msgbartop
MAC OS X, Linux, Windows and other IT Tips and Tricks
msgbarbottom

19 May 15 Installing DMARC filtering in Debian Wheezy

Principle: DMARC is a bit of a strange animal. It serves as a filter against SPAM but only according to the rules given by the owner of the domain sending emails. So, for example, if I send emails as sender me@example.com using a mail client program via my mail server , in order that my mails be seen as ‘good’ mail, I need to set-up the SPF and DKIM and DMARC TXT records in the DNS of the domain example.com. This way the receiving server will verify the validity of the SPF and DKIM of my domain and the using the DMARC record, decide what to do with the mails that fail the SPF or DKIM validation. In other words I instruct the receiving server what to do(and how) with emails that try to personify me sending emails. Of course the receiving server needs to have the DMARC vadidation mechanism installed to read my DNS DMARC record and act on the validation results.
This article provides instructions on how to install this mechanism only.
Installing DKIM(needed on the sending and receiving servers) is covered in this article:
//tipstricks.itmatrix.eu/installing-opendkim-in-debian-squeeze/
I don’t cover the SPF here since there are a lot of info on the Internet which covers it.

STEPS:

Install the needed libraries:
apt-get install libmilter-dev
Check out the latest version of opendmarc in Source forge and use the link to download it:
//downloads.sourceforge.net/project/opendmarc/
eg. For version 1.3.1 you run the command:
wget //downloads.sourceforge.net/project/opendmarc/opendmarc-1.3.1.tar.gz
tar xfvz opendmarc-1.3.1.tar.gz
cd opendmarc-1.3.1
./configure --prefix=/usr --with-spf --enable-live-tests
make && make install

Prepare the system user etc.
adduser --quiet --system --group --home /var/run/opendmarc opendmarc
chown opendmarc:opendmarc /var/run/opendmarc

Enter the sender host names that should be ignored by the filter
mkdir /etc/opendmarc/
echo -e "localshost\nmail.myserver.com\nmail2.myserver.com\nmail3.myserver.com" > /etc/opendmarc/ignore.hosts

Edit the configuration file
vi /etc/opendmarc/opendmarc.conf
Set the parameters accordingly and issue the following command to get a short overview of the configuration:
grep -v '#' /etc/opendmarc.conf | egrep -v '^ *$'
For example content of my configuration file(/etc/opendmarc.conf):
AuthservID mail5.myserver.com
AuthservIDWithJobID true
BaseDirectory /var/run/opendmarc
CopyFailuresTo admin@myserver.com
FailureReports true
FailureReportsBcc admin@myserver.com
FailureReportsOnNone true
FailureReportsSentBy opendmarc@myserver.com
HistoryFile /var/run/opendmarc/opendmarc.dat
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
IgnoreMailFrom myserver.com,myserver.net
PidFile /var/run/opendmarc.pid
RecordAllMessages false
ReportCommand /usr/sbin/sendmail -t
Socket inet:8893@localhost
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
TrustedAuthservIDs mail5.myserver.com
UserID opendmarc

The data files must be now created incl. access rights:
mkdir -p /var/run/opendmarc/
touch /var/run/opendmarc/opendmarc.dat
chown opendmarc.opendmarc /var/run/opendmarc/opendmarc.dat
chmod 600 /var/run/opendmarc/opendmarc.dat

Prepare the init start/stop script
cd /etc/init.d
cp skeleton opendmarc
chmod 755 opendmarc
vim opendmarc

Adapt the following parameters as appropriate to your settings:
### BEGIN INIT INFO
# Provides: opendmarc
# Required-Start: $syslog
# Required-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: opendmarc milter init script
# Description: Start stop of opendmarc postfix milter
#
### END INIT INFO
#
#
# Please remove the "Author" lines above and replace them
# with your own name if you copy and modify this script.
#
# Do NOT "set -e"
#
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="OpenDMARC milter"
NAME=opendmarc
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS="-c /etc/opendmarc/opendmarc.conf -u opendmarc"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

And in the same file in function do_stop():
Replace:
#start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
With:
killall opendmarc
Example:
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
#start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
killall opendmarc
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}

Save the file.
Check the opendmarc configuration file:
opendmarc -c /etc/opendmarc/opendmarc.conf -u opendmarc -n && echo OK
If all OK then start the service:
service opendmarc start

Postfix configuration:
Edit /etc/postfix/main.cf and add the following lines. If already existing because of openDKIM, then simply add the missing parameters as follows:
smtpd_milters = inet:127.0.0.1:12345, inet:localhost:8893
non_smtpd_milters = inet:127.0.0.1:12345, inet:localhost:8893

Restart postfix
service postfix restart

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: