DMARC uses the results of SPF and DKIM verification to prevent mail spoofing.
OpenDMARC reads the SPF and DKIM verification result headers already added by other milters to determine what to do.
# apt install opendmarc
The installer asks for the database configuration. MariaDB should already be set up, so let dbconfig-common do the configuration. This creates the user 'opendmarc'@'localhost' and the database 'opendmarc'.
Cf. OpenDMARC official site
The configuration file is located at /etc/opendmarc.conf.
## Socket socketspec
## default (none)
##
## Specifies the socket that should be established by the filter to receive
## connections from sendmail(8) in order to provide service. socketspec is
## in one of two forms: local:path, which creates a UNIX domain socket at
## the specified path, or inet:port[@host] or inet6:port[@host] which creates
## a TCP socket on the specified port for the appropriate protocol family.
## If the host is not given as either a hostname or an IP address, the
## socket will be listening on all interfaces. This option is mandatory
## either in the configuration file or on the command line. If an IP
## address is used, it must be enclosed in square brackets.
#
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
The socket location is also defined in /etc/default/opendmarc.
# Change to /var/spool/postfix/var/run/opendmarc to use a Unix socket with
# postfix in a chroot:
RUNDIR=/var/spool/postfix/var/run/opendmarc
Create the socket directory and set its ownership, then add the postfix user to the opendmarc group so that Postfix can reach the socket.
# mkdir /var/spool/postfix/opendmarc
# chown opendmarc:opendmarc /var/spool/postfix/opendmarc
# adduser postfix opendmarc
By default, OpenDMARC checks every mail. When it checks mail from authenticated users arriving via the submission port, the check fails because the mail comes from somewhere else (wherever the user is). OpenDMARC then adds an Authentication-Results header with "dmarc=fail", which should not be added.
## Skip checks from authenticated clients
IgnoreAuthenticatedClients true
# systemctl restart opendmarc
milter-greylist does check SPF, but it doesn't provide the proper "Authentication-Results" header for the SPF result. How to add that header can't be found in the manuals, so I went the hard way: manually adding the header in a racl.
# And here is the access list
racl whitelist list "my network"
racl greylist spf self
racl continue spf pass addheader "Authentication-Results: %Mj; spf=pass smtp.mailfrom=%f" # Add this line
racl whitelist spf pass
racl greylist default
Add the OpenDMARC milter after the SPF and DKIM verification milters. Edit /etc/postfix/main.cf.
smtpd_milters = unix:/milter-greylist/greylist.sock unix:/opendkim/opendkim.sock unix:/opendmarc/opendmarc.sock unix:/clamav/clamav-milter.ctl
# systemctl restart postfix
When a mail is received, opendmarc log entries should appear in mail.log. The mail headers will contain the DMARC verification result.
Authentication-Results: mail.example.jp; dmarc=pass (p=none dis=none) header.from=example.com
The failure notice will look like this.
Authentication-Results: mail.examaple.jp; dmarc=fail (p=none dis=none) header.from=example.ne.jp
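To audit received mail in bulk, the headers shown above can be parsed. This is an added example, not from the original post: it assumes this host's authserv-id is mail.example.jp, runs on a constructed sample message, and counts only headers stamped with that id, since a sender can put Authentication-Results lines of its own into a message.

```python
import re
from email import message_from_string

# Constructed sample: two headers from this host, one carrying a foreign authserv-id.
SAMPLE = """\
Authentication-Results: mail.example.jp; dmarc=fail (p=none dis=none) header.from=example.ne.jp
Authentication-Results: mail.example.jp; spf=pass smtp.mailfrom=user@example.ne.jp
Authentication-Results: mx.elsewhere.invalid; dmarc=pass (p=none dis=none) header.from=example.ne.jp
From: user@example.ne.jp

body
"""

# method=result, optional "(comment)", then space-separated ptype.property=value
RESINFO = re.compile(
    r"(?P<method>[a-z]+)=(?P<result>[a-z]+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
    r"(?P<props>(?:\s+[\w.-]+=[^\s;]+)*)"
)

def _pairs(text):
    """Turn 'a=1 b=2' into {'a': '1', 'b': '2'}."""
    return dict(kv.split("=", 1) for kv in (text or "").split() if "=" in kv)

def parse_authres(value):
    """Split one header value into (authserv_id, list of result dicts).
    Simplification: assumes no ';' inside comments, as in the headers above."""
    parts = [p.strip() for p in value.replace("\r", "").replace("\n", " ").split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        m = RESINFO.match(part)
        if m:
            results.append({"method": m["method"], "result": m["result"],
                            "policy": _pairs(m["comment"]), "props": _pairs(m["props"])})
    return authserv_id, results

def dmarc_results(raw_message, trusted_id):
    """Return dmarc results only from headers whose authserv-id is our own."""
    found = []
    for value in message_from_string(raw_message).get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(value)
        if authserv_id == trusted_id.lower():  # ignore ids we did not stamp
            found += [r for r in results if r["method"] == "dmarc"]
    return found

if __name__ == "__main__":
    for r in dmarc_results(SAMPLE, "mail.example.jp"):
        print(r["result"], r["policy"], r["props"].get("header.from"))
```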