Artikel befindet sich gerade in der Bearbeitung!
DMARC - Domain-based Message Authentication, Reporting & Conformance unter CentOS 7.x
DMARC1) ist an sich kein eigenständiger Prozess in der eMail-Verarbeitung, vielmehr erweitert DMARC auf die beiden Techniken SPF2) und DKIM3). DMARC ergänzt somit DKIM und SPF, ohne die DMARC nicht funktionieren kann. Hinweise zu DMARC findet man bei auch auf der Webseite von DMARC.org, oder im Entwurf der Network Working Group, die der ITF4) Anfang 2012 zur Prüfung vorgelegt wurde.
Obwohl DMARC aktuell noch als Entwurf gilt, wird laut den Angaben der aktuellen DMARC-Präsentation aus 2014 bereits mehr als 60% der weltweiten eMail-Postfächer mit Hilfe von DMARC geschützt.
Die weltgößten eMail-Provider setzen auf DMARC, wie z.B.:
- GMail, Yahoo, AOL, Comcast, oder Outlook.com
- Mail.ru (größter eMail-Provider in Russland)
- NetEase (größter eMail-Provider in China)
- XS4All (größter eMail-Provider in den Niederlanden)
Alles gute Gründe, sich dem Thema DMARC dennoch intensiver zu widmen!
Bei DMARC kann definiert werden, wie ein empfangender Mailserver Nachrichten behandeln und verarbeiten soll, insbesondere mit Hinblick auf die Bewertung der Versandberechtigung des einliefernden Mailservers (SPF) und der nicht veränderten Nachricht (DKIM). Fällt eine oder beide Überprüfungen negativ aus, definiert DMARC, ob die eMail in Quarantäne gestellt, die Annahme der eMail abgelehnt (reject) oder eben dennoch zugestellt werden soll.
Das nachfolgende Schaubild zeigt den Bearbeitungsverlauf einer eMail mit Berücksichtigung auf DMARC auf.
Zusammenspiel von DKIM, SPF und DMARC
Auch wenn DMARC noch immer im Status DRAFT5) ist, macht es doch Sinn, sich mit DMARC näher zu beschäftigen!
Möchten wir DMARC bei unserem Mailserver einsetzen, ist es wichtig, dass alle drei Komponenten via Milter6) an unseren Postfix-Mailserver angebunden werden. Nur so stehen dem DMARC-Daemon alle relevanten Headerinformationen zur Bewertung zur Verfügung.
Wir setzen daher bei unserer Installation jeweils folgende Pakete ein:
- SPF smf-spf aus Djangos-Repository
- DKIM opendkim aus dem EPEL
- DMARC opendmarc aus Djangos-Repository
Die Installation von SPF-Milter ist im Kapitel SPF - Sender Policy Framework und OpenDKIM-Milter im Kapitel DKIM - Domain Key Identified Mail genauer beschrieben.
DMARC-Record
Beschreibung des Datensatzes
Mit Hilfe des DMARC Record Assistant kann man sich sehr leicht und einfach den nötigen DMARC-Record generieren lassen, den man dann über einen TXT-Record der Subdomain _dmarc in seinem DNS einträgt. Im Kapitel 6.2. General Record Format des DMARC Standardisierungs-Entwurf ist die
Als Beispiel sehen wir uns nun den aktuellen DMARC-Record von nausch.org an, den wir u.a. mit dem Aufruf des Befehls host vom DNS-Server abfrsagen können.
# host -t TXT _dmarc.nausch.org
_dmarc.nausch.org descriptive text "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"
Die einzelnen Werte haben nun folgende Bedeutung.
| Parameter | Art | Wert | Bedeutung |
|---|---|---|---|
| v | Plaintext; REQUIRED | DMARC1 | Identifiziert den Datensatz als DMARC-Record. Der Parameter muss als erster wert im DMARC-Record gesetzt sein. Fehlt dieser ist der gesamte DMARC-Record zu verwerfen! |
| p | Plaintext; REQUIRED | reject | Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers verwerten soll. Diese gilt auch für die Subdomains, sofern für diese mit dem Parameter sp keine separate Definition vorliegt. Mögliche Werte sind:  none : Der Domaininhaber hat keine Vorgaben zur Verabeitung/Zustellung der eMails.  quarantine : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, als verdächtig gewertet werden sollen. Abhängig vom Empfänger können diese als verdächtig markiert werden, mit weiteren/zusätzlichen SPAM prüfungen zu belegen ist, oder in einen SPAM-Ordner verschoben werden soll.  reject : Der Domaininhaber wünscht, dass eMails, die die DMARC-Bewertung nicht bestehen, rejected, also nicht angenommen werden sollen. Dies sollte, wenn möglich, noch während des SMTP-Dialogs passieren. |
| sp | Plaintext;OPTIONAL | reject | Beschreibt, wie der Empfänger die Nachrichten des Domain-Inhabers einer Subdomäne verwerten soll. Der Parameter beschreibt nur die abgefragte Subdomäne, nicht die Domäne an sich! Der Syntax entspricht dem Parameter p. Wird der Paramter sp nicht gesetzt, gelten die Definitionen des Parameters p auch für alle Subdomänen. |
| rua | Kommaseparierte plain-text Liste von DMARC URIs; OPTIONAL | mailto:postmaster@nausch.org | Der Domaininhaber wünscht, per eMail mit aufbereiteten Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten. |
| ruf | Kommaseparierte Plaintext Liste von DMARC URIs; OPTIONAL | mailto:django@nausch.org | Der Domaininhaber wünscht, per eMail mit detailierten forensischen Statiskdaten der verarbeiteten eMails, informiert zu werden. Ist dieser Parameter nicht gesetzt, braucht der Empfänger keine Statistikdaten aufbereiten. |
| adkim | Plaintext; OPTIONAL; Default = relaxed | r | Definiert, wie konservativ das Ergebnis der DKIM-Signaturprüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt. |
| aspf | Plaintext; OPTIONAL; Default = relaxed | r | Definiert, wie konservativ das Ergebnis der SPF-Prüfung bewertet werden soll. Mögliche Werte sind entweder r=relaxed oder s=strikt. |
| pct | Plaintext/Zahlenwert zwischen 0 und 100; OPTIONAL; Default = 100 | 100 | Der Domaininhaber wünscht, daß der angegebene Prozentwert an Nachrichten von den DMARC-Prüfungen benutzt werden soll. Der Wert beschreibt nicht das Verhältnis in den DMARC-Reports. |
| rf | Kommaseparierte Plaintext Liste; OPTIONAL; Default = afrf | afrf | Der Domaininhaber wünscht, dass die aufbereiteten forensischen Prüfberichte im Format AFRF7) oder IODEF8) zu erhalten, wenn sowohl der DKIM- wie auch der SPF-Test negativ ausfällt. |
| ri | Plaintext; OPTIONAL; Default = 86400 | 86400 | Der Domaininhaber wünscht, dass die aufbereiteten Statistik- und Forensikdaten spätestens alle „n“ Sekunden verschickt werden sollen. |
Generierung unseres DMARC-Records
Nach Erstellung des DMARC-Records von Hand oder über den DMARC Record Assistant, tragen wir demnach bei unserem zuständigen DNS entsprechenden eigenen und richtigen Daten ein.
_dmarc.nausch.org IN TXT "v=DMARC1\; p=reject\; rua=mailto:postmaster@nausch.org\; ruf=mailto:django@nausch.org\; adkim=r\; aspf=r\; pct=100\; rf=afrf\; ri=86400\; sp=reject"
Testen der DMARC Definitionen
Über die URL OTA Query Tool for SPF & DMARC Records der Online trust Alliance kann man online bei Bedarf testen, ob der DMARC-Eintrag soweit richtig ist.
Mit Hilfe der DMARC Inspectors kann man (s)einen DMARC-Record testen und sich die Optionen die der Domaininhaber gesetzt hat, beschreiben lassen. Möchte man seinen SPF-Record testen lassen, steht einem der SPF Surveyor zur Verfügung.
Zu guter Letzt kann mit dem DKIM Key Checker der, im DNS hinterlegte, DKIM-Schlüssel einer Domäne getestet werden.
Möchte man dann noch testen, ob der eigene Mailserver alle Voraussetzungen für eine DMARC-policy hat, schickt man einfach eine „leere eMail“ an checkmyauth@auth.returnpath.net, so erhält man anschließen einen ausführlichen Prüfbericht.
From: "Return Path" <noreply@returnpath.net> Subject: Return Path DKIM/SPF Reflector Report Date: Fri, 21 Mar 2014 03:58:12 -0600 (MDT) To: undisclosed-recipients:; Return Path DKIM/SPF Reflector Report ===================================== Source IP = 217.91.103.190 Mail From = django@nausch.org Identity Alignment Results ========================== SPF Domain Alignment Result = PASS The From domain 'nausch.org' is an exact match with the SPF domain 'nausch.org'. Note that the alignment policy is set to relaxed in your DMARC record. DKIM Domain Alignment Results: Result for DNS Record: 140224._domainkey.nausch.org = PASS The From domain 'nausch.org' is an exact match with the DKIM domain 'nausch.org'. Note that the alignment policy is set to relaxed in your DMARC record. DKIM Results ============ Result = pass Domain = nausch.org Selector = 140224 DNS Record(s) = 140224._domainkey.nausch.org TXT v=DKIM1; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuJ3/CruOs3fCU0ujOStcNN85TJh+5HvMa9m99C5XuRBlxOr+fp5BeIEtiPO0szKvvPojwrueCq0oOuEzjR/i2ObpRkzKRUXmAa0qVezUZwQIbKeiuKII0PnpQclDrmQrzSXcQWPT57tkPg17Q9WamFUUaHeN3+pVGtMyjYekRaAoRlV+a1gD111kXMPhiaFTMIncoRBS/gYN8FjfekH+ezqbLHLB8DLJQBZEGUILvJjAHX0722XyqYtkn1qfv63nPRGw/qqAW1072Gchq4ZS4ZPQ89SrK4KcHt/XptSlztXMWtmRFQriHdvbjr1Fx7ZwXdTQ+ik2AUZLMdhMrQe6/1GujQiMD6po81NpYbrjnfd+QF4sUbus4wPQKVNzsctiuzGlWsFexSHP4dAZtKnImJhVDnzZODQy0nSafedlr5g4VR36vgm0YPWjSyRNnC/APHyw0DtHIrzTqfKuDeGv80uMPbEdujrw9gLbK3H8ow42iTicmgPgT3J5j70ZOo4o4FMtpZ/AEQw+VnWpSfw7bkMjufLc29XHbtp22wfgq2Lmarr3+psaHokFaQrImkMbzdSL9CdabkLptanAilLScvq8UaKVC+G1+vHDgaweq3BhXD5+YcJnJlp4msUqqxGYlnx4RSvv8PipMU2DsVFbNJSH5NJuS7GuzplNg+f20ysCAwEAAQ== Public Key Length = 4096 DomainKeys Results ================== No DomainKeys signature(s) found. SPF Results =========== Result = pass Domain = nausch.org DNS Record(s) = nausch.org TXT v=spf1 ip4:217.91.103.190/32 mx ?all DMARC Results ============= Domain = _dmarc.nausch.org DNS Record = _dmarc.nausch.org TXT v=DMARC1; p=reject; rua=mailto:postmaster@nausch.org; ruf=mailto:django@nausch.org; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject DMARC Record Validation Results =============================== DMARC Errors Detected: None. Non-DMARC flags encountered (skipped): None. Visit http://www.returnpath.com/solution-content/dmarc-support/ for more information on DMARC record creation and validation.
Installation
Die einfachste und schnellste Variante bei der Installation ist die aus dem Repository nausch.org. Hier reicht ein einfacher Aufruf von yum und alles wird automatisch installiert inkl. der Paketabhängigkeiten.
# yum install opendmarc
Will oder kann man nicht auf das Repository nausch.org zurückgreifen, steht immer noch der Installation per Hand nichts im Wege.
# yum localinstall http://repo7.nausch.org/7/x86_64/libopendmarc-1.3.0-1.el7.centos.x86_64.rpm \
http://repo7.nausch.org/7/x86_64/opendmarc-1.3.0-1.el7.centos.x86_64.rpm
Was das RPM alle mitbrachte zeigt ein Blick in die RPM-Datenbank.
# rpm -qil opendmarc
Name : opendmarc Version : 1.3.0 Release : 1.el7.centos Architecture: x86_64 Install Date: Wed 17 Dec 2014 08:58:08 PM CET Group : System Environment/Daemons Size : 517881 License : BSD and Sendmail Signature : RSA/SHA1, Wed 17 Dec 2014 08:38:39 PM CET, Key ID 60ecfb9e8195aea0 Source RPM : opendmarc-1.3.0-1.el7.centos.src.rpm Build Date : Wed 17 Dec 2014 08:38:11 PM CET Build Host : vml000200.dmz.nausch.org Relocations : (not relocatable) Packager : Django URL : http://www.trusteddomain.org/opendmarc.html Summary : DMARC milter and library Description : OpenDMARC (Domain-based Message Authentication, Reporting & Conformance) provides an open source library that implements the DMARC verification service plus a milter-based filter application that can plug in to any milter-aware MTA, including sendmail, Postfix, or any other MTA that supports the milter protocol. The DMARC sender authentication system is still a draft standard, working towards RFC status. /etc/opendmarc/ignore.hosts /etc/opendmarc/opendmarc.conf /etc/tmpfiles.d/opendmarc.conf /usr/lib/systemd/system/opendmarc.service /usr/sbin/opendmarc /usr/sbin/opendmarc-check /usr/sbin/opendmarc-expire /usr/sbin/opendmarc-import /usr/sbin/opendmarc-importstats /usr/sbin/opendmarc-params /usr/sbin/opendmarc-reports /usr/share/doc/opendmarc-1.3.0 /usr/share/doc/opendmarc-1.3.0/INSTALL /usr/share/doc/opendmarc-1.3.0/LICENSE /usr/share/doc/opendmarc-1.3.0/LICENSE.Sendmail /usr/share/doc/opendmarc-1.3.0/README /usr/share/doc/opendmarc-1.3.0/README.rddmarc /usr/share/doc/opendmarc-1.3.0/README.schema /usr/share/doc/opendmarc-1.3.0/RELEASE_NOTES /usr/share/doc/opendmarc-1.3.0/dmarc_policy_t.html /usr/share/doc/opendmarc-1.3.0/dmarcfail.py /usr/share/doc/opendmarc-1.3.0/dmarcfail.pyc /usr/share/doc/opendmarc-1.3.0/dmarcfail.pyo /usr/share/doc/opendmarc-1.3.0/draft-dmarc-base-03.txt /usr/share/doc/opendmarc-1.3.0/index.html /usr/share/doc/opendmarc-1.3.0/mkdb.mysql /usr/share/doc/opendmarc-1.3.0/mkdmarc /usr/share/doc/opendmarc-1.3.0/mysql_ip6.c /usr/share/doc/opendmarc-1.3.0/opendmarc /usr/share/doc/opendmarc-1.3.0/opendmarc.conf.sample /usr/share/doc/opendmarc-1.3.0/opendmarc.spec.in /usr/share/doc/opendmarc-1.3.0/opendmarc_dns_fake_record.html /usr/share/doc/opendmarc-1.3.0/opendmarc_get_policy_to_enforce.html /usr/share/doc/opendmarc-1.3.0/opendmarc_lib_t.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_clear.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_init.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_rset.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_connect_shutdown.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_adkim.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_alignment.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_aspf.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_fo.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_p.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_pct.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_rf.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_rua.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_ruf.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_sp.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_fetch_utilized_domain.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_library_init.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_library_shutdown.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_parse_dmarc.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_query_dmarc.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_status_to_str.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_dkim.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_dmarc.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_from_domain.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_store_spf.html /usr/share/doc/opendmarc-1.3.0/opendmarc_policy_to_buf.html /usr/share/doc/opendmarc-1.3.0/opendmarc_spf_test.html /usr/share/doc/opendmarc-1.3.0/opendmarc_status_t.html /usr/share/doc/opendmarc-1.3.0/opendmarc_tld_read_file.html /usr/share/doc/opendmarc-1.3.0/opendmarc_tld_shutdown.html /usr/share/doc/opendmarc-1.3.0/opendmarc_util_clearargv.html /usr/share/doc/opendmarc-1.3.0/opendmarc_xml.html /usr/share/doc/opendmarc-1.3.0/opendmarc_xml_parse.html /usr/share/doc/opendmarc-1.3.0/overview.html /usr/share/doc/opendmarc-1.3.0/rddmarc /usr/share/doc/opendmarc-1.3.0/schema.mysql /usr/share/man/man5/opendmarc.conf.5.gz /usr/share/man/man8/opendmarc-check.8.gz /usr/share/man/man8/opendmarc-expire.8.gz /usr/share/man/man8/opendmarc-import.8.gz /usr/share/man/man8/opendmarc-importstats.8.gz /usr/share/man/man8/opendmarc-params.8.gz /usr/share/man/man8/opendmarc-reports.8.gz /usr/share/man/man8/opendmarc.8.gz /var/run/opendmarc /var/spool/opendmarc
# rpm -qil libopendmarc
Name : libopendmarc Version : 1.3.0 Release : 1.el7.centos Architecture: x86_64 Install Date: Wed 17 Dec 2014 08:40:49 PM CET Group : System Environment/Libraries Size : 48888 License : BSD and Sendmail Signature : RSA/SHA1, Wed 17 Dec 2014 08:38:40 PM CET, Key ID 60ecfb9e8195aea0 Source RPM : opendmarc-1.3.0-1.el7.centos.src.rpm Build Date : Wed 17 Dec 2014 08:38:11 PM CET Build Host : vml000200.dmz.nausch.org Relocations : (not relocatable) Packager : Django URL : http://www.trusteddomain.org/opendmarc.html Summary : An open source DMARC library Description : This package contains the library files required for running services built using libopendmarc. /usr/lib64/libopendmarc.so.2 /usr/lib64/libopendmarc.so.2.0.0
Konfigurations-Dokumentation
README
Viele hilfreiche Informationen zur Konfiguration von OpenDMARC finden sich in den nachfolgenden Dateien.
# less /usr/share/doc/opendmarc-1.3.0/README
OPENDMARC README ================ This directory has the latest open source DMARC software from The Trusted Domain Project. There is a web site at http://www.trusteddomain.org/opendmarc that is home for the latest updates. +--------------+ | INTRODUCTION | +--------------+ The OpenDMARC project is a community effort to develop and maintain an open source package for providing DMARC report generation and policy enforcement services. It includes a library for handling DMARC record parsing, a database schema and tools for aggregating and processing transaction history to produce DMARC reports, and a filter that ties it all together with an MTA using the milter protocol. "milter" is a portmanteau of "mail filter" and refers to a protocol and API for communicating mail traffic information between MTAs and mail filtering plug-in applications. It was originally invented at Sendmail, Inc. but has also been adapted to other MTAs. +--------------+ | DEPENDENCIES | +--------------+ To compile and operate, this package requires the following: o OpenDBX (http://www.linuxnetworks.de/doc/index.php/OpenDBX) which acts as a middleware layer between OpenDMARC and your SQL backend of choice o sendmail v8.13.0 (or later), or Postfix 2.3, (or later) and libmilter. (These are only required if you are building the filter.) o Access to a working nameserver (required only for signature verification). o If you are interested in tinkering with the build and packaging structure, you may need to upgrade to these versions of GNU's "autotools" components: autoconf (GNU Autoconf) 2.61 automake (GNU automake) 1.7 (or 1.9 to avoid warnings) ltmain.sh (GNU libtool) 2.2.6 (or 1.5.26 after make maintainer-clean) +-----------------------+ | RELATED DOCUMENTATION | +-----------------------+ The man page for opendmarc (the actual filter program) is present in the opendmarc directory of this source distribution. There is additional information in the INSTALL and FEATURES files, and in the README file in the opendmarc directory. Changes are documented in the RELEASE_NOTES file. HTML-style documentation for libopendmarc is available in libopendmarc/docs in this source distribution. General information about DMARC can be found at http://www.dmarc.org Mailing lists discussing and supporting the DMARC software found in this package are maintained via a list server at trusteddomain.org. Visit http://www.trusteddomain.org to subscribe or browse archives. The available lists are: opendmarc-announce (moderated) Release announcements. opendmarc-users General OpenDMARC user questions and answers. opendmarc-dev Chatter among OpenDMARC developers. opendmarc-code Automated source code change announcements. Bug tracking is done via the trackers on SourceForge at http://sourceforge.net/projects/opendmarc. You can enter new bug reports there, but please check first for older bugs already open, or even already closed, before opening a new issue. +---------------------+ | DIRECTORY STRUCTURE | +---------------------+ contrib A collection of user contributed scripts that may be useful. db Database schema and tools for generating DMARC reports based upon accumulated data. docs A collection of RFCs and drafts related to opendmarc. libopendmarc A library that implements the proposed DMARC standard. libopendmarc/docs HTML documentation describing the API provided by libopendmarc. opendmarc A milter-based filter application which uses libopendmarc (and optionally libar) to provide DMARC service via an MTA using the milter protocol. +----------------+ | RUNTIME ISSUES | +----------------+ WARNING: symbol 'X' not available The filter attempted to get some information from the MTA that the MTA did not provide. At various points in the interaction between the MTA and the filter, certain macros containing information about the job in progress or the connection being handled are passed from the MTA to the filter. In the case of sendmail, the names of the macros the MTA should pass to the filter are defined by the "Milter.macros" settings in sendmail.cf, e.g. "Milter.macros.connect", "Milter.macros.envfrom", etc. This message indicates that the filter needed the contents of macro X, but that macro was not passed down from the MTA. Typically the values needed by this filter are passed from the MTA if the sendmail.cf was generated by the usual m4 method. If you do not have those options defined in your sendmail.cf, make sure your M4 configuration files are current and rebuild your sendmail.cf to get appropriate lines added to your sendmail.cf, and then restart sendmail. MTA timeouts By default, the MTA is configured to wait up to ten seconds for a response from a filter before giving up. When querying remote nameservers for key and policy data, the DMARC filter may not get a response from the resolver within that time frame, and thus this MTA timeout will occur. This can cause messages to be rejected, temp-failed or delivered without verification, depending on the failure mode selected for the filter. When using the standard resolver library provided with your system, the DNS timeout cannot be adjusted. If you encounter this problem, you must increase the time the MTA waits for replies. See the documentation in the sendmail open source distribution (libmilter/README in particular) for instructions on changing these timeouts. When using the provided asynchronous resolver library, you can use the "-T" command line option to change the timeout so that it is shorter than the MTA timeout. Other OpenDMARC issues: Report any bugs to the email address opendmarc-users@trusteddomain.org or to the SourceForge issue tracker accessible at: http://sourceforge.net/p/opendmarc/tickets/ -- Copyright (c) 2012, The Trusted Domain Project. All rights reserved. $Id: README,v 1.13 2010/10/25 20:41:55 cm-msk Exp $
README.schema
# less /usr/share/doc/opendmarc-1.3.0/README.schema
This directory contains the OpenDMARC schema plus any related files.
The tables in this schema are populated by the opendmarc filter as it processes
messages and downloads policies. The rows are then consumed by the scripts
in the "reports" directory to generate regular aggregate reports.
The tables are summarized here:
domains A table that maps domain names to unique integer IDs.
Automatically tracks a "first seen" timestamp, and includes
a column to record when the last report was sent.
reporters A table mapping reporting hosts to unique integer IDs.
Intended for use by multi-MX systems so it's possible to tell
where an inbound message landed.
ipaddr A table mapping IP addresses (as strings) to unique IDs.
Also tracks the "first seen" timestamp for each.
messages A table tracking salient properties of all messages received.
A messages is uniquely identified by a {date, jobid, reporter}
tuple. Includes references to the "domains" table to track
the RFC5321.MailFrom domain, the RFC5322.From domain.
Also records the count of DKIM signatures, the SPF result,
and whether or not the SPF result was aligned with the
RFC5322.From domain.
signatures A table tracking DKIM signatures, each of which refers to
a rown in the "messages" table. Tracks the signing domain,
whether the signature passed, whether there was a verification
error other than a broken signature, and whether or not the
signing domain aligned with the RFC5322.From domain.
requests A table containing a cache of DMARC reporting requests.
For each domain, the destination reporting URI for aggregate
reports is recorded along with a "last report sent" timestamp.
--
Copyright (c) 2012, The Trusted Domain Project. All rights reserved.
README.rddmarc
# less /usr/share/doc/opendmarc-1.3.0/README.rddmarc
These are little scripts to parse DMARC reports.
The first, rddmarc, is a perl script that take an incoming DMARC
summary report email, extracts and unpacks the gzip or ZIP file,
parses the XML, and puts the parts about received mail into a MySQL
database. The database is set up to handle reports about multiple
domains from multiple reporters. It's handling reports from Google,
Yahoo, xs4all and Netease.
It expects filenames on the command line, each of which contains a
mail message, but it'd easy enough to adjust it to read stdin or
anywhere else.
It works great on FreeBSD, can probably be made to work on linux with
modest effort, no clue about other systems. It needs the
MIME::Parser, XML::Simple, and DBI perl modules and the freeware unzip
program to extract stuff from the gzip or ZIP file.
It now handles both IPv4 and IPv6 addresses. If you have been
running the ipv4 version, see mkdmarc for instructions on how
to update your database. The file mysql_ip6.c is a plugin for a
mysql server to add some IPv6 formatting functions that can be
handy when analyzing the reports. It's not needed for rddmarc.
The second is a python script to parse failure reports. It expects
file names on the command line, or if no arguments, it reads stdin. It
needs the usual MySQLdb module. It handles reports from Netease,
which are currently the only ones I'm getting.
mkdmarc - SQL to create the tables
rddmarc - the script to parse summary reports (Perl)
dmarcfail.py - the script to parse failure reports (python)
mysql_ip6.c - C language source for MySQL plugin for IPv6
formatting functions
man-pages
opendmarc
# man opendmarc
opendmarc(8) System Manager's Manual opendmarc(8)
NAME
opendmarc - DMARC email policy filter for MTAs
SYNOPSIS
opendmarc [-A] [-c configfile] [-f] [-l] [-n] [-p socketspec] [-P pidfile] [-t
file[,file[...]]] [-u userid[:group]] [-v] [-V]
DESCRIPTION
opendmarc implements the prooposed DMARC specification for authentication of message
and reporting of observed traffic.
opendmarc uses the milter interface, originally distributed as part of version 8.11
of sendmail(8), to provide a DMARC processing service for mail transiting a milter-
aware MTA.
Most, if not all, of the command line options listed below can also be set using a
configuration file. See the -c option for details.
opendmarc relies on addition of Authentication-Results fields by upsteam filters on
trusted hosts to collect input to the DMARC algorithm. It does not itself do DKIM or
SPF evaluation.
OPTIONS
-A Automatically re-start on failures. Use with caution; if the filter fails
instantly after it starts, this can cause a tight fork(2) loop. This can be
mitigated using some values in the configuration file to limit restarting.
See opendmarc.conf(5).
-c configfile
Read the named configuration file. See the opendmarc.conf(5) man page for
details. Values in the configuration file are overridden when their equiva‐
lents are provided on the command line until a configuration reload occurs.
The OPERATION section describes how reloads are triggered. The default is to
read a configuration file from /etc/opendmarc.conf if one exists, or otherwise
to apply defaults to all values.
-f Normally opendmarc forks and exits immediately, leaving the service running in
the background. This flag suppresses that behaviour so that it runs in the
foreground.
-l Log via calls to syslog(3) any interesting activity.
-n Parse the configuration file and command line arguments, reporting any errors
found, and then exit. The exit value will be 0 if the filter would start up
without complaint, or non-zero otherwise.
-p socketspec
Specifies the socket that should be established by the filter to receive con‐
nections from sendmail(8) in order to provide service. socketspec is in one
of two forms: local:path which creates a UNIX domain socket at the specified
path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on
the specified port within the specified protocol family. If the host is not
given as either a hostname or an IP address, the socket will be listening on
all interfaces. If neither socket type is specified, local is assumed, mean‐
ing the parameter is interpreted as a path at which the socket should be cre‐
ated. If an IP address is used, it must be enclosed in square brackets. This
parameter is mandatory.
-P pidfile
Specifies a file into which the filter should write its process ID at startup.
-t file[,file[,...]]
Reads email messages from the named files and processes them as if they were
received by the filter. The service is not started, and actions normally sent
back to the MTA will instead be printed on standard output.
-u userid[:group]
Attempts to be come the specified userid before starting operations. The
process will be assigned all of the groups and primary group ID of the named
userid unless an alternate group is specified. See the FILE PERMISSIONS sec‐
tion for more information.
-v Increase verbose output during test mode (see -t above). May be specified
more than once to request increasing amounts of output.
-V Print the version number and supported canonicalization and signature algo‐
rithms, and then exit without doing anything else.
SIGNALS
Upon receiving SIGUSR1, if the filter was started with a configuration file, it will
be re-read and the new values used. Note that any command line overrides provided at
startup time will be lost when this is done. Also, the following configuration file
values (and their corresponding command line items, if any) are not reloaded through
this process: AutoRestart (-A), AutoRestartCount, AutoRestartRate, Background, Mil‐
terDebug, PidFile (-P), Socket (-p), UMask, UserID (-u). The filter does not auto‐
matically check the configuration file for changes and reload.
VERSION
This man page covers version 1.3.0 of opendmarc.
COPYRIGHT
Copyright (c) 2012, The Trusted Domain Project. All rights reserved.
SEE ALSO
opendmarc.conf(5), sendmail(8)
Sendmail Operations Guide
RFC4408 - Sender Policy Framework
RFC5321 - Simple Mail Transfer Protocol
RFC5322 - Internet Messages
RFC5451 - Message Header Field for Indicating Message Authentication Status
RFC6376 - DomainKeys Identified Mail
RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format
The Trusted Domain Project opendmarc(8)
opendmarc.conf
# man opendmarc.conf
opendmarc.conf(5) File Formats Manual opendmarc.conf(5)
NAME
opendmarc.conf - Configuration file for opendmarc
LOCATION
/etc/opendmarc.conf
DESCRIPTION
opendmarc(8) implements the proposed DMARC specification for message authentication,
policy enforcement, and reporting. This file is its configuration file.
Blank lines are ignored. Lines containing a hash ("#") character are truncated at
the hash character to allow for comments in the file.
Other content should be the name of a parameter, followed by white space, followed by
the value of that parameter, each on a separate line.
For parameters that are Boolean in nature, only the first byte of the value is pro‐
cessed. For positive values, the following are accepted: "T", "t", "Y", "y", "1".
For negative values, the following are accepted: "F", "f", "N", "n", "0".
Some, but not all, of these parameters are also available as command line options to
opendmarc(8). However, new parameters are generally not added as command line
options so the complete set of options is available here, and thus use of the config‐
uration file is encouraged. In some future release, the set of available command
line options is likely to get trimmed.
See the opendmarc(8) man page for details about how and when the configuration file
contents are reloaded.
Unless otherwise stated, Boolean values default to "false", integer values default to
0, and string and dataset values default to being undefined.
PARAMETERS
AuthservID (string)
Sets the "authserv-id" to use when generating the Authentication-Results:
header field after verifying a message. The default is to use the name of the
MTA processing the message. If the string "HOSTNAME" is provided, the name of
the host running the filter (as returned by the gethostname(3) function) will
be used.
AuthservIDWithJobID (Boolean)
If "true", requests that the authserv-id portion of the added Authentication-
Results: header fields contain the job ID of the message being evaluated.
AutoRestart (Boolean)
Automatically re-start on failures. Use with caution; if the filter fails
instantly after it starts, this can cause a tight fork(2) loop.
AutoRestartCount (integer)
Sets the maximum automatic restart count. After this number of automatic
restarts, the filter will give up and terminate. A value of 0 implies no
limit; this is the default.
AutoRestartRate (string)
Sets the maximum automatic restart rate. If the filter begins restarting
faster than the rate defined here, it will give up and terminate. This is a
string of the form n/t[u] where n is an integer limiting the count of restarts
in the given interval and t[u] defines the time interval through which the
rate is calculated; t is an integer and u defines the units thus represented
("s" or "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for
hours; "d" or "D" for days). For example, a value of "10/1h" limits the
restarts to 10 in one hour. There is no default, meaning restart rate is not
limited.
Background (Boolean)
Causes opendmarc to fork and exits immediately, leaving the service running in
the background. The default is "true".
BaseDirectory (string)
If set, instructs the filter to change to the specified directory using
chdir(2) before doing anything else. This means any files referenced else‐
where in the configuration file can be specified relative to this directory.
It's also useful for arranging that any crash dumps will be saved to a spe‐
cific location.
ChangeRootDirectory (string)
Requests that the operating system change the effective root directory of the
process to the one specified here prior to beginning execution. chroot (2)
requires superuser access. A warning will be generated if UserID is not also
set.
CopyFailuresTo (string)
Adds the specified recipient to the message's envelope if it fails the DMARC
evaluation.
DNSTimeout (integer)
Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
default is 5. Ignored if not using an asynchronous resolver package.
EnableCoredumps (Boolean)
On systems that have such support, make an explicit request to the kernel to
dump cores when the filter crashes for some reason. Some modern UNIX systems
suppress core dumps during crashes for security reasons if the user ID has
changed during the lifetime of the process. Currently only supported on
Linux.
FailureReports (Boolean)
Enables generation of failure reports when the DMARC test fails and the pur‐
ported sender of the message has requested such reports. Reports are format‐
ted per RFC6591.
FailureReportsBcc (string)
When failure reports are enabled and one is to be generated, always send one
to the address(es) specified here. If a failure report is requested by the
domain owner, the address(es) are added in a Bcc: field. If no request is
made, they address(es) are used in a To: field. There is no default.
FailureReportsOnNone (Boolean)
Supplementary to the previous setting, enables generation of failure reports
for sending domains that publish a "none" policy.
FailureReportsSentBy (string)
Sets the value of the From: field to be used when sending failure reports (see
above). The default is to use the userid of the user executing the filter and
the local host name to construct an email address.
HistoryFile (string)
If set, specifies the location of a text file to which records are written
that can be used to generate DMARC aggregate reports. Records are batches of
rows containing information about a single received message, and include all
relevant information needed to generate a DMARC aggregate report. It is
expected that this will not be used in its raw form, but rather periodically
imported into a relational database from which the aggregate reports can be
extracted.
IgnoreAuthenticatedClients (Boolean)
If set, causes mail from authenticated clients (i.e., those that used SMTP
AUTH) to be ignored by the filter. The default is "false".
IgnoreHosts (string)
Specifies the path to a file that contains a list of hostnames, IP addresses,
and/or CIDR expressions identifying hosts whose SMTP connections are to be
ignored by the filter. If not specified, defaults to "127.0.0.1" only.
IgnoreMailFrom (string)
Gives a list of domain names whose mail (based on the From: domain) is to be
ignored by the filter. The list should be comma-separated. Matching against
this list is case-insensitive. The default is an empty list, meaning no mail
is ignored.
MilterDebug (integer)
Sets the debug level to be requested from the milter library. The default is
0.
PidFile (string)
Specifies the path to a file that should be created at process start contain‐
ing the process ID.
PublicSuffixList (string)
Specifies the path to a file that contains top-level domains (TLDs) that will
be used to compute the Organizational Domain for a given domain name, as
described in the DMARC specification. If not provided, the filter will not be
able to determine the Organizational Domain and only the presented domain will
be evaluated.
RecordAllMessages (Boolean)
If set and HistoryFile is in use, all received messages are recorded to the
history file. If not set (the default), only messages for which the From:
domain published a DMARC record will be recorded in the history file.
RejectFailures (Boolean)
If set, messages will be rejected if they fail the DMARC evaluation, or temp-
failed if evaluation could not be completed. By default, no message will be
rejected or temp-failed regardless of the outcome of the DMARC evaluation of
the message. Instead, an Authentication-Results header field will be added.
The default is "false".
ReportCommand (string)
Indicates the shell command to which failure reports should be passed for
delivery when FailureReports is enabled. Defaults to /usr/sbin/sendmail.
RequiredHeaders (Boolean)
If set, the filter will ensure the header of the message conforms to the basic
header field count restrictions laid out in RFC5322, Section 3.6. Messages
failing this test are rejected without further processing. A From: field from
which no domain name could be extracted will also be rejected.
Socket (string)
Specifies the socket that should be established by the filter to receive con‐
nections from sendmail(8) in order to provide service. socketspec is in one
of two forms: local:path, which creates a UNIX domain socket at the specified
path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on
the specified port for the appropriate protocol family. If the host is not
given as either a hostname or an IP address, the socket will be listening on
all interfaces. This option is mandatory either in the configuration file or
on the command line. If an IP address is used, it must be enclosed in square
brackets.
SoftwareHeader (Boolean)
Causes opendmarc to add a "DMARC-Filter" header field indicating the presence
of this filter in the path of the message from injection to delivery. The
product's name, version, and the job ID are included in the header field's
contents.
SPFIgnoreResults (Boolean)
Causes the filter to ignore any SPF results in the header of the message.
This is useful if you want the filter to perfrom SPF checks itself, or because
you don't trust the arriving header. The default is "false".
SPFSelfValidate (Boolean)
Causes the filter to perform a fallback SPF check itself when it can find no
SPF results in the message header. If SPFIgnoreResults is also set, it never
looks for SPF results in headers and always performs the SPF check itself when
this is set. The default is "false".
Syslog (Boolean)
Log via calls to syslog(3) any interesting activity.
SyslogFacility (string)
Log via calls to syslog(3) using the named facility. The facility names are
the same as the ones allowed in syslog.conf(5). The default is "mail".
TemporaryDirectory (string)
Specifies the directory in which temporary files should be written. The
default is /var/tmp.
TrustedAuthservIDs (string)
Provides a list of authserv-ids that are to be used to identify Authentica‐
tion-Results header fields whose contents are to be assumed as valid input for
the DMARC assessment. To provide a list, separate values by commas. If the
string "HOSTNAME" is provided, the name of the host running the filter (as
returned by the gethostname(3) function) will be used. Matching against this
list is case-insensitive. The default is to use the value of AuthservID.
UMask (integer)
Requests a specific permissions mask to be used for file creation. This only
really applies to creation of the socket when Socket specifies a UNIX domain
socket, and to the PidFile (if any); temporary files are created by the
mkstemp(3) function that enforces a specific file mode on creation regardless
of the process umask. See umask(2) for more information.
UserID (string)
Attempts to become the specified userid before starting operations. The value
is of the form userid[:group]. The process will be assigned all of the groups
and primary group ID of the named userid unless an alternate group is speci‐
fied.
FILES
/etc/opendmarc.conf
Default location of this file.
VERSION
This man page covers version 1.3.0 of opendmarc.
COPYRIGHT
Copyright (c) 2012-2014, The Trusted Domain Project. All rights reserved.
SEE ALSO
opendmarc(8), sendmail(8)
RFC4408 - Sender Policy Framework
RFC5451 - Message Header Field for Indicating Message Authentication Status
RFC5965 - An Extensible Format for Email Feedback Reports
RFC6376 - DomainKeys Identified Mail
RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format
The Trusted Domain Project opendmarc.conf(5)
opendmarc-check
# man opendmarc-check
opendmarc-check(8) System Manager's Manual opendmarc-check(8)
NAME
opendmarc-check - DMARC record check tool
SYNOPSIS
opendmarc-check domain [domain [...]]
DESCRIPTION
opendmarc-check queries the DNS for a DMARC record for the named domain(s) and then
translates the content found to a human-readable form. This can be used to ensure
that the DMARC policy you have placed in the nameserver is what you intended for oth‐
ers to see.
VERSION
This man page covers version 1.3.0 of opendmarc.
COPYRIGHT
Copyright (c) 2012, The Trusted Domain Project. All rights reserved.
SEE ALSO
opendmarc.conf(5), opendmarc(8)
The Trusted Domain Project opendmarc-check(8)
opendmarc-expire
# man opendmarc-expire
opendmarc-expire(8) System Manager's Manual opendmarc-expire(8)
NAME
opendmarc-expire - OpenDMARC history data expiration tool
SYNOPSIS
opendmarc-expire [options]
DESCRIPTION
opendmarc-expire expires old records from the database that is part of the OpenDMARC
aggregate reporting feature.
OPTIONS
--alltables
Expire records in all tables rather than only the large ones.
--dbhost=host
Attempts to connect to the database server on the named host. The default is
"localhost".
--dbname=name
Requests a connection to the database called name. The default is "opend‐
marc".
--dbpasswd=password
Attempts to authenticate to the database server using the specified password.
The default is "opendmarc".
--dbport=port
Tries to connect to the database at the specified TCP port. The default is
3306.
--dbuser=user
Attempts to authenticate to the database server as the specified user. The
default is "opendmarc".
--expire=days
Indicates the number of days of data to keep. The default is 180.
--help Prints a usage message and exits.
--verbose
Requests verbose output.
--version
Prints version number and exits.
VERSION
This man page covers the version of opendmarc-expire that shipped with version 1.3.0
of OpenDMARC.
COPYRIGHT
Copyright (c) 2012, 2014, The Trusted Domain Project. All rights reserved.
SEE ALSO
opendmarc(8), opendmarc-import(8)
The Trusted Domain Project opendmarc-expire(8)
opendmarc-import
# man opendmarc-import
opendmarc-import(8) System Manager's Manual opendmarc-import(8) NAME opendmarc-import - OpenDMARC aggregate report data import tool SYNOPSIS opendmarc-import [options] DESCRIPTION opendmarc-import reads per-message data recorded by an instance of opendmarc(8) and inserts it into an SQL database, for later use by opendmarc-reports(8) to generate aggregate reports. Records are read from standard input. OPTIONS --dbhost=hostname Specifies the hostname on which the SQL server is running. Defaults to the value of the environment variable OPENDMARC_DBHOST, or "localhost" if the environment variable is not set. --dbname=name Specifies the SQL database name to be accessed. Defaults to the value of the environment variable OPENDMARC_DB, or "opendmarc" if the environment variable is not set. --dbpasswd=password Specifies the password for the SQL database to be accessed. Defaults to the value of the environment variable OPENDMARC_PASSWORD, or "opendmarc" if the environment variable is not set. --dbport=port Specifies the TCP port on which the SQL server is expected to be listening. Defaults to the value of the environment variable OPENDMARC_PORT, or 3306 if the environment variable is not set. --dbuser=user Specifies the SQL user to be used to access the database. Defaults to the value of the environment variable OPENDMARC_USER, or "opendmarc" if the envi‐ ronment variable is not set. --help Prints a help message and terminates. --verbose Increase the amount of verbosity written to standard output. --version Print version number and exit. VERSION This man page covers the version of opendmarc-import that shipped with version 1.3.0 of OpenDMARC. COPYRIGHT Copyright (c) 2012, The Trusted Domain Project. All rights reserved. SEE ALSO opendmarc(8), opendmarc.conf(5) opendmarc-reports(8) The Trusted Domain Project opendmarc-import(8)
opendmarc-importstats
# man opendmarc-importstats
opendmarc-importstats(8) System Manager's Manual opendmarc-importstats(8)
NAME
opendmarc-importstats - import OpenDMARC statistics/history data
SYNOPSIS
opendmarc-importstats
DESCRIPTION
opendmarc-importstats is a fairly trivial shell script, typically executed by
cron(8), that rotates an OpenDMARC statistics/history data file to a unique filename
and then attempts to import it to a local database for later processing by executing
opendmarc-import(8). On successful import, the unique file is removed; on failure,
the script executes ls(1) on the file and exits without removing the unique file.
The intent of this last step is to cause cron to generate a message to a responsible
party so that the failure will be investigated.
VERSION
This man page covers the version of opendmarc-importstats that shipped with version
1.3.0 of OpenDMARC.
COPYRIGHT
Copyright (c) 2013, The Trusted Domain Project. All rights reserved.
SEE ALSO
cron(8), opendmarc(8), opendmarc-import(8)
The Trusted Domain Project opendmarc-importstats(8)
opendmarc-params
# man opendmarc-params
opendmarc-params(8) System Manager's Manual opendmarc-params(8)
NAME
opendmarc-params - OpenDMARC reporting parameters setup tool
SYNOPSIS
opendmarc-params [options] domain
DESCRIPTION
opendmarc-params records a specific reporting address for aggregate reports about the
named domain and flags it as "locked" in the reporting requests database. This is
done to allow an administrator to force generation of reports and have them sent to a
specific address regardless of what data may (or may not) be found in the DNS for the
named domain.
OPTIONS
--dbhost=host
Attempts to connect to the database server on the named host. The default is
"localhost".
--dbname=name
Requests a connection to the database called name. The default is "opend‐
marc".
--dbpasswd=password
Attempts to authenticate to the database server using the specified password.
The default is "opendmarc".
--dbport=port
Tries to connect to the database at the specified TCP port. The default is
3306.
--dbuser=user
Attempts to authenticate to the database server as the specified user. The
default is "opendmarc".
--help Prints a usage message and exits.
--rua=string
Sets the reporting URI for the named domain to the specified string.
--unlock
Unlocks the record for the named domain.
--verbose
Requests verbose output.
--version
Prints version number and exits.
VERSION
This man page covers the version of opendmarc-params that shipped with version 1.3.0
of OpenDMARC.
COPYRIGHT
Copyright (c) 2012, The Trusted Domain Project. All rights reserved.
SEE ALSO
opendmarc(8), opendmarc-import(8), opendmarc-reports(8)
The Trusted Domain Project opendmarc-params(8)
opendmarc-reports
# man opendmarc-reports
opendmarc-reports(8) System Manager's Manual opendmarc-reports(8)
NAME
opendmarc-reports - OpenDMARC aggregate report generation tool
SYNOPSIS
opendmarc-reports [options]
DESCRIPTION
opendmarc-reports pulls data from an OpenDMARC database and generates periodic aggre‐
gate reports. The database is populated by a running opendmarc-import(8) on a mes‐
sage history file generated by an opendmarc(8) filter as messages arrive and are pro‐
cessed. This includes the collection of reporting URIs, which this script uses to
make reports available to those that request them.
OPTIONS
--daybound
Generate reports on day boundaries. Overrides the value of --interval (see
below). --dbhost=hostname Specifies the hostname on which the SQL server is
running. Defaults to the value of the environment variable OPENDMARC_DBHOST,
or "localhost" if the environment variable is not set.
--dbname=name
Specifies the SQL database name to be accessed. Defaults to the value of the
environment variable OPENDMARC_DB, or "opendmarc" if the environment variable
is not set.
--dbpasswd=password
Specifies the password for the SQL database to be accessed. Defaults to the
value of the environment variable OPENDMARC_PASSWORD, or "opendmarc" if the
environment variable is not set.
--dbport=port
Specifies the TCP port on which the SQL server is expected to be listening.
Defaults to the value of the environment variable OPENDMARC_PORT, or 3306 if
the environment variable is not set.
--dbuser=user
Specifies the SQL user to be used to access the database. Defaults to the
value of the environment variable OPENDMARC_USER, or "opendmarc" if the envi‐
ronment variable is not set.
--domain=name
Generates a report (if one is due) for the named domain, rather than checking
all of them.
--help Prints a help message and terminates.
--interval=secs
Generates reports only for hosts that have not had a report generated in at
least the last secs seconds.
--nodomain=name
Skips generating a report for the named domain. Can be specified multiple
times to skip multiple reporting domains.
--noupdate
Suppresses marking the time of the transmission of the report in the database.
Normally this would be done to prevent reports from being sent too close
together.
--smtp-host=host
Causes reports to be sent by transmitting them using SMTP to the named host
which can be an IP address or a hostname. The default is "127.0.0.1".
--smtp-port=port
Causes reports to be sent by transmitting them using SMTP to the specified
port. The default is 25.
--utc Instructs the database to change to the UTC timezone when generating output.
Otherwise, the database default is used.
--verbose
Increase the amount of verbosity written to standard output.
--version
Print version number and exit.
VERSION
This man page covers the version of opendmarc-reports that shipped with version 1.3.0
of OpenDMARC.
COPYRIGHT
Copyright (c) 2012, 2014, The Trusted Domain Project. All rights reserved.
SEE ALSO
opendmarc(8), opendmarc.conf(5), opendmarc-import(8)
The Trusted Domain Project opendmarc-reports(8)
Konfiguration
opendmarc
opendmarc.conf
Die Konfiguration von OpenDMARC erfolgt über die Konfigurationsdatei opendmarc.conf im Verzeichnis /etc/opendmarc/.
# vim /etc/opendmarc/opendmarc.conf
- /etc/opendmarc/opendmarc.conf
## ## opendmarc.conf -- configuration file for OpenDMARC filter ## ## Copyright (c) 2012-2014, The Trusted Domain Project. All rights reserved. ## ## AuthservID (string) ## defaults to MTA name ## ## Sets the "authserv-id" to use when generating the Authentication-Results: ## header field after verifying a message. If the string "HOSTNAME" is ## provided, the name of the host running the filter (as returned by the ## gethostname(3) function) will be used. # # AuthservID name # Django : 2014-12-17 AuthservID mx01.nausch.org ## AuthservIDWithJobID { true | false } ## default "false" ## ## If "true", requests that the authserv-id portion of the added ## Authentication-Results header fields contain the job ID of the message ## being evaluated. # # AuthservIDWithJobID false # Django : 2014-02-17 AuthservIDWithJobID true ## AutoRestart { true | false } ## default "false" ## ## Automatically re-start on failures. Use with caution; if the filter fails ## instantly after it starts, this can cause a tight fork(2) loop. # # AutoRestart false ## AutoRestartCount n ## default 0 ## ## Sets the maximum automatic restart count. After this number of automatic ## restarts, the filter will give up and terminate. A value of 0 implies no ## limit. # # AutoRestartCount 0 ## AutoRestartRate n/t[u] ## default (no limit) ## ## Sets the maximum automatic restart rate. If the filter begins restarting ## faster than the rate defined here, it will give up and terminate. This ## is a string of the form n/t[u] where n is an integer limiting the count ## of restarts in the given interval and t[u] defines the time interval ## through which the rate is calculated; t is an integer and u defines the ## units thus represented ("s" or "S" for seconds, the default; "m" or "M" ## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a ## value of "10/1h" limits the restarts to 10 in one hour. There is no ## default, meaning restart rate is not limited. # # AutoRestartRate n/t[u] ## Background { true | false } ## default "true" ## ## Causes opendmarc to fork and exits immediately, leaving the service ## running in the background. # # Background true ## BaseDirectory (string) ## default (none) ## ## If set, instructs the filter to change to the specified directory using ## chdir(2) before doing anything else. This means any files referenced ## elsewhere in the configuration file can be specified relative to this ## directory. It's also useful for arranging that any crash dumps will be ## saved to a specific location. # # BaseDirectory /var/run/opendmarc ## ChangeRootDirectory (string) ## default (none) ## ## Requests that the operating system change the effective root directory of ## the process to the one specified here prior to beginning execution. ## chroot(2) requires superuser access. A warning will be generated if ## UserID is not also set. # # ChangeRootDirectory /var/chroot/opendmarc ## CopyFailuresTo (string) ## default (none) ## ## Requests addition of the specified email address to the envelope of ## any message that fails the DMARC evaluation. # # CopyFailuresTo postmaster@localhost ## DNSTimeout (integer) ## default 5 ## ## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. ## (NOT YET IMPLEMENTED) # # DNSTimeout 5 ## EnableCoredumps { true | false } ## default "false" ## ## On systems that have such support, make an explicit request to the kernel ## to dump cores when the filter crashes for some reason. Some modern UNIX ## systems suppress core dumps during crashes for security reasons if the ## user ID has changed during the lifetime of the process. Currently only ## supported on Linux. # # EnableCoreDumps false ## FailureReports { true | false } ## default "false" ## ## Enables generation of failure reports when the DMARC test fails and the ## purported sender of the message has requested such reports. Reports are ## formatted per RFC6591. # # FailureReports false # Django : 2014-12-17 FailureReports true ## FailureReportsBcc (string) ## default (none) ## ## When failure reports are enabled and one is to be generated, always ## send one to the address(es) specified here. If a failure report is ## requested by the domain owner, the address(es) are added in a Bcc: field. ## If no request is made, they address(es) are used in a To: field. There ## is no default. # # FailureReportsBcc postmaster@example.coom ## FailureReportsOnNone { true | false } ## default "false" ## ## Supplements the "FailureReports" setting by generating reports for ## domains that advertise "none" policies. By default, reports are only ## generated (when enabled) for sending domains advertising a "quarantine" ## or "reject" policy. # # FailureReportsOnNone false ## FailureReportsSentBy string ## default "USER@HOSTNAME" ## ## Specifies the email address to use in the From: field of failure ## reports generated by the filter. The default is to use the userid of ## the user running the filter and the local hostname to construct an ## email address. "postmaster" is used in place of the userid if a name ## could not be determined. # # FailureReportsSentBy USER@HOSTNAME # Django : 2014-12-17 FailureReportsSentBy dmarc-admin@nausch.org ## HistoryFile path ## default (none) ## ## If set, specifies the location of a text file to which records are written ## that can be used to generate DMARC aggregate reports. Records are groups ## of rows containing information about a single received message, and ## include all relevant information needed to generate a DMARC aggregate ## report. It is expected that this will not be used in its raw form, but ## rather periodically imported into a relational database from which the ## aggregate reports can be extracted by a tool such as opendmarc-import(8). # HistoryFile /var/run/opendmarc/opendmarc.dat ## IgnoreAuthenticatedClients { true | false } ## default "false" ## ## If set, causes mail from authenticated clients (i.e., those that used ## SMTP AUTH) to be ignored by the filter. # # IgnoreAuthenticatedClients false ## IgnoreHosts path ## default (internal) ## ## Specifies the path to a file that contains a list of hostnames, IP ## addresses, and/or CIDR expressions identifying hosts whose SMTP ## connections are to be ignored by the filter. If not specified, defaults ## to "127.0.0.1" only. # # IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts # Django : 2014-12-17 IgnoreHosts /etc/opendmarc/ignore.hosts ## IgnoreMailFrom domain[,...] ## default (none) ## ## Gives a list of domain names whose mail (based on the From: domain) is to ## be ignored by the filter. The list should be comma-separated. Matching ## against this list is case-insensitive. The default is an empty list, ## meaning no mail is ignored. # # IgnoreMailFrom example.com ## MilterDebug (integer) ## default 0 ## ## Sets the debug level to be requested from the milter library. # # MilterDebug 0 # Django : 2014-12-17 MilterDebug 5 ## PidFile path ## default (none) ## ## Specifies the path to a file that should be created at process start ## containing the process ID. ## # # PidFile /var/run/opendmarc/opendmarc.pid ## PublicSuffixList path ## default (none) ## ## Specifies the path to a file that contains top-level domains (TLDs) that ## will be used to compute the Organizational Domain for a given domain name, ## as described in the DMARC specification. If not provided, the filter will ## not be able to determine the Organizational Domain and only the presented ## domain will be evaluated. # # PublicSuffixList path ## RecordAllMessages { true | false } ## default "false" ## ## If set and "HistoryFile" is in use, all received messages are recorded ## to the history file. If not set (the default), only messages for which ## the From: domain published a DMARC record will be recorded in the ## history file. # # RecordAllMessages false ## RejectFailures { true | false } ## default "false" ## ## If set, messages will be rejected if they fail the DMARC evaluation, or ## temp-failed if evaluation could not be completed. By default, no message ## will be rejected or temp-failed regardless of the outcome of the DMARC ## evaluation of the message. Instead, an Authentication-Results header ## field will be added. # # RejectFailures false ## ReportCommand string ## default "/usr/sbin/sendmail -t" ## ## Indicates the shell command to which failure reports should be passed for ## delivery when "FailureReports" is enabled. # # ReportCommand /usr/sbin/sendmail -t ## RequiredHeaders { true | false } ## default "false" ## ## If set, the filter will ensure the header of the message conforms to the ## basic header field count restrictions laid out in RFC5322, Section 3.6. ## Messages failing this test are rejected without further processing. A ## From: field from which no domain name could be extracted will also be ## rejected. # # RequiredHeaders false ## Socket socketspec ## default (none) ## ## Specifies the socket that should be established by the filter to receive ## connections from sendmail(8) in order to provide service. socketspec is ## in one of two forms: local:path, which creates a UNIX domain socket at ## the specified path, or inet:port[@host] or inet6:port[@host] which creates ## a TCP socket on the specified port for the appropriate protocol family. ## If the host is not given as either a hostname or an IP address, the ## socket will be listening on all interfaces. This option is mandatory ## either in the configuration file or on the command line. If an IP ## address is used, it must be enclosed in square brackets. # # Socket inet:8893@localhost # Django : 2014-12-17 Socket inet:8893@localhost ## SoftwareHeader { true | false } ## default "false" ## ## Causes the filter to add a "DMARC-Filter" header field indicating the ## presence of this filter in the path of the message from injection to ## delivery. The product's name, version, and the job ID are included in ## the header field's contents. # # SoftwareHeader false # Django : 2014-12-17 SoftwareHeader true ## SPFIgnoreResults { true | false } ## default "false" ## ## Causes the filter to ignore any SPF results in the header of the ## message. This is useful if you want the filter to perfrom SPF checks ## itself, or because you don't trust the arriving header. # # SPFIgnoreResults false ## SPFSelfValidate { true | false } ## default false ## ## Enable internal spf checking with --with-spf ## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path ## ## Causes the filter to perform a fallback SPF check itself when ## it can find no SPF results in the message header. If SPFIgnoreResults ## is also set, it never looks for SPF results in headers and ## always performs the SPF check itself when this is set. # # SPFSelfValidate false ## Syslog { true | false } ## default "false" ## ## Log via calls to syslog(3) any interesting activity. # # Syslog false # Django : 2014-12-17 Syslog true ## SyslogFacility facility-name ## default "mail" ## ## Log via calls to syslog(3) using the named facility. The facility names ## are the same as the ones allowed in syslog.conf(5). # # SyslogFacility mail ## TemporaryDirectory path ## default /var/tmp ## ## Specifies the directory in which temporary files should be written. # # TemporaryDirectory /var/tmp ## TrustedAuthservIDs string ## default HOSTNAME ## ## Specifies one or more "authserv-id" values to trust as relaying true ## upstream DKIM and SPF results. The default is to use the name of ## the MTA processing the message. To specify a list, separate each entry ## with a comma. The key word "HOSTNAME" will be replaced by the name of ## the host running the filter as reported by the gethostname(3) function. # # TrustedAuthservIDs HOSTNAME ## UMask mask ## default (none) ## ## Requests a specific permissions mask to be used for file creation. This ## only really applies to creation of the socket when Socket specifies a ## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary ## files are normally created by the mkstemp(3) function that enforces a ## specific file mode on creation regardless of the process umask. See ## umask(2) for more information. # # UMask 077 # Django : 2014-12-17 UMask 007 ## UserID user[:group] ## default (none) ## ## Attempts to become the specified userid before starting operations. ## The process will be assigned all of the groups and primary group ID of ## the named userid unless an alternate group is specified. # # UserID opendmarc # Django : 2014-12-17 #UserID opendmarc:dmarc
ignore.hosts
# vim /etc/opendmarc/ignore.hosts
- /etc/opendmarc/ignore.hosts
# Specifies a file that contains a list of hostnames, IP addresses and/or # CIDR expressions identifying hosts whose SMTP connections are to be # ignored by the filter. If not specified, defaults # to "127.0.0.1" only. 127.0.0.1
Public Suffix List
Im RFC 7489 wird die optionale Verwendung einer Public Suffix List im Kapitel Appendix A.6.1 beschrieben. Wir werden dieser Konfigurationsoption nun entsprechend aktivieren.
Zuvor holen wir uns aber erst einmal diese Liste von der Webseite Public Suffix List der Mozilla Foundation herunter.
# wget --no-check-certificate -q -N https://publicsuffix.org/list/effective_tld_names.dat -O /etc/opendmarc/effective_tld_names.dat
In unregelmäßigen Abständen, meist mehrmals pro Monat, wird diese Liste aktualisiert. Damit wir nun nicht händisch für die Aktualität dieser Liste sorgen müssen, legen wir uns einen kleinen cronjob an, der 1x pro Woche ausgeführt werden soll.
# vim /etc/cron.weekly/update_PublicSuffixList
- /etc/cron.weekly/update_PublicSuffixList
#!/bin/bash # Script zum Aktualisieren der Public Suffix List für opendmarc # Django <django@nausch.org> (c) 2015 # /user/bin/wget --no-check-certificate -q -N https://publicsuffix.org/list/effective_tld_names.dat -O /etc/opendmarc/effective_tld_names.dat
Was nun noch fehlt, ist die Aktivierung dieser Option in der Konfigurationsdatei von opendmarc.
# vim /etc/opendmarc.conf
- /etc/opendmarc.conf
... ## PublicSuffixList path ## default (none) ## ## Specifies the path to a file that contains top-level domains (TLDs) that ## will be used to compute the Organizational Domain for a given domain name, ## as described in the DMARC specification. If not provided, the filter will ## not be able to determine the Organizational Domain and only the presented ## domain will be evaluated. # # Django : 2015-12-10 # default: unset PublicSuffixList /etc/opendmarc/effective_tld_names.dat ...
Zum Aktivieren der Public Suffix List brauchen wir dann nur noch den Daemon 1x durchstarten.
# systemctl restart opendmarc.service
mysql Konfiguration
Eigentlich könnten wir nun schon unseren DMARC-Daemon starten. Jedoch wollen wir noch kurz die nötige mySQL-Datenbank anlegen, damit der Daemon die gewünschten aufbereiteten Statiskdaten und forensischen Berichte generieren und dann per eMail verschicken kann.
Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an.
# mysql -h localhost -u root -p
Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 1942 Server version: 5.1.67 Source distribution Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>
Dort legen wir als aller erst einmal eine Datenbank mit dem Namen opendmarc an.
mysql> CREATE DATABASE opendmarc;
Anschließend legen wir uns dann einen Datenbankuser an, dem wir entsprechende Rechte an der Datenbank opendmarc einräumen.
mysql> CREATE USER 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE USER 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT';
Query OK, 0 rows affected (0.00 sec)
Anschließend setzen wir noch die Nutzerberechtigungen unseres Datenbanknutzers opendmarc_user für die Datenbank opendmarc
mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'10.0.0.80' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO 'opendmarc_user'@'vml000080.dmz.nausch.org' IDENTIFIED BY 'ALLHs6blVwd8eHoSk2J3WZsT' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.00 sec)
Zur Aktivierung weisen wir nun noch die Berechtigungen zu:
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
Abschließend melden wir uns wieder von unserem Datenbankhost ab.
mysql> quit
Bye
Bevor wir die benötigten Tabellen anlegen, testen wir noch, ob der Zugriff von unserem Mail- bzw. Datenimportserver funktioniert.
# mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2889 Server version: 5.1.73 Source distribution Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>
mysql> show databases;
+--------------------+ | Database | +--------------------+ | information_schema | | opendmarc | +--------------------+ 2 rows in set (0.00 sec)
mysql> quit
Bye
Mit Hilfe der Datei /usr/share/doc/opendmarc-1.3.0/schema.mysql legen wir nun abschließend die Tabellen in der Datenbank opendmarc an.
# mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p < /usr/share/doc/opendmarc-1.3.0/schema.mysql
Auch hier können wir uns bei Bedarf noch überprüfen, welche Tabellen angelegt wurden.
# mysql -h mysql.dmz.nausch.org -D opendmarc -u opendmarc_user -p
Enter password: Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2933 Server version: 5.1.73 Source distribution Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>
mysql> show databases;
+--------------------+ | Database | +--------------------+ | information_schema | | opendmarc | +--------------------+ 2 rows in set (0.00 sec) mysql>
mysql> use opendmarc;
Database changed mysql>
mysql> show tables;
+---------------------+ | Tables_in_opendmarc | +---------------------+ | domains | | ipaddr | | messages | | reporters | | requests | | signatures | +---------------------+ 6 rows in set (0.00 sec) mysql>
mysql> quit
Bye
dbCollecting User einrichten
Nicht immer möchte oder kann man von seinem oder seinen Mailservern eine Verbindung zum Datenbankhost ermöglichen. Um jetzt nicht von jedem einzelnen MX-Server einzurichten, verwenden wir einen User, den wir zum Einsammeln der Daten degradieren.
Wir legen uns nun unseren Nutzer an. Als UID und GID verwenden wir eine entsprechend freie Nummer, die wir entsprechend vorher abprüfen.
# grep 989 /etc/group
# grep 989 /etc/passwd
Anschließend legen wir uns unseren User an.
# groupadd -g 989 dmarc && useradd dmarc -c "DMARC" -g 989 -u 989 -m
Anschließend erzeugen wir uns noch einen entsprechenden SSH-Key und verteilen diesen auf unseren Mailservern. Entsprechende Schritte sind im Wiki hier beschrieben.
dbCollecting Script anlegen
Zum Einsammeln der Statistikdaten legen wir uns nun ein einfaches Shellscript an.
# vim /root/bin/dmarc-report>
- /root/bin/dmarc-report
#!/bin/sh # Script zum Importieren der DMARC-Daten aus dem lokalen cache-Datei in die mySQL Datenbank # und Generieren der DMARC-reports # Das Script wird um 03:33 Uhr via cronjob aufgerufen. # # crontab # einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen. # 33 3 * * * /usr/local/bin/dmarc-report 1>/dev/null 2>&1 # # Django : 2014-03-20 WORKDIR="/home/dmarc/" WORKFILE="opendmarc_all_hosts.dat" SSHKEYFILE=".ssh/id_rsa" MXHOSTS="mx01.nausch.org mx02.nausch.org mx03.nausch.org" DBFILE="opendmarc.dat" DBHOST="mysql.dmz.nausch.org" DBPORT="3306" DBUSER="opendmarc_user" DBPASSWD="ALLHs6blVwd8eHoSk2J3WZsT" DBNAME="opendmarc" # DMARC Datenfile von den Mailservern abholen cd $WORKDIR for HOST in $MXHOSTS; do scp -i $WORKDIR$SSHKEYFILE dmarc@${HOST}:/var/run/opendmarc/$DBFILE ${HOST}.dat ssh -i $WORKDIR$SSHKEYFILE dmarc@${HOST} "/bin/cat /dev/null > /var/run/opendmarc/$DBFILE" cat ${HOST}.dat >> $WORKFILE done # DMARC Daten in die mySQL-Datenbank opendmarc schreiben /usr/sbin/opendmarc-import --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \ --dbpasswd=$DBPASSWD < $WORKDIR$WORKFILE # DMARC Statistik-Report erstellen /usr/sbin/opendmarc-reports --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \ --dbpasswd=$DBPASSWD --verbose --interval=86400 --report-email 'postmaster@nausch.org' --report-org 'nausch.org' # DMARC Datenbank aufräumen, Datensätze die älter als 90 Tage sind werden gelöscht /usr/sbin/opendmarc-expire --dbhost=$DBHOST --dbport=$DBPORT --dbname=$DBNAME --dbuser=$DBUSER \ --dbpasswd=$DBPASSWD --verbose --expire=90 # Work-Verzeichnis wieder aufräumen cd $WORKDIR rm $WORKDIR*.dat -rf
Anschließen setzen wir die Ausführungsrechte unseres neuen Scriptes.
# chmod +x /root/bin/dmarc-report
Zu guter Letzt aktivieren wir dann noch einen Cronjob für die tägliche Ausführung.
# crontab -e
... # Django : 2014-03-20 # einmal in der Nacht die DMARC-Statistikdaten abholen und die mySQL-Datenbank damit befüllen. 33 3 * * * /root/bin/dmarc-report 1>/dev/null 2>&1 ...
Postfix
In der Konfigurationsdatei main.cf unseres Postfix-Mailserver definieren wir uns nun eine eigene Variable, die wir dann in der Datei /etc/postfix/master.cf dann verwenden wollen. Wir tragen also nun in der Section MILTER nachfolgende Zeilen ein.
# vim /etc/postfix/main.cf
- /etc/postfix/main.cf
... ################################################################################ ## MILTER # Django : 2014-11-18 # DMARC Test spf_milter = inet:127.0.0.1:8890 opendkim_milter = inet:127.0.0.1:8891 opendmarc_milter = inet:127.0.0.1:8893 amavisd_milter = inet:10.0.0.67:8899 ...
In der Konfigurationsdatei /etc/postfix/master.cf legen wir nun fest, dass bei der Annahme auf Port 25 unser gerade definierte smf-spf-milter verwendet werden soll.
# vim /etc/postfix/master.cf
...
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
-o smtpd_milters=${spf_milter},${opendkim_milter},${opendmarc_milter},${amavisd_milter}
-o smtpd_sasl_auth_enable=no
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlspr
Programmstart
Das Starten des Daemon erfolgt über folgenden Aufruf.
# systemctl start opendmarc
Den erfolgreichen Start bzw. den Status des smf-spf-Daemon können wir bei Bedarf mit folgendem Aufruf abfragen.
# systemctl status opendmarc
opendmarc.service - opendmarc - DMARC email policy filter for MTAs.
Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; disabled)
Active: active (running) since Wed 2014-12-17 20:58:56 CET; 1h 45min ago
Main PID: 2370 (opendmarc)
CGroup: /system.slice/opendmarc.service
└─2370 /usr/sbin/opendmarc -f -c /etc/opendmarc/opendmarc.conf
Dec 17 20:58:56 vml000087.dmz.nausch.org systemd[1]: Starting opendmarc - DMARC email policy filter for MTAs....
Dec 17 20:58:56 vml000087.dmz.nausch.org systemd[1]: Started opendmarc - DMARC email policy filter for MTAs..
Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: OpenDMARC Filter: Opening listen socket on conn inet:8893@localhost
Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: OpenDMARC Filter v1.3.0 starting (args: -f -c /etc/opendmarc/opendmarc.conf)
Dec 17 20:58:56 vml000087.dmz.nausch.org opendmarc[2370]: trusted authentication services: mx01.nausch.org
Im Maillog wird der Start des Daemon entsprechend dokumentiert.
# less /var/log/maillog
Dec 17 22:45:08 vml000087 opendmarc[2912]: OpenDMARC Filter: Opening listen socket on conn inet:8893@localhost Dec 17 22:45:08 vml000087 opendmarc[2912]: OpenDMARC Filter v1.3.0 starting (args: -f -c /etc/opendmarc/opendmarc.conf) Dec 17 22:45:08 vml000087 opendmarc[2912]: trusted authentication services: mx01.nausch.org
Mit Hilfe von netstat können wir überprüfen, ob der Port 8893 geöffnet wurde.
# netstat -tulpen
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 37485 2476/master tcp 0 0 127.0.0.1:8890 0.0.0.0:* LISTEN 993 24732 1441/smf-spf tcp 0 0 127.0.0.1:8891 0.0.0.0:* LISTEN 991 25040 1680/opendkim tcp 0 0 127.0.0.1:8893 0.0.0.0:* LISTEN 0 40337 2912/opendmarc
Gleiches können wir natürlich auch mit dem Befehl lsof erreichen.
# lsof -i:8893
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME opendmarc 2912 root 4u IPv4 40337 0t0 TCP localhost:ddi-tcp-6 (LISTEN)
Damit der Daemon automatisch beim Hochfahren des Servers gestartet wird, nutzen wir folgenden Aufruf.
# systemctl enable opendmarc.service
ln -s '/usr/lib/systemd/system/opendmarc.service' '/etc/systemd/system/multi-user.target.wants/opendmarc.service'
Wollen wir überprüfen ob der Dienst automatisch startet, verwenden wir folgenden Aufruf.
# systemctl is-enabled opendmarc.service
enabled
Die Rückmeldung enabled zeigt an, dass der Dienst automatisch startet; ein disabled zeigt entsprechend an, dass der Dienst nicht automatisch startet.
Logging / Mailheader
Im Maillog werden entsprechend unserer zuvor festgelegten Konfiguration, vom DMARC-Daemon logeinträge erzeugt. Folgender Logeintrag zeigt einen erfolgreiche DMARC-Überprüfung.
Mar 23 22:46:01 vml000080 opendmarc[25914]: C198981: gmail.com pass
Im Mailheader der Nachricht, wird dies auch entsprechend vermerkt.
DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org C198981 Authentication-Results: mx01.nausch.org/C198981; dmarc=pass header.from=gmail.com
Hat der Domainbetreiber keinen DMARC-Eintrag im DNS hinterlegt, sieht die betreffende Zeile im Maillog entsprechend so aus.
Mar 19 00:22:36 vml000080 opendmarc[14508]: D9B6D83: piratenpartei-bayern.de none
Auch dies wird im Mailheader entsprechend vermerkt.
DMARC-Filter: OpenDMARC Filter v1.2.0 mx01.nausch.org D9B6D83 Authentication-Results: mx01.nausch.org/D9B6D83; dmarc=none header.from=piratenpartei-bayern.de
… do geds weida!
127.0.0.1