I have already described in DMARC Record (Domain-based Message Authentication, Reporting & Conformance) how to set up a DMARC record and why this makes sense.
Now we need to take such DMARC records into account when mail is delivered. Verifying a DMARC record requires valid SPF and DKIM values.
To verify DKIM I use opendkim. SPF and DMARC are verified with opendmarc.

Note: If the DKIM signature is to be verified by amavis, amavis must not be integrated into postfix as smtpd_proxy_filter. This is only possible if amavis runs as content_filter.

First we install opendkim:
apt-get install opendkim opendkim-tools

On Debian the socket is set in the defaults file:
echo 'SOCKET="inet:12345@localhost"' >> /etc/default/opendkim

Add the following entries to /etc/opendkim.conf
LogWhy yes
MilterDebug 0
Mode v
SyslogSuccess yes

My full config looks like this:
Syslog yes
UMask 002
OversignHeaders From
LogWhy yes
MilterDebug 0
Mode v
SyslogSuccess yes
AddAllSignatureResults true
AuthservIDWithJobID true
LogResults true
LogWhy true
SyslogSuccess true

Then restart opendkim with service opendkim restart.
With netstat -tap|grep dkim you can test whether everything is running properly. The output should look something like this:
tcp 0 0 localhost.localdo:12345 *:* LISTEN 1834/opendkim

Now we just need to integrate opendkim into postfix:
vi /etc/postfix/

smtpd_milters = inet:
non_smtpd_milters = inet:

Finally restart postfix: service postfix restart

The installation of opendmarc is a bit more complicated. We need the dev package of libmilter:
apt-get install libmilter-dev

and then download opendmarc and install it in /usr:

cd /tmp
wget -O - > opendmarc-1.3.0.tar.gz
tar xfvz opendmarc-1.3.0.tar.gz
cd opendmarc-1.3.0
./configure --prefix=/usr --with-spf --enable-live-tests
make install

A few modifications are needed:

adduser --quiet --system --group --home /var/run/opendmarc opendmarc
chown opendmarc:opendmarc /var/run/opendmarc
echo 'SOCKET="inet:8893@localhost"' > /etc/default/opendmarc

We copy the sample config and adjust it accordingly.
cp /usr/share/doc/opendmarc/opendmarc.conf.sample /etc/opendmarc.conf
vi /etc/opendmarc.conf

My config, shortened, looks as follows:
AuthservIDWithJobID true
BaseDirectory /var/run/opendmarc
FailureReportsOnNone true
HistoryFile /var/run/opendmarc/opendmarc.dat
IgnoreAuthenticatedClients true
PidFile /var/run/
RecordAllMessages false
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
UserID opendmarc

The .dat files must still be created with the corresponding permissions:
touch /var/run/opendmarc/opendmarc.dat
chown opendmarc.opendmarc /var/run/opendmarc/opendmarc.dat
chmod 600 /var/run/opendmarc/opendmarc.dat
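
An added example, not part of the original article: a shell check of the ownership and mode bits set up above. It also catches a runtime directory that has lost its search (x) bit, which makes opendmarc fail with fopen(): Permission denied even when the .dat file itself is fine. The function name is hypothetical and GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the opendmarc runtime
# directory and history file. Mode bits are read with GNU stat rather than
# test -x/-w, so the verdict is the same when the audit runs as root.

# check_opendmarc_paths DIR FILE USER   (hypothetical helper)
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_opendmarc_paths() {
    dir=$1; file=$2; user=$3; rc=0

    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    downer=$(stat -c '%U' "$dir")
    dmode=$(stat -c '%a' "$dir")
    [ "$downer" = "$user" ] || { echo "$dir: owner is $downer, expected $user"; rc=1; }

    # Owner execute (search) bit on the directory. Without it the daemon
    # cannot open any file inside, whatever the file's own mode says.
    if [ $(( (0$dmode >> 6) & 1 )) -eq 0 ]; then
        echo "$dir: mode $dmode lacks the owner search (x) bit"
        return 1        # the file below cannot be inspected reliably
    fi

    [ -f "$file" ] || { echo "missing history file: $file"; return 1; }
    fowner=$(stat -c '%U' "$file")
    fmode=$(stat -c '%a' "$file")
    [ "$fowner" = "$user" ] || { echo "$file: owner is $fowner, expected $user"; rc=1; }

    # Owner needs read and write; group and other must not be able to write.
    [ $(( (0$fmode >> 6) & 6 )) -eq 6 ] || { echo "$file: mode $fmode is not owner read/write"; rc=1; }
    [ $(( 0$fmode & 022 )) -eq 0 ] || { echo "$file: mode $fmode is writable by group or other"; rc=1; }

    return $rc
}

# With --run, check the paths and user configured in this article.
if [ "${1:-}" = "--run" ]; then
    check_opendmarc_paths /var/run/opendmarc /var/run/opendmarc/opendmarc.dat opendmarc
fi
```

Run it with --run on the mail server after creating the files; no output and exit status 0 mean the layout matches.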

Finally, we still need a start script:
wget -O /etc/init.d/opendmarc
chmod +x /etc/init.d/opendmarc
update-rc.d opendmarc defaults

Start opendmarc with service opendmarc start and check that everything works as expected with netstat -tap|grep dmarc.

Finally integrate opendmarc in postfix:

vi /etc/postfix/
smtpd_milters = inet:, inet:localhost:8893
non_smtpd_milters = inet:, inet:localhost:8893
and restart postfix: service postfix restart
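
The two socket notations differ: the milter side (SOCKET in /etc/default/opendkim and /etc/default/opendmarc) is written inet:PORT@HOST, while smtpd_milters takes inet:HOST:PORT. The following added example, not from the original article, converts one into the other and reports configured milters that main.cf does not list. The function names and the sample main.cf line are constructed, and the smtpd_milters value is assumed to sit on a single line.

```shell
#!/bin/sh
# Added example (not from the original post).

# milter_to_postfix SPEC   (hypothetical helper)
# inet:PORT@HOST (milter side) -> inet:HOST:PORT (Postfix side).
# Returns 1 for anything that is not an inet socket with a host part.
milter_to_postfix() {
    case $1 in
        inet:*@*)
            rest=${1#inet:}                      # PORT@HOST
            echo "inet:${rest#*@}:${rest%%@*}" ;;
        *)
            return 1 ;;
    esac
}

# missing_milters MAIN_CF_TEXT SPEC...   (hypothetical helper)
# Prints, in Postfix notation, every milter socket that is configured on
# the milter side but absent from the smtpd_milters line.
missing_milters() {
    cf=$1; shift
    listed=$(printf '%s\n' "$cf" |
        sed -n 's/^smtpd_milters[[:space:]]*=[[:space:]]*//p' | tr ',' ' ')
    for spec in "$@"; do
        want=$(milter_to_postfix "$spec") || { echo "unsupported socket spec: $spec"; continue; }
        found=no
        for m in $listed; do
            if [ "$m" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then echo "$want"; fi
    done
}

# Constructed sample: opendkim (port 12345) is listed, opendmarc (8893) is not.
sample_cf='smtpd_milters = inet:localhost:12345'
missing_milters "$sample_cf" inet:12345@localhost inet:8893@localhost
```

A socket reported here is one Postfix never contacts, so mail passes without that check; a socket listed in main.cf but not listening shows up in the mail log as "connect to Milter service ...: Connection refused".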

You can not only check DMARC records, but also create and send appropriate reports for incoming mail. How to do this.

16 thoughts on “DMARC check on Debian Wheezy”

  • Djerk Geurts

    Hi, any issues with following this on ISPConfig 3.1, assuming not if it worked fine with v3.0. This article was written nearly 2 years ago so trying to gauge how much has changed since.

  • Christophe D

    Hi, I try to configure opendmarc in my mail server (debian/postfix/amavis-new/opendkim…) and have this error

    Apr 18 00:21:47 greenhouse postfix/smtps/smtpd[28222]: warning: connect to Milter service inet:localhost:8893: Connection refused

    Thanks for your tuto.

      • Christophe D

        yes opendkim run and sign mail with
        # nano -w /etc/default/opendkim


        # nano -w /etc/default/opendmarc.conf


        # nano /etc/postfix/

        smtpd_milters = inet:localhost:8893, inet:localhost:8891
        non_smtpd_milters = inet:localhost:8893, inet:localhost:8891

        • Christophe D

          I found … need to insert directly in /etc/opendmarc.conf
          the line :
          Socket inet:8893@localhost

          Thank you for your tuto and help

  • gesci

    In your tutorial the conf file /etc/opendmarc.conf you write : PidFile /var/run/ it’s an error ? but in my other server it’s good ! the file is in /var/run/opendmarc/

  • gesci

    Hello, thanks for your patch, it works well, but I have this error: Jan 20 14:54:43 (hostname) opendmarc[13041]: 015963E5236E: /var/run/opendmarc.dat: fopen(): Permission denied and permissions are correct: drwxr-xr-x 2 opendmarc opendmarc 80 janv. 19 17:00 opendmarc

    • Florian Schaal Post author

      And the permissions for the files in /var/run/opendmarc? Should be 644 for opendmarc.opendmarc. Are you using a chrooted-setup?

      • gesci

        Hello, in my opendmarc.conf HistoryFile /var/run/opendmarc.dat changed to /var/run/opendmarc/opendmarc.dat (my error), chmod 644 -R /var/run/opendmarc/ and restarted service postfix and dmarc, but I have the same error:
        /var/run/opendmarc/opendmarc.dat: fopen(): Permission denied
        root@ns3323989:/var/run/opendmarc# ll
        total 0
        drw-r--r-- 2 opendmarc opendmarc 60 janv. 21 11:41 .
        drwxr-xr-x 23 root root 840 janv. 21 00:31 ..
        -rw-r--r-- 1 opendmarc opendmarc 0 janv. 21 11:42 opendmarc.dat
        chrooted setup how to ?

          • Florian Schaal Post author

            The init-script uses PIDFILE=$RUNDIR/$ (/var/run/opendmarc/

          • gesci

            Hello, I deleted the folder and remade it and it works!!! Thanks for your support