mirror of
https://github.com/internetstandards/toolbox-wiki.git
synced 2024-11-25 12:31:36 +01:00
Update DMARC-how-to.md
This commit is contained in:
parent
ef7a49befb
commit
53f2e895a4
@ -31,13 +31,71 @@ ruf: forensic reports
|
|||||||
| DMARC configuration tag | Required? | Value(s) | Explanation |
|
| DMARC configuration tag | Required? | Value(s) | Explanation |
|
||||||
| --- | --- | --- | --- |
|
| --- | --- | --- | --- |
|
||||||
| v | mandatory | DMARC1; | |
|
| v | mandatory | DMARC1; | |
|
||||||
| p | mandatory | none<br>quaritine<br>reject | |
|
| p | mandatory | none<br>quaritine<br>reject | None: don't do anything if DMARC verification fails (used for testing)<br>quarantine: treat mail that fails DMARC check as suspicious<br>reject: reject mail that fail DMARC check |
|
||||||
| rua | optional | rua@example.nl | This field contains an e-mail address |
|
| rua | optional | rua@example.nl | This field contains the e-mail address used to send aggregate reports to |
|
||||||
| ruf | optional |ruf@example.nl | This field contains an e-mail address |
|
| ruf | optional |ruf@example.nl | This field contains the e-mail address used to send forensic reports to |
|
||||||
| fo | mandatory | 0<br>1<br>s<br>d | reporting oprions for |
|
| fo | mandatory | <br>0<br>1<br>s<br>d | Reporting options for failure reports. Generates a report if:<br>- both SPF and DKIM tests fail (0)<br>- either SPF or DKIM test fail (1)<br>- SPF test fails (s)<br>- DKIM test fails (d) |
|
||||||
| adkim | optional | s<br>r | |
|
| adkim | optional | s<br>r | Controls how strict the result of DKIM verification should be intepreted. Strict or relaxed. |
|
||||||
| aspf | optional | s<br>r | |
|
| aspf | optional | s<br>r | Controls how strict the result of SPF verification should be intepreted. Strict or relaxed. |
|
||||||
| pct | optional | | |
|
| pct | optional | 0..100 | Determine percentage of mail from your domain to have the DMARC verificaton done by other mail providers. Default is 100. |
|
||||||
| rf | optional | | |
|
| rf | optional | | |
|
||||||
| ri | optional | | |
|
| ri | optional | | |
|
||||||
| sp | optional | | |
|
| sp | optional | | |
|
||||||
|
|
||||||
|
# Reporting
|
||||||
|
to-do
|
||||||
|
|
||||||
|
# Implementing DKIM with OpenDKIM for Postfix with SpamAssassin
|
||||||
|
**Specifics for this setup**
|
||||||
|
* Linux Debian 9.8 (Stretch)
|
||||||
|
* Postfix 3.4.5
|
||||||
|
* BIND 9.10.3-P4-Debian
|
||||||
|
* OpenDMARC v1.3.2
|
||||||
|
|
||||||
|
**Assumptions**
|
||||||
|
* DNSSEC is used
|
||||||
|
* Mail server is operational
|
||||||
|
* Software packages are already installed
|
||||||
|
|
||||||
|
## Outbound e-mail traffic
|
||||||
|
DMARC for outbound e-mail traffic can be accomplished by publishing a DMARC policy as a TXT record in a domain name's DNS zone.
|
||||||
|
|
||||||
|
## Inbound e-mail traffic
|
||||||
|
DMARC for inbound e-mail traffic can be accomplished by setting up OpenDMARC and integrate it with Postfix.
|
||||||
|
|
||||||
|
### Set up OpenDMARC
|
||||||
|
Make sure the file **/etc/opendmarc.conf** has a least the following configuration options.
|
||||||
|
|
||||||
|
AuthservID mail.example.nl
|
||||||
|
PidFile /var/run/opendmarc/opendmarc.pid
|
||||||
|
RejectFailures false
|
||||||
|
Syslog true
|
||||||
|
TrustedAuthservIDs mail.example.nl,mail2.example.nl,localhost,127.0.0.1
|
||||||
|
UMask 0002
|
||||||
|
UserID opendmarc:opendmarc
|
||||||
|
IgnoreAuthenticatedClients true
|
||||||
|
IgnoreHosts /etc/opendmarc/ignore.hosts
|
||||||
|
HistoryFile /var/run/opendmarc/opendmarc.dat
|
||||||
|
Socket inet:54321@localhost
|
||||||
|
|
||||||
|
Make sure the file **/etc/opendmarc/ignore.hosts** contains all hosts that you trust. The e-mail coming from these hosts will not be checked by OpenDMARC:
|
||||||
|
|
||||||
|
127.0.0.1
|
||||||
|
localhost
|
||||||
|
|
||||||
|
Make sure the default file **/etc/default/opendmarc** contains:
|
||||||
|
|
||||||
|
RUNDIR=/var/run/opendmarc
|
||||||
|
SOCKET=inet:54321@localhost
|
||||||
|
USER=opendmarc
|
||||||
|
GROUP=opendmarc
|
||||||
|
PIDFILE=$RUNDIR/opendmarc.pid
|
||||||
|
|
||||||
|
### Integrate with Postfix
|
||||||
|
Now we need to tell Postfix to use OpenDMARC as a mail filter in order to use its functionality. This is done by making sure that **/etc/postfix/main.cf** contains the configuration values as listed below. Notice that the DKIM check (localhost:12301) is done _before_ DMARC (localhost:54321) since DMARC relies on the DKIM results.
|
||||||
|
|
||||||
|
smtpd_milters = inet:localhost:12301,inet:localhost:54321
|
||||||
|
non_smtpd_milters = inet:localhost:12301,inet:localhost:54321
|
||||||
|
|
||||||
|
### Set up reporting
|
||||||
|
to-do
|
||||||
|
Loading…
Reference in New Issue
Block a user