Inhaltsverzeichnis


Artikel befindet sich gerade in der Bearbeitung!

DMARC - Domain-based Message Authentication, Reporting & Conformance unter CentOS 7.x

DMARC Logo

DMARC1) ist an sich kein eigenständiger Prozess in der eMail-Verarbeitung, vielmehr erweitert DMARC auf die beiden Techniken SPF2) und DKIM3). DMARC ergänzt somit DKIM und SPF, ohne die DMARC nicht funktionieren kann. Hinweise zu DMARC findet man bei auch auf der Webseite von DMARC.org, oder im Entwurf der Network Working Group, die der ITF4) Anfang 2012 zur Prüfung vorgelegt wurde.


Obwohl DMARC aktuell noch als Entwurf gilt, wird laut den Angaben der aktuellen DMARC-Präsentation aus 2014 bereits mehr als 60% der weltweiten eMail-Postfächer mit Hilfe von DMARC geschützt.

Die weltgößten eMail-Provider setzen auf DMARC, wie z.B.:

  • GMail, Yahoo, AOL, Comcast, oder Outlook.com
  • Mail.ru (größter eMail-Provider in Russland)
  • NetEase (größter eMail-Provider in China)
  • XS4All (größter eMail-Provider in den Niederlanden)

Alles gute Gründe, sich dem Thema DMARC dennoch intensiver zu widmen!

Bei DMARC kann definiert werden, wie ein empfangender Mailserver Nachrichten behandeln und verarbeiten soll, insbesondere mit Hinblick auf die Bewertung der Versandberechtigung des einliefernden Mailservers (SPF) und der nicht veränderten Nachricht (DKIM). Fällt eine oder beide Überprüfungen negativ aus, definiert DMARC, ob die eMail in Quarantäne gestellt, die Annahme der eMail abgelehnt (reject) oder eben dennoch zugestellt werden soll.

Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf.

Mailserver_des_AbsendersMailserver_des_EmpfängersDMARC_ÜberprüfungenDMARC_Ergebnis_ReportsReport_aggregatReport_forensicMail-EingangAnnahme der eMailnach SPAM- undViren-ÜberprüfungDKIM-SignaturEinfügen der DKIMSignatur (Mailheaderund Mailbody) imHeader der eMailMail-AusgangVersand der eMailzum eMail-Server (MTA)des EmpfängersMail-EingangBewertung der eMailmit Hilfe von Blacklistsund postscreenSPAM- und VirenüberprüfungBewertung der eingehenden Nachrichtdurch SPAM- und/oder VirenfilterSPAM- und VirenüberprüfungBewertung der eingehenden Nachrichtdurch SPAM- und/oder VirenfilterMail-QuarantäneBestätigung (250) der Annahme an densendenen Mailserver und Einstellungder Nachricht in die MAIL-QuarantäneAnnahme der eingehenden NachrichtBestätigung (250) der Annahme an densendenen Mailserver und Zustellungder Nachricht in die INBOX des EmpfängersREJECT der eMailAnnahme der eMail verweigernRückmeldecode 500 an deneinliefernden MailserverDKIM-SignaturÜberprüfen der vorhandenenDKIM-Signatur im Mailheaderder eingehenden NachrichtSPF-ValidierungÜberprüfung ob derVersendene Mailserverzum Mailversand derMaildomäne berechtigt istAnwenden der DMARC-PolicyBewertung der Legitimitätder eingehenden Nachrichtan Hand der DMARC-Policydes absendenden MailserversDMARC CheckTest O.K.DMARC-policy -> ZustellungDMARC CheckTest nicht O.K.!DMARC-policy -> QuarantäneDMARC CheckTest nicht O.K.!DMARC-policy -> REJECTAbsender Klaus generiert eMail-----------From: klaus@tachtler.netTo: michael@nausch.orgSubject: Gratulation!Date: Thu, 20 Mar 2014 18:40:18 +0100-----------NachrichtentextStandard Validierungs-Überprüfung, wie z.B.IP-Blacklists, greylistingund policyd-weightund ggf. weiteren FilternAbfrage des DKIM public-keys("DKIM"-TXT-Record) und derberechtigten Sender der Mail-Domäne ("SPF"-/TXT-Record)beim zuständigen Nameserverder AbsendedomäneAbfrage der DMARC-Policydes absendenden Mail-Servers durch Abfragedes DMARC-/TXT-Recordbeim zuständigenNameserverregelmäßig aggregierterBericht an den im DMARC-Record hinterlegten"rua=mailto"-Adresse desMailserverbetreibers desAbsender-Mailserversregelmäßiger forensischerBericht an den im DMARC-Recordhinterlegten "rua=mailto"-Adresse des Mailserver-betreibers des Absender-Mailservers

Zusammenspiel von DKIM, SPF und DMARC


Auch wenn DMARC noch immer im Status DRAFT5) ist, macht es doch Sinn, sich mit DMARC näher zu beschäftigen!


Möchten wir DMARC bei unserem Mailserver einsetzen, ist es wichtig, dass alle drei Komponenten via Milter6) an unseren Postfix-Mailserver angebunden werden. Nur so stehen dem DMARC-Daemon alle relevanten Headerinformationen zur Bewertung zur Verfügung.

Wir setzen daher bei unserer Installation jeweils folgende Pakete ein:

Die Installation von SPF-Milter ist im Kapitel SPF - Sender Policy Framework und OpenDKIM-Milter im Kapitel DKIM - Domain Key Identified Mail genauer beschrieben.

DMARC-Record

Beschreibung des Datensatzes

Mit Hilfe des DMARC Record Assistant kann man sich sehr leicht und einfach den nötigen DMARC-Record generieren lassen, den man dann über einen TXT-Record der Subdomain _dmarc in seinem DNS einträgt. Im Kapitel 6.2. General Record Format des DMARC Standardisierungs-Entwurf ist die

Als Beispiel sehen wir uns nun den aktuellen DMARC-Record von nausch.org an, den wir u.a. mit dem Aufruf des Befehls host vom DNS-Server abfrsagen können.

 # host -t TXT _dmarc.nausch.org
_dmarc.nausch.org descriptive text "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"

Die einzelnen Werte haben nun folgende Bedeutung.

Parameter Art Wert Bedeutung
v Plaintext; REQUIRED DMARC1 Identifiziert den Datensatz als DMARC-Record. Der Parameter muss als erster wert im DMARC-Record gesetzt sein. Fehlt dieser ist der gesamte DMARC-Record zu verwerfen!
p Plaintext; REQUIRED reject Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers verwerten soll. Diese gilt auch für die Subdomains, sofern für diese mit dem Parameter sp keine separate Definition vorliegt. Mögliche Werte sind:
:OK:none : Der Domaininhaber hat keine Vorgaben zur Verabeitung/Zustellung der eMails.
:BRK:quarantine : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, als verdächtig gewertet werden sollen. Abhängig vom Empfänger können diese als verdächtig markiert werden, mit weiteren/zusätzlichen SPAM prüfungen zu belegen ist, oder in einen SPAM-Ordner verschoben werden soll.
:NOK:reject : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, rejected, also nicht angenommen werden sollen. Dies sollte, wenn möglich, noch während des SMTP-Dialogs passieren.
sp Plaintext;OPTIONAL reject Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers einer Subdomäne verwerten soll. Der Parameter beschreibt nur die abgefragte Subdomäne, nicht die Domäne an sich! Der Syntax entspricht dem Parameter p. Wird der Paramter sp nicht gesetzt, gelten die Definitionen des Parameters p auch für alle Subdomänen.
rua Kommaseparierte plain-text Liste von DMARC URIs; OPTIONAL mailto:postmaster@nausch.org Der Domaininhaber wünscht, per eMail mit aufbereiteten Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten.
ruf Kommaseparierte Plaintext Liste von DMARC URIs; OPTIONAL mailto:django@nausch.org Der Domaininhaber wünscht, per eMail mit detailierten forensischen Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten.
adkim Plaintext; OPTIONAL; Default = relaxed r Definiert, wie konservativ das Ergebnis der DKIM-Signaturprüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt.
aspf Plaintext; OPTIONAL; Default = relaxed r Definiert, wie konservativ das Ergebnis der SPF-Prüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt.
pct Plaintext/Zahlenwert zwischen 0 und 100; OPTIONAL; Default = 100 100 Der Domaininhaber wünscht, daß der angegebene Prozentwert an Nachrichten von den DMARC-Prüfungen benutzt werden soll. Der Wert beschreibt nicht das Verhältnis in den DMARC-Reports.
rf Kommaseparierte Plaintext Liste; OPTIONAL; Default = afrf afrf Der Domaininhaber wünscht, dass die aufbereiteten forensischen Prüfberichte im Format AFRF7) oder IODEF8) zu erhalten, wenn sowohl der DKIM- wie auch der SPF-Test negativ ausfällt.
ri Plaintext; OPTIONAL; Default = 86400 86400 Der Domaininhaber wünscht, dass die aufbereiteten Statistik- und Forensikdaten spätestens alle „n“ Sekunden verschickt werden sollen.

Generierung unseres DMARC-Records

Nach Erstellung des DMARC-Records von Hand oder über den DMARC Record Assistant, tragen wir demnach bei unserem zuständigen DNS entsprechenden eigenen und richtigen Daten ein.

 _dmarc.nausch.org                        IN      TXT     "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"

Testen der DMARC Definitionen

Über die URL OTA Query Tool for SPF & DMARC Records der Online trust Alliance kann man online bei Bedarf testen, ob der DMARC-Eintrag soweit richtig ist.

Mit Hilfe der DMARC Inspectors kann man (s)einen DMARC-Record testen und sich die Optionen die der Domaininhaber gesetzt hat, beschreiben lassen. Möchte man seinen SPF-Record testen lassen, steht einem der SPF Surveyor zur Verfügung.

Zu guter Letzt kann mit dem DKIM Key Checker der, im DNS hinterlegte, DKIM-Schlüssel einer Domäne getestet werden.

Möchte man dann noch testen, ob der eigene Mailserver alle Voraussetzungen für eine DMARC-policy hat, schickt man einfach eine „leere eMail“ an checkmyauth@auth.returnpath.net, so erhält man anschließen einen ausführlichen Prüfbericht.

From: "Return Path" <noreply@returnpath.net>
Subject: Return Path DKIM/SPF Reflector Report
Date: Fri, 21 Mar 2014 03:58:12 -0600 (MDT)
To: undisclosed-recipients:;

Return Path DKIM/SPF Reflector Report
=====================================
Source IP = 217.91.103.190
Mail From = django@nausch.org

Identity Alignment Results
==========================
SPF Domain Alignment Result = PASS
	The From domain 'nausch.org' is an exact match with the SPF domain 'nausch.org'.
	Note that the alignment policy is set to relaxed in your DMARC record.

DKIM Domain Alignment Results:
	Result for DNS Record: 140224._domainkey.nausch.org = PASS
	The From domain 'nausch.org' is an exact match with the DKIM domain 'nausch.org'.
	Note that the alignment policy is set to relaxed in your DMARC record.

DKIM Results
============
Result = pass
Domain = nausch.org
Selector = 140224
DNS Record(s) =
	140224._domainkey.nausch.org TXT v=DKIM1; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuJ3/CruOs3fCU0ujOStcNN85TJh+5HvMa9m99C5XuRBlxOr+fp5BeIEtiPO0szKvvPojwrueCq0oOuEzjR/i2ObpRkzKRUXmAa0qVezUZwQIbKeiuKII0PnpQclDrmQrzSXcQWPT57tkPg17Q9WamFUUaHeN3+pVGtMyjYekRaAoRlV+a1gD111kXMPhiaFTMIncoRBS/gYN8FjfekH+ezqbLHLB8DLJQBZEGUILvJjAHX0722XyqYtkn1qfv63nPRGw/qqAW1072Gchq4ZS4ZPQ89SrK4KcHt/XptSlztXMWtmRFQriHdvbjr1Fx7ZwXdTQ+ik2AUZLMdhMrQe6/1GujQiMD6po81NpYbrjnfd+QF4sUbus4wPQKVNzsctiuzGlWsFexSHP4dAZtKnImJhVDnzZODQy0nSafedlr5g4VR36vgm0YPWjSyRNnC/APHyw0DtHIrzTqfKuDeGv80uMPbEdujrw9gLbK3H8ow42iTicmgPgT3J5j70ZOo4o4FMtpZ/AEQw+VnWpSfw7bkMjufLc29XHbtp22wfgq2Lmarr3+psaHokFaQrImkMbzdSL9CdabkLptanAilLScvq8UaKVC+G1+vHDgaweq3BhXD5+YcJnJlp4msUqqxGYlnx4RSvv8PipMU2DsVFbNJSH5NJuS7GuzplNg+f20ysCAwEAAQ==
	Public Key Length = 4096

DomainKeys Results
==================
No DomainKeys signature(s) found.

SPF Results
===========
Result = pass
Domain = nausch.org
DNS Record(s) =
	nausch.org TXT v=spf1 ip4:217.91.103.190/32 mx ?all

DMARC Results
=============
Domain = _dmarc.nausch.org
DNS Record = 
	_dmarc.nausch.org TXT v=DMARC1; p=reject; rua=mailto:postmaster@nausch.org; ruf=mailto:django@nausch.org; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject

DMARC Record Validation Results
===============================
DMARC Errors Detected: None.
Non-DMARC flags encountered (skipped): None.

Visit http://www.returnpath.com/solution-content/dmarc-support/ for more information on DMARC record creation and validation.

Installation

Die einfachste und schnellste Variante bei der Installation ist die aus dem Repository nausch.org. Hier reicht ein einfacher Aufruf von yum und alles wird automatisch installiert inkl. der Paketabhängigkeiten.

 # yum install opendmarc

Will oder kann man nicht auf das Repository nausch.org zurückgreifen, steht immer noch der Installation per Hand nichts im Wege.

 # yum localinstall http://repo7.nausch.org/7/x86_64/libopendmarc-1.3.0-1.el7.centos.x86_64.rpm \ 
                    http://repo7.nausch.org/7/x86_64/opendmarc-1.3.0-1.el7.centos.x86_64.rpm

Was das RPM alle mitbrachte zeigt ein Blick in die RPM-Datenbank.

 # rpm -qil opendmarc
Name        : opendmarc
Version     : 1.3.0
Release     : 1.el7.centos
Architecture: x86_64
Install Date: Wed 17 Dec 2014 08:58:08 PM CET
Group       : System Environment/Daemons
Size        : 517881
License     : BSD and Sendmail
Signature   : RSA/SHA1, Wed 17 Dec 2014 08:38:39 PM CET, Key ID 60ecfb9e8195aea0
Source RPM  : opendmarc-1.3.0-1.el7.centos.src.rpm
Build Date  : Wed 17 Dec 2014 08:38:11 PM CET
Build Host  : vml000200.dmz.nausch.org
Relocations : (not relocatable)
Packager    : Django
URL         : http://www.trusteddomain.org/opendmarc.html
Summary     : DMARC milter and library
Description :
OpenDMARC (Domain-based Message Authentication, Reporting & Conformance)
provides an open source library that implements the DMARC verification
service plus a milter-based filter application that can plug in to any
milter-aware MTA, including sendmail, Postfix, or any other MTA that supports
the milter protocol.

The DMARC sender authentication system is still a draft standard, working
towards RFC status.
/etc/opendmarc/ignore.hosts
/etc/opendmarc/opendmarc.conf
/etc/tmpfiles.d/opendmarc.conf
/usr/lib/systemd/system/opendmarc.service
/usr/sbin/opendmarc
/usr/sbin/opendmarc-check
/usr/sbin/opendmarc-expire
/usr/sbin/opendmarc-import
/usr/sbin/opendmarc-importstats
/usr/sbin/opendmarc-params
/usr/sbin/opendmarc-reports
/usr/share/doc/opendmarc-1.3.0
/usr/share/doc/opendmarc-1.3.0/INSTALL
/usr/share/doc/opendmarc-1.3.0/LICENSE
/usr/share/doc/opendmarc-1.3.0/LICENSE.Sendmail
/usr/share/doc/opendmarc-1.3.0/README
/usr/share/doc/opendmarc-1.3.0/README.rddmarc
/usr/share/doc/opendmarc-1.3.0/README.schema
/usr/share/doc/opendmarc-1.3.0/RELEASE_NOTES
/usr/share/doc/opendmarc-1.3.0/dmarc_policy_t.html
/usr/share/doc/opendmarc-1.3.0/dmarcfail.py
/usr/share/doc/opendmarc-1.3.0/dmarcfail.pyc
/usr/share/doc/opendmarc-1.3.0/dmarcfail.pyo
/usr/share/doc/opendmarc-1.3.0/draft-dmarc-base-03.txt
/usr/share/doc/opendmarc-1.3.0/index.html
/usr/share/doc/opendmarc-1.3.0/mkdb.mysql
/usr/share/doc/opendmarc-1.3.0/mkdmarc
/usr/share/doc/opendmarc-1.3.0/mysql_ip6.c
/usr/share/doc/opendmarc-1.3.0/opendmarc
/usr/share/doc/opendmarc-1.3.0/opendmarc.conf.sample
/usr/share/doc/opendmarc-1.3.0/opendmarc.spec.in
/usr/share/doc/opendmarc-1.3.0/opendmarc_dns_fake_record.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_get_policy_to_enforce.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_lib_t.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_clear.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_init.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_rset.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_shutdown.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_adkim.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_alignment.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_aspf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_fo.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_p.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_pct.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_rf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_rua.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_ruf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_sp.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_utilized_domain.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_library_init.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_library_shutdown.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_parse_dmarc.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_query_dmarc.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_status_to_str.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_dkim.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_dmarc.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_from_domain.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_spf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_to_buf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_spf_test.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_status_t.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_tld_read_file.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_tld_shutdown.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_util_clearargv.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_xml.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_xml_parse.html
/usr/share/doc/opendmarc-1.3.0/overview.html
/usr/share/doc/opendmarc-1.3.0/rddmarc
/usr/share/doc/opendmarc-1.3.0/schema.mysql
/usr/share/man/man5/opendmarc.conf.5.gz
/usr/share/man/man8/opendmarc-check.8.gz
/usr/share/man/man8/opendmarc-expire.8.gz
/usr/share/man/man8/opendmarc-import.8.gz
/usr/share/man/man8/opendmarc-importstats.8.gz
/usr/share/man/man8/opendmarc-params.8.gz
/usr/share/man/man8/opendmarc-reports.8.gz
/usr/share/man/man8/opendmarc.8.gz
/var/run/opendmarc
/var/spool/opendmarc
 # rpm -qil libopendmarc
Name        : libopendmarc
Version     : 1.3.0
Release     : 1.el7.centos
Architecture: x86_64
Install Date: Wed 17 Dec 2014 08:40:49 PM CET
Group       : System Environment/Libraries
Size        : 48888
License     : BSD and Sendmail
Signature   : RSA/SHA1, Wed 17 Dec 2014 08:38:40 PM CET, Key ID 60ecfb9e8195aea0
Source RPM  : opendmarc-1.3.0-1.el7.centos.src.rpm
Build Date  : Wed 17 Dec 2014 08:38:11 PM CET
Build Host  : vml000200.dmz.nausch.org
Relocations : (not relocatable)
Packager    : Django
URL         : http://www.trusteddomain.org/opendmarc.html
Summary     : An open source DMARC library
Description :
This package contains the library files required for running services built
using libopendmarc.
/usr/lib64/libopendmarc.so.2
/usr/lib64/libopendmarc.so.2.0.0

Konfigurations-Dokumentation

README

Viele hilfreiche Informationen zur Konfiguration von OpenDMARC finden sich in den nachfolgenden Dateien.

 # less /usr/share/doc/opendmarc-1.3.0/README
OPENDMARC README
================

This directory has the latest open source DMARC software from The Trusted
Domain Project.

There is a web site at http://www.trusteddomain.org/opendmarc that is home for
the latest updates.


+--------------+
| INTRODUCTION |
+--------------+

The OpenDMARC project is a community effort to develop and maintain an open
source package for providing DMARC report generation and policy enforcement
services.  It includes a library for handling DMARC record parsing,
a database schema and tools for aggregating and processing transaction
history to produce DMARC reports, and a filter that ties it all together
with an MTA using the milter protocol.

"milter" is a portmanteau of "mail filter" and refers to a protocol and API
for communicating mail traffic information between MTAs and mail filtering
plug-in applications.  It was originally invented at Sendmail, Inc. but
has also been adapted to other MTAs.

+--------------+
| DEPENDENCIES |
+--------------+

To compile and operate, this package requires the following:

o OpenDBX (http://www.linuxnetworks.de/doc/index.php/OpenDBX) which
  acts as a middleware layer between OpenDMARC and your SQL backend
  of choice

o sendmail v8.13.0 (or later), or Postfix 2.3, (or later) and libmilter.
  (These are only required if you are building the filter.)

o Access to a working nameserver (required only for signature verification).

o If you are interested in tinkering with the build and packaging structure,
  you may need to upgrade to these versions of GNU's "autotools" components:
        autoconf (GNU Autoconf) 2.61
        automake (GNU automake) 1.7 (or 1.9 to avoid warnings)
        ltmain.sh (GNU libtool) 2.2.6 (or 1.5.26 after make maintainer-clean)


+-----------------------+
| RELATED DOCUMENTATION |
+-----------------------+

The man page for opendmarc (the actual filter program) is present in the
opendmarc directory of this source distribution.  There is additional
information in the INSTALL and FEATURES files, and in the README file in the
opendmarc directory.  Changes are documented in the RELEASE_NOTES file.

HTML-style documentation for libopendmarc is available in libopendmarc/docs in
this source distribution.

General information about DMARC can be found at http://www.dmarc.org

Mailing lists discussing and supporting the DMARC software found in this
package are maintained via a list server at trusteddomain.org.  Visit
http://www.trusteddomain.org to subscribe or browse archives.  The available
lists are:

        opendmarc-announce      (moderated) Release announcements.

        opendmarc-users         General OpenDMARC user questions and answers.

        opendmarc-dev           Chatter among OpenDMARC developers.

        opendmarc-code          Automated source code change announcements.

Bug tracking is done via the trackers on SourceForge at
http://sourceforge.net/projects/opendmarc.  You can enter new bug
reports there, but please check first for older bugs already open,
or even already closed, before opening a new issue.


+---------------------+
| DIRECTORY STRUCTURE |
+---------------------+

contrib         A collection of user contributed scripts that may be useful.

db              Database schema and tools for generating DMARC reports based
                upon accumulated data.

docs            A collection of RFCs and drafts related to opendmarc.

libopendmarc    A library that implements the proposed DMARC standard.

libopendmarc/docs
                HTML documentation describing the API provided by libopendmarc.

opendmarc       A milter-based filter application which uses libopendmarc (and
                optionally libar) to provide DMARC service via an MTA using
                the milter protocol.


+----------------+
| RUNTIME ISSUES |
+----------------+

WARNING: symbol 'X' not available

 The filter attempted to get some information from the MTA that the MTA
 did not provide.

 At various points in the interaction between the MTA and the filter, certain
 macros containing information about the job in progress or the connection
 being handled are passed from the MTA to the filter.

 In the case of sendmail, the names of the macros the MTA should pass to the
 filter are defined by the "Milter.macros" settings in sendmail.cf, e.g.
 "Milter.macros.connect", "Milter.macros.envfrom", etc.  This message
 indicates that the filter needed the contents of macro X, but that macro
 was not passed down from the MTA.

 Typically the values needed by this filter are passed from the MTA if the
 sendmail.cf was generated by the usual m4 method.  If you do not have
 those options defined in your sendmail.cf, make sure your M4 configuration
 files are current and rebuild your sendmail.cf to get appropriate lines
 added to your sendmail.cf, and then restart sendmail.

MTA timeouts

 By default, the MTA is configured to wait up to ten seconds for a response
 from a filter before giving up.  When querying remote nameservers
 for key and policy data, the DMARC filter may not get a response from the
 resolver within that time frame, and thus this MTA timeout will occur.
 This can cause messages to be rejected, temp-failed or delivered without
 verification, depending on the failure mode selected for the filter.

 When using the standard resolver library provided with your system, the
 DNS timeout cannot be adjusted.  If you encounter this problem, you must
 increase the time the MTA waits for replies.  See the documentation in
 the sendmail open source distribution (libmilter/README in particular)
 for instructions on changing these timeouts.

 When using the provided asynchronous resolver library, you can use the
 "-T" command line option to change the timeout so that it is shorter than
 the MTA timeout.

Other OpenDMARC issues:

 Report any bugs to the email address opendmarc-users@trusteddomain.org or to
 the SourceForge issue tracker accessible at:
 
 http://sourceforge.net/p/opendmarc/tickets/


--
Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

$Id: README,v 1.13 2010/10/25 20:41:55 cm-msk Exp $

README.schema

 # less /usr/share/doc/opendmarc-1.3.0/README.schema
This directory contains the OpenDMARC schema plus any related files.
 
The tables in this schema are populated by the opendmarc filter as it processes
messages and downloads policies.  The rows are then consumed by the scripts
in the "reports" directory to generate regular aggregate reports.
 
The tables are summarized here:
 
domains         A table that maps domain names to unique integer IDs.
                Automatically tracks a "first seen" timestamp, and includes
                a column to record when the last report was sent.
 
reporters       A table mapping reporting hosts to unique integer IDs.
                Intended for use by multi-MX systems so it's possible to tell
                where an inbound message landed.
 
ipaddr          A table mapping IP addresses (as strings) to unique IDs.
                Also tracks the "first seen" timestamp for each.
 
messages        A table tracking salient properties of all messages received.
                A messages is uniquely identified by a {date, jobid, reporter}
                tuple.  Includes references to the "domains" table to track
                the RFC5321.MailFrom domain, the RFC5322.From domain.
                Also records the count of DKIM signatures, the SPF result,
                and whether or not the SPF result was aligned with the
                RFC5322.From domain.
 
signatures      A table tracking DKIM signatures, each of which refers to
                a rown in the "messages" table.  Tracks the signing domain,
                whether the signature passed, whether there was a verification
                error other than a broken signature, and whether or not the
                signing domain aligned with the RFC5322.From domain.
 
requests        A table containing a cache of DMARC reporting requests.
                For each domain, the destination reporting URI for aggregate
                reports is recorded along with a "last report sent" timestamp.
 
--
Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

README.rddmarc

 # less /usr/share/doc/opendmarc-1.3.0/README.rddmarc
These are little scripts to parse DMARC reports.
 
The first, rddmarc, is a perl script that take an incoming DMARC
summary report email, extracts and unpacks the gzip or ZIP file,
parses the XML, and puts the parts about received mail into a MySQL
database.  The database is set up to handle reports about multiple
domains from multiple reporters. It's handling reports from Google,
Yahoo, xs4all and Netease.  
 
It expects filenames on the command line, each of which contains a
mail message, but it'd easy enough to adjust it to read stdin or
anywhere else.
 
It works great on FreeBSD, can probably be made to work on linux with
modest effort, no clue about other systems.  It needs the
MIME::Parser, XML::Simple, and DBI perl modules and the freeware unzip
program to extract stuff from the gzip or ZIP file.
 
It now handles both IPv4 and IPv6 addresses.  If you have been
running the ipv4 version, see mkdmarc for instructions on how
to update your database.  The file mysql_ip6.c is a plugin for a
mysql server to add some IPv6 formatting functions that can be
handy when analyzing the reports.  It's not needed for rddmarc.
 
The second is a python script to parse failure reports.  It expects
file names on the command line, or if no arguments, it reads stdin. It
needs the usual MySQLdb module.  It handles reports from Netease,
which are currently the only ones I'm getting.
 
mkdmarc - SQL to create the tables
 
rddmarc - the script to parse summary reports (Perl)
 
dmarcfail.py - the script to parse failure reports (python)
 
mysql_ip6.c - C language source for MySQL plugin for IPv6
        formatting functions

man-pages

opendmarc

 # man opendmarc
opendmarc(8)                       System Manager's Manual                      opendmarc(8)   
                                                                                               
NAME
       opendmarc - DMARC email policy filter for MTAs

SYNOPSIS
       opendmarc  [-A]  [-c  configfile]  [-f]  [-l]  [-n]  [-p socketspec] [-P pidfile] [-t
       file[,file[...]]]  [-u userid[:group]] [-v] [-V]

DESCRIPTION
       opendmarc implements the prooposed DMARC specification for authentication of  message
       and reporting of observed traffic.

       opendmarc  uses  the milter interface, originally distributed as part of version 8.11
       of sendmail(8), to provide a DMARC processing service for mail transiting  a  milter-
       aware MTA.

       Most,  if  not  all, of the command line options listed below can also be set using a
       configuration file.  See the -c option for details.

       opendmarc relies on addition of Authentication-Results fields by upsteam  filters  on
       trusted hosts to collect input to the DMARC algorithm.  It does not itself do DKIM or
       SPF evaluation.

OPTIONS
       -A     Automatically re-start on failures.  Use with caution;  if  the  filter  fails
              instantly  after  it starts, this can cause a tight fork(2) loop.  This can be
              mitigated using some values in the configuration  file  to  limit  restarting.
              See opendmarc.conf(5).

       -c configfile
              Read  the  named  configuration  file.  See the opendmarc.conf(5) man page for
              details.  Values in the configuration file are overridden when  their  equiva‐
              lents  are  provided  on the command line until a configuration reload occurs.
              The OPERATION section describes how reloads are triggered.  The default is  to
              read a configuration file from /etc/opendmarc.conf if one exists, or otherwise
              to apply defaults to all values.

       -f     Normally opendmarc forks and exits immediately, leaving the service running in
              the  background.   This  flag suppresses that behaviour so that it runs in the
              foreground.

       -l     Log via calls to syslog(3) any interesting activity.

       -n     Parse the configuration file and command line arguments, reporting any  errors
              found,  and  then exit.  The exit value will be 0 if the filter would start up
              without complaint, or non-zero otherwise.

       -p socketspec
              Specifies the socket that should be established by the filter to receive  con‐
              nections  from  sendmail(8) in order to provide service.  socketspec is in one
              of two forms: local:path which creates a UNIX domain socket at  the  specified
              path,  or  inet:port[@host] or inet6:port[@host] which creates a TCP socket on
              the specified port within the specified protocol family.  If the host  is  not
              given  as  either a hostname or an IP address, the socket will be listening on
              all interfaces.  If neither socket type is specified, local is assumed,  mean‐
              ing  the parameter is interpreted as a path at which the socket should be cre‐
              ated.  If an IP address is used, it must be enclosed in square brackets.  This
              parameter is mandatory.

       -P pidfile
              Specifies a file into which the filter should write its process ID at startup.

       -t file[,file[,...]]
              Reads  email  messages from the named files and processes them as if they were
              received by the filter.  The service is not started, and actions normally sent
              back to the MTA will instead be printed on standard output.

       -u userid[:group]
              Attempts  to  be  come  the  specified userid before starting operations.  The
              process will be assigned all of the groups and primary group ID of  the  named
              userid  unless an alternate group is specified.  See the FILE PERMISSIONS sec‐
              tion for more information.

       -v     Increase verbose output during test mode (see -t  above).   May  be  specified
              more than once to request increasing amounts of output.

       -V     Print  the  version  number and supported canonicalization and signature algo‐
              rithms, and then exit without doing anything else.

SIGNALS
       Upon receiving SIGUSR1, if the filter was started with a configuration file, it  will
       be re-read and the new values used.  Note that any command line overrides provided at
       startup time will be lost when this is done.  Also, the following configuration  file
       values  (and their corresponding command line items, if any) are not reloaded through
       this process: AutoRestart (-A), AutoRestartCount, AutoRestartRate,  Background,  Mil‐
       terDebug,  PidFile  (-P), Socket (-p), UMask, UserID (-u).  The filter does not auto‐
       matically check the configuration file for changes and reload.

VERSION
       This man page covers version 1.3.0 of opendmarc.

COPYRIGHT
       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc.conf(5), sendmail(8)

       Sendmail Operations Guide

       RFC4408 - Sender Policy Framework

       RFC5321 - Simple Mail Transfer Protocol

       RFC5322 - Internet Messages

       RFC5451 - Message Header Field for Indicating Message Authentication Status

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format

                                 The Trusted Domain Project                     opendmarc(8)

opendmarc.conf

 # man opendmarc.conf
opendmarc.conf(5)                    File Formats Manual                   opendmarc.conf(5)

NAME
       opendmarc.conf - Configuration file for opendmarc

LOCATION
       /etc/opendmarc.conf

DESCRIPTION
       opendmarc(8)  implements the proposed DMARC specification for message authentication,
       policy enforcement, and reporting.  This file is its configuration file.

       Blank lines are ignored.  Lines containing a hash ("#") character  are  truncated  at
       the hash character to allow for comments in the file.

       Other content should be the name of a parameter, followed by white space, followed by
       the value of that parameter, each on a separate line.

       For parameters that are Boolean in nature, only the first byte of the value  is  pro‐
       cessed.   For  positive  values, the following are accepted: "T", "t", "Y", "y", "1".
       For negative values, the following are accepted: "F", "f", "N", "n", "0".

       Some, but not all, of these parameters are also available as command line options  to
       opendmarc(8).   However,  new  parameters  are  generally  not  added as command line
       options so the complete set of options is available here, and thus use of the config‐
       uration  file  is  encouraged.   In some future release, the set of available command
       line options is likely to get trimmed.

       See the opendmarc(8) man page for details about how and when the  configuration  file
       contents are reloaded.

       Unless otherwise stated, Boolean values default to "false", integer values default to
       0, and string and dataset values default to being undefined.

PARAMETERS
       AuthservID (string)
              Sets the "authserv-id" to  use  when  generating  the  Authentication-Results:
              header field after verifying a message.  The default is to use the name of the
              MTA processing the message.  If the string "HOSTNAME" is provided, the name of
              the  host running the filter (as returned by the gethostname(3) function) will
              be used.

       AuthservIDWithJobID (Boolean)
              If "true", requests that the authserv-id portion of the added  Authentication-
              Results: header fields contain the job ID of the message being evaluated.

       AutoRestart (Boolean)
              Automatically  re-start  on  failures.   Use with caution; if the filter fails
              instantly after it starts, this can cause a tight fork(2) loop.

       AutoRestartCount (integer)
              Sets the maximum automatic restart count.   After  this  number  of  automatic
              restarts,  the  filter  will  give  up and terminate.  A value of 0 implies no
              limit; this is the default.

       AutoRestartRate (string)
              Sets the maximum automatic restart rate.   If  the  filter  begins  restarting
              faster  than  the rate defined here, it will give up and terminate.  This is a
              string of the form n/t[u] where n is an integer limiting the count of restarts
              in  the  given  interval  and t[u] defines the time interval through which the
              rate is calculated; t is an integer and u defines the units  thus  represented
              ("s"  or  "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for
              hours; "d" or "D" for days).  For example,  a  value  of  "10/1h"  limits  the
              restarts  to 10 in one hour.  There is no default, meaning restart rate is not
              limited.

       Background (Boolean)
              Causes opendmarc to fork and exits immediately, leaving the service running in
              the background.  The default is "true".

       BaseDirectory (string)
              If  set,  instructs  the  filter  to  change  to the specified directory using
              chdir(2) before doing anything else.  This means any  files  referenced  else‐
              where  in  the configuration file can be specified relative to this directory.
              It's also useful for arranging that any crash dumps will be saved  to  a  spe‐
              cific location.

       ChangeRootDirectory (string)
              Requests  that the operating system change the effective root directory of the
              process to the one specified here prior to beginning  execution.   chroot  (2)
              requires  superuser  access. A warning will be generated if UserID is not also
              set.

       CopyFailuresTo (string)
              Adds the specified recipient to the message's envelope if it fails  the  DMARC
              evaluation.

       DNSTimeout (integer)
              Sets  the  DNS timeout in seconds.  A value of 0 causes an infinite wait.  The
              default is 5.  Ignored if not using an asynchronous resolver package.

       EnableCoredumps (Boolean)
              On systems that have such support, make an explicit request to the  kernel  to
              dump  cores when the filter crashes for some reason.  Some modern UNIX systems
              suppress core dumps during crashes for security reasons if  the  user  ID  has
              changed  during  the  lifetime  of  the  process.  Currently only supported on
              Linux.

       FailureReports (Boolean)
              Enables generation of failure reports when the DMARC test fails and  the  pur‐
              ported  sender of the message has requested such reports.  Reports are format‐
              ted per RFC6591.

       FailureReportsBcc (string)
              When failure reports are enabled and one is to be generated, always  send  one
              to  the  address(es)  specified here.  If a failure report is requested by the
              domain owner, the address(es) are added in a Bcc: field.   If  no  request  is
              made, they address(es) are used in a To: field.  There is no default.

       FailureReportsOnNone (Boolean)
              Supplementary  to  the previous setting, enables generation of failure reports
              for sending domains that publish a "none" policy.

       FailureReportsSentBy (string)
              Sets the value of the From: field to be used when sending failure reports (see
              above).  The default is to use the userid of the user executing the filter and
              the local host name to construct an email address.

       HistoryFile (string)
              If set, specifies the location of a text file to  which  records  are  written
              that  can be used to generate DMARC aggregate reports.  Records are batches of
              rows containing information about a single received message, and  include  all
              relevant  information  needed  to  generate  a  DMARC aggregate report.  It is
              expected that this will not be used in its raw form, but  rather  periodically
              imported  into  a  relational database from which the aggregate reports can be
              extracted.

       IgnoreAuthenticatedClients (Boolean)
              If set, causes mail from authenticated clients (i.e.,  those  that  used  SMTP
              AUTH) to be ignored by the filter.  The default is "false".

       IgnoreHosts (string)
              Specifies  the path to a file that contains a list of hostnames, IP addresses,
              and/or CIDR expressions identifying hosts whose SMTP  connections  are  to  be
              ignored by the filter.  If not specified, defaults to "127.0.0.1" only.

       IgnoreMailFrom (string)
              Gives  a  list of domain names whose mail (based on the From: domain) is to be
              ignored by the filter.  The list should be comma-separated.  Matching  against
              this  list is case-insensitive.  The default is an empty list, meaning no mail
              is ignored.

       MilterDebug (integer)
              Sets the debug level to be requested from the milter library.  The default  is
              0.

       PidFile (string)
              Specifies  the path to a file that should be created at process start contain‐
              ing the process ID.

       PublicSuffixList (string)
              Specifies the path to a file that contains top-level domains (TLDs) that  will
              be  used  to  compute  the  Organizational  Domain for a given domain name, as
              described in the DMARC specification.  If not provided, the filter will not be
              able to determine the Organizational Domain and only the presented domain will
              be evaluated.

       RecordAllMessages (Boolean)
              If set and HistoryFile is in use, all received messages are  recorded  to  the
              history  file.   If  not  set (the default), only messages for which the From:
              domain published a DMARC record will be recorded in the history file.

       RejectFailures (Boolean)
              If set, messages will be rejected if they fail the DMARC evaluation, or  temp-
              failed  if  evaluation could not be completed.  By default, no message will be
              rejected or temp-failed regardless of the outcome of the DMARC  evaluation  of
              the  message.   Instead, an Authentication-Results header field will be added.
              The default is "false".

       ReportCommand (string)
              Indicates the shell command to which failure  reports  should  be  passed  for
              delivery when FailureReports is enabled.  Defaults to /usr/sbin/sendmail.

       RequiredHeaders (Boolean)
              If set, the filter will ensure the header of the message conforms to the basic
              header field count restrictions laid out in RFC5322,  Section  3.6.   Messages
              failing this test are rejected without further processing.  A From: field from
              which no domain name could be extracted will also be rejected.

       Socket (string)
              Specifies the socket that should be established by the filter to receive  con‐
              nections  from  sendmail(8) in order to provide service.  socketspec is in one
              of two forms: local:path, which creates a UNIX domain socket at the  specified
              path,  or  inet:port[@host] or inet6:port[@host] which creates a TCP socket on
              the specified port for the appropriate protocol family.  If the  host  is  not
              given  as  either a hostname or an IP address, the socket will be listening on
              all interfaces.  This option is mandatory either in the configuration file  or
              on  the command line.  If an IP address is used, it must be enclosed in square
              brackets.

       SoftwareHeader (Boolean)
              Causes opendmarc to add a "DMARC-Filter" header field indicating the  presence
              of  this  filter  in  the path of the message from injection to delivery.  The
              product's name, version, and the job ID are included  in  the  header  field's
              contents.

       SPFIgnoreResults (Boolean)
              Causes  the  filter  to  ignore  any SPF results in the header of the message.
              This is useful if you want the filter to perfrom SPF checks itself, or because
              you don't trust the arriving header.  The default is "false".

       SPFSelfValidate (Boolean)
              Causes  the  filter to perform a fallback SPF check itself when it can find no
              SPF results in the message header.  If SPFIgnoreResults is also set, it  never
              looks for SPF results in headers and always performs the SPF check itself when
              this is set.  The default is "false".

       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
              Log via calls to syslog(3) using the named facility.  The facility  names  are
              the same as the ones allowed in syslog.conf(5).  The default is "mail".

       TemporaryDirectory (string)
              Specifies  the  directory  in  which  temporary  files should be written.  The
              default is /var/tmp.

       TrustedAuthservIDs (string)
              Provides a list of authserv-ids that are to be used  to  identify  Authentica‐
              tion-Results header fields whose contents are to be assumed as valid input for
              the DMARC assessment.  To provide a list, separate values by commas.   If  the
              string  "HOSTNAME"  is  provided,  the name of the host running the filter (as
              returned by the gethostname(3) function) will be used.  Matching against  this
              list is case-insensitive.  The default is to use the value of AuthservID.

       UMask (integer)
              Requests  a specific permissions mask to be used for file creation.  This only
              really applies to creation of the socket when Socket specifies a  UNIX  domain
              socket,  and  to  the  PidFile  (if  any);  temporary files are created by the
              mkstemp(3) function that enforces a specific file mode on creation  regardless
              of the process umask.  See umask(2) for more information.

       UserID (string)
              Attempts to become the specified userid before starting operations.  The value
              is of the form userid[:group].  The process will be assigned all of the groups
              and  primary  group ID of the named userid unless an alternate group is speci‐
              fied.

FILES
       /etc/opendmarc.conf
              Default location of this file.

VERSION
       This man page covers version 1.3.0 of opendmarc.

COPYRIGHT
       Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc(8), sendmail(8)

       RFC4408 - Sender Policy Framework

       RFC5451 - Message Header Field for Indicating Message Authentication Status

       RFC5965 - An Extensible Format for Email Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format

                                 The Trusted Domain Project                opendmarc.conf(5)

opendmarc-check

 # man opendmarc-check
opendmarc-check(8)                 System Manager's Manual                opendmarc-check(8)

NAME
       opendmarc-check - DMARC record check tool

SYNOPSIS
       opendmarc-check domain [domain [...]]

DESCRIPTION
       opendmarc-check  queries  the DNS for a DMARC record for the named domain(s) and then
       translates the content found to a human-readable form.  This can be  used  to  ensure
       that the DMARC policy you have placed in the nameserver is what you intended for oth‐
       ers to see.

VERSION
       This man page covers version 1.3.0 of opendmarc.

COPYRIGHT
       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc.conf(5), opendmarc(8)

                                 The Trusted Domain Project               opendmarc-check(8)

opendmarc-expire

 # man opendmarc-expire
opendmarc-expire(8)                System Manager's Manual               opendmarc-expire(8)

NAME
       opendmarc-expire - OpenDMARC history data expiration tool

SYNOPSIS
       opendmarc-expire [options]

DESCRIPTION
       opendmarc-expire  expires old records from the database that is part of the OpenDMARC
       aggregate reporting feature.

OPTIONS
       --alltables
              Expire records in all tables rather than only the large ones.

       --dbhost=host
              Attempts to connect to the database server on the named host.  The default  is
              "localhost".

       --dbname=name
              Requests  a  connection  to  the database called name.  The default is "opend‐
              marc".

       --dbpasswd=password
              Attempts to authenticate to the database server using the specified  password.
              The default is "opendmarc".

       --dbport=port
              Tries  to  connect  to the database at the specified TCP port.  The default is
              3306.

       --dbuser=user
              Attempts to authenticate to the database server as the  specified  user.   The
              default is "opendmarc".

       --expire=days
              Indicates the number of days of data to keep.  The default is 180.

       --help Prints a usage message and exits.

       --verbose
              Requests verbose output.

       --version
              Prints version number and exits.

VERSION
       This  man page covers the version of opendmarc-expire that shipped with version 1.3.0
       of OpenDMARC.

COPYRIGHT
       Copyright (c) 2012, 2014, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc(8), opendmarc-import(8)

                                 The Trusted Domain Project              opendmarc-expire(8)

opendmarc-import

 # man opendmarc-import
opendmarc-import(8)                System Manager's Manual               opendmarc-import(8)

NAME
       opendmarc-import - OpenDMARC aggregate report data import tool

SYNOPSIS
       opendmarc-import [options]

DESCRIPTION
       opendmarc-import  reads  per-message data recorded by an instance of opendmarc(8) and
       inserts it into an SQL database, for later use by  opendmarc-reports(8)  to  generate
       aggregate reports.

       Records are read from standard input.

OPTIONS
       --dbhost=hostname
              Specifies  the  hostname  on which the SQL server is running.  Defaults to the
              value of the environment variable  OPENDMARC_DBHOST,  or  "localhost"  if  the
              environment variable is not set.

       --dbname=name
              Specifies  the SQL database name to be accessed.  Defaults to the value of the
              environment variable OPENDMARC_DB, or "opendmarc" if the environment  variable
              is not set.

       --dbpasswd=password
              Specifies  the  password for the SQL database to be accessed.  Defaults to the
              value of the environment variable OPENDMARC_PASSWORD, or  "opendmarc"  if  the
              environment variable is not set.

       --dbport=port
              Specifies  the  TCP  port on which the SQL server is expected to be listening.
              Defaults to the value of the environment variable OPENDMARC_PORT, or  3306  if
              the environment variable is not set.

       --dbuser=user
              Specifies  the  SQL  user  to be used to access the database.  Defaults to the
              value of the environment variable OPENDMARC_USER, or "opendmarc" if the  envi‐
              ronment variable is not set.

       --help Prints a help message and terminates.

       --verbose
              Increase the amount of verbosity written to standard output.

       --version
              Print version number and exit.

VERSION
       This  man page covers the version of opendmarc-import that shipped with version 1.3.0
       of OpenDMARC.

COPYRIGHT
       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc(8), opendmarc.conf(5) opendmarc-reports(8)

                                 The Trusted Domain Project              opendmarc-import(8)

opendmarc-importstats

 # man opendmarc-importstats
opendmarc-importstats(8)           System Manager's Manual          opendmarc-importstats(8)

NAME
       opendmarc-importstats - import OpenDMARC statistics/history data

SYNOPSIS
       opendmarc-importstats

DESCRIPTION
       opendmarc-importstats  is  a  fairly  trivial  shell  script,  typically  executed by
       cron(8), that rotates an OpenDMARC statistics/history data file to a unique  filename
       and  then attempts to import it to a local database for later processing by executing
       opendmarc-import(8).  On successful import, the unique file is removed;  on  failure,
       the  script  executes  ls(1)  on the file and exits without removing the unique file.
       The intent of this last step is to cause cron to generate a message to a  responsible
       party so that the failure will be investigated.

VERSION
       This  man  page covers the version of opendmarc-importstats that shipped with version
       1.3.0 of OpenDMARC.

COPYRIGHT
       Copyright (c) 2013, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       cron(8), opendmarc(8), opendmarc-import(8)

                                 The Trusted Domain Project         opendmarc-importstats(8)

opendmarc-params

 # man opendmarc-params
opendmarc-params(8)                System Manager's Manual               opendmarc-params(8)

NAME
       opendmarc-params - OpenDMARC reporting parameters setup tool

SYNOPSIS
       opendmarc-params [options] domain

DESCRIPTION
       opendmarc-params records a specific reporting address for aggregate reports about the
       named domain and flags it as "locked" in the reporting requests  database.   This  is
       done to allow an administrator to force generation of reports and have them sent to a
       specific address regardless of what data may (or may not) be found in the DNS for the
       named domain.

OPTIONS
       --dbhost=host
              Attempts  to connect to the database server on the named host.  The default is
              "localhost".

       --dbname=name
              Requests a connection to the database called name.   The  default  is  "opend‐
              marc".

       --dbpasswd=password
              Attempts  to authenticate to the database server using the specified password.
              The default is "opendmarc".

       --dbport=port
              Tries to connect to the database at the specified TCP port.   The  default  is
              3306.

       --dbuser=user
              Attempts  to  authenticate  to the database server as the specified user.  The
              default is "opendmarc".

       --help Prints a usage message and exits.

       --rua=string
              Sets the reporting URI for the named domain to the specified string.

       --unlock
              Unlocks the record for the named domain.

       --verbose
              Requests verbose output.

       --version
              Prints version number and exits.

VERSION
       This man page covers the version of opendmarc-params that shipped with version  1.3.0
       of OpenDMARC.

COPYRIGHT
       Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc(8), opendmarc-import(8), opendmarc-reports(8)

                                 The Trusted Domain Project              opendmarc-params(8)

opendmarc-reports

 # man opendmarc-reports
opendmarc-reports(8)               System Manager's Manual              opendmarc-reports(8)

NAME
       opendmarc-reports - OpenDMARC aggregate report generation tool

SYNOPSIS
       opendmarc-reports [options]

DESCRIPTION
       opendmarc-reports pulls data from an OpenDMARC database and generates periodic aggre‐
       gate reports.  The database is populated by a running opendmarc-import(8) on  a  mes‐
       sage history file generated by an opendmarc(8) filter as messages arrive and are pro‐
       cessed.  This includes the collection of reporting URIs, which this  script  uses  to
       make reports available to those that request them.

OPTIONS
       --daybound
              Generate  reports  on  day boundaries.  Overrides the value of --interval (see
              below).  --dbhost=hostname Specifies the hostname on which the SQL  server  is
              running.   Defaults to the value of the environment variable OPENDMARC_DBHOST,
              or "localhost" if the environment variable is not set.

       --dbname=name
              Specifies the SQL database name to be accessed.  Defaults to the value of  the
              environment  variable OPENDMARC_DB, or "opendmarc" if the environment variable
              is not set.

       --dbpasswd=password
              Specifies the password for the SQL database to be accessed.  Defaults  to  the
              value  of  the  environment variable OPENDMARC_PASSWORD, or "opendmarc" if the
              environment variable is not set.

       --dbport=port
              Specifies the TCP port on which the SQL server is expected  to  be  listening.
              Defaults  to  the value of the environment variable OPENDMARC_PORT, or 3306 if
              the environment variable is not set.

       --dbuser=user
              Specifies the SQL user to be used to access the  database.   Defaults  to  the
              value  of the environment variable OPENDMARC_USER, or "opendmarc" if the envi‐
              ronment variable is not set.

       --domain=name
              Generates a report (if one is due) for the named domain, rather than  checking
              all of them.

       --help Prints a help message and terminates.

       --interval=secs
              Generates  reports  only  for hosts that have not had a report generated in at
              least the last secs seconds.

       --nodomain=name
              Skips generating a report for the named domain.   Can  be  specified  multiple
              times to skip multiple reporting domains.

       --noupdate
              Suppresses marking the time of the transmission of the report in the database.
              Normally this would be done to prevent  reports  from  being  sent  too  close
              together.

       --smtp-host=host
              Causes  reports  to  be sent by transmitting them using SMTP to the named host
              which can be an IP address or a hostname.  The default is "127.0.0.1".

       --smtp-port=port
              Causes reports to be sent by transmitting them using  SMTP  to  the  specified
              port.  The default is 25.

       --utc  Instructs  the  database to change to the UTC timezone when generating output.
              Otherwise, the database default is used.

       --verbose
              Increase the amount of verbosity written to standard output.

       --version
              Print version number and exit.

VERSION
       This man page covers the version of opendmarc-reports that shipped with version 1.3.0
       of OpenDMARC.

COPYRIGHT
       Copyright (c) 2012, 2014, The Trusted Domain Project.  All rights reserved.

SEE ALSO
       opendmarc(8), opendmarc.conf(5), opendmarc-import(8)

                                 The Trusted Domain Project             opendmarc-reports(8)

Konfiguration

opendmarc

opendmarc.conf

Die Konfiguration von OpenDMARC erfolgt über die Konfigurationsdatei opendmarc.conf im Verzeichnis /etc/opendmarc/.

 # vim /etc/opendmarc/opendmarc.conf
/etc/opendmarc/opendmarc.conf
##
## opendmarc.conf -- configuration file for OpenDMARC filter
##
## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
##
 
##  AuthservID (string)
##      defaults to MTA name
##
##  Sets the "authserv-id" to use when generating the Authentication-Results:
##  header field after verifying a message.  If the string "HOSTNAME" is
##  provided, the name of the host running the filter (as returned by the
##  gethostname(3) function) will be used.  
#
# AuthservID name
# Django : 2014-12-17
AuthservID mx01.nausch.org
 
##  AuthservIDWithJobID { true | false }
##      default "false"
##
##  If "true", requests that the authserv-id portion of the added
##  Authentication-Results header fields contain the job ID of the message
##  being evaluated.
#
# AuthservIDWithJobID false
# Django : 2014-02-17
AuthservIDWithJobID true
 
##  AutoRestart { true | false }
##      default "false"
##
##  Automatically re-start on failures. Use with caution; if the filter fails
##  instantly after it starts, this can cause a tight fork(2) loop.
#
# AutoRestart false
 
##  AutoRestartCount n
##      default 0
##
##  Sets the maximum automatic restart count.  After this number of automatic
##  restarts, the filter will give up and terminate.  A value of 0 implies no
##  limit.
#
# AutoRestartCount 0
 
##  AutoRestartRate n/t[u]
##      default (no limit)
##
##  Sets the maximum automatic restart rate.  If the filter begins restarting
##  faster than the rate defined here, it will give up and terminate.  This
##  is a string of the form n/t[u] where n is an integer limiting the count
##  of restarts in the given interval and t[u] defines the time interval
##  through which the rate is calculated; t is an integer and u defines the
##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
##  value of "10/1h" limits the restarts to 10 in one hour. There is no
##  default, meaning restart rate is not limited.
#
# AutoRestartRate n/t[u]
 
##  Background { true | false }
##      default "true"
##
##  Causes opendmarc to fork and exits immediately, leaving the service
##  running in the background.
#
# Background true
 
##  BaseDirectory (string)
##      default (none)
##
##  If set, instructs the filter to change to the specified directory using
##  chdir(2) before doing anything else.  This means any files referenced
##  elsewhere in the configuration file can be specified relative to this
##  directory.  It's also useful for arranging that any crash dumps will be
##  saved to a specific location.
#
# BaseDirectory /var/run/opendmarc
 
##  ChangeRootDirectory (string)
##      default (none)
##
##  Requests that the operating system change the effective root directory of
##  the process to the one specified here prior to beginning execution.
##  chroot(2) requires superuser access.  A warning will be generated if
##  UserID is not also set.
# 
# ChangeRootDirectory /var/chroot/opendmarc
 
##  CopyFailuresTo (string)
##      default (none)
##
##  Requests addition of the specified email address to the envelope of
##  any message that fails the DMARC evaluation.
#
# CopyFailuresTo postmaster@localhost
 
##  DNSTimeout (integer)
##      default 5
## 
##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
##  (NOT YET IMPLEMENTED)
#
# DNSTimeout 5
 
##  EnableCoredumps { true | false }
##      default "false"
##
##  On systems that have such support, make an explicit request to the kernel
##  to dump cores when the filter crashes for some reason.  Some modern UNIX
##  systems suppress core dumps during crashes for security reasons if the
##  user ID has changed during the lifetime of the process.  Currently only
##  supported on Linux.
#
# EnableCoreDumps false
 
##  FailureReports { true | false }
##      default "false"
##
##  Enables generation of failure reports when the DMARC test fails and the
##  purported sender of the message has requested such reports.  Reports are
##  formatted per RFC6591.
# 
# FailureReports false
# Django : 2014-12-17
FailureReports true
 
##  FailureReportsBcc (string)
##      default (none)
##
##  When failure reports are enabled and one is to be generated, always
##  send one to the address(es) specified here.  If a failure report is
##  requested by the domain owner, the address(es) are added in a Bcc: field.
##  If no request is made, they address(es) are used in a To: field.  There
##  is no default.
# 
# FailureReportsBcc postmaster@example.coom
 
##  FailureReportsOnNone { true | false }
##      default "false"
##
##  Supplements the "FailureReports" setting by generating reports for
##  domains that advertise "none" policies.  By default, reports are only
##  generated (when enabled) for sending domains advertising a "quarantine"
##  or "reject" policy.
# 
# FailureReportsOnNone false
 
##  FailureReportsSentBy string
##      default "USER@HOSTNAME"
##
##  Specifies the email address to use in the From: field of failure
##  reports generated by the filter.  The default is to use the userid of
##  the user running the filter and the local hostname to construct an
##  email address.  "postmaster" is used in place of the userid if a name
##  could not be determined.
# 
# FailureReportsSentBy USER@HOSTNAME
# Django : 2014-12-17
FailureReportsSentBy dmarc-admin@nausch.org
 
##  HistoryFile path
##      default (none)
##
##  If set, specifies the location of a text file to which records are written
##  that can be used to generate DMARC aggregate reports.  Records are groups
##  of rows containing information about a single received message, and
##  include all relevant information needed to generate a DMARC aggregate
##  report.  It is expected that this will not be used in its raw form, but
##  rather periodically imported into a relational database from which the
##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
#
HistoryFile /var/run/opendmarc/opendmarc.dat
 
##  IgnoreAuthenticatedClients { true | false }
##      default "false"
##
##  If set, causes mail from authenticated clients (i.e., those that used
##  SMTP AUTH) to be ignored by the filter.
#
# IgnoreAuthenticatedClients false
 
##  IgnoreHosts path
##      default (internal)
##
##  Specifies the path to a file that contains a list of hostnames, IP
##  addresses, and/or CIDR expressions identifying hosts whose SMTP
##  connections are to be ignored by the filter.  If not specified, defaults
##  to "127.0.0.1" only.
#
# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
# Django : 2014-12-17
IgnoreHosts /etc/opendmarc/ignore.hosts
 
##  IgnoreMailFrom domain[,...]
##      default (none)
##
##  Gives a list of domain names whose mail (based on the From: domain) is to
##  be ignored by the filter.  The list should be comma-separated.  Matching
##  against this list is case-insensitive.  The default is an empty list,
##  meaning no mail is ignored.
#
# IgnoreMailFrom example.com
 
##  MilterDebug (integer)
##      default 0
##
##  Sets the debug level to be requested from the milter library.
#
# MilterDebug 0
# Django : 2014-12-17
MilterDebug 5
 
##  PidFile path
##      default (none)
##
##  Specifies the path to a file that should be created at process start
##  containing the process ID.
##
#
# PidFile /var/run/opendmarc/opendmarc.pid
 
##  PublicSuffixList path
##      default (none)
##
##  Specifies the path to a file that contains top-level domains (TLDs) that
##  will be used to compute the Organizational Domain for a given domain name,
##  as described in the DMARC specification.  If not provided, the filter will
##  not be able to determine the Organizational Domain and only the presented
##  domain will be evaluated.
#
# PublicSuffixList path
 
##  RecordAllMessages { true | false }
##      default "false"
##
##  If set and "HistoryFile" is in use, all received messages are recorded
##  to the history file.  If not set (the default), only messages for which
##  the From: domain published a DMARC record will be recorded in the
##  history file.
#
# RecordAllMessages false
 
##  RejectFailures { true | false }
##      default "false"
##
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
#
# RejectFailures false
 
##  ReportCommand string
##      default "/usr/sbin/sendmail -t"
##
##  Indicates the shell command to which failure reports should be passed for
##  delivery when "FailureReports" is enabled.
#
# ReportCommand /usr/sbin/sendmail -t
 
##  RequiredHeaders { true | false }
##      default "false"
##
##  If set, the filter will ensure the header of the message conforms to the
##  basic header field count restrictions laid out in RFC5322, Section 3.6.
##  Messages failing this test are rejected without further processing.  A
##  From: field from which no domain name could be extracted will also be
##  rejected.
#
# RequiredHeaders false
 
##  Socket socketspec
##      default (none)
##
##  Specifies the socket that should be established by the filter to receive
##  connections from sendmail(8) in order to provide service.  socketspec is
##  in one of two forms: local:path, which creates a UNIX domain socket at
##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
##  a TCP socket on the specified port for the appropriate protocol family.
##  If the host is not given as either a hostname or an IP address, the
##  socket will be listening on all interfaces.  This option is mandatory
##  either in the configuration file or on the command line.  If an IP
##  address is used, it must be enclosed in square brackets.
#
# Socket inet:8893@localhost
# Django : 2014-12-17
Socket inet:8893@localhost
 
##  SoftwareHeader { true | false }
##      default "false"
##
##  Causes the filter to add a "DMARC-Filter" header field indicating the
##  presence of this filter in the path of the message from injection to
##  delivery.  The product's name, version, and the job ID are included in
##  the header field's contents.
#
# SoftwareHeader false
# Django : 2014-12-17
SoftwareHeader true
 
##  SPFIgnoreResults { true | false }
##      default "false"
##
##  Causes the filter to ignore any SPF results in the header of the
##  message.  This is useful if you want the filter to perfrom SPF checks
##  itself, or because you don't trust the arriving header.
#
# SPFIgnoreResults false
 
##  SPFSelfValidate { true | false }
##      default false
##
##  Enable internal spf checking with --with-spf
##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
##
##  Causes the filter to perform a fallback SPF check itself when
##  it can find no SPF results in the message header.  If SPFIgnoreResults
##  is also set, it never looks for SPF results in headers and
##  always performs the SPF check itself when this is set.
#
# SPFSelfValidate false
 
##  Syslog { true | false }
##      default "false"
##
##  Log via calls to syslog(3) any interesting activity.
#
# Syslog false
# Django : 2014-12-17
Syslog true
 
##  SyslogFacility facility-name
##      default "mail"
##
##  Log via calls to syslog(3) using the named facility.  The facility names
##  are the same as the ones allowed in syslog.conf(5).
#
# SyslogFacility mail
 
##  TemporaryDirectory path
##      default /var/tmp
##
##  Specifies the directory in which temporary files should be written.
#
# TemporaryDirectory /var/tmp
 
##  TrustedAuthservIDs string
##      default HOSTNAME
##
##  Specifies one or more "authserv-id" values to trust as relaying true
##  upstream DKIM and SPF results.  The default is to use the name of
##  the MTA processing the message.  To specify a list, separate each entry
##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
##  the host running the filter as reported by the gethostname(3) function.
#
# TrustedAuthservIDs HOSTNAME
 
 
##  UMask mask
##      default (none)
##
##  Requests a specific permissions mask to be used for file creation.  This
##  only really applies to creation of the socket when Socket specifies a
##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
##  files are normally created by the mkstemp(3) function that enforces a
##  specific file mode on creation regardless of the process umask.  See
##  umask(2) for more information.
#
# UMask 077
# Django : 2014-12-17
UMask 007
 
##  UserID user[:group]
##      default (none)
##
##  Attempts to become the specified userid before starting operations.
##  The process will be assigned all of the groups and primary group ID of
##  the named userid unless an alternate group is specified.
#
# UserID opendmarc
# Django : 2014-12-17
#UserID opendmarc:dmarc

ignore.hosts

 # vim /etc/opendmarc/ignore.hosts
/etc/opendmarc/ignore.hosts
#  Specifies a file that contains a list of hostnames, IP addresses and/or
#  CIDR expressions identifying hosts whose SMTP connections are to be 
# ignored by the filter.  If not specified, defaults
#  to "127.0.0.1" only.
127.0.0.1

Public Suffix List

Im RFC 7489 wird die optionale Verwendung einer Public Suffix List im Kapitel Appendix A.6.1 beschrieben. Wir werden dieser Konfigurationsoption nun entsprechend aktivieren.

Zuvor holen wir uns aber erst einmal diese Liste von der Webseite Public Suffix List der Mozilla Foundation herunter.

 # wget --no-check-certificate -q -N https://publicsuffix.org/list/effective_tld_names.dat -O /etc/opendmarc/effective_tld_names.dat

In unregelmäßigen Abständen, meist mehrmals pro Monat, wird diese Liste aktualisiert. Damit wir nun nicht händisch für die Aktualität dieser Liste sorgen müssen, legen wir uns einen kleinen cronjob an, der 1x pro Woche ausgeführt werden soll.

 # vim /etc/cron.weekly/update_PublicSuffixList
/etc/cron.weekly/update_PublicSuffixList
#!/bin/bash
# Script zum Aktualisieren der Public Suffix List für opendmarc
# Django <django@nausch.org> (c) 2015
#
/user/bin/wget --no-check-certificate -q -N https://publicsuffix.org/list/effective_tld_names.dat -O /etc/opendmarc/effective_tld_names.dat

Was nun noch fehlt, ist die Aktivierung dieser Option in der Konfigurationsdatei von opendmarc.

 # vim /etc/opendmarc.conf
/etc/opendmarc.conf
...
 
##  PublicSuffixList path
##      default (none)
##
##  Specifies the path to a file that contains top-level domains (TLDs) that
##  will be used to compute the Organizational Domain for a given domain name,
##  as described in the DMARC specification.  If not provided, the filter will
##  not be able to determine the Organizational Domain and only the presented
##  domain will be evaluated.
#
# Django : 2015-12-10
# default: unset
PublicSuffixList /etc/opendmarc/effective_tld_names.dat
 
...

Zum Aktivieren der Public Suffix List brauchen wir dann nur noch den Daemon 1x durchstarten.

 # systemctl restart opendmarc.service

mysql Konfiguration

Eigentlich könnten wir nun schon unseren DMARC-Daemon starten. Jedoch wollen wir noch kurz die nötige mySQL-Datenbank anlegen, damit der Daemon die gewünschten aufbereiteten Statiskdaten und forensischen Berichte generieren und dann per eMail verschicken kann.

Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an.

 # mysql -h localhost -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1942
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Dort legen wir als aller erst einmal eine Datenbank mit dem Namen opendmarc an.

 mysql> CREATE DATABASE opendmarc;

Anschließend legen wir uns dann einen Datenbankuser an, dem wir entsprechende Rechte an der Datenbank opendmarc einräumen.

 mysql> CREATE USER 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
Query OK, 0 rows affected (0.00 sec)
 mysql> CREATE USER 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
Query OK, 0 rows affected (0.00 sec)

Anschließend setzen wir noch die Nutzerberechtigungen unseres Datenbanknutzers opendmarc_user für die Datenbank opendmarc

 mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.00 sec)

Zur Aktivierung weisen wir nun noch die Berechtigungen zu:

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

Abschließend melden wir uns wieder von unserem Datenbankhost ab.

mysql> quit
Bye

Bevor wir die benötigten Tabellen anlegen, testen wir noch, ob der Zugriff von unserem Mail- bzw. Datenimportserver funktioniert.

 # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2889
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
 mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| opendmarc          |
+--------------------+
2 rows in set (0.00 sec)
 mysql> quit
Bye

Mit Hilfe der Datei /usr/share/doc/opendmarc-1.3.0/schema.mysql legen wir nun abschließend die Tabellen in der Datenbank opendmarc an.

 # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p < /usr/share/doc/opendmarc-1.3.0/schema.mysql

Auch hier können wir uns bei Bedarf noch überprüfen, welche Tabellen angelegt wurden.

 # mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2933
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
 mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| opendmarc          |
+--------------------+
2 rows in set (0.00 sec)

mysql>
 mysql> use opendmarc;
Database changed
mysql>
 mysql> show tables;
+---------------------+
| Tables_in_opendmarc |
+---------------------+
| domains             |
| ipaddr              |
| messages            |
| reporters           |
| requests            |
| signatures          |
+---------------------+
6 rows in set (0.00 sec)

mysql>
 mysql> quit
Bye

dbCollecting User einrichten

Nicht immer möchte oder kann man von seinem oder seinen Mailservern eine Verbindung zum Datenbankhost ermöglichen. Um jetzt nicht von jedem einzelnen MX-Server einzurichten, verwenden wir einen User, den wir zum Einsammeln der Daten degradieren.

Wir legen uns nun unseren Nutzer an. Als UID und GID verwenden wir eine entsprechend freie Nummer, die wir entsprechend vorher abprüfen.

 # grep 989 /etc/group
 # grep 989 /etc/passwd

Anschließend legen wir uns unseren User an.

 # groupadd -g 989 dmarc && useradd dmarc -c "DMARC" -g 989 -u 989 -m

Anschließend erzeugen wir uns noch einen entsprechenden SSH-Key und verteilen diesen auf unseren Mailservern. Entsprechende Schritte sind im Wiki hier beschrieben.

dbCollecting Script anlegen

Zum Einsammeln der Statistikdaten legen wir uns nun ein einfaches Shellscript an.

 # vim /root/bin/dmarc-report>
/root/bin/dmarc-report
#!/bin/sh 
# Script zum Importieren der DMARC-Daten aus dem lokalen cache-Datei in die mySQL Datenbank
# und Generieren der DMARC-reports 
# Das Script wird um 03:33 Uhr via cronjob aufgerufen.
#
# crontab
# einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen.
# 33 3 * * * /usr/local/bin/dmarc-report 1>/dev/null 2>&1
#
# Django : 2014-03-20 
 
WORKDIR="/home/dmarc/"
WORKFILE="opendmarc_all_hosts.dat"
SSHKEYFILE=".ssh/id_rsa"
MXHOSTS="mx01.nausch.org mx02.nausch.org mx03.nausch.org"
DBFILE="opendmarc.dat"
DBHOST="mysql.dmz.nausch.org"
DBPORT="3306"
DBUSER="opendmarc_user"
DBPASSWD="ALLHs6blVwd8eHoSk2J3WZsT"
DBNAME="opendmarc"
 
# DMARC Datenfile von den Mailservern abholen
cd $WORKDIR
for HOST in $MXHOSTS; do
    scp -i $WORKDIR$SSHKEYFILE dmarc@${HOST}:/var/run/opendmarc/$DBFILE ${HOST}.dat
    ssh -i $WORKDIR$SSHKEYFILE dmarc@${HOST} "/bin/cat /dev/null > /var/run/opendmarc/$DBFILE"
    cat ${HOST}.dat >> $WORKFILE
done
 
# DMARC Daten in die mySQL-Datenbank opendmarc schreiben
/usr/sbin/opendmarc-import --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
  --dbpasswd=$DBPASSWD < $WORKDIR$WORKFILE 
 
# DMARC Statistik-Report erstellen
/usr/sbin/opendmarc-reports --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
  --dbpasswd=$DBPASSWD --verbose --interval=86400 --report-email 'postmaster@nausch.org' --report-org 'nausch.org'
 
# DMARC Datenbank aufräumen, Datensätze die älter als 90 Tage sind werden gelöscht
/usr/sbin/opendmarc-expire --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \
  --dbpasswd=$DBPASSWD --verbose --expire=90 
 
# Work-Verzeichnis wieder aufräumen
cd $WORKDIR
rm $WORKDIR*.dat -rf

Anschließen setzen wir die Ausführungsrechte unseres neuen Scriptes.

 # chmod +x /root/bin/dmarc-report

Zu guter Letzt aktivieren wir dann noch einen Cronjob für die tägliche Ausführung.

 # crontab -e
...
 
# Django : 2014-03-20
# einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen.
33 3 * * * /root/bin/dmarc-report 1>/dev/null 2>&1
 
...

Postfix

In der Konfigurationsdatei main.cf unseres Postfix-Mailserver definieren wir uns nun eine eigene Variable, die wir dann in der Datei /etc/postfix/master.cf dann verwenden wollen. Wir tragen also nun in der Section MILTER nachfolgende Zeilen ein.

 # vim /etc/postfix/main.cf
/etc/postfix/main.cf
...
 
################################################################################
## MILTER
# Django : 2014-11-18
# DMARC Test
spf_milter       = inet:127.0.0.1:8890
opendkim_milter  = inet:127.0.0.1:8891
opendmarc_milter = inet:127.0.0.1:8893
amavisd_milter   = inet:10.0.0.67:8899
...

In der Konfigurationsdatei /etc/postfix/master.cf legen wir nun fest, dass bei der Annahme auf Port 25 unser gerade definierte smf-spf-milter verwendet werden soll.

 # vim /etc/postfix/master.cf
...

smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
  -o smtpd_milters=${spf_milter},${opendkim_milter},${opendmarc_milter},${amavisd_milter}
  -o smtpd_sasl_auth_enable=no
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlspr

Programmstart

Das Starten des Daemon erfolgt über folgenden Aufruf.

 # systemctl start opendmarc

Den erfolgreichen Start bzw. den Status des smf-spf-Daemon können wir bei Bedarf mit folgendem Aufruf abfragen.

 # systemctl status opendmarc
opendmarc.service - opendmarc - DMARC email policy filter for MTAs.
   Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; disabled)
   Active: active (running) since Wed 2014-12-17 20:58:56 CET; 1h 45min ago
 Main PID: 2370 (opendmarc)
   CGroup: /system.slice/opendmarc.service
           └─2370 /usr/sbin/opendmarc -f -c /etc/opendmarc/opendmarc.conf

Dec 17 20:58:56 vml000087.dmz.nausch.org systemd[1]: Starting opendmarc - DMARC email policy filter for MTAs....
Dec 17 20:58:56 vml000087.dmz.nausch.org systemd[1]: Started opendmarc - DMARC email policy filter for MTAs..
Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: OpenDMARC Filter: Opening listen socket on conn inet:8893@localhost
Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: OpenDMARC Filter v1.3.0 starting (args: -f -c /etc/opendmarc/opendmarc.conf)
Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: trusted authentication services: mx01.nausch.org

Im Maillog wird der Start des Daemon entsprechend dokumentiert.

 # less /var/log/maillog
 Dec 17 22:45:08 vml000087 opendmarc[2912]: OpenDMARC Filter: Opening listen socket on conn inet:8893@localhost
 Dec 17 22:45:08 vml000087 opendmarc[2912]: OpenDMARC Filter v1.3.0 starting (args: -f -c /etc/opendmarc/opendmarc.conf)
 Dec 17 22:45:08 vml000087 opendmarc[2912]: trusted authentication services: mx01.nausch.org

Mit Hilfe von netstat können wir überprüfen, ob der Port 8893 geöffnet wurde.

 # netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          37485      2476/master         
tcp        0      0 127.0.0.1:8890          0.0.0.0:*               LISTEN      993        24732      1441/smf-spf        
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      991        25040      1680/opendkim       
tcp        0      0 127.0.0.1:8893          0.0.0.0:*               LISTEN      0          40337      2912/opendmarc

Gleiches können wir natürlich auch mit dem Befehl lsof erreichen.

 # lsof -i:8893
 COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
 opendmarc 2912 root    4u  IPv4  40337      0t0  TCP localhost:ddi-tcp-6 (LISTEN)

Damit der Daemon automatisch beim Hochfahren des Servers gestartet wird, nutzen wir folgenden Aufruf.

 # systemctl enable opendmarc.service
 ln -s '/usr/lib/systemd/system/opendmarc.service' '/etc/systemd/system/multi-user.target.wants/opendmarc.service'

Wollen wir überprüfen ob der Dienst automatisch startet, verwenden wir folgenden Aufruf.

 # systemctl is-enabled opendmarc.service
 enabled

Die Rückmeldung enabled zeigt an, dass der Dienst automatisch startet; ein disabled zeigt entsprechend an, dass der Dienst nicht automatisch startet.

Logging / Mailheader

Im Maillog werden entsprechend unserer zuvor festgelegten Konfiguration, vom DMARC-Daemon logeinträge erzeugt. Folgender Logeintrag zeigt einen erfolgreiche DMARC-Überprüfung.

Mar 23 22:46:01 vml000080 opendmarc[25914]: C198981: gmail.com pass

Im Mailheader der Nachricht, wird dies auch entsprechend vermerkt.

DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org C198981
Authentication-Results: mx01.nausch.org/C198981; dmarc=pass header.from=gmail.com

Hat der Domainbetreiber keinen DMARC-Eintrag im DNS hinterlegt, sieht die betreffende Zeile im Maillog entsprechend so aus.

Mar 19 00:22:36 vml000080 opendmarc[14508]: D9B6D83: piratenpartei-bayern.de none

Auch dies wird im Mailheader entsprechend vermerkt.

DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org D9B6D83
Authentication-Results: mx01.nausch.org/D9B6D83; dmarc=none header.from=piratenpartei-bayern.de


FIXME … do geds weida!

1)
Domain-based Message Authentication, Reporting & Conformance
2)
Sender Policy Framework
3)
DomainKeys Identified Mail
4)
The Internet Engineering Task Force
5)
Stand Dezember 2014
6)
Mail-Filter
7)
Authentication Failure Reporting Format
8)
Incident Object Description Exchange Format