opendmarc on stretch

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    check later on this page for updated instructions on updated stretch

    now this is kinda tricky since the systemd-file is not respecting the socket-configuration ... buuuut let's start easy

    I'm not covering reporting!

    Code:
    apt-get install opendmarc
    
    In /lib/systemd/system/opendmarc.service, modify the ExecStart line and add
    EnvironmentFile=/etc/default/opendmarc
    Code:
    [Unit]
    Description=OpenDMARC Milter
    Documentation=man:opendmarc(8) man:opendmarc.conf(5)
    After=network.target nss-lookup.target
    
    [Service]
    EnvironmentFile=/etc/default/opendmarc
    Type=forking
    PIDFile=/var/run/opendmarc/opendmarc.pid
    User=opendmarc
    ExecStart=/usr/sbin/opendmarc -p $SOCKET -c /etc/opendmarc.conf  -u opendmarc -P /var/run/opendmarc/opendmarc.pid
    Restart=on-failure
    ExecReload=/bin/kill -USR1 $MAINPID
    
    [Install]
    WantedBy=multi-user.target
    
    that way it respects the socket config, don't forget to run
    Code:
    systemctl daemon-reload
    
    Edit /etc/opendmarc.conf
    Code:
    # This is a basic configuration that can easily be adapted to suit a standard
    # installation. For more advanced options, see opendkim.conf(5) and/or
    # /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
    
    #  AuthservID (string)
    #      defaults to MTA name
    
    AuthservID <FQDN>
    #  FailureReports { true | false }
    #      default "false"
    #
    FailureReports false
    
    PidFile /var/run/opendmarc/opendmarc.pid
    
    #  RejectFailures { true | false }
    #      default "false"
    #
    RejectFailures true
    
    #  Syslog { true | false }
    #      default "false"
    #
    #  Log via calls to syslog(3) any interesting activity.
    #
    Syslog true
    
    #  SyslogFacility facility-name
    #      default "mail"
    #
    #  Log via calls to syslog(3) using the named facility.  The facility names
    #  are the same as the ones allowed in syslog.conf(5).
    #
    # SyslogFacility mail
    
    #  TrustedAuthservIDs string
    #      default HOSTNAME
    #
    #  Specifies one or more "authserv-id" values to trust as relaying true
    #  upstream DKIM and SPF results.  The default is to use the name of
    #  the MTA processing the message.  To specify a list, separate each entry
    #  with a comma.  The key word "HOSTNAME" will be replaced by the name of
    #  the host running the filter as reported by the gethostname(3) function.
    
    # TrustedAuthservIDs HOSTNAME
    
    #  UMask mask
    #      default (none)
    #
    #  Requests a specific permissions mask to be used for file creation.  This
    #  only really applies to creation of the socket when Socket specifies a
    #  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
    #  files are normally created by the mkstemp(3) function that enforces a
    #  specific file mode on creation regardless of the process umask.  See
    #  umask(2) for more information.
    #
    UMask 0002
    
    #  UserID user[:group]
    #      default (none)
    #
    #  Attempts to become the specified userid before starting operations.
    #  The process will be assigned all of the groups and primary group ID of
    #  the named userid unless an alternate group is specified.
    #
    UserID opendmarc:opendmarc
    
    # Path to system copy of PSL (needed to determine organizational domain)
    #
    PublicSuffixList /usr/share/publicsuffix/
    
    IgnoreAuthenticatedClients true
    #SoftwareHeader true
    
    If you think you can reproduce this on Debian 8: sorry, it has a bug with IgnoreAuthenticatedClients.
    Change <FQDN> to your hostname.
    Set RejectFailures to false if the stuff should not / must not be rejected after all.

    /etc/default/opendmarc
    Code:
    # Command-line options specified here will override the contents of
    # /etc/opendmarc.conf. See opendmarc(8) for a complete list of options.
    #DAEMON_OPTS=""
    # Change to /var/spool/postfix/var/run/opendmarc to use a Unix socket with
    # postfix in a chroot:
    #RUNDIR=/var/spool/postfix/var/run/opendmarc
    RUNDIR=/var/run/opendmarc
    #
    # Uncomment to specify an alternate socket
    # Note that setting this will override any Socket value in opendkim.conf
    # default:
    #SOCKET=local:$RUNDIR/opendmarc.sock
    SOCKET="inet:8892"
    # listen on all interfaces on port 54321:
    #SOCKET=inet:54321
    # listen on loopback on port 12345:
    #SOCKET=inet:12345@localhost
    # listen on 192.0.2.1 on port 12345:
    #SOCKET=inet:12345@192.0.2.1
    USER=opendmarc
    GROUP=opendmarc
    PIDFILE=$RUNDIR/$NAME.pid
    EXTRAAFTER=
    
    Code:
    service opendmarc restart
    
    should be up and running now on 127.0.0.1:8892

    Add to your /etc/postfix/main.cf
    Code:
    opendmarc_milter = inet:127.0.0.1:8892
    
    Compare with your /etc/postfix/master.cf
    Code:
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (no)    (never) (100)
    # ==========================================================================
    smtp      inet  n       -       y       -       -       smtpd
      -o smtpd_milters=${opendmarc_milter}
    #smtp      inet  n       -       y       -       1       postscreen
    [...]
    
    and gently enforce a reload on the mta
    Code:
    service postfix reload
    
    get a cup of coffee and watch if everything's throwing errors or not
    Code:
    tail -f /var/log/mail.info
    
    cheers


    edit: removed from main.cf
    non_smtpd_milters = inet:127.0.0.1:8892
    edit: removed from main.cf
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = inet:127.0.0.1:8892
    added to main.cf
    opendmarc_milter = inet:127.0.0.1:8892
    added changes to master.cf
     
    Last edited: Jul 18, 2018
  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    if you prefer sockets

    run
    Code:
    adduser postfix opendmarc
    mkdir /var/spool/postfix/opendmarc
    chown opendmarc: /var/spool/postfix/opendmarc
    
    change /etc/default/opendmarc
    Code:
    SOCKET=local:/var/spool/postfix/opendmarc/opendmarc.sock
    
    change /etc/postfix/main.cf
    Code:
    opendmarc_milter = unix:opendmarc/opendmarc.sock
    
    changed main.cf
    Code:
    removed smtpd_milters = unix:opendmarc/opendmarc.sock
    
     
    Last edited: Oct 7, 2017
  3. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    did some testing and updated instructions :)
     
  4. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    On latest Debian 9:
    Code:
    apt-get install opendmarc
    adduser postfix opendmarc
    mkdir /etc/opendmarc
    mkdir /var/spool/postfix/var/run/opendmarc/ -p
    chown opendmarc:opendmarc /var/spool/postfix/var/run/opendmarc/
    
    check your config in /etc/opendmarc.conf
    Code:
    AuthservID <fqdn>
    PidFile /var/run/opendmarc/opendmarc.pid
    RejectFailures true
    Socket local:/var/spool/postfix/var/run/opendmarc/opendmarc.sock
    Syslog true
    TrustedAuthservIDs <yourotherServersFQDN>
    IgnoreHosts /etc/opendmarc/ignore.hosts
    HistoryFile /var/run/opendmarc/opendmarc.dat
    SoftwareHeader false
    CopyFailuresTo <postmaster>@<domain>
    FailureReports false 
    FailureReportsBcc <postmaster>@<domain>
    FailureReportsSentBy <postmaster>@<domain>
    RequiredHeaders true
    IgnoreAuthenticatedClients true
    SPFSelfValidate true
    SPFIgnoreResults true
    MilterDebug 0
    UMask 0002
    UserID opendmarc:postfix
    PublicSuffixList /usr/share/publicsuffix/
    
    /etc/opendmarc/ignore.hosts
    Code:
    localhost
    127.0.0.1
    
    and now what we already know
    Code:
    postconf -P "smtp/inet/smtpd_milters=\${opendmarc_milter}"
    postconf -e "opendmarc_milter=unix:var/run/opendmarc/opendmarc.sock"
    
    Editing the service file is not needed. Just restart opendmarc and postfix.
     
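A small consistency check for the two milter wirings in this thread (the TCP setup in the first post and the socket under the Postfix chroot in the last one). This is an added example, not code from the posts; it assumes the Postfix queue directory is /var/spool/postfix as used throughout the thread.

```python
"""Consistency check for the opendmarc <-> Postfix milter wiring used in this thread.
Added example, not from the original posts; the socket specs are the thread's own."""

POSTFIX_QUEUE_DIR = "/var/spool/postfix"  # also the chroot of a chrooted smtpd


def parse_socket(spec):
    """Normalise both spellings to (kind, host, port_or_path).
    opendmarc: local:/path or inet:port[@host]; Postfix: unix:path or inet:host:port."""
    kind, _, rest = spec.strip().partition(":")
    if kind in ("local", "unix"):
        return ("unix", None, rest)
    if kind != "inet":
        raise ValueError("unknown socket spec: " + spec)
    if "@" in rest:                      # opendmarc form: inet:8892@localhost
        port, host = rest.split("@", 1)
    elif ":" in rest:                    # Postfix form: inet:127.0.0.1:8892
        host, port = rest.rsplit(":", 1)
    else:                                # bare port binds every interface
        host, port = "0.0.0.0", rest
    return ("inet", "127.0.0.1" if host == "localhost" else host, int(port))


def check_wiring(opendmarc_socket, postfix_milter, chrooted=True):
    """Return a list of findings; an empty list means both sides agree."""
    o, p = parse_socket(opendmarc_socket), parse_socket(postfix_milter)
    if o[0] != p[0]:
        return ["socket type mismatch: %s vs %s" % (opendmarc_socket, postfix_milter)]
    findings = []
    if o[0] == "unix":
        # Postfix resolves a relative unix: path against its queue directory; inside a
        # chrooted smtpd an absolute path is resolved against that directory as well.
        path = p[2]
        if not path.startswith("/") or chrooted:
            path = POSTFIX_QUEUE_DIR + "/" + path.lstrip("/")
        if path != o[2]:
            findings.append("path mismatch: opendmarc binds %s, Postfix opens %s" % (o[2], path))
    else:
        if o[1] == "0.0.0.0":
            findings.append("opendmarc listens on all interfaces; bind inet:%d@localhost" % o[2])
        if o[1] != p[1] and o[1] != "0.0.0.0":
            findings.append("host mismatch: opendmarc %s, Postfix %s" % (o[1], p[1]))
        if o[2] != p[2]:
            findings.append("port mismatch: opendmarc %d, Postfix %d" % (o[2], p[2]))
    return findings


if __name__ == "__main__":  # post 1 (TCP) and post 4 (socket under the chroot)
    print(check_wiring("inet:8892", "inet:127.0.0.1:8892") or "OK")
    print(check_wiring("local:/var/spool/postfix/var/run/opendmarc/opendmarc.sock",
                       "unix:var/run/opendmarc/opendmarc.sock") or "OK")
```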
