Based on Debian 10 "Buster" environment.

OpenDMARC

DMARC uses the results of SPF and DKIM verification to prevent mail spoofing.
OpenDMARC checks the SPF and DKIM verification result headers already added by other milters to determine what to do.

Installation

# apt install opendmarc

The installer will ask for the database configuration. MariaDB should already be set up, so let dbconfig-common do the setup. This will create the user 'opendmarc'@'localhost' and the database 'opendmarc'.

Configuration

OpenDMARC

Cf. OpenDMARC official site
The configuration file is located at /etc/opendmarc.conf.

Change socket location for Postfix.

##  Socket socketspec
##      default (none)
##
##  Specifies the socket that should be established by the filter to receive
##  connections from sendmail(8) in order to provide service.  socketspec is
##  in one of two forms: local:path, which creates a UNIX domain socket at
##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
##  a TCP socket on the specified port for the appropriate protocol family.
##  If the host is not given as either a hostname or an IP address, the
##  socket will be listening on all interfaces.  This option is mandatory
##  either in the configuration file or on the command line.  If an IP
##  address is used, it must be enclosed in square brackets.
#
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock

The socket location is also defined in /etc/default/opendmarc.

# Change to /var/spool/postfix/var/run/opendmarc to use a Unix socket with
# postfix in a chroot:
RUNDIR=/var/spool/postfix/var/run/opendmarc

Create the socket directory and configure ownership.

# mkdir /var/spool/postfix/opendmarc
# chown opendmarc:opendmarc /var/spool/postfix/opendmarc
# adduser postfix opendmarc

Skip checking authenticated mails

By default, OpenDMARC checks every mail. Checking mail from authenticated users sent via the submission port fails, because the mail comes from somewhere else (wherever the user is). OpenDMARC then adds an Authentication-Results header with "dmarc=fail", which should not be added.

##  Skip checks from authenticated clients
IgnoreAuthenticatedClients true

Restart OpenDMARC.

# systemctl restart opendmarc

milter-greylist

milter-greylist does check SPF, but it doesn't provide a proper "Authentication-Results" header for the SPF result. I couldn't find how to add that header in the manuals, so I went the hard way: manually adding the header with a racl.

# And here is the access list
racl whitelist list "my network"
racl greylist spf self
racl continue spf pass addheader "Authentication-Results: %Mj; spf=pass smtp.mailfrom=%f"   # Add this line
racl whitelist spf pass
racl greylist default

Postfix

Add OpenDMARC milter after SPF and DKIM verification. Edit /etc/postfix/main.cf.

smtpd_milters = unix:/milter-greylist/greylist.sock unix:/opendkim/opendkim.sock unix:/opendmarc/opendmarc.sock unix:/clamav/clamav-milter.ctl

Restart Postfix.

# systemctl restart postfix

Test

When a mail is received, an opendmarc log entry should appear in mail.log. The mail header will contain the DMARC verification result.

Authentication-Results: mail.example.jp; dmarc=pass (p=none dis=none) header.from=example.com

A failed result will look like this.

Authentication-Results: mail.example.jp; dmarc=fail (p=none dis=none) header.from=example.ne.jp
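
To check the result on a saved message rather than by eye, the following added example (not from the original page or the OpenDMARC project) parses the Authentication-Results headers and returns the DMARC verdict. The function name, the sample message and the choice to accept only headers stamped with the authserv-id mail.example.jp are assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed sample message. The header values reuse the results shown above;
# the third header imitates a result stamped by some other host.
SAMPLE = """\
Return-Path: <user@example.com>
Authentication-Results: mail.example.jp; spf=pass smtp.mailfrom=user@example.com
Authentication-Results: mail.example.jp;
 dmarc=pass (p=none dis=none) header.from=example.com
Authentication-Results: other.invalid; dmarc=pass header.from=example.com
From: user@example.com
Subject: test

body
"""

DMARC_RE = re.compile(
    r"\bdmarc=(?P<result>\w+)"                   # dmarc=pass / dmarc=fail
    r"(?:\s*\((?P<comment>[^)]*)\))?"            # optional "(p=none dis=none)"
    r"(?:\s+header\.from=(?P<domain>[^\s;]+))?"  # optional header.from=domain
)

def dmarc_results(raw_message, authserv_id):
    """Return DMARC verdicts from headers stamped by authserv_id only."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
        server, _, rest = value.partition(";")
        name = server.split()[:1]                    # drop optional version token
        if not name or name[0].lower() != authserv_id.lower():
            continue                                 # not stamped by our server
        for m in DMARC_RE.finditer(rest):
            comment = m.group("comment") or ""
            tags = dict(t.split("=", 1) for t in comment.split() if "=" in t)
            found.append({
                "result": m.group("result"),
                "policy": tags.get("p"),
                "disposition": tags.get("dis"),
                "header_from": m.group("domain"),
            })
    return found

if __name__ == "__main__":
    for verdict in dmarc_results(SAMPLE, "mail.example.jp"):
        print(verdict)
```

Headers carrying a different authserv-id are skipped, so a result line that arrived with the message is not mistaken for one added by the local OpenDMARC.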

Update History

2020-03-28

  • Add "IgnoreAuthenticatedClients" configuration