Install OpenDMARC on Ubuntu 18.04

apt update && apt -y upgrade && apt -y install opendmarc

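Modify opendmarc.service. Note that unit files under /lib/systemd/system belong to the package and can be replaced on upgrade; a copy of the same name under /etc/systemd/system takes precedence and survives upgrades.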

 vi /lib/systemd/system/opendmarc.service
# systemd unit that runs the OpenDMARC milter daemon.
[Unit]
Description=OpenDMARC Milter
Documentation=man:opendmarc(8) man:opendmarc.conf(5)
# Ordered after the network and name-lookup targets.
After=network.target nss-lookup.target

[Service]
# Supplies $SOCKET, which ExecStart passes to the daemon.
EnvironmentFile=/etc/default/opendmarc
Type=forking
PIDFile=/var/run/opendmarc/opendmarc.pid
# The service process is started as the opendmarc account, not as root.
User=opendmarc
# -p: milter socket, -c: configuration file, -u: user to run as, -P: PID file.
# NOTE(review): because the process already starts as opendmarc, the directory
# /var/run/opendmarc must exist and be writable by that account before start;
# confirm how it is (re)created after a reboot.
ExecStart=/usr/sbin/opendmarc -p $SOCKET -c /etc/opendmarc.conf  -u opendmarc -P /var/run/opendmarc/opendmarc.pid
Restart=on-failure
# Reload sends SIGUSR1 to the main process.
# NOTE(review): presumably this makes opendmarc re-read its configuration; confirm against opendmarc(8).
ExecReload=/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target
systemctl daemon-reload

Edit /etc/opendmarc.conf

vi /etc/opendmarc.conf
# OpenDMARC filter configuration; see opendmarc.conf(5) for every directive.
# authserv-id written into the Authentication-Results header this filter adds.
AuthservID mail.domain.xx
# Generate failure reports for senders whose DMARC record requests them.
# NOTE(review): such reports go to addresses published by the sender domain and
# describe the failed message; confirm you want to send them.
FailureReports true
PidFile /var/run/opendmarc/opendmarc.pid
# NOTE(review): the directive expects a file; on Ubuntu /usr/share/publicsuffix
# appears to be a directory (the list being public_suffix_list.dat inside it);
# confirm the path.
PublicSuffixList /usr/share/publicsuffix
#RejectFailures false
# Messages that fail DMARC evaluation are rejected instead of only being tagged.
# NOTE(review): no DKIM verifier is configured on this page; without trusted
# DKIM results a forwarded message can only pass through SPF, so consider
# running with "false" first and reviewing the logs before enforcing.
RejectFailures true
Syslog true
# Authentication-Results headers carrying these authserv-ids are accepted as input.
# NOTE(review): list only servers you operate, and confirm that outside mail
# cannot arrive carrying a forged header with one of these IDs.
TrustedAuthservIDs post.domain.xx, smtp.domain.yy
UMask 0002
UserID opendmarc:opendmarc
# Mail submitted by SMTP-AUTH clients is not evaluated.
IgnoreAuthenticatedClients true
# Connections from hosts listed in this file are not evaluated.
IgnoreHosts /etc/opendmarc/ignore.hosts
SoftwareHeader false
# Per-message records used for aggregate reporting.
# NOTE(review): /var/run is normally memory-backed, so this history is lost on
# reboot; confirm that is acceptable.
HistoryFile /var/run/opendmarc/opendmarc.dat
# Address that receives a copy of each failure report, and the sender address of those reports.
CopyFailuresTo admin@domain.xx
FailureReportsSentBy postmaster@domain.xx
# Reject messages whose header does not meet the RFC 5322 field-count rules.
RequiredHeaders true
# Ignore SPF results found in the message header and let the filter perform its
# own SPF check, so an SPF result claimed by an arriving header is not relied on.
SPFSelfValidate true
SPFIgnoreResults true
MilterDebug 0

Replace mail.domain.xx with your mail server's FQDN, and replace the other domain.xx / domain.yy hosts and addresses with your own.

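Create ignore.hosts. Mail from the hosts and networks listed in this file is not checked by OpenDMARC, so list only systems you control.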

mkdir -p /etc/opendmarc
vi /etc/opendmarc/ignore.hosts
localhost
127.0.0.1/8
192.168.0.0/24

Edit /etc/default/opendmarc

vi /etc/default/opendmarc
# Settings for the opendmarc service; the unit shown on this page loads this
# file through EnvironmentFile= and uses $SOCKET from it.
RUNDIR=/var/run/opendmarc
# TCP milter socket on port 8892 bound to localhost, so the filter is reachable
# only from this host (the netstat output on this page shows 127.0.0.1:8892).
SOCKET="inet:8892@localhost"
USER=opendmarc
GROUP=opendmarc
# NOTE(review): $NAME is not defined in this file, and the unit shown on this
# page hard-codes its PID file path; confirm whether anything still reads PIDFILE.
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=

Restart OpenDMARC

service opendmarc restart

Add port to services

vi /etc/services
opendmarc       8892/tcp

Check that OpenDMARC is up and listening on the loopback address only

netstat -putan | grep 8892
tcp        0      0 127.0.0.1:8892          0.0.0.0:*               LISTEN      2959/opendmarc

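Add the OpenDMARC milter to Postfix. The `-o smtpd_milters=` override in master.cf replaces any smtpd_milters value from main.cf for that service rather than adding to it. Postfix's milter_default_action defaults to tempfail, so incoming mail is deferred while the milter is unreachable.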

vi /etc/postfix/main.cf
opendmarc_milter = inet:localhost:8892
vi /etc/postfix/master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_milters=${opendmarc_milter}
#smtp      inet  n       -       y       -       1       postscreen
service postfix restart

Test OpenDMARC

Send a test email from Gmail

tail -f /var/log/mail.log | grep opendmarc
opendmarc[13133]: 9CA09500A3E: SPF(mailfrom): mailtest@gmail.com pass
opendmarc[13133]: 9CA09500A3E: gmail.com pass

Mail header:

Authentication-Results: mail.domain.xx; dmarc=pass header.from=gmail.com

Add Sieve Rule to IMAP Account

# Files a message into "Junk" and stops processing when an Authentication-Results
# header contains an spf, dkim or dmarc result of "fail" or "none".
# NOTE(review): "fileinto" and "regex" are Sieve extensions; the complete script
# must declare them at its top, e.g. require ["fileinto", "regex"];
# NOTE(review): the test matches any Authentication-Results header on the
# message, whichever server added it; confirm that only headers from your own
# AuthservID reach the mailbox, or narrow the match.
# NOTE(review): "none" is a common result for legitimate senders that publish no
# SPF/DKIM/DMARC records, so expect such mail in Junk as well. The sample header
# on this page carries only a dmarc= result.
if header :regex ["Authentication-Results"] [".*(spf\=fail|spf\=none|dkim\=fail|dkim\=none|dmarc\=fail|dmarc\=none).*"] {
    fileinto "Junk";
    stop;
}

See also