MAC OS X, Linux, Windows and other IT Tips and Tricks

19 May 15 Installing DMARC filtering in Debian Wheezy

Principle: DMARC is a bit of a strange animal. It is often described as a spam filter, but it is really an anti-spoofing mechanism: the receiving server applies rules published by the owner of the domain in the From: header, not rules of its own. So, for example, if I send emails as sender using a mail client program via my mail server, then in order for my mails to be seen as 'good' mail I need to set up the SPF, DKIM and DMARC TXT records in the DNS of the domain. The receiving server verifies SPF (for the envelope sender) and DKIM (for the signing domain) and checks whether at least one of the two passes with a domain that is aligned with the From: domain; only if neither does is the message a DMARC failure, and the p= tag of my DMARC record (none, quarantine or reject) then tells the receiver what I want done with it. In other words, I instruct the receiving server what to do (and how) with emails that try to impersonate me. Of course the receiving server needs to have a DMARC validation mechanism installed to read my DNS DMARC record and act on the validation result; note that OpenDMARC, installed below, only actually rejects failing mail when RejectFailures is set, otherwise it just records the verdict in an Authentication-Results: header.
This article provides instructions on how to install this mechanism only.
Installing DKIM (needed on the sending and receiving servers) is covered in this article:
I don't cover SPF here since there is plenty of information about it on the Internet.
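As an added illustration of the decision described above (my own example, not part of the original post and not OpenDMARC's code), here is the receiver-side DMARC logic in POSIX shell. It assumes the organizational domain can be approximated by the last two DNS labels, where a real validator consults the public suffix list, and every domain, result and DMARC record in the demonstration is constructed for the example rather than looked up in DNS.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenDMARC: the
# receiver-side DMARC decision, reduced to its essentials.
# Assumption: the organizational domain is approximated by the last two
# labels; real validators use the public suffix list (co.uk etc.).

# org_domain DOMAIN -> prints the (approximate) organizational domain.
org_domain() {
    printf '%s\n' "$1" |
        awk -F. '{ if (NF >= 2) print $(NF-1) "." $NF; else print $0 }'
}

# aligned FROM_DOMAIN AUTH_DOMAIN MODE -> true when AUTH_DOMAIN is aligned
# with FROM_DOMAIN; MODE is "s" (strict: identical) or "r" (relaxed: same
# organizational domain), i.e. the values of the aspf= and adkim= tags.
aligned() {
    from=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    auth=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$3" in
        s) [ "$from" = "$auth" ] ;;
        *) [ "$(org_domain "$from")" = "$(org_domain "$auth")" ] ;;
    esac
}

# dmarc_tag RECORD TAG DEFAULT -> prints TAG's value from a record such as
# "v=DMARC1; p=reject; aspf=s", or DEFAULT when the tag is absent.
dmarc_tag() {
    val=$(printf '%s\n' "$1" | tr ';' '\n' |
          sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" |
          head -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# dmarc_verdict FROM_DOMAIN SPF_RESULT SPF_DOMAIN DKIM_RESULT DKIM_DOMAIN RECORD
#   FROM_DOMAIN  domain of the From: header, the one the recipient sees
#   SPF_RESULT   pass/fail/... of the SPF check, done for SPF_DOMAIN
#                (the MAIL FROM domain, which need not equal FROM_DOMAIN)
#   DKIM_RESULT  pass/fail/... of the signature whose d= is DKIM_DOMAIN
#   RECORD       the TXT record published at _dmarc.FROM_DOMAIN
# Prints "pass" when at least one passing identifier is aligned, otherwise
# the disposition the owner asked for in p= (none, quarantine or reject).
dmarc_verdict() {
    from=$1; spf_res=$2; spf_dom=$3; dkim_res=$4; dkim_dom=$5; record=$6
    if [ "$spf_res" = pass ] && aligned "$from" "$spf_dom" "$(dmarc_tag "$record" aspf r)"; then
        echo pass
    elif [ "$dkim_res" = pass ] && aligned "$from" "$dkim_dom" "$(dmarc_tag "$record" adkim r)"; then
        echo pass
    else
        dmarc_tag "$record" p none
    fi
}

# Constructed cases (no real domains or records were queried):
# newsletter relayed by a third party, DKIM-signed by a subdomain -> pass
dmarc_verdict example.com fail bounce.mailer.net pass news.example.com \
    "v=DMARC1; p=reject"
# same message, but the owner demanded strict DKIM alignment -> reject
dmarc_verdict example.com fail bounce.mailer.net pass news.example.com \
    "v=DMARC1; p=reject; adkim=s"
# spoofed From:, SPF passes only for the attacker's own domain -> none
dmarc_verdict example.com pass attacker.example fail attacker.example \
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```

The third case is the one DMARC exists for: SPF passing for the attacker's own envelope domain does not help, because that domain is not aligned with example.com. Whether the receiver then quarantines, rejects or merely tags the message is decided by the p= tag and, with OpenDMARC, by the RejectFailures setting.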


Install the needed libraries (a compiler and make are required as well; on Debian the build-essential package provides them):
apt-get install build-essential libmilter-dev
Check out the latest version of opendmarc on SourceForge and use the link to download it:
eg. For version 1.3.1 you run the command:
wget //
tar xfvz opendmarc-1.3.1.tar.gz
cd opendmarc-1.3.1
./configure --prefix=/usr --with-spf --enable-live-tests
make && make install
--with-spf builds in the SPF check that the configuration below relies on (SPFSelfValidate); --enable-live-tests only affects make check, which then needs DNS access, and can be left out.

Prepare the system user etc.
adduser --quiet --system --group --home /var/run/opendmarc opendmarc
chown opendmarc:opendmarc /var/run/opendmarc

Enter the sender hosts that should be skipped by the filter, one host name or IP address (CIDR notation is accepted) per line. Mail from these hosts is never DMARC-checked, so list only localhost and your own relays:
mkdir /etc/opendmarc/
echo "localhost" > /etc/opendmarc/ignore.hosts

Edit the configuration file (the daemon is started below with -c /etc/opendmarc/opendmarc.conf, so keep the file at that path):
vi /etc/opendmarc/opendmarc.conf
Set the parameters accordingly and issue the following command to get a short overview of the configuration (comments and blank lines stripped):
grep -v '#' /etc/opendmarc/opendmarc.conf | egrep -v '^ *$'
For example, the content of my configuration file (/etc/opendmarc/opendmarc.conf):
AuthservIDWithJobID true
BaseDirectory /var/run/opendmarc
FailureReports true
FailureReportsOnNone true
HistoryFile /var/run/opendmarc/opendmarc.dat
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/
RecordAllMessages false
ReportCommand /usr/sbin/sendmail -t
Socket inet:8893@localhost
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
UserID opendmarc

A few of these deserve a word. SPFIgnoreResults true together with SPFSelfValidate true makes OpenDMARC disregard any spf= result in an incoming Authentication-Results: header and evaluate SPF itself, which is why --with-spf was given to configure. IgnoreAuthenticatedClients true exempts mail submitted by SASL-authenticated users, i.e. your own outbound mail, from the check. AuthservIDWithJobID true appends the Postfix queue id to the authserv-id that OpenDMARC writes into its own Authentication-Results: header, which makes the header easy to match against the mail log. FailureReports true (and FailureReportsOnNone true) mails a per-message failure report, containing the headers of the failing message, to the ruf= address of the sending domain every time a message fails, even for domains with p=none; many operators leave this off. Finally, RejectFailures is not set and defaults to false, so with this configuration a message that fails a p=reject policy is still delivered and merely gets a dmarc=fail verdict in an Authentication-Results: header; set RejectFailures true if you want Postfix to actually refuse it.
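To check a configuration like the one above without reading it by eye, here is an added example (my own, not part of the post and not a tool shipped with OpenDMARC). It reads the file format used above (one "Key value" per line, # comments), falls back to the defaults documented in opendmarc.conf(5) for RejectFailures, IgnoreAuthenticatedClients and FailureReports, and prints a finding for each setting a practitioner would want to look at. The case-insensitive key comparison and the last-occurrence-wins rule are this example's own choices, and the sample file it writes is a constructed copy of the settings shown above.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenDMARC.

# conf_get FILE KEY DEFAULT -> prints the value of KEY in an opendmarc.conf
# style file (ignoring # comments and blank lines; keys compared
# case-insensitively; last occurrence wins, an assumption of this example),
# or DEFAULT when KEY is not set.
conf_get() {
    val=$(sed -e 's/#.*//' "$1" |
          awk -v key="$2" 'NF >= 2 && tolower($1) == tolower(key) { v = $2 }
                           END { if (v != "") print v }')
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# audit_conf FILE -> prints one line per finding, or "ok"; always returns 0.
# Defaults used here are those documented in opendmarc.conf(5).
audit_conf() {
    f=$1; findings=0
    reject=$(conf_get "$f" RejectFailures false)
    ignoreauth=$(conf_get "$f" IgnoreAuthenticatedClients false)
    failrep=$(conf_get "$f" FailureReports false)
    sock=$(conf_get "$f" Socket "")
    user=$(conf_get "$f" UserID "")
    if [ "$reject" != true ]; then
        echo "RejectFailures=$reject: mail failing a p=reject or p=quarantine policy is tagged but still delivered"
        findings=$((findings + 1))
    fi
    if [ "$ignoreauth" != true ]; then
        echo "IgnoreAuthenticatedClients=$ignoreauth: your own SASL-authenticated submissions are DMARC-checked too"
        findings=$((findings + 1))
    fi
    if [ "$failrep" = true ]; then
        echo "FailureReports=true: headers of every failing message are mailed to the ruf= address of the sending domain"
        findings=$((findings + 1))
    fi
    case "$sock" in
        "") echo "Socket unset: no milter socket configured"
            findings=$((findings + 1)) ;;
        inet:*@localhost|inet:*@127.0.0.1|local:*) ;;
        *)  echo "Socket=$sock: milter socket is not limited to the local host"
            findings=$((findings + 1)) ;;
    esac
    if [ -z "$user" ]; then
        echo "UserID unset: the milter keeps the privileges of whoever starts it (root from an init script) unless -u is passed"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo ok
    return 0
}

# sample_conf -> prints a constructed copy of the settings shown above.
sample_conf() {
    cat <<'EOF'
# constructed copy of the settings shown in this post
AuthservIDWithJobID true
BaseDirectory /var/run/opendmarc
FailureReports true
FailureReportsOnNone true
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
Socket inet:8893@localhost
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
UserID opendmarc
EOF
}

# Demonstration: expect findings for RejectFailures and FailureReports.
tmp=$(mktemp)
sample_conf > "$tmp"
audit_conf "$tmp"
rm -f "$tmp"
```

On the real system run audit_conf /etc/opendmarc/opendmarc.conf; the two findings it reports for the configuration above are exactly the two decisions discussed in the paragraph before it.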

The data files must now be created, including access rights:
mkdir -p /var/run/opendmarc/
touch /var/run/opendmarc/opendmarc.dat
chown opendmarc:opendmarc /var/run/opendmarc/opendmarc.dat
chmod 600 /var/run/opendmarc/opendmarc.dat
Note that on Wheezy /var/run is a symlink to /run, a tmpfs that is emptied at every boot, so the directory and history file created here (and the home directory given to the user above) disappear after a reboot. Either repeat these four commands in the do_start() function of the init script prepared next, or point BaseDirectory and HistoryFile at a persistent location, such as a directory under /var/lib owned by the opendmarc user.

Prepare the init start/stop script
cd /etc/init.d
cp skeleton opendmarc
chmod 755 opendmarc
vim opendmarc

Adapt the following parameters as appropriate to your settings. The skeleton sets DAEMON=/usr/sbin/$NAME, which matches the --prefix=/usr install above, and PIDFILE=/var/run/$NAME.pid, which must be the same path as the PidFile setting in opendmarc.conf:
# Provides: opendmarc
# Required-Start: $syslog
# Required-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: opendmarc milter init script
# Description: Start stop of opendmarc postfix milter
# Do NOT "set -e"
DESC="OpenDMARC milter"
DAEMON_ARGS="-c /etc/opendmarc/opendmarc.conf -u opendmarc"

And in the same file, in the function do_stop(), replace the skeleton's first start-stop-daemon --stop line with killall as follows (keep the RETVAL assignment that follows it; without it the final return "$RETVAL" fails with an empty argument):
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
#start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
killall opendmarc
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"

killall returns 1 when no opendmarc process exists, which the skeleton's convention reports as "already stopped". It stops every process of that name, which is fine on a host running a single instance; once PIDFILE in this script and PidFile in opendmarc.conf agree, the commented-out start-stop-daemon line is the cleaner choice.

Save the file.
Check the opendmarc configuration file:
opendmarc -c /etc/opendmarc/opendmarc.conf -u opendmarc -n && echo OK
If all OK then start the service:
service opendmarc start

Postfix configuration:
Edit the Postfix main configuration file under /etc/postfix/ and add the following lines. If they already exist because of OpenDKIM, then simply append the OpenDMARC socket to the existing lists as follows. The order matters: OpenDKIM must come first, because OpenDMARC takes the dkim= result from the Authentication-Results: header that OpenDKIM adds, and it only trusts that header when its authserv-id is one OpenDMARC accepts (AuthservID / TrustedAuthservIDs, which default to the local host name for both milters):
smtpd_milters = inet:, inet:localhost:8893
non_smtpd_milters = inet:, inet:localhost:8893

Restart postfix
service postfix restart
Keep in mind that Postfix's milter_default_action defaults to tempfail: if opendmarc is down or unreachable, incoming mail is deferred with a 4xx until it is back, so watch the mail log after the restart.
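To confirm the installation end to end, send yourself a message from an external account and look at the Authentication-Results: headers it arrives with. The following is an added example (my own, not part of the post and not shipped with OpenDMARC): two live checks for the running system, and a parser that extracts the dmarc= verdict from a saved message while ignoring Authentication-Results: headers that do not carry your own authserv-id, since anyone on the Internet can put such a header into a message before sending it. It assumes the socket and host names used above; the message it parses is constructed for the demonstration, with the job-id suffix that AuthservIDWithJobID true produces.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenDMARC.
# Two live checks for the running system, plus a parser that pulls the
# DMARC verdict out of a saved message so you can confirm the milter is
# stamping incoming mail. Only the parser is demonstrated below, on a
# constructed message.

# check_postfix_milters -> 0 when both milter lists contain the
# OpenDMARC socket configured above (needs Postfix installed).
check_postfix_milters() {
    for p in smtpd_milters non_smtpd_milters; do
        if ! postconf -h "$p" | grep -q 'inet:localhost:8893'; then
            echo "$p does not list inet:localhost:8893"
            return 1
        fi
    done
}

# check_milter_socket -> 0 when something listens on 127.0.0.1:8893.
check_milter_socket() {
    netstat -lnt 2>/dev/null | grep -q '127\.0\.0\.1:8893'
}

# ar_dmarc_result FILE AUTHSERV_ID -> prints the dmarc= result found in
# the Authentication-Results: headers of FILE that carry AUTHSERV_ID (or
# AUTHSERV_ID/jobid, the form produced by AuthservIDWithJobID true), or
# "missing". Headers with another authserv-id are ignored.
ar_dmarc_result() {
    awk -v id="$2" '
        /^$/ { exit }                           # blank line: end of headers
        /^[^ \t]/ { inar = 0 }                  # unindented line: new header
        tolower($0) ~ /^authentication-results:/ {
            asid = $2; sub(/;$/, "", asid)
            if (substr(asid, 1, length(id)) == id &&
                (asid == id || substr(asid, length(id) + 1, 1) == "/"))
                inar = 1
        }
        inar { hdr = hdr " " $0 }               # includes folded lines
        END {
            if (match(hdr, /dmarc=[a-z]+/))
                print substr(hdr, RSTART + 6, RLENGTH - 6)
            else
                print "missing"
        }' "$1"
}

# sample_message -> prints a constructed message as the milters would
# have left it: a forged Authentication-Results: header that arrived with
# the message, then OpenDKIM's and OpenDMARC's own headers.
sample_message() {
    printf '%s\n' \
        'Return-Path: <bounce@bulk.example.org>' \
        'Authentication-Results: evil.example; dmarc=pass header.from=example.com' \
        'Authentication-Results: mail.example.net;' \
        '    dkim=fail (signature verification failed) header.d=bulk.example.org' \
        'Authentication-Results: mail.example.net/7A1B2C3D4E;' \
        '    dmarc=fail (p=reject dis=none) header.from=example.com' \
        'From: Alice <alice@example.com>' \
        'Subject: test' \
        '' \
        'dmarc=pass in the body must not be taken into account'
}

# Demonstration: the forged header is ignored; the verdict is "fail" and
# dis=none shows the message was still delivered (RejectFailures false).
tmp=$(mktemp)
sample_message > "$tmp"
ar_dmarc_result "$tmp" mail.example.net
rm -f "$tmp"
```

Run check_postfix_milters and check_milter_socket on the server itself, then save a received test message to a file and call ar_dmarc_result on it with your own host name as the authserv-id. The dis= value in OpenDMARC's header tells you what was actually done with the message; with the configuration above it stays none even for a dmarc=fail verdict until RejectFailures is enabled.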
