opendmarc for Debian
--------------------

Configuration Notes for Debian systems
--------------------------------------

The DMARC protocol is built on top of SPF and DKIM, so OpenDMARC needs the SPF and DKIM verification results as input. It reads them from Authentication-Results (A-R) header fields as defined in RFC 5451 (since obsoleted by RFC 8601). OpenDMARC only uses A-R fields whose authserv-id matches either the AuthservID set in /etc/opendmarc.conf or, if that option is unset, the system hostname; fields carrying any other authserv-id are not used. It is therefore important to verify that the authserv-id written by the SPF and DKIM verifiers is the one opendmarc expects, otherwise their results never reach the DMARC evaluation.

In Debian, postfix-policyd-spf-python and opendkim have been tested to generate appropriate A-R header fields. For postfix-policyd-spf-python, however, this is not the default configuration. See man 5 policyd-spf.conf for how to configure it to generate A-R header fields.

To generate aggregate feedback reports a MySQL database is needed. See the man pages for opendmarc-expire, opendmarc-import, opendmarc-params and opendmarc-reports for details on how aggregate report data collection and report generation work. The database schema, setup script and README.schema can be found in /usr/share/doc/opendmarc.

Notes for Postfix users
-----------------------

Postfix users who wish to reach the opendmarc service via a UNIX socket may need to add the postfix user to the opendmarc group and ensure that UMask is set to 002 in /etc/opendmarc.conf, so that the socket is group-writable (connecting to a UNIX socket requires write permission on it). If Postfix's smtpd runs chrooted (the Debian default, with /var/spool/postfix as the chroot), the socket also has to be placed in a directory below that chroot; this can be done by setting the SOCKET variable in /etc/systemd/system/opendmarc.service.d/override.conf (if systemd is used) or in /etc/default/opendmarc (if SysV init is used). Alternately, it can be set with the Socket option in the installed configuration file, /etc/opendmarc.conf.
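The authserv-id matching rule from the Configuration Notes above is easy to get wrong and fails silently, so here is an added check (example code, not part of the opendmarc package or its Debian packaging): it reads the AuthservID option from an opendmarc.conf-style file, falling back to the node name, extracts the authserv-id of every Authentication-Results field in a message, and reports any field opendmarc would not use. The config file and message below are constructed sample input; the hostnames in them are made up.

```shell
#!/bin/sh
# Added example, not part of the opendmarc package: check that the authserv-id
# stamped into Authentication-Results (A-R) header fields by the SPF and DKIM
# verifiers matches what opendmarc expects (AuthservID in opendmarc.conf, or
# the system hostname when that option is unset). Sample files are constructed.
set -eu

# The authserv-id opendmarc will accept: the AuthservID option if present,
# otherwise the node name (the "system hostname" of the README).
expected_authserv_id() {            # expected_authserv_id CONF
    id=$(sed -n -E 's/^[[:space:]]*AuthservID[[:space:]]+([^[:space:]#]+).*/\1/p' "$1" | tail -n 1)
    if [ -n "$id" ]; then printf '%s\n' "$id"; else uname -n; fi
}

# Print the authserv-id of every A-R field in the header block of a message.
# The authserv-id is the first token after the colon, so folded continuation
# lines (which start with whitespace) never match.
ar_authserv_ids() {                 # ar_authserv_ids MESSAGE
    awk '
        /^$/ { exit }                                   # end of header block
        tolower($0) ~ /^authentication-results:/ {
            sub(/^[^:]*:[ \t]*/, "")                    # drop the field name
            sub(/[ \t;].*$/, "")                        # keep the first token
            print
        }' "$1"
}

# Succeed when every A-R authserv-id matches the expected one (compared
# case-insensitively, as domain names are). Otherwise report each foreign id
# and fail: opendmarc does not use A-R fields carrying another authserv-id,
# so their SPF/DKIM results never reach the DMARC evaluation.
check_authserv_ids() {              # check_authserv_ids CONF MESSAGE
    want=$(expected_authserv_id "$1" | tr '[:upper:]' '[:lower:]')
    status=0 count=0
    for got in $(ar_authserv_ids "$2" | tr '[:upper:]' '[:lower:]'); do
        count=$((count + 1))
        if [ "$got" != "$want" ]; then
            printf 'A-R authserv-id "%s" does not match expected "%s"\n' "$got" "$want"
            status=1
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "no Authentication-Results fields found: do the SPF/DKIM verifiers run before opendmarc?"
        status=1
    fi
    return $status
}

# Constructed sample input: a config naming the MTA, and a message whose DKIM
# result was stamped under that name but whose SPF result was not.
tmp=$(mktemp -d)
cat > "$tmp/opendmarc.conf" <<'EOF'
# AuthservID must equal what the SPF/DKIM verifiers write into A-R fields
AuthservID mail.example.org
Socket local:/run/opendmarc/opendmarc.sock
EOF
cat > "$tmp/msg.eml" <<'EOF'
Authentication-Results: mail.example.org;
    dkim=pass header.d=example.com header.s=sel
Authentication-Results: mx1.internal; spf=pass smtp.mailfrom=example.com
From: sender@example.com
Subject: test

body
EOF

if check_authserv_ids "$tmp/opendmarc.conf" "$tmp/msg.eml"; then
    echo "all A-R fields carry the expected authserv-id"
else
    echo "fix the verifier's authserv-id, or set AuthservID in opendmarc.conf to match" >&2
fi
```

Run it against a message saved from your own queue (with the real /etc/opendmarc.conf as the first argument) after enabling A-R output in policyd-spf: the SPF field is the one that most often carries a different name, because policyd-spf and opendmarc each default to their own idea of the hostname.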
If opendmarc fails to start during boot, add After=network-online.target to /etc/systemd/system/opendmarc.service.d/override.conf (if systemd is used) to ensure the network is fully initialized before opendmarc is started. This is not likely to be an issue with SysV init.

The default is to connect to the filter over a UNIX socket; TCP sockets can be used instead. Bind the filter to localhost to keep other hosts from reaching it: for example, to listen on port 8892, specify "inet:8892@localhost". To use a TCP socket on a specific IP address, that address must already be configured on an active network interface when opendmarc starts, which is another reason to order the service after network-online.target.

Changing group ownership of socket
----------------------------------

The group of the UNIX socket created by opendmarc can be changed by changing the primary GID of the opendmarc user, e.g.:

    $ usermod -g mail opendmarc

The socket is created when the daemon starts, so restart opendmarc afterwards for the new group to take effect.
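The Postfix notes above describe several separate adjustments (socket below the chroot, UMask 002, group membership, network-online ordering, and the Postfix milter settings). The following script is an added example, not part of the opendmarc or postfix packages, that applies them together. It takes the opposite route from the usermod example above: instead of changing opendmarc's primary group it adds the postfix user to the opendmarc group. With ROOT set to a scratch directory it only renders the files for inspection; "apply" on the live system also creates the socket directory, adds the group membership and restarts the services. The socket directory name opendmarc under /var/spool/postfix is our choice; everything else uses Debian's default paths.

```shell
#!/bin/sh
# Added example, not part of the opendmarc or postfix packages: wire opendmarc
# to Debian's chrooted Postfix over a UNIX socket. ROOT=<dir> renders the files
# under that directory for inspection; ROOT unset (the default) means the live
# system. The socket directory name "opendmarc" is our choice.
set -eu

ROOT=${ROOT:-}
QUEUE_DIR=/var/spool/postfix                 # Postfix chroot on Debian
SOCK_DIR=$QUEUE_DIR/opendmarc
SOCKET=local:$SOCK_DIR/opendmarc.sock        # opendmarc's Socket syntax
MILTER=unix:opendmarc/opendmarc.sock         # Postfix syntax, relative to the queue dir

live() { [ -z "$ROOT" ]; }

# Set KEY to VALUE in an opendmarc.conf-style file ("Key value"), replacing any
# existing uncommented setting of that key. Commented lines are kept. The file
# is rewritten in place so its ownership and mode do not change.
set_opendmarc_opt() {                        # set_opendmarc_opt FILE KEY VALUE
    tmp=$(mktemp)
    { grep -vE "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null || :; printf '%s %s\n' "$2" "$3"; } > "$tmp"
    cat "$tmp" > "$1"; rm -f "$tmp"
}

# Same for Postfix main.cf ("key = value"). On the live system postconf -e is
# the supported way; the fallback assumes the key sits on a single line.
set_main_cf_opt() {                          # set_main_cf_opt FILE KEY VALUE
    if live && command -v postconf >/dev/null 2>&1; then
        postconf -e "$2 = $3"; return
    fi
    tmp=$(mktemp)
    { grep -vE "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null || :; printf '%s = %s\n' "$2" "$3"; } > "$tmp"
    cat "$tmp" > "$1"; rm -f "$tmp"
}

render_configs() {
    conf=$ROOT/etc/opendmarc.conf
    mkdir -p "${conf%/*}"
    set_opendmarc_opt "$conf" Socket "$SOCKET"
    set_opendmarc_opt "$conf" UMask 002      # socket mode 0775: postfix connects via group write

    # Boot ordering: wait for the network before starting the filter.
    unit_dir=$ROOT/etc/systemd/system/opendmarc.service.d
    mkdir -p "$unit_dir"
    cat > "$unit_dir/override.conf" <<'EOF'
[Unit]
After=network-online.target
Wants=network-online.target
EOF

    # Postfix side. If opendkim is also a milter, it must be listed before
    # opendmarc so its A-R field exists when opendmarc runs.
    main_cf=$ROOT/etc/postfix/main.cf
    mkdir -p "${main_cf%/*}"
    set_main_cf_opt "$main_cf" smtpd_milters "$MILTER"
    set_main_cf_opt "$main_cf" non_smtpd_milters '$smtpd_milters'
    set_main_cf_opt "$main_cf" milter_default_action accept   # don't reject mail if the filter is down
}

# Privileged steps; only meaningful on the live system, run as root.
apply_live() {
    install -d -o opendmarc -g opendmarc -m 0750 "$SOCK_DIR"   # postfix traverses it via the group
    usermod -aG opendmarc postfix            # -a keeps postfix's existing groups
    systemctl daemon-reload
    systemctl restart opendmarc
    postfix reload
}

case ${1:-} in
    render) render_configs; echo "rendered under ${ROOT:-/}" ;;
    apply)  live || { echo "apply is for the live system: unset ROOT" >&2; exit 1; }
            render_configs; apply_live ;;
    *)      echo "usage: ROOT=/some/dir $0 render   |   $0 apply (as root)" >&2 ;;
esac
```

For the TCP variant described above set SOCKET=inet:8892@localhost and MILTER=inet:localhost:8892 and skip the socket directory and group steps. If SOCKET is also set in /etc/default/opendmarc or the systemd override, keep it consistent with the Socket option written here, since the command-line value takes precedence over the configuration file.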