Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport – Wikipedia
This is a continuation of the series on fighting spam when you are self-hosting your mail server, which in this case is Postfix; in the previous parts we finished the configuration of SPF and DKIM.
Install the needed package:
# debian/ubuntu
apt-get install opendmarc
Configure it with a basic configuration:
# vim /etc/opendmarc.conf
AuthservID mail.example.com
# Debian default
PidFile /var/run/opendmarc.pid
RejectFailures false
Syslog true
TrustedAuthservIDs mail.example.com,mail2.example.com
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
# only for debugging we can add the line below
SoftwareHeader true
But that is not all; let us create the folder:
mkdir /etc/opendmarc/
And add the hosts that will be excluded from scanning, that is, our own server:
# vim /etc/opendmarc/ignore.hosts
localhost
ip_address_of_our_server
Assuming we followed the previous post about fighting spam, we should already have DKIM on port 12301, so we can use port 54321 for DMARC:
# vim /etc/default/opendmarc
...
SOCKET="inet:54321@localhost"
...
Let us start opendmarc to make sure there are no typos in the configuration file:
/etc/init.d/opendmarc start
We need to enable support for this technique in Postfix:
# vim /etc/postfix/main.cf
...
smtpd_milters=inet:localhost:12345,inet:localhost:54321
non_smtpd_milters=inet:localhost:12345,inet:localhost:54321
...
Remember that smtpd_milters and non_smtpd_milters were already configured with DKIM in the previous part, so now there are two values: the first must be the socket the DKIM milter actually listens on, and the second is DMARC 🙂
Reload Postfix so it can use DMARC:
/etc/init.d/postfix reload
Since DMARC builds on DKIM and SPF, we also have to add another TXT record to our DNS. The Internet is full of DMARC record wizards that generate different configurations; for now we can use the one provided here:
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400"
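The record above is a list of tag=value pairs, and a typo in one of them (or a policy of p=none left in place) silently turns enforcement off. As an added example that is not part of the original post, the following Python parses a DMARC TXT record into its tags and flags the settings that weaken it: a missing v= or p= tag, invalid values, p=none, pct below 100 and a missing rua= address. The allowed-value table and the weak sample record are constructed for this example; the first record checked is the one from the post.

```python
# Added example: parse and sanity-check a DMARC TXT record.
# The allowed-value table below is constructed for this example and
# covers only the tags the check looks at.
REQUIRED_TAGS = ("v", "p")
ALLOWED = {
    "v": {"DMARC1"},
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "rf": {"afrf"},
}

# The record from the post, as published at _dmarc.example.com.
POST_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
               "ruf=mailto:dmarc@example.com; fo=0; adkim=r; aspf=r; "
               "pct=100; rf=afrf; ri=86400")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict.

    Tags are separated by ';', whitespace around names and values is
    ignored, tag names are case-insensitive, and 'v' must come first.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v":
        raise ValueError("record must start with v=DMARC1")
    return tags


def check_dmarc(record: str) -> list:
    """Return the problems found in a record; an empty list means it looks fine.

    Beyond syntax this flags settings that weaken enforcement: p=none is
    monitoring only, pct below 100 exempts part of the failing mail, and
    without rua= no aggregate reports ever reach us.
    """
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return [str(err)]
    problems = []
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            problems.append(f"missing required tag {tag}")
    for tag, allowed in ALLOWED.items():
        if tag in tags and tags[tag] not in allowed:
            problems.append(f"invalid value {tags[tag]!r} for {tag}")
    if tags.get("p") == "none":
        problems.append("p=none: receivers only report, never quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct must be 0-100, got {pct!r}")
    elif int(pct) < 100:
        problems.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        problems.append("no rua= address: you will receive no aggregate reports")
    elif not all(uri.startswith("mailto:") for uri in tags["rua"].split(",")):
        problems.append("rua must be a comma-separated list of mailto: URIs")
    return problems


if __name__ == "__main__":
    print(parse_dmarc(POST_RECORD))
    print(check_dmarc(POST_RECORD) or "record OK")
    # constructed weak record for comparison
    print(check_dmarc("v=DMARC1; p=none; pct=50"))
```

Run it against the TXT value you actually published (for example the output of dig TXT _dmarc.example.com) rather than the value you meant to publish; the check only cares about the string the receivers will see.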
Normally a lot of people end the configuration here, but that is not a fully implemented DMARC setup: they forget about exchanging aggregate reports between mail servers. This is the way we can fix this:
# vim /usr/share/doc/opendmarc/schema.mysql
...
CREATE USER 'opendmarc'@'localhost' IDENTIFIED BY 'changeme';
GRANT ALL ON opendmarc.* to 'opendmarc'@'localhost';
...
Those lines are already in schema.mysql but commented out; just uncomment them so a proper user for opendmarc gets created (the password here must match the one used in the report script below).
Read and execute the schema:
mysql -u root -p < /usr/share/doc/opendmarc/schema.mysql
Create a script that will generate the reports for us:
# vim /etc/opendmarc/report_script
#!/bin/bash
DB_SERVER='database.example.com'
DB_USER='opendmarc'
DB_PASS='password'
DB_NAME='opendmarc'
WORK_DIR='/var/run/opendmarc'
REPORT_EMAIL='dmarc@example.com'
REPORT_ORG='example.com'

# rotate the history file so opendmarc can keep writing while we import
mv -f "${WORK_DIR}/opendmarc.dat" "${WORK_DIR}/opendmarc_import.dat"
cat /dev/null > "${WORK_DIR}/opendmarc.dat"

# import the collected authentication results into the database
/usr/sbin/opendmarc-import --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose < "${WORK_DIR}/opendmarc_import.dat"

# generate and send the aggregate reports for the last 24 hours
/usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose --interval=86400 --report-email ${REPORT_EMAIL} --report-org ${REPORT_ORG}

# expire old records from the database
/usr/sbin/opendmarc-expire --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose
We need to add that script to cron so it runs every day:
chmod +x /etc/opendmarc/report_script
# first test the script before adding it to cron
su -c "/etc/opendmarc/report_script" -s /bin/bash opendmarc
# vim /etc/crontab
1 0 * * * opendmarc /etc/opendmarc/report_script
It is good practice to keep a copy of the reports we send to external mail servers; we achieve this in Postfix this way:
# vim /etc/postfix/main.cf
...
sender_bcc_maps = hash:/etc/postfix/bcc_map
...
# vim /etc/postfix/bcc_map
dmarc@example.com mailboxforbcc@example.com

postmap /etc/postfix/bcc_map
Just one more restart of the service and we are ready to go:
/etc/init.d/postfix restart
To test DMARC we need to send an email from our server to an external server that supports DMARC and then send a message from there back to us. For example, Gmail supports this.
In the headers of the received mail there should be a DMARC result (in the Authentication-Results header added by our server). Remember to remove the debug header from the configuration once we have checked that our configuration works correctly:
# vim /etc/opendmarc.conf
#SoftwareHeader true
Quick restart:
/etc/init.d/opendmarc restart
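When checking the test mail it is easy to trust the wrong header: any host on the path can insert an Authentication-Results header of its own, so only the ones carrying our own authserv-id (the TrustedAuthservIDs from opendmarc.conf) count. As an added example that is not part of the original post, the Python below pulls the dmarc, dkim and spf results out of a message, ignores Authentication-Results headers from any other authserv-id, and also reports whether the DMARC-Filter debug header from SoftwareHeader is still present. The sample message, its header values and the untrusted host name are constructed for this example.

```python
# Added example: read DMARC/DKIM/SPF verdicts from a received message,
# trusting only Authentication-Results headers stamped by our own servers.
import email

# Mirrors TrustedAuthservIDs in /etc/opendmarc.conf.
TRUSTED_AUTHSERV_IDS = {"mail.example.com", "mail2.example.com"}

# Constructed sample: three headers from our server, one from an untrusted
# host that must be ignored, plus the debug header SoftwareHeader adds.
SAMPLE_MESSAGE = """\
Authentication-Results: mail.example.com;
\tdmarc=pass (p=quarantine dis=none) header.from=example.com
Authentication-Results: mail.example.com;
\tdkim=pass (1024-bit key) header.d=example.com header.i=@example.com
Authentication-Results: mail.example.com; spf=pass smtp.mailfrom=example.com
Authentication-Results: untrusted.example.net; dmarc=pass header.from=example.com
DMARC-Filter: OpenDMARC Filter mail.example.com CONSTRUCTED-ID
From: alice@example.com
To: bob@example.org
Subject: DMARC test

hello
"""


def parse_auth_results(raw_message: str) -> dict:
    """Return {'results': {method: result}, 'ignored': [authserv-ids]}.

    An Authentication-Results value is "authserv-id; method=result ...;
    method=result ...". Folded header lines are joined before parsing.
    """
    msg = email.message_from_string(raw_message)
    results, ignored = {}, []
    for value in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(str(value).split())
        parts = [p.strip() for p in unfolded.split(";")]
        authserv_id = parts[0].split()[0]
        if authserv_id not in TRUSTED_AUTHSERV_IDS:
            ignored.append(authserv_id)
            continue
        for stanza in parts[1:]:
            if not stanza:
                continue
            method, _, result = stanza.split()[0].partition("=")  # e.g. dmarc=pass
            results[method] = result
    return {"results": results, "ignored": ignored}


def dmarc_verdict(raw_message: str) -> str:
    """DMARC result from trusted headers, or 'missing' if our server added none."""
    return parse_auth_results(raw_message)["results"].get("dmarc", "missing")


def debug_header_present(raw_message: str) -> bool:
    """True while the DMARC-Filter header (SoftwareHeader true) is still emitted."""
    return email.message_from_string(raw_message).get("DMARC-Filter") is not None


if __name__ == "__main__":
    print(parse_auth_results(SAMPLE_MESSAGE))
    print("dmarc:", dmarc_verdict(SAMPLE_MESSAGE))
    if debug_header_present(SAMPLE_MESSAGE):
        print("SoftwareHeader is still enabled; comment it out in opendmarc.conf")
```

A verdict of "missing" on mail that passed through our server usually means the milter is not wired into smtpd_milters or the sending host is listed in ignore.hosts.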
Other posts related to this topic:
Postfix and Dovecot – the perfect duo for a mail server
Fight against spam part 1 – Postfix SPF
Fight against spam part 2 – Postfix DKIM
Fight against spam part 4 – Postfix SpamAssassin
Fight against spam part 5 – Dovecot Sieve