Fight against spam part 3 – Postfix DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport – Wikipedia

 

This is a continuation of topic about fighting against spam when you are self-hosting your mail server which in this case should be Postfix, previously we did finish confguration of SPF and DKIM.

 

Install needed package:

#debian/ubuntu
apt-get install opendmarc

Configure it with basic configuration:

#vim /etc/opendmarc.conf

AuthservID mail.example.com
PidFile /var/run/opendmarc.pid #Debian default
RejectFailures false
Syslog true
TrustedAuthservIDs mail.example.com,mail2.example.com
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
#only for debugging we can add the line below
SoftwareHeader true

But thats not all, lets create folder:

mkdir /etc/opendmarc/

And add host that will be excluded from scanning – us !?!

#vim /etc/opendmarc/ignore.hosts

localhost
ip_address_of_our_server

Assuming we used previous post about fighting with spam we should have DKIM on port 12301 so we can user port 54321 for DMARC:

#vim /etc/default/opendmarc
...
SOCKET="inet:54321@localhost"
...

Let us start opendmarc to ensure we don’t have any typo in configuration file:

/etc/init.d/opendmarc start

 

We need to enable support for this technic in postfix:

#vim /etc/postfix/main.cf

...
smtpd_milters=inet:localhost:12345,inet:localhost:54321
non_smtpd_milters=inet:localhost:12345,inet:localhost:54321
...

Remamber that smtpd-milters and non_smtpd_milters was previously configurated with DKIM so now we have two values as the second is DMARC 🙂

Reload our postfix so he can use DMARC:

/etc/init.d/postfix reload

 

Knowing that DMARC use DKIM and SPF we will have to add another TXT record to our DNS. Internet is full of DMARC wizards to create different configuration, for now we can use the one provided here:

_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400"

 

Normaly alot of people end the configuration here but that is not fully implemented DMARC. They forget about exchanging reports between mail servers. This is way we can fix this:

#vim /usr/share/doc/opendmarc/schema.mysql
...
CREATE USER 'opendmarc'@'localhost' IDENTIFIED BY 'changeme';
GRANT ALL ON opendmarc.* to 'opendmarc'@'localhost';
...

Those line and in schema.mysql but are commented, just uncomment them so we will create proper user for opendmarc

Read and execute schema:

mysql -u root -p < schema.mysql

Create script that will make reports for us:

#vim /etc/opendmarc/report_script

#!/bin/bash

DB_SERVER='database.example.com'
DB_USER='opendmarc'
DB_PASS='password
DB_NAME='opendmarc'
WORK_DIR='/var/run/opendmarc'
REPORT_EMAIL='dmarc@example.com'
REPORT_ORG=example.com'

mv ${WORK_DIR}/opendmarc.dat ${WORK_DIR}/opendmarc_import.dat -f
cat /dev/null > ${WORK_DIR}/opendmarc.dat

/usr/sbin/opendmarc-import --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose < ${WORK_DIR}/opendmarc_import.dat
/usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose --interval=86400 --report-email $REPORT_EMAIL --report-org $REPORT_ORG
/usr/sbin/opendmarc-expire --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose

We need to add that script to cron to make it work multiply times:

chmod +x /etc/opendmarc/report_script

# first test the script before adding it to cron
su -c "/etc/opendmarc/report_script" -s /bin/bash opendmarc

#vim /etc/crontab

1 0 * * * opendmarc /etc/opendmarc/report_script

 

It is a good practice to view reports that we send to external mail servers, we will achive this in postfix this way:

#vim /etc/postfix/main.cf

...
sender_bcc_maps = hash:/etc/postfix/bcc_map
...

#vim /etc/postfix/bcc_map
dmarc@example.com mailboxforbcc@example.com


postmap /etc/postfix/bcc_map

Just one more restart of service and we are ready to go:

/etc/init.d/postfix restart

 

To test DMARC we need to send email from our server to external server that support DMARC and send it from there to us. For example GMail does support this.

In mail header there should be DMARC header. But remamber to delete debug header in configuration after checking if our configuration works alright:

#vim /etc/opendmarc.conf

#SoftwareHeader true

Quick restart:

/etc/init.d/opendmarc restart

 

 

Rest post related to this topic:

Postfix i Dovecot – perfect duo for mail server

Fight against spam part 1 – Postfix SPF

Fight against spam part 2 – Postfix DKIM

Fight against spam part 4 – Postfix SpamAssassin

Fight against spam part 5 – Dovecot Sieve

 

Leave a Reply

Your email address will not be published.

*