daemon können wir bei Bedarf mit folgendem Aufruf abfragen.
+   # systemctl status opendmarc
+<code>opendmarc.service - opendmarc - DMARC email policy filter for MTAs.
+   Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; disabled)
+   Active: active (running) since Wed 2014-12-17 20:58:56 CET; 1h 45min ago
+ Main PID: 2370 (opendmarc)
+   CGroup: /system.slice/opendmarc.service
+           └─2370 /usr/sbin/opendmarc -f -c /etc/opendmarc/opendmarc.conf
+Dec 17 20:58:56 vml000087.dmz.nausch.org systemd[1]: Starting opendmarc - DMARC email policy filter for MTAs....
+Dec 17 20:58:56 vml000087.dmz.nausch.org systemd[1]: Started opendmarc - DMARC email policy filter for MTAs..
+Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: OpenDMARC Filter: Opening listen socket on conn inet:8893@localhost
+Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: OpenDMARC Filter v1.3.0 starting (args: -f -c /etc/opendmarc/opendmarc.conf)
+Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: trusted authentication services: mx01.nausch.org
+</code>
+Im Maillog wird der Start des Daemon entsprechend dokumentiert.
+   # less /var/log/maillog
+   Dec 17 22:45:08 vml000087 opendmarc[2912]: OpenDMARC Filter: Opening listen socket on conn inet:8893@localhost
+   Dec 17 22:45:08 vml000087 opendmarc[2912]: OpenDMARC Filter v1.3.0 starting (args: -f -c /etc/opendmarc/opendmarc.conf)
+   Dec 17 22:45:08 vml000087 opendmarc[2912]: trusted authentication services: mx01.nausch.org
+Mit Hilfe von **netstat** können wir überprüfen, ob der Port **8893** geöffnet wurde.
+   # netstat -tulpen
+<code>Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
+tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          37485      2476/master
+tcp        0      0 127.0.0.1:8890          0.0.0.0:*               LISTEN      993        24732      1441/smf-spf
+tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      991        25040      1680/opendkim
+tcp        0      0 127.0.0.1:8893          0.0.0.0:*               LISTEN      0          40337      2912/opendmarc
+</code>
+Gleiches können wir natürlich auch mit dem Befehl **lsof** erreichen.
+   # lsof -i:8893
+   COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
+   opendmarc 2912 root    4u  IPv4  40337      0t0  TCP localhost:ddi-tcp-6 (LISTEN)
+Damit der Daemon automatisch beim Hochfahren des Servers gestartet wird, nutzen wir folgenden Aufruf.
+   # systemctl enable opendmarc.service
+   ln -s '/usr/lib/systemd/system/opendmarc.service' '/etc/systemd/system/multi-user.target.wants/opendmarc.service'
+Wollen wir überprüfen ob der Dienst automatisch startet, verwenden wir folgenden Aufruf.
+   # systemctl is-enabled opendmarc.service
+   enabled
+Die Rückmeldung **enabled** zeigt an, dass der Dienst automatisch startet; ein **disabled** zeigt entsprechend an, dass der Dienst __nicht__ automatisch startet.
+===== Logging / Mailheader =====
+Im Maillog werden entsprechend unserer zuvor festgelegten Konfiguration, vom DMARC-Daemon logeinträge erzeugt.
+Folgender Logeintrag zeigt einen erfolgreiche DMARC-Überprüfung.
+  Mar 23 22:46:01 vml000080 opendmarc[25914]: C198981: gmail.com pass
+Im Mailheader der Nachricht, wird dies auch entsprechend vermerkt.
+  DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org C198981
+  Authentication-Results: mx01.nausch.org/C198981; dmarc=pass header.from=gmail.com
+Hat der Domainbetreiber keinen DMARC-Eintrag im DNS hinterlegt, sieht die betreffende Zeile im Maillog entsprechend so aus.
+  Mar 19 00:22:36 vml000080 opendmarc[14508]: D9B6D83: piratenpartei-bayern.de none
+Auch dies wird im Mailheader entsprechend vermerkt.
+  DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org D9B6D83
+  Authentication-Results: mx01.nausch.org/D9B6D83; dmarc=none header.from=piratenpartei-bayern.de
+<WRAP center round alert 35%> \\
+FIXME //... do geds weida!//
+</WRAP>