opendmarc on stretch

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me (ISPConfig Developer)

    check later on this page for updated instructions on updated stretch

    now this is kinda tricky since the systemd-file is not respecting the socket-configuration ... buuuut let's start easy

    I'm not covering reporting!

    Code:
    apt-get install opendmarc
    
    In /lib/systemd/system/opendmarc.service, add
    EnvironmentFile=/etc/default/opendmarc
    and modify the ExecStart line:
    Code:
    [Unit]
    Description=OpenDMARC Milter
    Documentation=man:opendmarc(8) man:opendmarc.conf(5)
    After=network.target nss-lookup.target
    
    [Service]
    EnvironmentFile=/etc/default/opendmarc
    Type=forking
    PIDFile=/var/run/opendmarc/opendmarc.pid
    User=opendmarc
    ExecStart=/usr/sbin/opendmarc -p $SOCKET -c /etc/opendmarc.conf  -u opendmarc -P /var/run/opendmarc/opendmarc.pid
    Restart=on-failure
    ExecReload=/bin/kill -USR1 $MAINPID
    
    [Install]
    WantedBy=multi-user.target
    
    that way it respects the socket config, don't forget to run
    Code:
    systemctl daemon-reload
    
    Edit /etc/opendmarc.conf
    Code:
    # This is a basic configuration that can easily be adapted to suit a standard
    # installation. For more advanced options, see opendmarc.conf(5) and/or
    # /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
    
    #  AuthservID (string)
    #      defaults to MTA name
    
    AuthservID <FQDN>
    #  FailureReports { true | false }
    #      default "false"
    #
    FailureReports false
    
    PidFile /var/run/opendmarc/opendmarc.pid
    
    #  RejectFailures { true | false }
    #      default "false"
    #
    RejectFailures true
    
    #  Syslog { true | false }
    #      default "false"
    #
    #  Log via calls to syslog(3) any interesting activity.
    #
    Syslog true
    
    #  SyslogFacility facility-name
    #      default "mail"
    #
    #  Log via calls to syslog(3) using the named facility.  The facility names
    #  are the same as the ones allowed in syslog.conf(5).
    #
    # SyslogFacility mail
    
    #  TrustedAuthservIDs string
    #      default HOSTNAME
    #
    #  Specifies one or more "authserv-id" values to trust as relaying true
    #  upstream DKIM and SPF results.  The default is to use the name of
    #  the MTA processing the message.  To specify a list, separate each entry
    #  with a comma.  The key word "HOSTNAME" will be replaced by the name of
    #  the host running the filter as reported by the gethostname(3) function.
    
    # TrustedAuthservIDs HOSTNAME
    
    #  UMask mask
    #      default (none)
    #
    #  Requests a specific permissions mask to be used for file creation.  This
    #  only really applies to creation of the socket when Socket specifies a
    #  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
    #  files are normally created by the mkstemp(3) function that enforces a
    #  specific file mode on creation regardless of the process umask.  See
    #  umask(2) for more information.
    #
    UMask 0002
    
    #  UserID user[:group]
    #      default (none)
    #
    #  Attempts to become the specified userid before starting operations.
    #  The process will be assigned all of the groups and primary group ID of
    #  the named userid unless an alternate group is specified.
    #
    UserID opendmarc:opendmarc
    
    # Path to system copy of PSL (needed to determine organizational domain)
    #
    PublicSuffixList /usr/share/publicsuffix/
    
    IgnoreAuthenticatedClients true
    #SoftwareHeader true
    
    If you think you can reproduce this on Debian 8: sorry, it's bugging on IgnoreAuthenticatedClients.
    Change <FQDN> to your hostname.
    Set RejectFailures to false if the stuff shouldn't / mustn't be rejected after all.

    /etc/default/opendmarc
    Code:
    # Command-line options specified here will override the contents of
    # /etc/opendmarc.conf. See opendmarc(8) for a complete list of options.
    #DAEMON_OPTS=""
    # Change to /var/spool/postfix/var/run/opendmarc to use a Unix socket with
    # postfix in a chroot:
    #RUNDIR=/var/spool/postfix/var/run/opendmarc
    RUNDIR=/var/run/opendmarc
    #
    # Uncomment to specify an alternate socket
    # Note that setting this will override any Socket value in opendmarc.conf
    # default:
    #SOCKET=local:$RUNDIR/opendmarc.sock
    SOCKET="inet:8892"
    # listen on all interfaces on port 54321:
    #SOCKET=inet:54321
    # listen on loopback on port 12345:
    #SOCKET=inet:12345@localhost
    # listen on 192.0.2.1 on port 12345:
    #SOCKET=inet:12345@192.0.2.1
    USER=opendmarc
    GROUP=opendmarc
    PIDFILE=$RUNDIR/$NAME.pid
    EXTRAAFTER=
    
    Code:
    service opendmarc restart
    
    should be up and running now on 127.0.0.1:8892

    Add to your /etc/postfix/main.cf
    Code:
    opendmarc_milter = inet:127.0.0.1:8892
    
    Compare with your /etc/postfix/master.cf
    Code:
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (no)    (never) (100)
    # ==========================================================================
    smtp      inet  n       -       y       -       -       smtpd
      -o smtpd_milters=${opendmarc_milter}
    #smtp      inet  n       -       y       -       1       postscreen
    [...]
    
    and gently enforce a reload on the mta
    Code:
    service postfix reload
    
    get a cup of coffee and watch if everything's throwing errors or not
    Code:
    tail -f /var/log/mail.info
    
    cheers


    edit: removed from main.cf
    non_smtpd_milters = inet:127.0.0.1:8892
    edit: removed from main.cf
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = inet:127.0.0.1:8892
    added to main.cf
    opendmarc_milter = inet:127.0.0.1:8892
    added changes to master.cf
     
    Last edited: Jul 18, 2018
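Added example (not code from the post above or from the OpenDMARC project): a small POSIX sh audit of an opendmarc.conf before restarting the milter. It parses the "Key value" layout documented in opendmarc.conf(5) and flags the things the post tells you to adjust by hand: a `<FQDN>`-style placeholder left in place, an `inet:` socket with no `@host` (which binds every interface, while postfix only needs loopback), a `local:` socket without the `UMask 0002` that lets the postfix group connect, and a missing `IgnoreAuthenticatedClients true`. The sample configuration at the bottom is constructed for the demo; `conf_get` only reads the first word of a value, so comma lists such as TrustedAuthservIDs come back truncated.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit an opendmarc.conf.
# Relies only on the "Key value" layout of opendmarc.conf(5); "#" starts a comment.

# conf_get FILE KEY -> prints KEY's first value word (last occurrence wins); exit 1 if unset
conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                          # drop comments
        NF >= 2 && $1 == key { val = $2; found = 1 }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# conf_audit FILE -> prints one finding per line; returns the number of findings (0 = clean)
conf_audit() {
    f=$1
    n=0
    # 1. a placeholder in angle brackets (e.g. "AuthservID <FQDN>") was never replaced
    if grep -Eq '^[[:space:]]*[A-Za-z]+[[:space:]]+[^#]*<[^>]*>' "$f"; then
        echo "placeholder in angle brackets still present; replace it with a real value"
        n=$((n + 1))
    fi
    sock=$(conf_get "$f" Socket) || sock=
    case $sock in
        inet:*@*) ;;                                 # bound to an explicit address
        inet:*)
            # 2. a bare port listens on all interfaces; postfix only needs loopback
            echo "Socket $sock listens on all interfaces; use ${sock}@localhost or restrict it"
            n=$((n + 1)) ;;
        local:*)
            # 3. a UNIX socket postfix must open needs a group-accessible mode
            umask_val=$(conf_get "$f" UMask) || umask_val=
            if [ "$umask_val" != "0002" ] && [ "$umask_val" != "002" ]; then
                echo "UMask is '${umask_val:-unset}'; with a local: socket set UMask 0002 so group postfix can connect"
                n=$((n + 1))
            fi ;;
        "")
            echo "Socket not set in this file; the unit must then pass -p from /etc/default/opendmarc"
            n=$((n + 1)) ;;
    esac
    # 4. without this, mail from SASL-authenticated (submission) clients is DMARC-checked too
    if [ "$(conf_get "$f" IgnoreAuthenticatedClients 2>/dev/null)" != "true" ]; then
        echo "IgnoreAuthenticatedClients is not true; authenticated submissions will be checked"
        n=$((n + 1))
    fi
    return $n
}

# demo on a constructed config (placeholder left in, bare inet port, option missing)
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
AuthservID <FQDN>
RejectFailures true
Socket inet:8892
UMask 0002
EOF
rc=0
conf_audit "$demo_conf" || rc=$?
echo "findings: $rc"
rm -f "$demo_conf"
```

Run it against the real file with `conf_audit /etc/opendmarc.conf` before `service opendmarc restart`; a non-zero return is the number of findings, so it drops into a shell `if` as-is.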
  2. ztk.me

    ztk.me (ISPConfig Developer)

    if you prefer sockets

    run
    Code:
    adduser postfix opendmarc
    mkdir /var/spool/postfix/opendmarc
    chown opendmarc: /var/spool/postfix/opendmarc
    
    change /etc/default/opendmarc
    Code:
    SOCKET=local:/var/spool/postfix/opendmarc/opendmarc.sock
    
    change /etc/postfix/main.cf
    Code:
    opendmarc_milter = unix:opendmarc/opendmarc.sock
    
    changed main.cf
    Code:
    removed smtpd_milters = unix:opendmarc/opendmarc.sock
    
     
    Last edited: Oct 7, 2017
  3. ztk.me

    ztk.me (ISPConfig Developer)

    did some testing and updated instructions :)
     
  4. ztk.me

    ztk.me (ISPConfig Developer)

    On latest Debian 9:
    Code:
    apt-get install opendmarc
    adduser postfix opendmarc
    mkdir /etc/opendmarc
    mkdir /var/spool/postfix/var/run/opendmarc/ -p
    chown opendmarc:opendmarc /var/spool/postfix/var/run/opendmarc/
    
    check your config in /etc/opendmarc.conf
    Code:
    AuthservID <fqdn>
    PidFile /var/run/opendmarc/opendmarc.pid
    RejectFailures true
    Socket local:/var/spool/postfix/var/run/opendmarc/opendmarc.sock
    Syslog true
    TrustedAuthservIDs <yourotherServersFQDN>
    IgnoreHosts /etc/opendmarc/ignore.hosts
    HistoryFile /var/run/opendmarc/opendmarc.dat
    SoftwareHeader false
    CopyFailuresTo <postmaster>@<domain>
    FailureReports false 
    FailureReportsBcc <postmaster>@<domain>
    FailureReportsSentBy <postmaster>@<domain>
    RequiredHeaders true
    IgnoreAuthenticatedClients true
    SPFSelfValidate true
    SPFIgnoreResults true
    MilterDebug 0
    UMask 0002
    UserID opendmarc:postfix
    PublicSuffixList /usr/share/publicsuffix/
    
    /etc/opendmarc/ignore.hosts
    Code:
    localhost
    127.0.0.1
    
    and now what we already know
    Code:
    postconf -P "smtp/inet/smtpd_milters=\${opendmarc_milter}"
    postconf -e "opendmarc_milter=unix:var/run/opendmarc/opendmarc.sock"
    
    Editing the service file is not needed. Just restart opendmarc and postfix
     
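Added example for the socket variants in posts 2 and 4 (not code from the thread or from OpenDMARC/postfix): a POSIX sh helper that turns the address OpenDMARC listens on (the `Socket` / `SOCKET` syntax: `local:PATH`, `inet:PORT`, `inet:PORT@HOST`) into the value postfix needs in `opendmarc_milter` / `smtpd_milters`. It assumes smtpd runs chrooted in /var/spool/postfix (the `y` in the master.cf chroot column), which is why the UNIX socket has to live below that directory and is referenced relative to it, and it refuses a `local:` path outside the chroot instead of producing a milter spec postfix could never open. The chroot directory is a parameter so the same mapping works for a non-default chroot.

```shell
#!/bin/sh
# Added example, not from the forum thread: map an OpenDMARC socket spec to the
# postfix milter address. Assumes a chrooted smtpd (default chroot /var/spool/postfix).

# postfix_milter_addr SOCKET [CHROOT] -> prints the postfix milter spec; exit 1 if unreachable
postfix_milter_addr() {
    sock=$1
    chroot=${2:-/var/spool/postfix}
    case $sock in
        local:*|unix:*)
            path=${sock#*:}
            case $path in
                "$chroot"/*)
                    # postfix resolves relative unix: paths inside its chroot, so strip the prefix
                    echo "unix:${path#"$chroot"/}" ;;
                *)
                    echo "socket $path is outside $chroot; a chrooted smtpd cannot open it" >&2
                    return 1 ;;
            esac ;;
        inet:*@*)
            # "inet:PORT@HOST" on the milter side becomes "inet:HOST:PORT" on the postfix side
            spec=${sock#inet:}
            port=${spec%%@*}
            host=${spec#*@}
            echo "inet:$host:$port" ;;
        inet:*)
            # bare port: opendmarc binds every interface, postfix reaches it over loopback
            echo "inet:127.0.0.1:${sock#inet:}" ;;
        *)
            echo "unrecognised socket spec: $sock" >&2
            return 1 ;;
    esac
}

# demo with the four values that appear in the thread
for s in inet:8892 inet:8892@localhost \
         local:/var/spool/postfix/var/run/opendmarc/opendmarc.sock \
         local:/var/run/opendmarc/opendmarc.sock; do
    printf '%-60s -> ' "$s"
    postfix_milter_addr "$s" 2>/dev/null || echo "(unreachable from chrooted smtpd)"
done
```

Feed the result to postfix exactly as post 4 does, e.g. `postconf -e "opendmarc_milter=$(postfix_milter_addr local:/var/spool/postfix/var/run/opendmarc/opendmarc.sock)"`. Remember that the UNIX socket additionally needs `adduser postfix opendmarc` and `UMask 0002` so the postfix user can connect, which this mapping does not check.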
