check later on this page for updated instructions for stretch

now this is kind of tricky since the systemd file is not respecting the socket configuration ... but let's start easy. I'm not covering reporting!

Code:
apt-get install opendmarc

modify the ExecStart line and add EnvironmentFile=/etc/default/opendmarc in /lib/systemd/system/opendmarc.service

Code:
[Unit]
Description=OpenDMARC Milter
Documentation=man:opendmarc(8) man:opendmarc.conf(5)
After=network.target nss-lookup.target

[Service]
EnvironmentFile=/etc/default/opendmarc
Type=forking
PIDFile=/var/run/opendmarc/opendmarc.pid
User=opendmarc
ExecStart=/usr/sbin/opendmarc -p $SOCKET -c /etc/opendmarc.conf -u opendmarc -P /var/run/opendmarc/opendmarc.pid
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target

that way it respects the socket config; don't forget to run

Code:
systemctl daemon-reload

Edit /etc/opendmarc.conf

Code:
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.

# AuthservID (string)
#       defaults to MTA name
AuthservID <FQDN>

# FailureReports { true | false }
#       default "false"
#
FailureReports false

PidFile /var/run/opendmarc/opendmarc.pid

# RejectFailures { true | false }
#       default "false"
#
RejectFailures true

# Syslog { true | false }
#       default "false"
#
# Log via calls to syslog(3) any interesting activity.
#
Syslog true

# SyslogFacility facility-name
#       default "mail"
#
# Log via calls to syslog(3) using the named facility. The facility names
# are the same as the ones allowed in syslog.conf(5).
#
# SyslogFacility mail

# TrustedAuthservIDs string
#       default HOSTNAME
#
# Specifies one or more "authserv-id" values to trust as relaying true
# upstream DKIM and SPF results. The default is to use the name of
# the MTA processing the message. To specify a list, separate each entry
# with a comma. The key word "HOSTNAME" will be replaced by the name of
# the host running the filter as reported by the gethostname(3) function.
#
# TrustedAuthservIDs HOSTNAME

# UMask mask
#       default (none)
#
# Requests a specific permissions mask to be used for file creation. This
# only really applies to creation of the socket when Socket specifies a
# UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
# files are normally created by the mkstemp(3) function that enforces a
# specific file mode on creation regardless of the process umask. See
# umask(2) for more information.
#
UMask 0002

# UserID user[:group]
#       default (none)
#
# Attempts to become the specified userid before starting operations.
# The process will be assigned all of the groups and primary group ID of
# the named userid unless an alternate group is specified.
#
UserID opendmarc:opendmarc

# Path to system copy of PSL (needed to determine organizational domain)
# PublicSuffixList /usr/share/publicsuffix/

IgnoreAuthenticatedClients true
#SoftwareHeader true

If you think you can reproduce this on Debian 8: sorry, it's buggy with IgnoreAuthenticatedClients.

change <FQDN> to your hostname

set RejectFailures to false if the stuff should not or may not be rejected after all

/etc/default/opendmarc

Code:
# Command-line options specified here will override the contents of
# /etc/opendmarc.conf. See opendmarc(8) for a complete list of options.
#DAEMON_OPTS=""
# Change to /var/spool/postfix/var/run/opendmarc to use a Unix socket with
# postfix in a chroot:
#RUNDIR=/var/spool/postfix/var/run/opendmarc
RUNDIR=/var/run/opendmarc
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
#SOCKET=local:$RUNDIR/opendmarc.sock
SOCKET="inet:8892"
# listen on all interfaces on port 54321:
#SOCKET=inet:54321
# listen on loopback on port 12345:
#SOCKET=inet:12345@localhost
# listen on 192.0.2.1 on port 12345:
#SOCKET=inet:12345@192.0.2.1
USER=opendmarc
GROUP=opendmarc
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=

Code:
service opendmarc restart

should be up and running now on 127.0.0.1:8892

Add to your /etc/postfix/main.cf

Code:
opendmarc_milter = inet:127.0.0.1:8892

Compare with your /etc/postfix/master.cf

Code:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_milters=${opendmarc_milter}
#smtp      inet  n       -       y       -       1       postscreen
[...]

and gently enforce a reload on the MTA

Code:
service postfix reload

get a cup of coffee and watch whether everything's throwing errors or not

Code:
tail -f /var/log/mail.info

cheers

edit: removed from main.cf
non_smtpd_milters = inet:127.0.0.1:8892

edit: removed from main.cf
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8892
added to main.cf
opendmarc_milter = inet:127.0.0.1:8892
added changes to master.cf
if you prefer sockets, run

Code:
adduser postfix opendmarc
mkdir /var/spool/postfix/opendmarc
chown opendmarc: /var/spool/postfix/opendmarc

change /etc/default/opendmarc

Code:
SOCKET=local:/var/spool/postfix/opendmarc/opendmarc.sock

change /etc/postfix/main.cf

Code:
opendmarc_milter = unix:opendmarc/opendmarc.sock

changed main.cf

Code:
removed smtpd_milters = unix:opendmarc/opendmarc.sock
On latest Debian 9:

Code:
apt-get install opendmarc
adduser postfix opendmarc
mkdir /etc/opendmarc
mkdir -p /var/spool/postfix/var/run/opendmarc/
chown opendmarc:opendmarc /var/spool/postfix/var/run/opendmarc/

check your config in /etc/opendmarc.conf

Code:
AuthservID <fqdn>
PidFile /var/run/opendmarc/opendmarc.pid
RejectFailures true
Socket local:/var/spool/postfix/var/run/opendmarc/opendmarc.sock
Syslog true
TrustedAuthservIDs <yourotherServersFQDN>
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
SoftwareHeader false
CopyFailuresTo <postmaster>@<domain>
FailureReports false
FailureReportsBcc <postmaster>@<domain>
FailureReportsSentBy <postmaster>@<domain>
RequiredHeaders true
IgnoreAuthenticatedClients true
SPFSelfValidate true
SPFIgnoreResults true
MilterDebug 0
UMask 0002
UserID opendmarc:postfix
PublicSuffixList /usr/share/publicsuffix/

/etc/opendmarc/ignore.hosts

Code:
localhost
127.0.0.1

and now what we already know

Code:
postconf -P "smtp/inet/smtpd_milters=\${opendmarc_milter}"
postconf -e "opendmarc_milter=unix:var/run/opendmarc/opendmarc.sock"

Editing the service file is not needed. Just restart opendmarc and postfix.
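Every variant in this thread (inet:8892 on Debian 8, the local: socket under /var/spool/postfix, and the Debian 9 postconf lines) hinges on one thing: the endpoint Postfix dials must be the socket OpenDMARC actually opens. Postfix resolves a relative unix: path inside its queue directory (the chroot, /var/spool/postfix on Debian), OpenDMARC's Socket / -p value is an absolute path, and per the comments in /etc/default/opendmarc a bare inet:<port> binds every interface. The POSIX shell below is an added check written for this page, not code from the thread; it normalizes both spellings and says whether they line up. It assumes the Debian queue directory, IPv4 or hostname addresses (bracketed IPv6 literals are not handled) and paths without spaces.

```shell
#!/bin/sh
# Added example (not from the thread): check that the milter endpoint Postfix
# dials is the socket OpenDMARC opens.
# Assumptions: Postfix queue_directory is /var/spool/postfix (Debian default);
# the Postfix spec is unix:<path> (relative = inside the chroot) or inet:<host>:<port>;
# the OpenDMARC spec is local:<absolute path> or inet:<port>[@<host>].
# Bracketed IPv6 literals and paths containing spaces are not handled.

# Normalize a Postfix smtpd_milters entry to "unix <abs path>" or "inet <host> <port>".
postfix_milter_endpoint() {
    spec=$1
    queue_dir=${2:-/var/spool/postfix}
    case $spec in
        unix:/*|local:/*) echo "unix ${spec#*:}" ;;
        unix:*|local:*)   echo "unix ${queue_dir}/${spec#*:}" ;;   # chroot-relative
        inet:*:*)         hp=${spec#inet:}; echo "inet ${hp%:*} ${hp##*:}" ;;
        *)                return 1 ;;   # Postfix needs host:port for inet
    esac
}

# Normalize an OpenDMARC Socket / -p value to the same shape.
# A bare port (inet:8892) means "every interface", reported here as 0.0.0.0.
opendmarc_socket_endpoint() {
    spec=$1
    case $spec in
        local:/*|unix:/*) echo "unix ${spec#*:}" ;;
        inet:*@*)         pp=${spec#inet:}; echo "inet ${pp#*@} ${pp%@*}" ;;
        inet:*)           echo "inet 0.0.0.0 ${spec#inet:}" ;;
        *)                return 1 ;;
    esac
}

# Exit 0 when Postfix will reach OpenDMARC, 1 otherwise.
# $1 = Postfix milter spec, $2 = OpenDMARC socket spec, $3 = queue directory (optional)
milter_endpoints_match() {
    pf=$(postfix_milter_endpoint "$1" "$3") || return 1
    od=$(opendmarc_socket_endpoint "$2") || return 1
    [ "$pf" = "$od" ] && return 0
    set -- $pf; pf_kind=$1; pf_port=$3
    set -- $od
    # a listener on all interfaces also answers a connect to loopback on that port
    [ "$pf_kind" = inet ] && [ "$1" = inet ] && [ "$2" = 0.0.0.0 ] && [ "$3" = "$pf_port" ]
}

# Show the result for the configurations discussed in this thread.
report() {
    if milter_endpoints_match "$1" "$2"; then echo "OK       $1 <-> $2"
    else echo "MISMATCH $1 <-> $2"; fi
}
report inet:127.0.0.1:8892 inet:8892
report unix:opendmarc/opendmarc.sock local:/var/spool/postfix/opendmarc/opendmarc.sock
report unix:var/run/opendmarc/opendmarc.sock local:/var/spool/postfix/var/run/opendmarc/opendmarc.sock
# the classic slip: Debian's default RUNDIR=/var/run/opendmarc lies outside the chroot
report unix:var/run/opendmarc/opendmarc.sock local:/var/run/opendmarc/opendmarc.sock
```

The first three lines print OK; the fourth prints MISMATCH because a chrooted smtpd cannot reach /var/run/opendmarc, which is exactly why /etc/default/opendmarc tells you to move RUNDIR under /var/spool/postfix. inet:8892 passes against inet:127.0.0.1:8892 only because an all-interfaces listener also answers on loopback; if the milter should be reachable by the local Postfix alone, use the inet:8892@localhost form shown commented in /etc/default/opendmarc (and then spell the Postfix side inet:localhost:8892, since the check compares host names literally).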