Dies ist eine alte Version des Dokuments!

Artikel befindet sich gerade in der Bearbeitung!

DMARC - Domain-based Message Authentication, Reporting & Conformance unter CentOS 7.x

DMARC¹⁾ ist an sich kein eigenständiger Prozess in der eMail-Verarbeitung, vielmehr erweitert DMARC auf die beiden Techniken SPF²⁾ und DKIM³⁾. DMARC ergänzt somit DKIM und SPF, ohne die DMARC nicht funktionieren kann. Hinweise zu DMARC findet man bei auch auf der Webseite von DMARC.org, oder im Entwurf der Network Working Group, die der ITF⁴⁾ Anfang 2012 zur Prüfung vorgelegt wurde.

Obwohl DMARC aktuell noch als Entwurf gilt, wird laut den Angaben der aktuellen DMARC-Präsentation aus 2014 bereits mehr als 60% der weltweiten eMail-Postfächer mit Hilfe von DMARC geschützt.

Die weltgößten eMail-Provider setzen auf DMARC, wie z.B.:

GMail, Yahoo, AOL, Comcast, oder Outlook.com
Mail.ru (größter eMail-Provider in Russland)
NetEase (größter eMail-Provider in China)
XS4All (größter eMail-Provider in den Niederlanden)

Alles gute Gründe, sich dem Thema DMARC dennoch intensiver zu widmen!

Bei DMARC kann definiert werden, wie ein empfangender Mailserver Nachrichten behandeln und verarbeiten soll, insbesondere mit Hinblick auf die Bewertung der Versandberechtigung des einliefernden Mailservers (SPF) und der nicht veränderten Nachricht (DKIM). Fällt eine oder beide Überprüfungen negativ aus, definiert DMARC, ob die eMail in Quarantäne gestellt, die Annahme der eMail abgelehnt (reject) oder eben dennoch zugestellt werden soll.

Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf.

<uml width=900 title=„DMARC - Verarbeitungsschritte einer eMail“> skinparam defaultFontName Courier state „Absender Klaus generiert eMail“ as sender sender : ——————————————- sender : From: klaus@tachtler.net sender : To: michael@nausch.org sender : Subject: Gratulation! sender : Date: Thu, 20 Mar 2014 18:40:18 +0100 sender : ——————————————- sender : Nachrichtentext

state Mailserver_des_Absenders {

state "Mail-Eingang" as smtpd_a
smtpd_a : Annahme der eMail
smtpd_a : nach SPAM- und 
smtpd_a : Viren-Überprüfung

state "DKIM-Signatur" as dkim_sig
dkim_sig : Einfügen der DKIM
dkim_sig : Signatur (Mailheader
dkim_sig : und Mailbody) im
dkim_sig : Header der eMail

state "Mail-Ausgang" as smtp_a
smtp_a : Versand der eMail
smtp_a : zum eMail-Server (MTA)
smtp_a : des Empfängers

}

state Mailserver_des_Empfängers {

state "Mail-Eingang" as smtpd_b
smtpd_b : Bewertung der eMail
smtpd_b : mit Hilfe von Blacklists  
smtpd_b : und greylisting

state "SPAM- und Virenüberprüfung" as amavis1
amavis1 : Bewertung der eingehenden Nachricht
amavis1 : durch SPAM- und/oder Virenfilter

state "SPAM- und Virenüberprüfung" as amavis2
amavis2 : Bewertung der eingehenden Nachricht
amavis2 : durch SPAM- und/oder Virenfilter

state "Mail-Quarantäne" as quarantäne
quarantäne : Bestätigung (250) der Annahme an den
quarantäne : sendenen Mailserver und Einstellung
quarantäne : der Nachricht in die MAIL-Quarantäne

state "Annahme der eingehenden Nachricht" as imap
imap : Bestätigung (250) der Annahme an den
imap : sendenen Mailserver und Zustellung 
imap : der Nachricht in die INBOX des Empfängers

state "REJECT der eMail" as reject
reject : Annahme der eMail verweigern
reject : Rückmeldecode 500 an den
reject : einliefernden Mailserver

state DMARC_Überprüfungen {
  state "DKIM-Signatur" as dkim_val
  dkim_val : Überprüfen der vorhandenen
  dkim_val : DKIM-Signatur im Mailheader
  dkim_val : der eingehenden Nachricht

  state "SPF-Validierung" as spf_check
  spf_check : Überprüfung ob der
  spf_check : Versendene Mailserver  
  spf_check : zum Mailversand der 
  spf_check : Maildomäne berechtigt ist

  state "Anwenden der DMARC-Policy" as dmarc_check
  dmarc_check : Bewertung der Legitimität
  dmarc_check : der eingehenden Nachricht   
  dmarc_check : an Hand der DMARC-Policy
  dmarc_check : des absendenden Mailservers
}

state DMARC_Ergebnis_Reports {
  state Report_aggregat {
    state "DMARC Check" as ok
    ok : Test O.K.
    ok : DMARC-policy -> Zustellung
  }

  state Report_forensic {
    state "DMARC Check" as nok1
    nok1 : Test nicht O.K.!
    nok1 : DMARC-policy -> Quarantäne

    state "DMARC Check" as nok2
    nok2 : Test nicht O.K.!
    nok2 : DMARC-policy -> REJECT
  }
}

}

sender -down→ smtpd_a smtpd_a -left→ dkim_sig dkim_sig -left→ smtp_a smtp_a -down→ smtpd_b smtpd_b -right→ dkim_val dkim_val -right→ spf_check spf_check -right→ dmarc_check dmarc_check –> ok ok –> amavis1 dmarc_check –> nok1 dmarc_check –> nok2

amavis1 –> imap

nok1 –> amavis2 amavis2 –> quarantäne

nok2 –> reject

note left of smtpd_b

Standard Validierungs-
Überprüfung, wie z.B.
IP-Blacklists, greylisting
und policyd-weight
und ggf. weiteren Filtern

end note

note left of DMARC_Überprüfungen

Abfrage des DKIM public-keys 
("DKIM"-TXT-Record) und der
berechtigten Sender der Mail-
Domäne ("SPF"-/TXT-Record) 
beim zuständigen Nameserver  
der Absendedomäne

end note

note right of dmarc_check

Abfrage der DMARC-Policy  
des absendenden Mail-
Servers durch Abfrage 
des DMARC-/TXT-Record 
beim zuständigen 
Nameserver

end note

note right of Report_aggregat

regelmäßig aggregierter
Bericht an den im DMARC-
Record hinterlegten
"rua=mailto"-Adresse des 
Mailserverbetreibers des 
Absender-Mailservers

end note

note left of Report_forensic

regelmäßiger forensischer 
Bericht an den im DMARC-Record 
hinterlegten "ruaf=mailto"-
Adresse des Mailserver-
betreibers des Absender-
Mailservers

end note

</uml>

Auch wenn DMARC noch immer im Status DRAFT⁵⁾ ist, macht es doch Sinn, sich mit DMARC näher zu beschäftigen!

Möchten wir DMARC bei unserem Mailserver einsetzen, ist es wichtig, dass alle drei Komponenten via Milter⁶⁾ an unseren Postfix-Mailserver angebunden werden. Nur so stehen dem DMARC-Daemon alle relevanten Headerinformationen zur Bewertung zur Verfügung.

Wir setzen daher bei unserer Installation jeweils folgende Pakete ein:

SPF smf-spf aus Djangos-Repository
DKIM opendkim aus dem EPEL
DMARC opendmarc aus Djangos-Repository

Die Installation von SPF-Milter ist im Kapitel SPF - Sender Policy Framework und OpenDKIM-Milter im Kapitel DKIM - Domain Key Identified Mail genauer beschrieben.

Mit Hilfe des DMARC Record Assistant kann man sich sehr leicht und einfach den nötigen DMARC-Record generieren lassen, den man dann über einen TXT-Record der Subdomain _dmarc in seinem DNS einträgt. Im Kapitel 6.2. General Record Format des DMARC Standardisierungs-Entwurf ist die

Als Beispiel sehen wir uns nun den aktuellen DMARC-Record von nausch.org an, den wir u.a. mit dem Aufruf des Befehls host vom DNS-Server abfrsagen können.

 # host -t TXT _dmarc.nausch.org

_dmarc.nausch.org descriptive text "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"

Die einzelnen Werte haben nun folgende Bedeutung.

Parameter	Art	Wert	Bedeutung
v	Plaintext; REQUIRED	DMARC1	Identifiziert den Datensatz als DMARC-Record. Der Parameter muss als erster wert im DMARC-Record gesetzt sein. Fehlt dieser ist der gesamte DMARC-Record zu verwerfen!
p	Plaintext; REQUIRED	reject	Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers verwerten soll. Diese gilt auch für die Subdomains, sofern für diese mit dem Parameter sp keine separate Definition vorliegt. Mögliche Werte sind: none : Der Domaininhaber hat keine Vorgaben zur Verabeitung/Zustellung der eMails. quarantine : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, als verdächtig gewertet werden sollen. Abhängig vom Empfänger können diese als verdächtig markiert werden, mit weiteren/zusätzlichen SPAM prüfungen zu belegen ist, oder in einen SPAM-Ordner verschoben werden soll. reject : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, rejected, also nicht angenommen werden sollen. Dies sollte, wenn möglich, noch während des SMTP-Dialogs passieren.
sp	Plaintext;OPTIONAL	reject	Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers einer Subdomäne verwerten soll. Der Parameter beschreibt nur die abgefragte Subdomäne, nicht die Domäne an sich! Der Syntax entspricht dem Parameter p. Wird der Paramter sp nicht gesetzt, gelten die Definitionen des Parameters p auch für alle Subdomänen.
rua	Kommaseparierte plain-text Liste von DMARC URIs; OPTIONAL	mailto:postmaster@nausch.org	Der Domaininhaber wünscht, per eMail mit aufbereiteten Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten.
ruf	Kommaseparierte Plaintext Liste von DMARC URIs; OPTIONAL	mailto:django@nausch.org	Der Domaininhaber wünscht, per eMail mit detailierten forensischen Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten.
adkim	Plaintext; OPTIONAL; Default = relaxed	r	Definiert, wie konservativ das Ergebnis der DKIM-Signaturprüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt.
aspf	Plaintext; OPTIONAL; Default = relaxed	r	Definiert, wie konservativ das Ergebnis der SPF-Prüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt.
pct	Plaintext/Zahlenwert zwischen 0 und 100; OPTIONAL; Default = 100	100	Der Domaininhaber wünscht, daß der angegebene Prozentwert an Nachrichten von den DMARC-Prüfungen benutzt werden soll. Der Wert beschreibt nicht das Verhältnis in den DMARC-Reports.
rf	Kommaseparierte Plaintext Liste; OPTIONAL; Default = afrf	afrf	Der Domaininhaber wünscht, dass die aufbereiteten forensischen Prüfberichte im Format AFRF⁷⁾ oder IODEF⁸⁾ zu erhalten, wenn sowohl der DKIM- wie auch der SPF-Test negativ ausfällt.
ri	Plaintext; OPTIONAL; Default = 86400	86400	Der Domaininhaber wünscht, dass die aufbereiteten Statistik- und Forensikdaten spätestens alle „n“ Sekunden verschickt werden sollen.

Nach Erstellung des DMARC-Records von Hand oder über den DMARC Record Assistant, tragen wir demnach bei unserem zuständigen DNS entsprechenden eigenen und richtigen Daten ein.

 _dmarc.nausch.org                        IN      TXT     "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"

Über die URL OTA Query Tool for SPF & DMARC Records der Online trust Alliance kann man online bei Bedarf testen, ob der DMARC-Eintrag soweit richtig ist.

Mit Hilfe der DMARC Inspectors kann man (s)einen DMARC-Record testen und sich die Optionen die der Domaininhaber gesetzt hat, beschreiben lassen. Möchte man seinen SPF-Record testen lassen, steht einem der SPF Surveyor zur Verfügung.

Zu guter Letzt kann mit dem DKIM Key Checker der, im DNS hinterlegte, DKIM-Schlüssel einer Domäne getestet werden.

Möchte man dann noch testen, ob der eigene Mailserver alle Voraussetzungen für eine DMARC-policy hat, schickt man einfach eine „leere eMail“ an checkmyauth@auth.returnpath.net, so erhält man anschließen einen ausführlichen Prüfbericht.

From: "Return Path" <noreply@returnpath.net>
Subject: Return Path DKIM/SPF Reflector Report
Date: Fri, 21 Mar 2014 03:58:12 -0600 (MDT)
To: undisclosed-recipients:;

Return Path DKIM/SPF Reflector Report
=====================================
Source IP = 217.91.103.190
Mail From = django@nausch.org

Identity Alignment Results
==========================
SPF Domain Alignment Result = PASS
	The From domain 'nausch.org' is an exact match with the SPF domain 'nausch.org'.
	Note that the alignment policy is set to relaxed in your DMARC record.

DKIM Domain Alignment Results:
	Result for DNS Record: 140224._domainkey.nausch.org = PASS
	The From domain 'nausch.org' is an exact match with the DKIM domain 'nausch.org'.
	Note that the alignment policy is set to relaxed in your DMARC record.

DKIM Results
============
Result = pass
Domain = nausch.org
Selector = 140224
DNS Record(s) =
	140224._domainkey.nausch.org TXT v=DKIM1; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuJ3/CruOs3fCU0ujOStcNN85TJh+5HvMa9m99C5XuRBlxOr+fp5BeIEtiPO0szKvvPojwrueCq0oOuEzjR/i2ObpRkzKRUXmAa0qVezUZwQIbKeiuKII0PnpQclDrmQrzSXcQWPT57tkPg17Q9WamFUUaHeN3+pVGtMyjYekRaAoRlV+a1gD111kXMPhiaFTMIncoRBS/gYN8FjfekH+ezqbLHLB8DLJQBZEGUILvJjAHX0722XyqYtkn1qfv63nPRGw/qqAW1072Gchq4ZS4ZPQ89SrK4KcHt/XptSlztXMWtmRFQriHdvbjr1Fx7ZwXdTQ+ik2AUZLMdhMrQe6/1GujQiMD6po81NpYbrjnfd+QF4sUbus4wPQKVNzsctiuzGlWsFexSHP4dAZtKnImJhVDnzZODQy0nSafedlr5g4VR36vgm0YPWjSyRNnC/APHyw0DtHIrzTqfKuDeGv80uMPbEdujrw9gLbK3H8ow42iTicmgPgT3J5j70ZOo4o4FMtpZ/AEQw+VnWpSfw7bkMjufLc29XHbtp22wfgq2Lmarr3+psaHokFaQrImkMbzdSL9CdabkLptanAilLScvq8UaKVC+G1+vHDgaweq3BhXD5+YcJnJlp4msUqqxGYlnx4RSvv8PipMU2DsVFbNJSH5NJuS7GuzplNg+f20ysCAwEAAQ==
	Public Key Length = 4096

DomainKeys Results
==================
No DomainKeys signature(s) found.

SPF Results
===========
Result = pass
Domain = nausch.org
DNS Record(s) =
	nausch.org TXT v=spf1 ip4:217.91.103.190/32 mx ?all

DMARC Results
=============
Domain = _dmarc.nausch.org
DNS Record = 
	_dmarc.nausch.org TXT v=DMARC1; p=reject; rua=mailto:postmaster@nausch.org; ruf=mailto:django@nausch.org; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject

DMARC Record Validation Results
===============================
DMARC Errors Detected: None.
Non-DMARC flags encountered (skipped): None.

Visit http://www.returnpath.com/solution-content/dmarc-support/ for more information on DMARC record creation and validation.

Die einfachste und schnellste Variante bei der Installation ist die aus dem Repository mailserver.guru. Hier reicht ein einfacher Aufruf von yum und alles wird automatisch installiert inkl. der Paketabhängigkeiten.

 # yum install opendmarc

Will oder kann man nicht auf das Repository mailserver.guru zurückgreifen, steht immer noch der Installation per Hand nichts im Wege.

 # yum localinstall http://repo7.mailserver.guru/7/x86_64/libopendmarc-1.3.0-1.el7.centos.x86_64.rpm \ 
                    http://repo7.mailserver.guru/7/x86_64/opendmarc-1.3.0-1.el7.centos.x86_64.rpm

Was das RPM alle mitbrachte zeigt ein Blick in die RPM-Datenbank.

 # rpm -qil opendmarc

Name        : opendmarc
Version     : 1.3.0
Release     : 1.el7.centos
Architecture: x86_64
Install Date: Wed 17 Dec 2014 08:58:08 PM CET
Group       : System Environment/Daemons
Size        : 517881
License     : BSD and Sendmail
Signature   : RSA/SHA1, Wed 17 Dec 2014 08:38:39 PM CET, Key ID 60ecfb9e8195aea0
Source RPM  : opendmarc-1.3.0-1.el7.centos.src.rpm
Build Date  : Wed 17 Dec 2014 08:38:11 PM CET
Build Host  : vml000200.dmz.nausch.org
Relocations : (not relocatable)
Packager    : Django
URL         : http://www.trusteddomain.org/opendmarc.html
Summary     : DMARC milter and library
Description :
OpenDMARC (Domain-based Message Authentication, Reporting & Conformance)
provides an open source library that implements the DMARC verification
service plus a milter-based filter application that can plug in to any
milter-aware MTA, including sendmail, Postfix, or any other MTA that supports
the milter protocol.

The DMARC sender authentication system is still a draft standard, working
towards RFC status.
/etc/opendmarc/ignore.hosts
/etc/opendmarc/opendmarc.conf
/etc/tmpfiles.d/opendmarc.conf
/usr/lib/systemd/system/opendmarc.service
/usr/sbin/opendmarc
/usr/sbin/opendmarc-check
/usr/sbin/opendmarc-expire
/usr/sbin/opendmarc-import
/usr/sbin/opendmarc-importstats
/usr/sbin/opendmarc-params
/usr/sbin/opendmarc-reports
/usr/share/doc/opendmarc-1.3.0
/usr/share/doc/opendmarc-1.3.0/INSTALL
/usr/share/doc/opendmarc-1.3.0/LICENSE
/usr/share/doc/opendmarc-1.3.0/LICENSE.Sendmail
/usr/share/doc/opendmarc-1.3.0/README
/usr/share/doc/opendmarc-1.3.0/README.rddmarc
/usr/share/doc/opendmarc-1.3.0/README.schema
/usr/share/doc/opendmarc-1.3.0/RELEASE_NOTES
/usr/share/doc/opendmarc-1.3.0/dmarc_policy_t.html
/usr/share/doc/opendmarc-1.3.0/dmarcfail.py
/usr/share/doc/opendmarc-1.3.0/dmarcfail.pyc
/usr/share/doc/opendmarc-1.3.0/dmarcfail.pyo
/usr/share/doc/opendmarc-1.3.0/draft-dmarc-base-03.txt
/usr/share/doc/opendmarc-1.3.0/index.html
/usr/share/doc/opendmarc-1.3.0/mkdb.mysql
/usr/share/doc/opendmarc-1.3.0/mkdmarc
/usr/share/doc/opendmarc-1.3.0/mysql_ip6.c
/usr/share/doc/opendmarc-1.3.0/opendmarc
/usr/share/doc/opendmarc-1.3.0/opendmarc.conf.sample
/usr/share/doc/opendmarc-1.3.0/opendmarc.spec.in
/usr/share/doc/opendmarc-1.3.0/opendmarc_dns_fake_record.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_get_policy_to_enforce.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_lib_t.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_clear.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_init.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_rset.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_shutdown.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_adkim.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_alignment.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_aspf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_fo.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_p.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_pct.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_rf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_rua.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_ruf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_sp.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_utilized_domain.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_library_init.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_library_shutdown.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_parse_dmarc.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_query_dmarc.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_status_to_str.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_dkim.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_dmarc.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_from_domain.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_spf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_policy_to_buf.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_spf_test.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_status_t.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_tld_read_file.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_tld_shutdown.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_util_clearargv.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_xml.html
/usr/share/doc/opendmarc-1.3.0/opendmarc_xml_parse.html
/usr/share/doc/opendmarc-1.3.0/overview.html
/usr/share/doc/opendmarc-1.3.0/rddmarc
/usr/share/doc/opendmarc-1.3.0/schema.mysql
/usr/share/man/man5/opendmarc.conf.5.gz
/usr/share/man/man8/opendmarc-check.8.gz
/usr/share/man/man8/opendmarc-expire.8.gz
/usr/share/man/man8/opendmarc-import.8.gz
/usr/share/man/man8/opendmarc-importstats.8.gz
/usr/share/man/man8/opendmarc-params.8.gz
/usr/share/man/man8/opendmarc-reports.8.gz
/usr/share/man/man8/opendmarc.8.gz
/var/run/opendmarc
/var/spool/opendmarc

 # rpm -qil libopendmarc

Name        : libopendmarc
Version     : 1.3.0
Release     : 1.el7.centos
Architecture: x86_64
Install Date: Wed 17 Dec 2014 08:40:49 PM CET
Group       : System Environment/Libraries
Size        : 48888
License     : BSD and Sendmail
Signature   : RSA/SHA1, Wed 17 Dec 2014 08:38:40 PM CET, Key ID 60ecfb9e8195aea0
Source RPM  : opendmarc-1.3.0-1.el7.centos.src.rpm
Build Date  : Wed 17 Dec 2014 08:38:11 PM CET
Build Host  : vml000200.dmz.nausch.org
Relocations : (not relocatable)
Packager    : Django
URL         : http://www.trusteddomain.org/opendmarc.html
Summary     : An open source DMARC library
Description :
This package contains the library files required for running services built
using libopendmarc.
/usr/lib64/libopendmarc.so.2
/usr/lib64/libopendmarc.so.2.0.0

Viele hilfreiche Informationen zur Konfiguration von OpenDMARC finden sich in den nachfolgenden Dateien.

 # less /usr/share/doc/opendmarc-1.3.0/README

OPENDMARC README
================

This directory has the latest open source DMARC software from The Trusted
Domain Project.

There is a web site at http://www.trusteddomain.org/opendmarc that is home for
the latest updates.


+--------------+
| INTRODUCTION |
+--------------+

The OpenDMARC project is a community effort to develop and maintain an open
source package for providing DMARC report generation and policy enforcement
services.  It includes a library for handling DMARC record parsing,
a database schema and tools for aggregating and processing transaction
history to produce DMARC reports, and a filter that ties it all together
with an MTA using the milter protocol.

"milter" is a portmanteau of "mail filter" and refers to a protocol and API
for communicating mail traffic information between MTAs and mail filtering
plug-in applications.  It was originally invented at Sendmail, Inc. but
has also been adapted to other MTAs.

+--------------+
| DEPENDENCIES |
+--------------+

To compile and operate, this package requires the following:

o OpenDBX (http://www.linuxnetworks.de/doc/index.php/OpenDBX) which
  acts as a middleware layer between OpenDMARC and your SQL backend
  of choice

o sendmail v8.13.0 (or later), or Postfix 2.3, (or later) and libmilter.
  (These are only required if you are building the filter.)

o Access to a working nameserver (required only for signature verification).

o If you are interested in tinkering with the build and packaging structure,
  you may need to upgrade to these versions of GNU's "autotools" components:
        autoconf (GNU Autoconf) 2.61
        automake (GNU automake) 1.7 (or 1.9 to avoid warnings)
        ltmain.sh (GNU libtool) 2.2.6 (or 1.5.26 after make maintainer-clean)


+-----------------------+
| RELATED DOCUMENTATION |
+-----------------------+

The man page for opendmarc (the actual filter program) is present in the
opendmarc directory of this source distribution.  There is additional
information in the INSTALL and FEATURES files, and in the README file in the
opendmarc directory.  Changes are documented in the RELEASE_NOTES file.

HTML-style documentation for libopendmarc is available in libopendmarc/docs in
this source distribution.

General information about DMARC can be found at http://www.dmarc.org

Mailing lists discussing and supporting the DMARC software found in this
package are maintained via a list server at trusteddomain.org.  Visit
http://www.trusteddomain.org to subscribe or browse archives.  The available
lists are:

        opendmarc-announce      (moderated) Release announcements.

        opendmarc-users         General OpenDMARC user questions and answers.

        opendmarc-dev           Chatter among OpenDMARC developers.

        opendmarc-code          Automated source code change announcements.

Bug tracking is done via the trackers on SourceForge at
http://sourceforge.net/projects/opendmarc.  You can enter new bug
reports there, but please check first for older bugs already open,
or even already closed, before opening a new issue.


+---------------------+
| DIRECTORY STRUCTURE |
+---------------------+

contrib         A collection of user contributed scripts that may be useful.

db              Database schema and tools for generating DMARC reports based
                upon accumulated data.

docs            A collection of RFCs and drafts related to opendmarc.

libopendmarc    A library that implements the proposed DMARC standard.

libopendmarc/docs
                HTML documentation describing the API provided by libopendmarc.

opendmarc       A milter-based filter application which uses libopendmarc (and
                optionally libar) to provide DMARC service via an MTA using
                the milter protocol.


+----------------+
| RUNTIME ISSUES |
+----------------+

WARNING: symbol 'X' not available

 The filter attempted to get some information from the MTA that the MTA
 did not provide.

 At various points in the interaction between the MTA and the filter, certain
 macros containing information about the job in progress or the connection
 being handled are passed from the MTA to the filter.

 In the case of sendmail, the names of the macros the MTA should pass to the
 filter are defined by the "Milter.macros" settings in sendmail.cf, e.g.
 "Milter.macros.connect", "Milter.macros.envfrom", etc.  This message
 indicates that the filter needed the contents of macro X, but that macro
 was not passed down from the MTA.

 Typically the values needed by this filter are passed from the MTA if the
 sendmail.cf was generated by the usual m4 method.  If you do not have
 those options defined in your sendmail.cf, make sure your M4 configuration
 files are current and rebuild your sendmail.cf to get appropriate lines
 added to your sendmail.cf, and then restart sendmail.

MTA timeouts

 By default, the MTA is configured to wait up to ten seconds for a response
 from a filter before giving up.  When querying remote nameservers
 for key and policy data, the DMARC filter may not get a response from the
 resolver within that time frame, and thus this MTA timeout will occur.
 This can cause messages to be rejected, temp-failed or delivered without
 verification, depending on the failure mode selected for the filter.

 When using the standard resolver library provided with your system, the
 DNS timeout cannot be adjusted.  If you encounter this problem, you must
 increase the time the MTA waits for replies.  See the documentation in
 the sendmail open source distribution (libmilter/README in particular)
 for instructions on changing these timeouts.

 When using the provided asynchronous resolver library, you can use the
 "-T" command line option to change the timeout so that it is shorter than
 the MTA timeout.

Other OpenDMARC issues:

 Report any bugs to the email address opendmarc-users@trusteddomain.org or to
 the SourceForge issue tracker accessible at:
 
 http://sourceforge.net/p/opendmarc/tickets/


--
Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

$Id: README,v 1.13 2010/10/25 20:41:55 cm-msk Exp $

 # less /usr/share/doc/opendmarc-1.3.0/README.schema

This directory contains the OpenDMARC schema plus any related files.
 
The tables in this schema are populated by the opendmarc filter as it processes
messages and downloads policies.  The rows are then consumed by the scripts
in the "reports" directory to generate regular aggregate reports.
 
The tables are summarized here:
 
domains         A table that maps domain names to unique integer IDs.
                Automatically tracks a "first seen" timestamp, and includes
                a column to record when the last report was sent.
 
reporters       A table mapping reporting hosts to unique integer IDs.
                Intended for use by multi-MX systems so it's possible to tell
                where an inbound message landed.
 
ipaddr          A table mapping IP addresses (as strings) to unique IDs.
                Also tracks the "first seen" timestamp for each.
 
messages        A table tracking salient properties of all messages received.
                A messages is uniquely identified by a {date, jobid, reporter}
                tuple.  Includes references to the "domains" table to track
                the RFC5321.MailFrom domain, the RFC5322.From domain.
                Also records the count of DKIM signatures, the SPF result,
                and whether or not the SPF result was aligned with the
                RFC5322.From domain.
 
signatures      A table tracking DKIM signatures, each of which refers to
                a rown in the "messages" table.  Tracks the signing domain,
                whether the signature passed, whether there was a verification
                error other than a broken signature, and whether or not the
                signing domain aligned with the RFC5322.From domain.
 
requests        A table containing a cache of DMARC reporting requests.
                For each domain, the destination reporting URI for aggregate
                reports is recorded along with a "last report sent" timestamp.
 
--
Copyright (c) 2012, The Trusted Domain Project.  All rights reserved.

 # less /usr/share/doc/opendmarc-1.3.0/README.rddmarc

These are little scripts to parse DMARC reports.
 
The first, rddmarc, is a perl script that take an incoming DMARC
summary report email, extracts and unpacks the gzip or ZIP file,
parses the XML, and puts the parts about received mail into a MySQL
database.  The database is set up to handle reports about multiple
domains from multiple reporters. It's handling reports from Google,
Yahoo, xs4all and Netease.  
 
It expects filenames on the command line, each of which contains a
mail message, but it'd easy enough to adjust it to read stdin or
anywhere else.
 
It works great on FreeBSD, can probably be made to work on linux with
modest effort, no clue about other systems.  It needs the
MIME::Parser, XML::Simple, and DBI perl modules and the freeware unzip
program to extract stuff from the gzip or ZIP file.
 
It now handles both IPv4 and IPv6 addresses.  If you have been
running the ipv4 version, see mkdmarc for instructions on how
to update your database.  The file mysql_ip6.c is a plugin for a
mysql server to add some IPv6 formatting functions that can be
handy when analyzing the reports.  It's not needed for rddmarc.
 
The second is a python script to parse failure reports.  It expects
file names on the command line, or if no arguments, it reads stdin. It
needs the usual MySQLdb module.  It handles reports from Netease,
which are currently the only ones I'm getting.
 
mkdmarc - SQL to create the tables
 
rddmarc - the script to parse summary reports (Perl)
 
dmarcfail.py - the script to parse failure reports (python)
 
mysql_ip6.c - C language source for MySQL plugin for IPv6
        formatting functions

 # man opendmarc

opendmarc(8) System Manager's Manual opendmarc(8)

NAME
opendmarc - DMARC email policy filter for MTAs

SYNOPSIS
opendmarc [-A] [-c configfile] [-f] [-l] [-n] [-p socketspec] [-P pidfile] [-t
file[,file[...]]] [-u userid[:group]] [-v] [-V]

DESCRIPTION
opendmarc implements the prooposed DMARC specification for authentication of message
and reporting of observed traffic.

opendmarc uses the milter interface, originally distributed as part of version 8.11
of sendmail(8), to provide a DMARC processing service for mail transiting a milter-
aware MTA.

Most, if not all, of the command line options listed below can also be set using a
configuration file. See the -c option for details.

opendmarc relies on addition of Authentication-Results fields by upsteam filters on
trusted hosts to collect input to the DMARC algorithm. It does not itself do DKIM or
SPF evaluation.

OPTIONS
-A Automatically re-start on failures. Use with caution; if the filter fails
instantly after it starts, this can cause a tight fork(2) loop. This can be
mitigated using some values in the configuration file to limit restarting.
See opendmarc.conf(5).

-c configfile
Read the named configuration file. See the opendmarc.conf(5) man page for
details. Values in the configuration file are overridden when their equiva‐
lents are provided on the command line until a configuration reload occurs.
The OPERATION section describes how reloads are triggered. The default is to
read a configuration file from /etc/opendmarc.conf if one exists, or otherwise
to apply defaults to all values.

-f Normally opendmarc forks and exits immediately, leaving the service running in
the background. This flag suppresses that behaviour so that it runs in the
foreground.

-l Log via calls to syslog(3) any interesting activity.

-n Parse the configuration file and command line arguments, reporting any errors
found, and then exit. The exit value will be 0 if the filter would start up
without complaint, or non-zero otherwise.

-p socketspec
Specifies the socket that should be established by the filter to receive con‐
nections from sendmail(8) in order to provide service. socketspec is in one
of two forms: local:path which creates a UNIX domain socket at the specified
path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on
the specified port within the specified protocol family. If the host is not
given as either a hostname or an IP address, the socket will be listening on
all interfaces. If neither socket type is specified, local is assumed, mean‐
ing the parameter is interpreted as a path at which the socket should be cre‐
ated. If an IP address is used, it must be enclosed in square brackets. This
parameter is mandatory.

-P pidfile
Specifies a file into which the filter should write its process ID at startup.

-t file[,file[,...]]
Reads email messages from the named files and processes them as if they were
received by the filter. The service is not started, and actions normally sent
back to the MTA will instead be printed on standard output.

-u userid[:group]
Attempts to be come the specified userid before starting operations. The
process will be assigned all of the groups and primary group ID of the named
userid unless an alternate group is specified. See the FILE PERMISSIONS sec‐
tion for more information.

-v Increase verbose output during test mode (see -t above). May be specified
more than once to request increasing amounts of output.

-V Print the version number and supported canonicalization and signature algo‐
rithms, and then exit without doing anything else.

SIGNALS
Upon receiving SIGUSR1, if the filter was started with a configuration file, it will
be re-read and the new values used. Note that any command line overrides provided at
startup time will be lost when this is done. Also, the following configuration file
values (and their corresponding command line items, if any) are not reloaded through
this process: AutoRestart (-A), AutoRestartCount, AutoRestartRate, Background, Mil‐
terDebug, PidFile (-P), Socket (-p), UMask, UserID (-u). The filter does not auto‐
matically check the configuration file for changes and reload.

VERSION
This man page covers version 1.3.0 of opendmarc.

COPYRIGHT
Copyright (c) 2012, The Trusted Domain Project. All rights reserved.

SEE ALSO
opendmarc.conf(5), sendmail(8)

Sendmail Operations Guide

RFC4408 - Sender Policy Framework

RFC5321 - Simple Mail Transfer Protocol

RFC5322 - Internet Messages

RFC5451 - Message Header Field for Indicating Message Authentication Status

RFC6376 - DomainKeys Identified Mail

RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format

The Trusted Domain Project opendmarc(8)

 # man opendmarc.conf

opendmarc.conf(5) File Formats Manual opendmarc.conf(5)

NAME
opendmarc.conf - Configuration file for opendmarc

LOCATION
/etc/opendmarc.conf

DESCRIPTION
opendmarc(8) implements the proposed DMARC specification for message authentication,
policy enforcement, and reporting. This file is its configuration file.

Blank lines are ignored. Lines containing a hash ("#") character are truncated at
the hash character to allow for comments in the file.

Other content should be the name of a parameter, followed by white space, followed by
the value of that parameter, each on a separate line.

For parameters that are Boolean in nature, only the first byte of the value is pro‐
cessed. For positive values, the following are accepted: "T", "t", "Y", "y", "1".
For negative values, the following are accepted: "F", "f", "N", "n", "0".

Some, but not all, of these parameters are also available as command line options to
opendmarc(8). However, new parameters are generally not added as command line
options so the complete set of options is available here, and thus use of the config‐
uration file is encouraged. In some future release, the set of available command
line options is likely to get trimmed.

See the opendmarc(8) man page for details about how and when the configuration file
contents are reloaded.

Unless otherwise stated, Boolean values default to "false", integer values default to
0, and string and dataset values default to being undefined.

PARAMETERS
AuthservID (string)
Sets the "authserv-id" to use when generating the Authentication-Results:
header field after verifying a message. The default is to use the name of the
MTA processing the message. If the string "HOSTNAME" is provided, the name of
the host running the filter (as returned by the gethostname(3) function) will
be used.

AuthservIDWithJobID (Boolean)
If "true", requests that the authserv-id portion of the added Authentication-
Results: header fields contain the job ID of the message being evaluated.

AutoRestart (Boolean)
Automatically re-start on failures. Use with caution; if the filter fails
instantly after it starts, this can cause a tight fork(2) loop.

AutoRestartCount (integer)
Sets the maximum automatic restart count. After this number of automatic
restarts, the filter will give up and terminate. A value of 0 implies no
limit; this is the default.

AutoRestartRate (string)
Sets the maximum automatic restart rate. If the filter begins restarting
faster than the rate defined here, it will give up and terminate. This is a
string of the form n/t[u] where n is an integer limiting the count of restarts
in the given interval and t[u] defines the time interval through which the
rate is calculated; t is an integer and u defines the units thus represented
("s" or "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for
hours; "d" or "D" for days). For example, a value of "10/1h" limits the
restarts to 10 in one hour. There is no default, meaning restart rate is not
limited.

Background (Boolean)
Causes opendmarc to fork and exits immediately, leaving the service running in
the background. The default is "true".

BaseDirectory (string)
If set, instructs the filter to change to the specified directory using
chdir(2) before doing anything else. This means any files referenced else‐
where in the configuration file can be specified relative to this directory.
It's also useful for arranging that any crash dumps will be saved to a spe‐
cific location.

ChangeRootDirectory (string)
Requests that the operating system change the effective root directory of the
process to the one specified here prior to beginning execution. chroot (2)
requires superuser access. A warning will be generated if UserID is not also
set.

CopyFailuresTo (string)
Adds the specified recipient to the message's envelope if it fails the DMARC
evaluation.

DNSTimeout (integer)
Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
default is 5. Ignored if not using an asynchronous resolver package.

EnableCoredumps (Boolean)
On systems that have such support, make an explicit request to the kernel to
dump cores when the filter crashes for some reason. Some modern UNIX systems
suppress core dumps during crashes for security reasons if the user ID has
changed during the lifetime of the process. Currently only supported on
Linux.

FailureReports (Boolean)
Enables generation of failure reports when the DMARC test fails and the pur‐
ported sender of the message has requested such reports. Reports are format‐
ted per RFC6591.

FailureReportsBcc (string)
When failure reports are enabled and one is to be generated, always send one
to the address(es) specified here. If a failure report is requested by the
domain owner, the address(es) are added in a Bcc: field. If no request is
made, they address(es) are used in a To: field. There is no default.

FailureReportsOnNone (Boolean)
Supplementary to the previous setting, enables generation of failure reports
for sending domains that publish a "none" policy.

FailureReportsSentBy (string)
Sets the value of the From: field to be used when sending failure reports (see
above). The default is to use the userid of the user executing the filter and
the local host name to construct an email address.

HistoryFile (string)
If set, specifies the location of a text file to which records are written
that can be used to generate DMARC aggregate reports. Records are batches of
rows containing information about a single received message, and include all
relevant information needed to generate a DMARC aggregate report. It is
expected that this will not be used in its raw form, but rather periodically
imported into a relational database from which the aggregate reports can be
extracted.

IgnoreAuthenticatedClients (Boolean)
If set, causes mail from authenticated clients (i.e., those that used SMTP
AUTH) to be ignored by the filter. The default is "false".

IgnoreHosts (string)
Specifies the path to a file that contains a list of hostnames, IP addresses,
and/or CIDR expressions identifying hosts whose SMTP connections are to be
ignored by the filter. If not specified, defaults to "127.0.0.1" only.

IgnoreMailFrom (string)
Gives a list of domain names whose mail (based on the From: domain) is to be
ignored by the filter. The list should be comma-separated. Matching against
this list is case-insensitive. The default is an empty list, meaning no mail
is ignored.

MilterDebug (integer)
Sets the debug level to be requested from the milter library. The default is
0.

PidFile (string)
Specifies the path to a file that should be created at process start contain‐
ing the process ID.

PublicSuffixList (string)
Specifies the path to a file that contains top-level domains (TLDs) that will
be used to compute the Organizational Domain for a given domain name, as
described in the DMARC specification. If not provided, the filter will not be
able to determine the Organizational Domain and only the presented domain will
be evaluated.

RecordAllMessages (Boolean)
If set and HistoryFile is in use, all received messages are recorded to the
history file. If not set (the default), only messages for which the From:
domain published a DMARC record will be recorded in the history file.

RejectFailures (Boolean)
If set, messages will be rejected if they fail the DMARC evaluation, or temp-
failed if evaluation could not be completed. By default, no message will be
rejected or temp-failed regardless of the outcome of the DMARC evaluation of
the message. Instead, an Authentication-Results header field will be added.
The default is "false".

ReportCommand (string)
Indicates the shell command to which failure reports should be passed for
delivery when FailureReports is enabled. Defaults to /usr/sbin/sendmail.

RequiredHeaders (Boolean)
If set, the filter will ensure the header of the message conforms to the basic
header field count restrictions laid out in RFC5322, Section 3.6. Messages
failing this test are rejected without further processing. A From: field from
which no domain name could be extracted will also be rejected.

Socket (string)
Specifies the socket that should be established by the filter to receive con‐
nections from sendmail(8) in order to provide service. socketspec is in one
of two forms: local:path, which creates a UNIX domain socket at the specified
path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on
the specified port for the appropriate protocol family. If the host is not
given as either a hostname or an IP address, the socket will be listening on
all interfaces. This option is mandatory either in the configuration file or
on the command line. If an IP address is used, it must be enclosed in square
brackets.

SoftwareHeader (Boolean)
Causes opendmarc to add a "DMARC-Filter" header field indicating the presence
of this filter in the path of the message from injection to delivery. The
product's name, version, and the job ID are included in the header field's
contents.

SPFIgnoreResults (Boolean)
Causes the filter to ignore any SPF results in the header of the message.
This is useful if you want the filter to perfrom SPF checks itself, or because
you don't trust the arriving header. The default is "false".

SPFSelfValidate (Boolean)
Causes the filter to perform a fallback SPF check itself when it can find no
SPF results in the message header. If SPFIgnoreResults is also set, it never
looks for SPF results in headers and always performs the SPF check itself when
this is set. The default is "false".

Syslog (Boolean)
Log via calls to syslog(3) any interesting activity.

SyslogFacility (string)
Log via calls to syslog(3) using the named facility. The facility names are
the same as the ones allowed in syslog.conf(5). The default is "mail".

TemporaryDirectory (string)
Specifies the directory in which temporary files should be written. The
default is /var/tmp.

TrustedAuthservIDs (string)
Provides a list of authserv-ids that are to be used to identify Authentica‐
tion-Results header fields whose contents are to be assumed as valid input for
the DMARC assessment. To provide a list, separate values by commas. If the
string "HOSTNAME" is provided, the name of the host running the filter (as
returned by the gethostname(3) function) will be used. Matching against this
list is case-insensitive. The default is to use the value of AuthservID.

UMask (integer)
Requests a specific permissions mask to be used for file creation. This only
really applies to creation of the socket when Socket specifies a UNIX domain
socket, and to the PidFile (if any); temporary files are created by the
mkstemp(3) function that enforces a specific file mode on creation regardless
of the process umask. See umask(2) for more information.

UserID (string)
Attempts to become the specified userid before starting operations. The value
is of the form userid[:group]. The process will be assigned all of the groups
and primary group ID of the named userid unless an alternate group is speci‐
fied.

FILES
/etc/opendmarc.conf
Default location of this file.

VERSION
This man page covers version 1.3.0 of opendmarc.

DMARC - Domain-based Message Authentication, Reporting & Conformance unter CentOS 7.x

Zusammenspiel von DKIM, SPF und DMARC

DMARC-Record

Beschreibung des Datensatzes

Generierung unseres DMARC-Records

Testen der DMARC Definitionen

Installation

Konfigurations-Dokumentation

README

README.schema

README.rddmarc

man-pages

opendmarc

opendmarc.conf

opendmarc-check

opendmarc-expire

opendmarc-import

opendmarc-importstats

opendmarc-params

opendmarc-reports

Linux - Wissensdatenbank