Deploy OpenDMARC to your postfix server

As an MTA lover, I always try to encourage people (especially "IT people") to host their own mail server, mostly so they can actually learn something, and also because I do not like how the big providers like Google, Microsoft, Amazon etc. keep eating up the market.
Diversity is a key to a healthy market - but that is another topic.

This guide will mostly apply to Debian-based distros like Debian (9 or newer), Ubuntu (16.04 or newer) or any other server distro. I assume that you already have a working mail server that both delivers and receives emails that are DKIM signed (or at least performs validation with OpenDKIM); otherwise you can read my short guide here (coming soon).

  1. First, install OpenDMARC from the repository.
    apt update
    apt install opendmarc -y
    Verify that the user and group "opendmarc" have been created by checking /etc/passwd and /etc/group. Otherwise, create them.
  2. When you have installed it, verify the installation by running this:
    opendmarc -V
    You will get something like this (the version number is not that important yet):
    opendmarc: OpenDMARC Filter v1.3.2       
    SMFI_VERSION 0x1000001       
    libmilter version 1.0.1       
    Active code options:               
    WITH_SPF               
    WITH_SPF2

    Great! Let's proceed to configuring opendmarc.
  3. First, take a backup of the current opendmarc.conf; it will save you some headache in the future if you want to redo it:
    cp /etc/opendmarc.conf /etc/opendmarc.conf.BAK

    Edit /etc/opendmarc.conf with the following:

    AuthservID [SERVERHOSTNAME]
    FailureReports true
    PidFile /var/run/opendmarc.pid
    RejectFailures false
    SPFSelfValidate yes
    Socket inet:8893@localhost
    SoftwareHeader true
    Syslog true
    SyslogFacility mail
    TrustedAuthservIDs [SERVERHOSTNAME]
    HistoryFile /var/run/opendmarc/opendmarc.dat
    UMask 0002
    UserID opendmarc

    Don't forget to restart opendmarc:

    service opendmarc restart
  4. Proceed with adding opendmarc as a milter in postfix. I am assuming that you already have opendkim enabled as a milter like this:

    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891

    We now need to add the opendmarc milter to the postfix configuration. It is important that you add it AFTER the opendkim milter, otherwise opendmarc will not be able to check if the DKIM key is valid.

    smtpd_milters = inet:localhost:8891,inet:localhost:8893
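    non_smtpd_milters = inet:localhost:8891,inet:localhost:8893
    milter_default_action = accept

    The last setting is pretty important: if one of your milters does not work for some reason, Postfix will still let the mail through. Keep in mind that this is fail-open, so mail that arrives while a milter is down is accepted without the DKIM and DMARC checks.
    Restart postfix: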

    service postfix restart
  5. We should now be able to test the configuration by sending an email from, for example, a gmail.com account to an address on your mail server and checking your logs to see if opendmarc actually works.

    tail -f /var/log/mail.log | grep "opendmarc"

    You should be able to see this:

    Apr 26 12:16:38 mx opendmarc[31490]: 5155751C32: SPF(mailfrom): support@portsgroup.com pass
    Apr 26 12:16:39 mx opendmarc[31490]: 5155751C32: portsgroup.com pass

    Great! Your server now validates DMARC policies! If you just wanted this basic functionality, you are done now.
    But there is always room for improvement!

    Adding a Public-suffix list
    This can be achieved in a few simple steps:

  6. Create a directory (and change its ownership) for the list to be downloaded to:

    mkdir -p /etc/opendmarc/
    chown opendmarc: /etc/opendmarc
  7. Set up a cronjob to download the suffix list once a week:

    crontab -u opendmarc -e

    Add this line:

    @weekly /usr/bin/wget -k -q -N -P /etc/opendmarc https://publicsuffix.org/list/effective_tld_names.dat

    Also, just download the list so you have it before you configure opendmarc to use it:

    wget -k -q -N -P /etc/opendmarc https://publicsuffix.org/list/effective_tld_names.dat
  8. Finally, configure opendmarc to actually use that list: put this at the bottom of /etc/opendmarc.conf and restart opendmarc.

    PublicSuffixList /etc/opendmarc/effective_tld_names.dat

    service opendmarc restart
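
A way to audit the step 4 settings, added here as an example and not part of the original guide: the script reads main.cf-style text, checks that the opendkim milter (port 8891) precedes the opendmarc milter (port 8893) in both lists, and reports milter_default_action. The function names and the sample configurations are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit the step 4 milter settings in main.cf-style text.
# Ports 8891 (opendkim) and 8893 (opendmarc) are the ones this guide uses.

# Print the effective value of parameter $1 in file $2. Handles Postfix
# continuation lines (leading whitespace); the last definition wins.
param_value() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
        /^[ \t]/ { if (cur == want) val = val " " $0; next }   # continuation
        {
            eq = index($0, "="); if (eq == 0) { cur = ""; next }
            cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
            if (cur == want) val = substr($0, eq + 1)
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$2"
}

# Succeed only if both milters are listed and opendkim comes first.
order_ok() {
    printf '%s\n' "$1" |
        awk '{ d = index($0, ":8891"); m = index($0, ":8893"); exit !(d > 0 && m > d) }'
}

# Report on file $1; the return code is the number of misordered lists.
check_config() {
    problems=0
    for p in smtpd_milters non_smtpd_milters; do
        v=$(param_value "$p" "$1")
        if order_ok "$v"; then echo "OK   $p = $v"
        else echo "BAD  $p = ${v:-<unset>}"; problems=$((problems + 1)); fi
    done
    a=$(param_value milter_default_action "$1")
    echo "INFO milter_default_action = ${a:-<unset, Postfix default is tempfail>}"
    return "$problems"
}

# Constructed sample configurations (not taken from a real server).
GOOD=$(mktemp); BAD=$(mktemp)
printf '%s\n' 'smtpd_milters = inet:localhost:8891,inet:localhost:8893' \
    'non_smtpd_milters = inet:localhost:8891,' '    inet:localhost:8893' \
    'milter_default_action = accept' > "$GOOD"
printf '%s\n' 'smtpd_milters = inet:localhost:8893,inet:localhost:8891' \
    'non_smtpd_milters = inet:localhost:8891' > "$BAD"
check_config "$GOOD"
check_config "$BAD" || echo "$? list(s) need fixing"
```

On a live server, run it as check_config /etc/postfix/main.cf.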
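
Because RejectFailures is false in this setup, DMARC results only show up in the log from step 5. The following added example (not from the original guide) tallies those verdicts per domain. It assumes fail and none appear in the same position as pass in the verdict line shown in step 5; the function names and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise opendmarc verdicts from mail.log lines on stdin.
# Assumption: verdict lines look like the one in step 5,
#   "<date> <host> opendmarc[<pid>]: <queue-id>: <domain> <result>",
# with fail/none in the same position as pass.

# Print "<count> <domain> <result>" per domain and result, sorted by domain.
dmarc_summary() {
    awk '
        $5 !~ /^opendmarc\[[0-9]+\]:$/ { next }   # only opendmarc entries
        $7 ~ /^SPF\(/ { next }                    # SPF detail line, not the verdict
        NF == 8 && $8 ~ /^(pass|fail|none)$/ { count[$7 " " $8]++ }
        END { for (k in count) print count[k], k }
    ' | sort -k2,2 -k3,3
}

# Domains with at least one failing message; review these before
# setting RejectFailures to true.
dmarc_failing_domains() {
    dmarc_summary | awk '$3 == "fail" { print $2 }'
}

# Constructed sample log lines (domains and queue ids are placeholders).
SAMPLE_LOG='Apr 26 12:16:38 mx opendmarc[31490]: 5155751C32: SPF(mailfrom): a@example.com pass
Apr 26 12:16:39 mx opendmarc[31490]: 5155751C32: example.com pass
Apr 26 12:20:01 mx opendmarc[31490]: 6A1B2C3D4E: example.net fail
Apr 26 12:21:07 mx opendkim[1200]: 6A1B2C3D4F: no signature data
Apr 26 12:25:44 mx opendmarc[31490]: 7F00112233: example.com pass
Apr 26 12:30:10 mx opendmarc[31490]: 8899AABBCC: example.org none'

printf '%s\n' "$SAMPLE_LOG" | dmarc_summary
printf '%s\n' "$SAMPLE_LOG" | dmarc_failing_domains
```

On a live server, feed it the real log: dmarc_summary < /var/log/mail.log.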
