In DMARC Record (Domain-based Message Authentication, Reporting & Conformance) I have already described how to set up a DMARC record and why it makes sense.
Now the DMARC record also has to be evaluated when mail is received. Checking a message against a DMARC record requires valid SPF and DKIM results for that message.
I use opendkim to verify DKIM signatures; opendmarc evaluates SPF and the DMARC policy.
Note: if DKIM signatures are to be verified by amavis instead, amavis must not be hooked into Postfix as smtpd_proxy_filter. That only works when amavis runs as content_filter.
First we install opendkim:
apt-get install opendkim opendkim-tools
On Debian the listening socket is set in the defaults file:
echo 'SOCKET="inet:12345@localhost"' >> /etc/default/opendkim
Add the following entries to /etc/opendkim.conf (Mode v puts opendkim into verify-only mode; it will not sign outgoing mail):
LogWhy yes
MilterDebug 0
Mode v
SyslogSuccess yes
My full config looks like this:
Syslog yes
UMask 002
OversignHeaders From
LogWhy yes
MilterDebug 0
# verify only; this instance does not sign outgoing mail
Mode v
# authserv-id written into the Authentication-Results header that opendmarc reads later
AuthservID mail.schaal-24.de
SyslogSuccess yes
AddAllSignatureResults true
AuthservIDWithJobID true
LogResults true
Then restart opendkim with service opendkim restart.
With netstat -tap|grep dkim you can check that it is listening. The output should look something like this:
tcp 0 0 localhost.localdo:12345 *:* LISTEN 1834/opendkim
Now opendkim only needs to be hooked into Postfix as a milter:
vi /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:12345
non_smtpd_milters = inet:127.0.0.1:12345
Finally restart Postfix: service postfix restart
Note that Postfix's milter_default_action defaults to tempfail, so if a configured milter is not reachable, incoming mail is deferred with a 4xx error until the milter is running again; it is not accepted unchecked.
Installing opendmarc is a bit more involved, because we build it from source. We need the development package of libmilter:
apt-get install libmilter-dev
and then download, build and install opendmarc under /usr (--with-spf builds in the SPF evaluation that SPFSelfValidate below relies on):
cd /tmp
wget -O - http://downloads.sourceforge.net/project/opendmarc/opendmarc-1.3.0.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fopendmarc%2F > opendmarc-1.3.0.tar.gz
tar xfvz opendmarc-1.3.0.tar.gz
cd opendmarc-1.3.0
./configure --prefix=/usr --with-spf --enable-live-tests
make
make install
A few adjustments are needed: a system user, its runtime directory and the socket definition:
adduser --quiet --system --group --home /var/run/opendmarc opendmarc
chown opendmarc:opendmarc /var/run/opendmarc
echo 'SOCKET="inet:8893@localhost"' > /etc/default/opendmarc
Copy the sample config and adjust it:
cp /usr/share/doc/opendmarc/opendmarc.conf.sample /etc/opendmarc.conf
vi /etc/opendmarc.conf
My config, shortened, looks like this:
# authserv-id this host writes into its own Authentication-Results headers
AuthservID mail.schaal-24.de
AuthservIDWithJobID true
BaseDirectory /var/run/opendmarc
CopyFailuresTo dmarc-report@schaal-24.de
FailureReportsBcc dmarc-report@schaal-24.de
# also generate failure reports for domains that publish p=none
FailureReportsOnNone true
FailureReportsSentBy noreply-dmarc-report@schaal-24.de
# per-message results from which the aggregate reports are built later
HistoryFile /var/run/opendmarc/opendmarc.dat
# skip DMARC checks for SASL-authenticated clients and for our own domain
IgnoreAuthenticatedClients true
IgnoreMailFrom schaal-24.de
# must match the PIDFILE used by the init script (/var/run/opendmarc/opendmarc.pid)
PidFile /var/run/opendmarc/opendmarc.pid
RecordAllMessages false
# ignore SPF results found in existing headers and evaluate SPF ourselves
# (needs the --with-spf build from above)
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
# DKIM results are only taken from Authentication-Results headers carrying one of
# these authserv-ids; this must be the AuthservID configured in opendkim.conf
TrustedAuthservIDs mail.schaal-24.de
UserID opendmarc
The history file still has to be created with the right owner and permissions:
touch /var/run/opendmarc/opendmarc.dat
chown opendmarc:opendmarc /var/run/opendmarc/opendmarc.dat
chmod 600 /var/run/opendmarc/opendmarc.dat
Finally an init script is still needed:
wget blog.schaal-24.de/files/opendmarc -O /etc/init.d/opendmarc
chmod +x /etc/init.d/opendmarc
update-rc.d opendmarc defaults
Start opendmarc with service opendmarc start
and check that it is listening, as before: netstat -tap|grep dmarc
Finally hook opendmarc into Postfix as a second milter, listed after opendkim. The order matters: Postfix calls the milters in the order given, so opendkim must already have added its Authentication-Results header with the DKIM result when opendmarc evaluates the message.
vi /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:12345, inet:localhost:8893
non_smtpd_milters = inet:127.0.0.1:12345, inet:localhost:8893
and restart Postfix:
service postfix restart
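Because the two procedures above configure the same ports and authserv-id in four different files, a mismatch is easy to introduce. The following POSIX shell script is an added example, not code from the original post or from the opendkim/opendmarc projects: it cross-checks that the ports in /etc/default/opendkim and /etc/default/opendmarc (and a Socket line in opendmarc.conf, if one exists) are the ones smtpd_milters and non_smtpd_milters in main.cf point at, and that the AuthservID opendkim writes is listed in opendmarc's TrustedAuthservIDs, since opendmarc otherwise ignores opendkim's DKIM result. The file paths are passed as arguments; the --run mode and the Debian paths used in it are assumptions of this example.

```sh
#!/bin/sh
# check-milters.sh: sanity-check the milter wiring between Postfix, opendkim
# and opendmarc. Added example, not part of the original post. It only reads
# the configuration files whose paths are passed as arguments.

# Port from a /etc/default/* line such as SOCKET="inet:12345@localhost".
socket_port() {
    sed -n 's/^SOCKET="*inet:\([0-9][0-9]*\)@.*/\1/p' "$1" | tail -n 1
}

# Value of a key in an opendkim.conf / opendmarc.conf style file
# ("Key value", '#' comments); the last occurrence wins, as in the daemons.
conf_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# All TCP ports listed in a Postfix main.cf milter parameter, one per line.
# Unix-domain sockets (unix:/path) are ignored.
milter_ports() {
    sed -n "s/^$2 *= *//p" "$1" | tr ',' '\n' |
        sed -n 's/.*inet:[^:]*:\([0-9][0-9]*\).*/\1/p'
}

# milter_has_port MAINCF PARAM PORT -> 0 if PARAM references PORT
milter_has_port() {
    milter_ports "$1" "$2" | grep -qx "$3"
}

# check_wiring DKIM_DEFAULT DMARC_DEFAULT DKIM_CONF DMARC_CONF MAINCF
# Prints every inconsistency found and returns 1 if there was any.
check_wiring() {
    dkim_default=$1 dmarc_default=$2 dkim_conf=$3 dmarc_conf=$4 maincf=$5
    rc=0
    dkim_port=$(socket_port "$dkim_default")
    dmarc_port=$(socket_port "$dmarc_default")
    # opendmarc.conf may carry its own Socket line; it must agree with the defaults file
    dmarc_conf_sock=$(conf_value "$dmarc_conf" Socket | sed -n 's/^inet:\([0-9][0-9]*\)@.*/\1/p')
    if [ -n "$dmarc_conf_sock" ] && [ "$dmarc_conf_sock" != "$dmarc_port" ]; then
        echo "Socket in $dmarc_conf ($dmarc_conf_sock) differs from SOCKET in $dmarc_default ($dmarc_port)"
        rc=1
    fi
    # both milter parameters must reference both daemons
    for param in smtpd_milters non_smtpd_milters; do
        for port in "$dkim_port" "$dmarc_port"; do
            if ! milter_has_port "$maincf" "$param" "$port"; then
                echo "$param in $maincf does not reference port $port"
                rc=1
            fi
        done
    done
    # opendmarc only uses DKIM results whose authserv-id it trusts, so the
    # id opendkim writes must be one opendmarc trusts.
    dkim_id=$(conf_value "$dkim_conf" AuthservID)
    trusted=$(conf_value "$dmarc_conf" TrustedAuthservIDs)
    case ",$trusted," in
        *",$dkim_id,"*) ;;
        *) echo "opendkim AuthservID '$dkim_id' is not in opendmarc TrustedAuthservIDs '$trusted'"
           rc=1 ;;
    esac
    return $rc
}

# Check the live Debian paths when invoked as: sh check-milters.sh --run
if [ "${1:-}" = "--run" ]; then
    check_wiring /etc/default/opendkim /etc/default/opendmarc \
        /etc/opendkim.conf /etc/opendmarc.conf /etc/postfix/main.cf && echo "milter wiring OK"
fi
```

Run it with --run after editing any of the files; a non-zero exit status and the printed lines tell you which file disagrees with which. The authserv-id check is the one worth keeping even if you use different ports: with a mismatch opendmarc still runs, but it silently evaluates every message as if it carried no DKIM signature.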
Now you can not only check incoming mail against DMARC records, but also create and send the corresponding reports. How to do this is described in a follow-up post.
Hi, any issues with following this on ISPConfig 3.1? Assuming not, if it worked fine with v3.0. This article was written nearly 2 years ago, so I'm trying to gauge how much has changed since.
Hi, I'm trying to configure opendmarc on my mail server (debian/postfix/amavis-new/opendkim…) and have this error:
Apr 18 00:21:47 greenhouse postfix/smtps/smtpd[28222]: warning: connect to Milter service inet:localhost:8893: Connection refused
Thanks for your tutorial.
Is opendkim running? Maybe you find this link useful.
Yes, opendkim runs and signs mail with
# nano -w /etc/default/opendkim
SOCKET="inet:8891@localhost"
# nano -w /etc/default/opendmarc.conf
SOCKET="inet:8893@localhost"
# nano /etc/postfix/main.cf
smtpd_milters = inet:localhost:8893, inet:localhost:8891
non_smtpd_milters = inet:localhost:8893, inet:localhost:8891
I found … I needed to insert directly in /etc/opendmarc.conf the line:
Socket inet:8893@localhost
Thank you for your tutorial and help.
Pingback: DMARC-Reports erstellen | florian @it
In your tutorial, in the conf file /etc/opendmarc.conf, you write: PidFile /var/run/opendmarc.pid. Is that an error? But on my other server it's fine! The file is in /var/run/opendmarc/opendmarc.pid.
Nice. Does this setup work together with ispconfig3?
Yes. Maybe you have to re-add some settings to Postfix after updating ISPConfig with reconfigure services.
Seems to run with the ispconfig3 configuration.
Hello, thanks for your patch, it works well, but I have this error: Jan 20 14:54:43 (hostname) opendmarc[13041]: 015963E5236E: /var/run/opendmarc.dat: fopen(): Permission denied, and the permissions are correct: drwxr-xr-x 2 opendmarc opendmarc 80 janv. 19 17:00 opendmarc
And the permissions of the files in /var/run/opendmarc? They should be 644, owned by opendmarc:opendmarc. Are you using a chrooted setup?
Hello, in my opendmarc.conf I changed HistoryFile /var/run/opendmarc.dat to /var/run/opendmarc/opendmarc.dat (my error), ran chmod 644 -R /var/run/opendmarc/ and restarted the postfix and dmarc services, but I have the same error:
/var/run/opendmarc/opendmarc.dat: fopen(): Permission denied
root@ns3323989:/var/run/opendmarc# ll
total 0
drw-r--r-- 2 opendmarc opendmarc 60 janv. 21 11:41 .
drwxr-xr-x 23 root root 840 janv. 21 00:31 ..
-rw-r--r-- 1 opendmarc opendmarc 0 janv. 21 11:42 opendmarc.dat
A chrooted setup, how to?
I don't have this file /var/run/opendmarc.pid, but on my other, identical server I have it.
The init script uses PIDFILE=$RUNDIR/$NAME.pid (/var/run/opendmarc/opendmarc.pid).
Hello, I deleted the folder and recreated it, and it works!!! Thanks for your support.