centos:mail_c7:spam_12

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung		 Vorhergehende Überarbeitung
centos:mail_c7:spam_12 [17.12.2014 20:54. ] – [Installation] djangocentos:mail_c7:spam_12 [18.11.2024 19:13. ] (aktuell) – Externe Bearbeitung 127.0.0.1
Zeile 1: Zeile 1:
-<WRAP center round info 60%>+<WRAP center round info 60%> \\ 
 Artikel befindet sich gerade in der Bearbeitung! Artikel befindet sich gerade in der Bearbeitung!
 </WRAP> </WRAP>
Zeile 21: Zeile 21:
 Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf. Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf.
  
-<uml width=900 title="DMARC - Verarbeitungsschritte einer eMail">+<uml>
 skinparam defaultFontName Courier skinparam defaultFontName Courier
 state "Absender Klaus generiert eMail" as sender state "Absender Klaus generiert eMail" as sender
Zeile 54: Zeile 54:
   smtpd_b : Bewertung der eMail   smtpd_b : Bewertung der eMail
   smtpd_b : mit Hilfe von Blacklists     smtpd_b : mit Hilfe von Blacklists  
-  smtpd_b : und greylisting+  smtpd_b : und postscreen
  
   state "SPAM- und Virenüberprüfung" as amavis1   state "SPAM- und Virenüberprüfung" as amavis1
Zeile 174: Zeile 174:
   regelmäßiger forensischer    regelmäßiger forensischer 
   Bericht an den im DMARC-Record    Bericht an den im DMARC-Record 
-  hinterlegten "ruaf=mailto"-+  hinterlegten "rua=mailto"-
   Adresse des Mailserver-   Adresse des Mailserver-
   betreibers des Absender-   betreibers des Absender-
Zeile 289: Zeile 289:
  
 ===== Installation ===== ===== Installation =====
-Die einfachste und schnellste Variante bei der Installation ist die aus dem Repository **[[centos:mailserver.guru|mailserver.guru]]**. Hier reicht ein einfacher Aufruf von **yum** und alles wird automatisch installiert inkl. der Paketabhängigkeiten. +Die einfachste und schnellste Variante bei der Installation ist die aus dem Repository **[[centos:nausch.org|nausch.org]]**. Hier reicht ein einfacher Aufruf von **yum** und alles wird automatisch installiert inkl. der Paketabhängigkeiten. 
    # yum install opendmarc    # yum install opendmarc
  
-Will oder kann man nicht auf das Repository **[[centos:mailserver.guru|mailserver.guru]]** zurückgreifen, steht immer noch der Installation per Hand nichts im Wege. +Will oder kann man nicht auf das Repository **[[centos:nausch.org|nausch.org]]** zurückgreifen, steht immer noch der Installation per Hand nichts im Wege. 
-   # yum localinstall http://repo7.mailserver.guru/7/x86_64/libopendmarc-1.3.0-1.el7.centos.x86_64.rpm \  +   # yum localinstall http://repo7.nausch.org/7/x86_64/libopendmarc-1.3.0-1.el7.centos.x86_64.rpm \  
-                      http://repo7.mailserver.guru/7/x86_64/opendmarc-1.3.0-1.el7.centos.x86_64.rpm+                      http://repo7.nausch.org/7/x86_64/opendmarc-1.3.0-1.el7.centos.x86_64.rpm
  
 Was das RPM alle mitbrachte zeigt ein Blick in die RPM-Datenbank. Was das RPM alle mitbrachte zeigt ein Blick in die RPM-Datenbank.
Zeile 1414: Zeile 1414:
 </code> </code>
  
 +===== Konfiguration =====
 +==== opendmarc ====
 +=== opendmarc.conf ===
 +Die Konfiguration von OpenDMARC erfolgt über die Konfigurationsdatei **opendmarc.conf** im Verzeichnis //**/etc/opendmarc/**//.
 +   # vim /etc/opendmarc/opendmarc.conf
 +
 +<file bash /etc/opendmarc/opendmarc.conf>##
 +## opendmarc.conf -- configuration file for OpenDMARC filter
 +##
 +## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
 +##
 +
 +##  AuthservID (string)
 +##      defaults to MTA name
 +##
 +##  Sets the "authserv-id" to use when generating the Authentication-Results:
 +##  header field after verifying a message.  If the string "HOSTNAME" is
 +##  provided, the name of the host running the filter (as returned by the
 +##  gethostname(3) function) will be used.  
 +#
 +# AuthservID name
 +# Django : 2014-12-17
 +AuthservID mx01.nausch.org
 +
 +##  AuthservIDWithJobID { true | false }
 +##      default "false"
 +##
 +##  If "true", requests that the authserv-id portion of the added
 +##  Authentication-Results header fields contain the job ID of the message
 +##  being evaluated.
 +#
 +# AuthservIDWithJobID false
 +# Django : 2014-02-17
 +AuthservIDWithJobID true
 +
 +##  AutoRestart { true | false }
 +##      default "false"
 +##
 +##  Automatically re-start on failures. Use with caution; if the filter fails
 +##  instantly after it starts, this can cause a tight fork(2) loop.
 +#
 +# AutoRestart false
 +
 +##  AutoRestartCount n
 +##      default 0
 +##
 +##  Sets the maximum automatic restart count.  After this number of automatic
 +##  restarts, the filter will give up and terminate.  A value of 0 implies no
 +##  limit.
 +#
 +# AutoRestartCount 0
 +
 +##  AutoRestartRate n/t[u]
 +##      default (no limit)
 +##
 +##  Sets the maximum automatic restart rate.  If the filter begins restarting
 +##  faster than the rate defined here, it will give up and terminate.  This
 +##  is a string of the form n/t[u] where n is an integer limiting the count
 +##  of restarts in the given interval and t[u] defines the time interval
 +##  through which the rate is calculated; t is an integer and u defines the
 +##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
 +##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
 +##  value of "10/1h" limits the restarts to 10 in one hour. There is no
 +##  default, meaning restart rate is not limited.
 +#
 +# AutoRestartRate n/t[u]
 +
 +##  Background { true | false }
 +##      default "true"
 +##
 +##  Causes opendmarc to fork and exits immediately, leaving the service
 +##  running in the background.
 +#
 +# Background true
 +
 +##  BaseDirectory (string)
 +##      default (none)
 +##
 +##  If set, instructs the filter to change to the specified directory using
 +##  chdir(2) before doing anything else.  This means any files referenced
 +##  elsewhere in the configuration file can be specified relative to this
 +##  directory.  It's also useful for arranging that any crash dumps will be
 +##  saved to a specific location.
 +#
 +# BaseDirectory /var/run/opendmarc
 +
 +##  ChangeRootDirectory (string)
 +##      default (none)
 +##
 +##  Requests that the operating system change the effective root directory of
 +##  the process to the one specified here prior to beginning execution.
 +##  chroot(2) requires superuser access.  A warning will be generated if
 +##  UserID is not also set.
 +
 +# ChangeRootDirectory /var/chroot/opendmarc
 +
 +##  CopyFailuresTo (string)
 +##      default (none)
 +##
 +##  Requests addition of the specified email address to the envelope of
 +##  any message that fails the DMARC evaluation.
 +#
 +# CopyFailuresTo postmaster@localhost
 +
 +##  DNSTimeout (integer)
 +##      default 5
 +## 
 +##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
 +##  (NOT YET IMPLEMENTED)
 +#
 +# DNSTimeout 5
 +
 +##  EnableCoredumps { true | false }
 +##      default "false"
 +##
 +##  On systems that have such support, make an explicit request to the kernel
 +##  to dump cores when the filter crashes for some reason.  Some modern UNIX
 +##  systems suppress core dumps during crashes for security reasons if the
 +##  user ID has changed during the lifetime of the process.  Currently only
 +##  supported on Linux.
 +#
 +# EnableCoreDumps false
 +
 +##  FailureReports { true | false }
 +##      default "false"
 +##
 +##  Enables generation of failure reports when the DMARC test fails and the
 +##  purported sender of the message has requested such reports.  Reports are
 +##  formatted per RFC6591.
 +
 +# FailureReports false
 +# Django : 2014-12-17
 +FailureReports true
 +
 +##  FailureReportsBcc (string)
 +##      default (none)
 +##
 +##  When failure reports are enabled and one is to be generated, always
 +##  send one to the address(es) specified here.  If a failure report is
 +##  requested by the domain owner, the address(es) are added in a Bcc: field.
 +##  If no request is made, they address(es) are used in a To: field.  There
 +##  is no default.
 +
 +# FailureReportsBcc postmaster@example.coom
 +
 +##  FailureReportsOnNone { true | false }
 +##      default "false"
 +##
 +##  Supplements the "FailureReports" setting by generating reports for
 +##  domains that advertise "none" policies.  By default, reports are only
 +##  generated (when enabled) for sending domains advertising a "quarantine"
 +##  or "reject" policy.
 +
 +# FailureReportsOnNone false
 +
 +##  FailureReportsSentBy string
 +##      default "USER@HOSTNAME"
 +##
 +##  Specifies the email address to use in the From: field of failure
 +##  reports generated by the filter.  The default is to use the userid of
 +##  the user running the filter and the local hostname to construct an
 +##  email address.  "postmaster" is used in place of the userid if a name
 +##  could not be determined.
 +
 +# FailureReportsSentBy USER@HOSTNAME
 +# Django : 2014-12-17
 +FailureReportsSentBy dmarc-admin@nausch.org
 +
 +##  HistoryFile path
 +##      default (none)
 +##
 +##  If set, specifies the location of a text file to which records are written
 +##  that can be used to generate DMARC aggregate reports.  Records are groups
 +##  of rows containing information about a single received message, and
 +##  include all relevant information needed to generate a DMARC aggregate
 +##  report.  It is expected that this will not be used in its raw form, but
 +##  rather periodically imported into a relational database from which the
 +##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
 +#
 +HistoryFile /var/run/opendmarc/opendmarc.dat
 +
 +##  IgnoreAuthenticatedClients { true | false }
 +##      default "false"
 +##
 +##  If set, causes mail from authenticated clients (i.e., those that used
 +##  SMTP AUTH) to be ignored by the filter.
 +#
 +# IgnoreAuthenticatedClients false
 +
 +##  IgnoreHosts path
 +##      default (internal)
 +##
 +##  Specifies the path to a file that contains a list of hostnames, IP
 +##  addresses, and/or CIDR expressions identifying hosts whose SMTP
 +##  connections are to be ignored by the filter.  If not specified, defaults
 +##  to "127.0.0.1" only.
 +#
 +# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
 +# Django : 2014-12-17
 +IgnoreHosts /etc/opendmarc/ignore.hosts
 +
 +##  IgnoreMailFrom domain[,...]
 +##      default (none)
 +##
 +##  Gives a list of domain names whose mail (based on the From: domain) is to
 +##  be ignored by the filter.  The list should be comma-separated.  Matching
 +##  against this list is case-insensitive.  The default is an empty list,
 +##  meaning no mail is ignored.
 +#
 +# IgnoreMailFrom example.com
 +
 +##  MilterDebug (integer)
 +##      default 0
 +##
 +##  Sets the debug level to be requested from the milter library.
 +#
 +# MilterDebug 0
 +# Django : 2014-12-17
 +MilterDebug 5
 +
 +##  PidFile path
 +##      default (none)
 +##
 +##  Specifies the path to a file that should be created at process start
 +##  containing the process ID.
 +##
 +#
 +# PidFile /var/run/opendmarc/opendmarc.pid
 +
 +##  PublicSuffixList path
 +##      default (none)
 +##
 +##  Specifies the path to a file that contains top-level domains (TLDs) that
 +##  will be used to compute the Organizational Domain for a given domain name,
 +##  as described in the DMARC specification.  If not provided, the filter will
 +##  not be able to determine the Organizational Domain and only the presented
 +##  domain will be evaluated.
 +#
 +# PublicSuffixList path
 +
 +##  RecordAllMessages { true | false }
 +##      default "false"
 +##
 +##  If set and "HistoryFile" is in use, all received messages are recorded
 +##  to the history file.  If not set (the default), only messages for which
 +##  the From: domain published a DMARC record will be recorded in the
 +##  history file.
 +#
 +# RecordAllMessages false
 +
 +##  RejectFailures { true | false }
 +##      default "false"
 +##
 +##  If set, messages will be rejected if they fail the DMARC evaluation, or
 +##  temp-failed if evaluation could not be completed.  By default, no message
 +##  will be rejected or temp-failed regardless of the outcome of the DMARC
 +##  evaluation of the message.  Instead, an Authentication-Results header
 +##  field will be added.
 +#
 +# RejectFailures false
 +
 +##  ReportCommand string
 +##      default "/usr/sbin/sendmail -t"
 +##
 +##  Indicates the shell command to which failure reports should be passed for
 +##  delivery when "FailureReports" is enabled.
 +#
 +# ReportCommand /usr/sbin/sendmail -t
 +
 +##  RequiredHeaders { true | false }
 +##      default "false"
 +##
 +##  If set, the filter will ensure the header of the message conforms to the
 +##  basic header field count restrictions laid out in RFC5322, Section 3.6.
 +##  Messages failing this test are rejected without further processing.  A
 +##  From: field from which no domain name could be extracted will also be
 +##  rejected.
 +#
 +# RequiredHeaders false
 +
 +##  Socket socketspec
 +##      default (none)
 +##
 +##  Specifies the socket that should be established by the filter to receive
 +##  connections from sendmail(8) in order to provide service.  socketspec is
 +##  in one of two forms: local:path, which creates a UNIX domain socket at
 +##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
 +##  a TCP socket on the specified port for the appropriate protocol family.
 +##  If the host is not given as either a hostname or an IP address, the
 +##  socket will be listening on all interfaces.  This option is mandatory
 +##  either in the configuration file or on the command line.  If an IP
 +##  address is used, it must be enclosed in square brackets.
 +#
 +# Socket inet:8893@localhost
 +# Django : 2014-12-17
 +Socket inet:8893@localhost
 +
 +##  SoftwareHeader { true | false }
 +##      default "false"
 +##
 +##  Causes the filter to add a "DMARC-Filter" header field indicating the
 +##  presence of this filter in the path of the message from injection to
 +##  delivery.  The product's name, version, and the job ID are included in
 +##  the header field's contents.
 +#
 +# SoftwareHeader false
 +# Django : 2014-12-17
 +SoftwareHeader true
 +
 +##  SPFIgnoreResults { true | false }
 +##      default "false"
 +##
 +##  Causes the filter to ignore any SPF results in the header of the
 +##  message.  This is useful if you want the filter to perfrom SPF checks
 +##  itself, or because you don't trust the arriving header.
 +#
 +# SPFIgnoreResults false
 +
 +##  SPFSelfValidate { true | false }
 +##      default false
 +##
 +##  Enable internal spf checking with --with-spf
 +##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
 +##
 +##  Causes the filter to perform a fallback SPF check itself when
 +##  it can find no SPF results in the message header.  If SPFIgnoreResults
 +##  is also set, it never looks for SPF results in headers and
 +##  always performs the SPF check itself when this is set.
 +#
 +# SPFSelfValidate false
 +
 +##  Syslog { true | false }
 +##      default "false"
 +##
 +##  Log via calls to syslog(3) any interesting activity.
 +#
 +# Syslog false
 +# Django : 2014-12-17
 +Syslog true
 +
 +##  SyslogFacility facility-name
 +##      default "mail"
 +##
 +##  Log via calls to syslog(3) using the named facility.  The facility names
 +##  are the same as the ones allowed in syslog.conf(5).
 +#
 +# SyslogFacility mail
 +
 +##  TemporaryDirectory path
 +##      default /var/tmp
 +##
 +##  Specifies the directory in which temporary files should be written.
 +#
 +# TemporaryDirectory /var/tmp
 +
 +##  TrustedAuthservIDs string
 +##      default HOSTNAME
 +##
 +##  Specifies one or more "authserv-id" values to trust as relaying true
 +##  upstream DKIM and SPF results.  The default is to use the name of
 +##  the MTA processing the message.  To specify a list, separate each entry
 +##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
 +##  the host running the filter as reported by the gethostname(3) function.
 +#
 +# TrustedAuthservIDs HOSTNAME
 +
 +
 +##  UMask mask
 +##      default (none)
 +##
 +##  Requests a specific permissions mask to be used for file creation.  This
 +##  only really applies to creation of the socket when Socket specifies a
 +##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
 +##  files are normally created by the mkstemp(3) function that enforces a
 +##  specific file mode on creation regardless of the process umask.  See
 +##  umask(2) for more information.
 +#
 +# UMask 077
 +# Django : 2014-12-17
 +UMask 007
 +
 +##  UserID user[:group]
 +##      default (none)
 +##
 +##  Attempts to become the specified userid before starting operations.
 +##  The process will be assigned all of the groups and primary group ID of
 +##  the named userid unless an alternate group is specified.
 +#
 +# UserID opendmarc
 +# Django : 2014-12-17
 +#UserID opendmarc:dmarc
 +</file>
 +
 +=== ignore.hosts ====
 +   # vim /etc/opendmarc/ignore.hosts
 +<file bash /etc/opendmarc/ignore.hosts>#  Specifies a file that contains a list of hostnames, IP addresses and/or
 +#  CIDR expressions identifying hosts whose SMTP connections are to be 
 +# ignored by the filter.  If not specified, defaults
 +#  to "127.0.0.1" only.
 +127.0.0.1
 +</file>
 +
 +=== Public Suffix List ====
 +Im [[https://tools.ietf.org/html/rfc7489|RFC 7489]] wird die optionale Verwendung einer Public Suffix List im Kapitel **[[https://tools.ietf.org/html/rfc7489#appendix-A.6.1|Appendix A.6.1]]** beschrieben. Wir werden dieser Konfigurationsoption nun entsprechend aktivieren. 
 +
 +Zuvor holen wir uns aber erst einmal diese Liste von der Webseite **[[https://publicsuffix.org/list/|Public Suffix List]]** der [[http://www.mozilla.org/|Mozilla Foundation]] herunter. 
 +   # wget --no-check-certificate -q -N https://publicsuffix.org/list/effective_tld_names.dat -O /etc/opendmarc/effective_tld_names.dat
 +
 +In unregelmäßigen Abständen, meist mehrmals pro Monat, wird diese Liste aktualisiert. Damit wir nun nicht händisch für die Aktualität dieser Liste sorgen müssen, legen wir uns einen kleinen cronjob an, der 1x pro Woche ausgeführt werden soll.
 +   # vim /etc/cron.weekly/update_PublicSuffixList
 +
 +<file bash /etc/cron.weekly/update_PublicSuffixList>#!/bin/bash
 +# Script zum Aktualisieren der Public Suffix List für opendmarc
 +# Django <django@nausch.org> (c) 2015
 +#
 +/user/bin/wget --no-check-certificate -q -N https://publicsuffix.org/list/effective_tld_names.dat -O /etc/opendmarc/effective_tld_names.dat</file>
 +
 +Was nun noch fehlt, ist die Aktivierung dieser Option in der Konfigurationsdatei von **opendmarc**.
 +   # vim /etc/opendmarc.conf
 +<code bash /etc/opendmarc.conf>...
 +
 +##  PublicSuffixList path
 +##      default (none)
 +##
 +##  Specifies the path to a file that contains top-level domains (TLDs) that
 +##  will be used to compute the Organizational Domain for a given domain name,
 +##  as described in the DMARC specification.  If not provided, the filter will
 +##  not be able to determine the Organizational Domain and only the presented
 +##  domain will be evaluated.
 +#
 +# Django : 2015-12-10
 +# default: unset
 +PublicSuffixList /etc/opendmarc/effective_tld_names.dat
 +
 +...
 +</code>
 +
 +Zum Aktivieren der **Public Suffix List** brauchen wir dann nur noch den Daemon 1x durchstarten.
 +   # systemctl restart opendmarc.service
 +
 +==== mysql Konfiguration ====
 +Eigentlich könnten wir nun schon unseren DMARC-Daemon starten. Jedoch wollen wir noch kurz die nötige mySQL-Datenbank anlegen, damit der Daemon die gewünschten aufbereiteten Statiskdaten und forensischen Berichte generieren und dann per eMail verschicken kann.
 +
 +Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an. 
 +   # mysql -h localhost -u root -p
 +
 +<code>Enter password: 
 +Welcome to the MySQL monitor.  Commands end with ; or \g.
 +Your MySQL connection id is 1942
 +Server version: 5.1.67 Source distribution
 +
 +Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 +
 +Oracle is a registered trademark of Oracle Corporation and/or its
 +affiliates. Other names may be trademarks of their respective
 +owners.
 +
 +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 +
 +mysql>
 +</code>
 +Dort legen wir als aller erst einmal eine Datenbank mit dem Namen **opendmarc** an. 
 +   mysql> CREATE DATABASE opendmarc;
 +
 +Anschließend legen wir uns dann einen Datenbankuser an, dem wir entsprechende Rechte an der Datenbank **opendmarc** einräumen. 
 +   mysql> CREATE USER 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
 +
 +  Query OK, 0 rows affected (0.00 sec)
 +
 +   mysql> CREATE USER 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
 +
 +  Query OK, 0 rows affected (0.00 sec)
 +
 +Anschließend setzen wir noch die Nutzerberechtigungen unseres Datenbanknutzers **opendmarc_user** für die Datenbank **opendmarc**
 +   mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
 +
 +  Query OK, 0 rows affected (0.00 sec)
 +
 +  mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
 +
 +  Query OK, 0 rows affected (0.00 sec)
 +
 +Zur Aktivierung weisen wir nun noch die Berechtigungen zu: 
 +  mysql> FLUSH PRIVILEGES;
 +
 +  Query OK, 0 rows affected (0.00 sec)
 +
 +Abschließend melden wir uns wieder von unserem Datenbankhost ab. 
 +  mysql> quit
 +
 +  Bye
 +
 +Bevor wir die benötigten Tabellen anlegen, testen wir noch, ob der Zugriff von unserem Mail- bzw. Datenimportserver funktioniert.
 +   # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
 +
 +<code>Enter password: 
 +Welcome to the MySQL monitor.  Commands end with ; or \g.
 +Your MySQL connection id is 2889
 +Server version: 5.1.73 Source distribution
 +
 +Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 +
 +Oracle is a registered trademark of Oracle Corporation and/or its
 +affiliates. Other names may be trademarks of their respective
 +owners.
 +
 +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 +
 +mysql>
 +</code>
 +   mysql> show databases;
 +<code>+--------------------+
 +| Database           |
 ++--------------------+
 +| information_schema |
 +| opendmarc          |
 ++--------------------+
 +2 rows in set (0.00 sec)
 +</code>
 +   mysql> quit
 +
 +  Bye
 +
 +Mit Hilfe der Datei //**/usr/share/doc/opendmarc-1.3.0/schema.mysql**// legen wir nun abschließend die Tabellen in der Datenbank **opendmarc** an.
 +   # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p < /usr/share/doc/opendmarc-1.3.0/schema.mysql
 +
 +Auch hier können wir uns bei Bedarf noch überprüfen, welche Tabellen angelegt wurden.
 +   # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
 +
 +<code>Enter password: 
 +Reading table information for completion of table and column names
 +You can turn off this feature to get a quicker startup with -A
 +
 +Welcome to the MySQL monitor.  Commands end with ; or \g.
 +Your MySQL connection id is 2933
 +Server version: 5.1.73 Source distribution
 +
 +Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 +
 +Oracle is a registered trademark of Oracle Corporation and/or its
 +affiliates. Other names may be trademarks of their respective
 +owners.
 +
 +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 +
 +mysql>
 +</code>
 +   mysql> show databases;
 +
 +<code>+--------------------+
 +| Database           |
 ++--------------------+
 +| information_schema |
 +| opendmarc          |
 ++--------------------+
 +2 rows in set (0.00 sec)
 +
 +mysql>
 +</code>
 +   mysql> use opendmarc;
 +
 +  Database changed
 +  mysql>
 +
 +   mysql> show tables;
 +<code>+---------------------+
 +| Tables_in_opendmarc |
 ++---------------------+
 +| domains             |
 +| ipaddr              |
 +| messages            |
 +| reporters           |
 +| requests            |
 +| signatures          |
 ++---------------------+
 +6 rows in set (0.00 sec)
 +
 +mysql>
 +</code>
 +   mysql> quit
 +
 +  Bye
 +
 +
 +==== dbCollecting User einrichten ====
 +Nicht immer möchte oder kann man von seinem oder seinen Mailservern eine Verbindung zum Datenbankhost ermöglichen. Um jetzt nicht von jedem einzelnen MX-Server einzurichten, verwenden wir einen User, den wir zum Einsammeln der Daten degradieren.
 +
 +Wir legen uns nun unseren Nutzer an. Als UID und GID verwenden wir eine entsprechend freie Nummer, die wir entsprechend vorher abprüfen.
 +   # grep 989 /etc/group
 +
 +   # grep 989 /etc/passwd
 +
 +Anschließend legen wir uns unseren User an.
 +   # groupadd -g 989 dmarc && useradd dmarc -c "DMARC" -g 989 -u 989 -m
 +
 +Anschließend erzeugen wir uns noch einen entsprechenden SSH-Key und verteilen diesen auf unseren Mailservern. Entsprechende Schritte sind im Wiki [[https://dokuwiki.nausch.org/doku.php/centos:ssh-install|hier]] beschrieben.
 +
 +==== dbCollecting Script anlegen ====
 +Zum Einsammeln der Statistikdaten legen wir uns nun ein einfaches Shellscript an.
 +   # vim /root/bin/dmarc-report>
 +<file bash /root/bin/dmarc-report>#!/bin/sh 
 +# Script zum Importieren der DMARC-Daten aus dem lokalen cache-Datei in die mySQL Datenbank
 +# und Generieren der DMARC-reports 
 +# Das Script wird um 03:33 Uhr via cronjob aufgerufen.
 +#
 +# crontab
 +# einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen.
 +# 33 3 * * * /usr/local/bin/dmarc-report 1>/dev/null 2>&1
 +#
 +# Django : 2014-03-20 
 +
 +WORKDIR="/home/dmarc/"
 +WORKFILE="opendmarc_all_hosts.dat"
 +SSHKEYFILE=".ssh/id_rsa"
 +MXHOSTS="mx01.nausch.org mx02.nausch.org mx03.nausch.org"
 +DBFILE="opendmarc.dat"
 +DBHOST="mysql.dmz.nausch.org"
 +DBPORT="3306"
 +DBUSER="opendmarc_user"
 +DBPASSWD="ALLHs6blVwd8eHoSk2J3WZsT"
 +DBNAME="opendmarc"
 +
 +# DMARC Datenfile von den Mailservern abholen
 +cd $WORKDIR
 +for HOST in $MXHOSTS; do
 +    scp -i $WORKDIR$SSHKEYFILE dmarc@${HOST}:/var/run/opendmarc/$DBFILE ${HOST}.dat
 +    ssh -i $WORKDIR$SSHKEYFILE dmarc@${HOST} "/bin/cat /dev/null > /var/run/opendmarc/$DBFILE"
 +    cat ${HOST}.dat >> $WORKFILE
 +done
 +
 +# DMARC Daten in die mySQL-Datenbank opendmarc schreiben
 +/usr/sbin/opendmarc-import --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
 +  --dbpasswd=$DBPASSWD < $WORKDIR$WORKFILE 
 +
 +# DMARC Statistik-Report erstellen
 +/usr/sbin/opendmarc-reports --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
 +  --dbpasswd=$DBPASSWD --verbose --interval=86400 --report-email 'postmaster@nausch.org' --report-org 'nausch.org'
 +
 +# DMARC Datenbank aufräumen, Datensätze die älter als 90 Tage sind werden gelöscht
 +/usr/sbin/opendmarc-expire --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
 +  --dbpasswd=$DBPASSWD --verbose --expire=90 
 +
 +# Work-Verzeichnis wieder aufräumen
 +cd $WORKDIR
 +rm $WORKDIR*.dat -rf
 +</file>
 +Anschließen setzen wir die Ausführungsrechte unseres neuen Scriptes.
 +   # chmod +x /root/bin/dmarc-report
 +
 +Zu guter Letzt aktivieren wir dann noch einen Cronjob für die tägliche Ausführung.
 +   # crontab -e
 +<code bash>...
 +
 +# Django : 2014-03-20
 +# einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen.
 +33 3 * * * /root/bin/dmarc-report 1>/dev/null 2>&1
 +
 +...
 +</code>
 +
 +==== Postfix ====
 +In der Konfigurationsdatei **main.cf** unseres Postfix-Mailserver definieren wir uns nun eine eigene Variable, die wir dann in der Datei //**/etc/postfix/master.cf**// dann verwenden wollen. Wir tragen also nun in der Section **MILTER** nachfolgende Zeilen ein.
 +   # vim /etc/postfix/main.cf
 +<file bash /etc/postfix/main.cf>...
 +
 +################################################################################
 +## MILTER
 +# Django : 2014-11-18
 +# DMARC Test
 +spf_milter       = inet:127.0.0.1:8890
 +opendkim_milter  = inet:127.0.0.1:8891
 +opendmarc_milter = inet:127.0.0.1:8893
 +amavisd_milter   = inet:10.0.0.67:8899
 +...
 +</file>
 +
 +In der Konfigurationsdatei //**/etc/postfix/master.cf**// legen wir nun fest, dass bei der Annahme auf Port **25** unser gerade definierte **smf-spf**-milter verwendet werden soll.
 +   # vim /etc/postfix/master.cf
 +
 +<code>...
 +
 +smtp      inet  n                               postscreen
 +smtpd     pass  -                               smtpd
 +  -o smtpd_milters=${spf_milter},${opendkim_milter},${opendmarc_milter},${amavisd_milter}
 +  -o smtpd_sasl_auth_enable=no
 +dnsblog   unix  -                               dnsblog
 +tlsproxy  unix  -                               tlspr
 +</code>
 +
 +===== Programmstart =====
 +Das Starten des Daemon erfolgt über folgenden Aufruf.
 +   # systemctl start opendmarc
 +
 +Den erfolgreichen Start bzw. den Status des **smf-spf**-Daemon können wir bei Bedarf mit folgendem Aufruf abfragen.
 +   # systemctl status opendmarc
 +
 +<code>opendmarc.service - opendmarc - DMARC email policy filter for MTAs.
 +   Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; disabled)
 +   Active: active (running) since Wed 2014-12-17 20:58:56 CET; 1h 45min ago
 + Main PID: 2370 (opendmarc)
 +   CGroup: /system.slice/opendmarc.service
 +           └─2370 /usr/sbin/opendmarc -f -c /etc/opendmarc/opendmarc.conf
 +
 +Dec 17 20:58:56 vml000087.dmz.nausch.org systemd[1]: Starting opendmarc - DMARC email policy filter for MTAs....
 +Dec 17 20:58:56 vml000087.dmz.nausch.org systemd[1]: Started opendmarc - DMARC email policy filter for MTAs..
 +Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: OpenDMARC Filter: Opening listen socket on conn inet:8893@localhost
 +Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: OpenDMARC Filter v1.3.0 starting (args: -f -c /etc/opendmarc/opendmarc.conf)
 +Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: trusted authentication services: mx01.nausch.org
 +</code>
 +
 +
 +Im Maillog wird der Start des Daemon entsprechend dokumentiert.
 +   # less /var/log/maillog
 +
 +   Dec 17 22:45:08 vml000087 opendmarc[2912]: OpenDMARC Filter: Opening listen socket on conn inet:8893@localhost
 +   Dec 17 22:45:08 vml000087 opendmarc[2912]: OpenDMARC Filter v1.3.0 starting (args: -f -c /etc/opendmarc/opendmarc.conf)
 +   Dec 17 22:45:08 vml000087 opendmarc[2912]: trusted authentication services: mx01.nausch.org
 +
 +Mit Hilfe von **netstat** können wir überprüfen, ob der Port **8893** geöffnet wurde.
 +   # netstat -tulpen
 +
 +<code>Active Internet connections (only servers)
 +Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
 +tcp        0      0 0.0.0.0:25              0.0.0.0:              LISTEN      0          37485      2476/master         
 +tcp        0      0 127.0.0.1:8890          0.0.0.0:              LISTEN      993        24732      1441/smf-spf        
 +tcp        0      0 127.0.0.1:8891          0.0.0.0:              LISTEN      991        25040      1680/opendkim       
 +tcp        0      0 127.0.0.1:8893          0.0.0.0:              LISTEN      0          40337      2912/opendmarc
 +</code>
 +
 +Gleiches können wir natürlich auch mit dem Befehl **lsof** erreichen.
 +   # lsof -i:8893
 +
 +   COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
 +   opendmarc 2912 root    4u  IPv4  40337      0t0  TCP localhost:ddi-tcp-6 (LISTEN)
 +
 +Damit der Daemon automatisch beim Hochfahren des Servers gestartet wird, nutzen wir folgenden Aufruf.
 +   # systemctl enable opendmarc.service
 +
 +   ln -s '/usr/lib/systemd/system/opendmarc.service' '/etc/systemd/system/multi-user.target.wants/opendmarc.service'
 +
 +Wollen wir überprüfen ob der Dienst automatisch startet, verwenden wir folgenden Aufruf. 
 +
 +   # systemctl is-enabled opendmarc.service
 +
 +   enabled
 +
 +Die Rückmeldung **enabled** zeigt an, dass der Dienst automatisch startet; ein **disabled** zeigt entsprechend an, dass der Dienst __nicht__ automatisch startet.
 +
 +===== Logging / Mailheader =====
 +Im Maillog werden entsprechend unserer zuvor festgelegten Konfiguration, vom DMARC-Daemon logeinträge erzeugt.
 +Folgender Logeintrag zeigt einen erfolgreiche DMARC-Überprüfung.
 +  Mar 23 22:46:01 vml000080 opendmarc[25914]: C198981: gmail.com pass
 +
 +Im Mailheader der Nachricht, wird dies auch entsprechend vermerkt.
 +  DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org C198981
 +  Authentication-Results: mx01.nausch.org/C198981; dmarc=pass header.from=gmail.com
 +
 +Hat der Domainbetreiber keinen DMARC-Eintrag im DNS hinterlegt, sieht die betreffende Zeile im Maillog entsprechend so aus.
 +  Mar 19 00:22:36 vml000080 opendmarc[14508]: D9B6D83: piratenpartei-bayern.de none
 +
 +Auch dies wird im Mailheader entsprechend vermerkt.
 +  DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org D9B6D83
 +  Authentication-Results: mx01.nausch.org/D9B6D83; dmarc=none header.from=piratenpartei-bayern.de
 +
 +<WRAP center round alert 35%> \\
 +FIXME //... do geds weida!//
 +</WRAP>
  
  • centos/mail_c7/spam_12.1418849681.txt.gz
  • Zuletzt geändert: 17.12.2014 20:54.
  • von django