DMARC CONFIGURATION ON DEBIAN
BIND configuration
> grep dmarc /etc/bind/pri.webologix.com
_dmarc 3600 TXT "v=DMARC1; p=none; rua=mailto:...; ruf=mailto:...; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=600"
(The two report addresses were obscured by the source site's spam protection and are left out here. Every tag, fo=1 included, has to be terminated by a semicolon: a space on its own does not separate tags, and a receiver would read "1 adkim=r" as the value of fo and silently lose the adkim tag.)
Where:
- v: DMARC version. This is a required field and must be the first tag; for now its value is always DMARC1.
- p: DMARC policy. This is required as well and takes one of three values:
- none: do nothing if the DMARC check fails. This is the right setting while you are still testing your DMARC implementation, because a mistake in the configuration will not disrupt your outgoing mail.
- quarantine: mail that fails the DMARC check should be treated as suspicious (typically delivered to the spam folder). This is a good middle ground if you want to make sure none of your mail gets lost.
- reject: mail that fails the DMARC check should be refused. This is the right setting if your domain is being abused for phishing, or if trust in your e-mail matters more than the occasional lost message.
- rua: optional; the address(es) to which DMARC aggregate reports are to be sent. The only URI scheme the specification defines for this tag is mailto: (I have not used anything else so far). If you omit this tag you will receive no reports at all. If the report address is in a different domain from the one the record belongs to, that domain must publish a TXT record named <your-domain>._report._dmarc.<report-domain> with the value "v=DMARC1", otherwise receivers will not send the reports.
- ruf: like rua, but for DMARC forensic (per-message failure) reports, which contain details about individual messages claiming to be from your domain that failed verification. Many large providers, Gmail among them, do not send forensic reports at all, so do not rely on them.
- fo: reporting options for the failure reports (only meaningful when ruf is set). There are four values, which can be combined with a colon, e.g. fo=1:d:
- 0: generate a report if both the SPF and the DKIM tests failed (the default)
- 1: generate a report if either the SPF or the DKIM test failed
- s: generate a report if the SPF test failed
- d: generate a report if the DKIM test failed
- adkim: optional; controls how strictly DKIM alignment is interpreted, i.e. how the d= domain of a valid signature must relate to the From: domain. Defaults to relaxed if absent. Possible values:
- s: strict, the signing domain must be identical to the From: domain
- r: relaxed, the signing domain may be any subdomain of the same organizational domain
- aspf: optional; the same for SPF alignment, i.e. how the domain that passed SPF (the envelope sender domain) must relate to the From: domain. Defaults to relaxed if absent. Possible values:
- s: strict
- r: relaxed
- pct: optional; the percentage of messages that fail the DMARC check to which the policy is applied. Messages outside that sample get the next less strict policy (quarantine instead of reject, none instead of quarantine), which lets you ramp up enforcement gradually. An integer between 0 and 100; defaults to 100.
- rf: optional; the preferred format for forensic reports. Defaults to afrf, which is also the only format RFC 7489 defines:
- afrf: Authentication Failure Reporting Format
- iodef: Incident Object Description Exchange Format (listed in earlier drafts, not in RFC 7489)
- ri: optional; the interval, in seconds, at which you want to receive aggregate reports. Defaults to 86400 seconds (one day). The specification requires every participating organization to be able to send reports at least once a day; intervals down to one hour are within the specification, but are served on a best-effort basis.
- sp: the last field, also optional and not present in my example, is the subdomain policy. If you do not set it, the policy in p also applies to your subdomains. It takes the same values as p. This is useful if you know that you never send mail from any of your subdomains: you can then set the subdomain policy to reject without any risk of legitimate e-mail being discarded.
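The rules above can be checked mechanically before the record goes into the zone file. The following Python script is an added example, not part of these notes: it splits a DMARC TXT record into tags, enforces the required v and p tags and the allowed values listed above, accepts only mailto: URIs for rua and ruf, and warns when rua is missing or fo has no ruf to act on. The sample records at the bottom are constructed; the second one reproduces a missing semicolon after fo=1 to show how the fo tag swallows the following adkim tag.

```python
import re
from typing import Dict, List, Tuple

# Allowed values per tag, as listed in the text. rf: RFC 7489 only defines afrf.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "rf": {"afrf"},
}
FO_OPTIONS = {"0", "1", "d", "s"}
# mailto: URI with an optional "!size" suffix (e.g. mailto:dmarc@example.com!10m)
MAILTO = re.compile(r"^mailto:[^@\s!]+@[^@\s!]+(![0-9]+[kmgt]?)?$", re.IGNORECASE)


def parse_dmarc(record: str) -> List[Tuple[str, str]]:
    """Split a record into (tag, value) pairs. Tags are separated by ';' only,
    so "fo=1 adkim=r" yields a single tag fo with the value "1 adkim=r"."""
    pairs: List[Tuple[str, str]] = []
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"tag without '=': {chunk!r}")
        tag, value = chunk.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def validate_dmarc(record: str) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for a DMARC TXT record."""
    errors: List[str] = []
    warnings: List[str] = []
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return {"errors": [str(exc)], "warnings": []}
    tags = dict(pairs)

    # v must come first and p must be present: both are required by the spec.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        errors.append("record must start with v=DMARC1")
    if "p" not in tags:
        errors.append("required tag p missing")

    for tag, value in pairs:
        if tag in ALLOWED:
            if value not in ALLOWED[tag]:
                errors.append(f"{tag}={value!r} is not one of {sorted(ALLOWED[tag])}")
        elif tag == "fo":
            # fo takes a colon-separated list of options, e.g. fo=1:d
            if not value or not set(value.split(":")) <= FO_OPTIONS:
                errors.append(f"fo={value!r} must be a ':'-separated list of 0, 1, d, s")
        elif tag == "pct":
            if not value.isdigit() or not 0 <= int(value) <= 100:
                errors.append(f"pct={value!r} must be an integer between 0 and 100")
        elif tag == "ri":
            if not value.isdigit():
                errors.append(f"ri={value!r} must be a number of seconds")
        elif tag in ("rua", "ruf"):
            # only mailto: URIs are defined; several may be given, comma-separated
            bad = [u.strip() for u in value.split(",") if not MAILTO.match(u.strip())]
            if bad:
                errors.append(f"{tag} contains non-mailto: URI(s): {bad}")

    if "rua" not in tags:
        warnings.append("no rua: you will receive no aggregate reports")
    if "fo" in tags and "ruf" not in tags:
        warnings.append("fo is set but ruf is absent, so it has no effect")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed records: a correct one and one with the missing ';' after fo=1.
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; "
        "fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=600",
        "v=DMARC1; p=quarantine; fo=1 adkim=r; aspf=r; pct=100; rf=afrf; ri=86400",
    ):
        print(rec)
        print(validate_dmarc(rec))
```

Run it against the output of `dig +short TXT _dmarc.<your-domain>` (with the surrounding quotes stripped) before and after every change to the record; an error means some receivers will ignore or misread the tag, a warning means you are flying blind.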
After debugging, set the final parameters:
> grep dmarc /etc/bind/pri.webologix.com
_dmarc 3600 TXT "v=DMARC1; p=quarantine; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400"
Note that this record carries no rua tag, so you will receive no aggregate reports and have no visibility into what receivers do with mail from your domain; keep rua in the final record if you intend to move on to p=reject later. The fo tag has no effect without ruf.
DEBIAN INSTALLATION
apt install opendmarc
Configuration
The sockets are configured as Unix domain socket files rather than TCP ports, so that no firewall rule gets in the way.
> nocomment.sh /etc/opendmarc.conf
AuthservID HOSTNAME
PidFile /var/run/opendmarc/opendmarc.pid
PublicSuffixList /usr/share/publicsuffix
Socket local:/var/run/opendmarc/opendmarc.sock
Syslog true
TrustedAuthservIDs HOSTNAME, mail.webologix.com, imap.webologix.com, smtp.webologix.com, pop.webologix.com, webologix.com
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
SoftwareHeader true
- AuthservID: the authentication service identifier opendmarc writes into its own Authentication-Results header and uses to recognise its own results. The literal HOSTNAME makes opendmarc use the host name of the machine; otherwise use another string that is unique within your organisation.
- PidFile: path to the PID file
- PublicSuffixList: path to the public suffix list file opendmarc uses to work out the organizational domain for relaxed alignment. Check that the path points at a file rather than a directory; on Debian the publicsuffix package installs it as /usr/share/publicsuffix/public_suffix_list.dat.
- Socket: where the milter listens; local:/path is a Unix domain socket, inet:port@host a TCP socket.
- RejectFailures: a Boolean; if true, e-mail that fails DMARC verification is rejected by your mail server. I prefer simply tagging the mail, so I set this to false.
- Syslog: true or false; tells opendmarc whether or not to log to syslog
- TrustedAuthservIDs: Authentication-Results headers carrying one of these AuthservIDs are accepted as valid input for the DMARC assessment (SPF and DKIM results produced by other hosts). This prevents the checks from being run several times when you have several mail servers in your organisation. Headers with any other identifier are ignored, which is why this list must only contain your own hosts: any upstream host, the sender included, can add an Authentication-Results header of its own.
- UMask: the PID file and the socket file are created with this umask. 0002 makes the socket group-writable, so the postfix user must be a member of the opendmarc group to connect to it.
- UserID: the user and group running the opendmarc service, separated by a colon
- IgnoreHosts: path to the list of hosts whose mail is not checked
- HistoryFile: path under which the history file is created. This file is needed if you want to generate aggregate reports to send to other organisations (the opendmarc-import and opendmarc-reports tools read it).
- SoftwareHeader: adds a "DMARC-Filter" header with the opendmarc version to every processed mail. Good to have during testing.
- The ForensicReporting options seem to be broken in the version of opendmarc that I used: when I tried to uncomment them, opendmarc would not start because of unrecognised parameters.
ignore.hosts (one host name, IP address or CIDR block per line; the addresses below are masked):
> cat /etc/opendmarc/ignore.hosts
localhost
xx.23.227.123
xx.21.69.195
Socket configuration:
> nocomment.sh /etc/default/opendmarc
RUNDIR=/var/run/opendmarc
SOCKET=local:$RUNDIR/opendmarc.sock
USER=opendmarc
GROUP=opendmarc
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=
Postfix configuration
> grep milters /etc/postfix/main.cf
#smtpd_milters = inet:localhost:8891
#non_smtpd_milters = inet:localhost:8891
smtpd_milters = local:/var/spool/postfix/var/run/opendkim/opendkim.sock, local:/var/run/opendmarc/opendmarc.sock
non_smtpd_milters = local:/var/spool/postfix/var/run/opendkim/opendkim.sock, local:/var/run/opendmarc/opendmarc.sock
Each milter entry needs an inet:, unix: or local: prefix, and the opendmarc path must match the Socket line in opendmarc.conf (opendmarc.sock, not opendmarc). OpenDMARC must be listed after OpenDKIM, since it relies on the Authentication-Results header OpenDKIM adds. If smtpd and cleanup run chrooted (the Debian default), a Unix socket outside /var/spool/postfix is unreachable for them; in that case put the opendmarc socket under /var/spool/postfix as was done for opendkim, and keep the Socket line in opendmarc.conf and SOCKET in /etc/default/opendmarc in step with it. Unless milter_default_action is set, Postfix answers with a temporary failure whenever a milter is unreachable; set milter_default_action = accept if you prefer mail to keep flowing while opendmarc is down.
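Before restarting Postfix it is worth cross-checking the milter list against opendmarc's own Socket line. The script below is an added example, not part of these notes or of Postfix or OpenDMARC: it works on the two settings as plain strings (the values from this page are fed in as constructed input) and flags an entry without an inet:/unix:/local: prefix, a path that differs from opendmarc's Socket, OpenDMARC listed before OpenDKIM, and, when smtpd runs chrooted (passed in as a flag, True being the Debian default), a Unix socket outside /var/spool/postfix.

```python
from typing import List

POSTFIX_CHROOT = "/var/spool/postfix"   # Debian's default chroot for smtpd and cleanup


def split_milters(value: str) -> List[str]:
    """Postfix accepts commas and/or whitespace between milter entries."""
    return value.replace(",", " ").split()


def normalise(endpoint: str) -> str:
    """Bring both spellings to one form: local: and unix: mean the same thing to
    Postfix, and opendmarc writes TCP sockets as inet:port@host while Postfix
    writes inet:host:port."""
    if endpoint.startswith("inet:") and "@" in endpoint:
        port, _, host = endpoint[5:].partition("@")
        return f"inet:{host}:{port}"
    return endpoint.replace("local:", "unix:", 1)


def lint_milters(smtpd_milters: str, opendmarc_socket: str, chrooted: bool = True) -> List[str]:
    """Return the problems found in a Postfix smtpd_milters value, given the
    Socket line from opendmarc.conf and whether smtpd runs chrooted."""
    problems: List[str] = []
    entries = split_milters(smtpd_milters)
    seen_dkim = False
    for entry in entries:
        # Postfix only understands inet:host:port, unix:/path and local:/path
        if not entry.startswith(("inet:", "unix:", "local:")):
            problems.append(f"{entry}: no inet:/unix:/local: prefix")
            continue
        scheme, _, path = entry.partition(":")
        if scheme != "inet" and chrooted and not path.startswith(POSTFIX_CHROOT + "/"):
            problems.append(f"{entry}: outside {POSTFIX_CHROOT}, unreachable from a chrooted smtpd")
        if "opendkim" in path:
            seen_dkim = True
        if "opendmarc" in path and not seen_dkim:
            # OpenDMARC reads the Authentication-Results header OpenDKIM adds
            problems.append(f"{entry}: OpenDMARC listed before OpenDKIM")
    if normalise(opendmarc_socket) not in {normalise(e) for e in entries}:
        problems.append(f"opendmarc Socket {opendmarc_socket} is not listed in smtpd_milters")
    return problems


if __name__ == "__main__":
    # The values from this page (constructed input for the example)
    milters = "local:/var/spool/postfix/var/run/opendkim/opendkim.sock, /var/run/opendmarc/opendmarc"
    socket = "local:/var/run/opendmarc/opendmarc.sock"
    for chrooted in (False, True):
        print(f"chrooted={chrooted}:", lint_milters(milters, socket, chrooted) or "ok")
```

On a live system the two inputs come from `postconf -h smtpd_milters` and the Socket line of /etc/opendmarc.conf; check non_smtpd_milters the same way.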
Verification
Exchange mail with an external address, preferably a Gmail one, and check the Authentication-Results header of the received message for dmarc=pass (the same header shows the spf= and dkim= results that fed into the verdict). For mail coming in, look for the Authentication-Results header written by your own host (the AuthservID set above) and, while SoftwareHeader is on, for the DMARC-Filter header that proves the mail went through opendmarc.
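What "checking the headers" amounts to, as an added example that is not part of the original notes: the script parses every Authentication-Results header of a message with Python's email package and only trusts the one whose authserv-id is in a set of our own identifiers, mirroring AuthservID and TrustedAuthservIDs in opendmarc.conf, since any upstream host can add such a header. The two messages are constructed (not real captures), and the trusted set is an assumption for the example: mail.webologix.com from the configuration above plus mx.google.com, the identifier Gmail writes into its own header.

```python
import email
import re
from email import policy
from typing import Dict, Optional, Set

# authserv-ids whose results we believe (assumption made for this example)
TRUSTED_AUTHSERV: Set[str] = {"mail.webologix.com", "mx.google.com"}

# One "method=result" clause; comments and properties after the result are ignored.
RESULT_RE = re.compile(r"^([a-z0-9-]+)(?:/\d+)?\s*=\s*([a-z]+)", re.IGNORECASE)


def parse_authres(value: str) -> Dict[str, str]:
    """Parse an Authentication-Results value (RFC 8601) into
    {"authserv": id, "dmarc": "pass", "dkim": "...", "spf": "..."}."""
    unfolded = " ".join(value.split())               # undo header folding
    authserv, _, rest = unfolded.partition(";")
    out = {"authserv": authserv.split()[0].lower()}  # drop an optional version number
    for clause in rest.split(";"):
        m = RESULT_RE.match(clause.strip())
        if m:
            out.setdefault(m.group(1).lower(), m.group(2).lower())
    return out


def dmarc_verdict(raw: str, trusted: Set[str] = TRUSTED_AUTHSERV) -> Optional[Dict[str, str]]:
    """Return the results from the first Authentication-Results header written by
    a trusted authserv-id, or None if there is none. Headers with other ids are
    ignored: any upstream host, including the sender, can add one."""
    msg = email.message_from_string(raw, policy=policy.default)
    for value in msg.get_all("Authentication-Results", []):
        res = parse_authres(str(value))
        if res["authserv"] in trusted:
            return res
    return None


def passes_dmarc(raw: str) -> bool:
    res = dmarc_verdict(raw)
    return res is not None and res.get("dmarc") == "pass"


# Constructed messages for the example. The first carries a forged header that
# claims dmarc=pass, followed by the genuine one written by our own host.
MSG_PASS = """\
Authentication-Results: evil.example; dmarc=pass header.from=webologix.com
Authentication-Results: mail.webologix.com;
\tdkim=pass (2048-bit key) header.d=webologix.com header.i=@webologix.com;
\tspf=pass (sender IP is 192.0.2.10) smtp.mailfrom=webologix.com;
\tdmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=webologix.com
From: someone@webologix.com
To: test@example.com
Subject: DMARC test

hello
"""

MSG_FAIL = """\
Authentication-Results: mail.webologix.com;
\tdkim=none;
\tspf=fail (sender IP is 198.51.100.7) smtp.mailfrom=webologix.com;
\tdmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=webologix.com
From: someone@webologix.com
To: test@example.com
Subject: spoofed

hello
"""

if __name__ == "__main__":
    print(dmarc_verdict(MSG_PASS))
    print(passes_dmarc(MSG_PASS), passes_dmarc(MSG_FAIL))
```

To check a real message, save it from your mailbox as an .eml file, read it into a string and pass it to dmarc_verdict; if it returns None, no trusted host wrote a header, which usually means opendmarc never saw the message.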