Rage Against the Shell

Linux tips and other things…

Postfix + OpenDMARC

Posted on June 18, 2016 - December 17, 2019 by Mr. Reboot

OpenDMARC is a milter that implements DMARC, a spam control mechanism that complements SPF and DKIM checks and adds reporting policies. On Debian/Ubuntu you can install opendmarc from the repositories:

~ $ apt-get install opendmarc

On Debian wheezy you have to add backports to the sources.list file first:

~ $ echo 'deb http://ftp.debian.org/debian wheezy-backports main contrib' >> /etc/apt/sources.list
~ $ apt-get update
~ $ apt-get install opendmarc

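Change the configuration in /etc/opendmarc.conf, taking this as an example. With RejectFailures set to false, OpenDMARC only records the result in an Authentication-Results header and does not reject mail that fails the check: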

AuthservID mail.server.com
PidFile /var/run/opendmarc.pid
RejectFailures false
Syslog true
TrustedAuthservIDs mail.server.com,mail2.server.com,mail3.server.com
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
SoftwareHeader true

Add hosts to /etc/opendmarc/ignore.hosts:

~ $ mkdir /etc/opendmarc
~ $ vim /etc/opendmarc/ignore.hosts
localhost
192.168.1.0/24

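Configure the listening socket in /etc/default/opendmarc. The port must be a valid TCP port (1-65535); 8893 is used here as an example:

SOCKET="inet:8893@localhost"

And restart opendmarc:

~ $ /etc/init.d/opendmarc restart

Now configure Postfix: append the OpenDMARC milter to the existing milters (here DKIM on port 1234) in /etc/postfix/main.cf. Keep the DKIM milter first so that its result is already in the headers when OpenDMARC evaluates the message:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:1234,inet:localhost:8893
non_smtpd_milters = inet:localhost:1234,inet:localhost:8893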

Then restart:

~ $ /etc/init.d/postfix restart

Finally, add a _dmarc TXT DNS record to your domain, for example:

"v=DMARC1; p=none; pct=100; rua=mailto:postmaster@server.com; ruf=mailto:postmaster@server.com; fo=0; adkim=r; aspf=r"

Where:

v=DMARC1: DMARC version
p=none: do nothing if the DMARC check fails, which is good for testing. You can use “p=quarantine” or “p=reject” instead.
pct=100: defines the percentage of mail to which the policy is applied (0-100)
rua: address for sending reports
ruf: address for sending forensic reports
fo: reporting options; 0 generates a report if both SPF and DKIM checks failed
adkim: DKIM restrictive level (s=strict, r=relaxed)
aspf: SPF restrictive level (s=strict, r=relaxed)

Wait for the TTL refresh time and test if the record was created successfully:

~ $ dig +short txt _dmarc.server.com
"v=DMARC1\; p=none\; rua=mailto:postmaster@server.com\; ruf=mailto:postmaster@server.com\; fo=0\; adkim=r\; aspf=r"
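
As an added example (not part of the original post), this Python sketch checks a string returned by dig against the tag rules listed above, including the backslash-escaped semicolons and the split quoted strings that dig prints for long records. The function names and the sample records are constructed for illustration.

```python
import re

# Accepted values for the fixed-choice tags described in the post.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
}

def parse_dmarc(txt):
    """Turn one line of `dig +short txt _dmarc.<domain>` into an ordered tag dict."""
    chunks = re.findall(r'"([^"]*)"', txt)          # dig may print "part1" "part2"
    raw = ("".join(chunks) if chunks else txt).replace("\\;", ";")
    tags = {}
    for part in raw.split(";"):
        if not part.strip():
            continue                                # trailing ';' is allowed
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt):
    """Return a list of problems; an empty list means the record is well formed."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"{name}={tags[name]} is not one of {sorted(allowed)}")
    pct = tags.get("pct", "100")                    # pct defaults to 100 when absent
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        problems.append(f"pct={pct} must be an integer from 0 to 100")
    return problems

if __name__ == "__main__":
    # Constructed sample records, not real DNS data.
    samples = [
        r'"v=DMARC1\; p=none\; rua=mailto:postmaster@server.com\; adkim=r\; aspf=r"',
        '"p=reject; v=DMARC1; pct=150; adkim=x"',
    ]
    for record in samples:
        print(record, "->", check_dmarc(record) or "OK")
```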
1 Comment

  1. Dheeraj M Pai says:
    June 26, 2019 at 6:50 pm

    Thanks
