A second attempt at opendmarc

lost_touristHaving failed in my first attempt (my blog) so i decided to try again looking at blogs who confirmed my suspicions that it did not work too well i looked at how others had got the thing to ‘work’

The zoo has dane,dkim and other stuff for some time so i will not be discussing that..

There’s a public suffix list some use which is not included in the debain packaging which was fun and indicates that maybe this is a compiled from source thing rather than an os package to install – ala here is one i prepared earlier.

My first days attempts seemed to work, but i had socket problems with postfix and logging changing ownership and creating the file because that is the sort of thing that it probably needs but won’t automatically do.

On my second day i still have no damm clue as to what opendmarc should be doing. and despite my best efforts

smtpd[*]: warning: connect to Milter service unix:/var/run/opendmarc/opendmarc.sock: No such file or directory

I changed unix to local as specified in /etc/default/opendmarc making the required change to posfix and still nothing happened

so eventually i went with it takes an hour or so to get a message from postfix about the broken socket on a not that busy mail server.


in opendmarc.conf , /etc/default/opendmarc and in the correct main.cf and that seemed to work in version 1.3.0 (current debian stable version)  at time of writing 1.3.1 is debian testing, and 1.3.2. in experimental so there’s no reason to expect massive changes down the release cycle.

I just have it running on four mail hosts

Here is what a correct mail log looks like

date* 17:57:49 host opendmarc[1047]: 1XX8BD6310: gmail.com pass
date* 07:30:15 host opendmarc[1047]: 5XX35BD6310: plexiglas.de none
date* 08:24:20 host opendmarc[1047]: 0XX85BD6310: factoringforless.eu none

not seen it

not seen it

That covers most use cases if hosts do not have dmarc hey that is not my fault.

Errors (or huh) are stated as

opendmarc[*]: *314: unable to parse From header field

So even the dmarc milter has problems with crap email.

For tls signed email

<example.com> SSL

is the response.

If your internal email does not outbound via a public internet address and then return* It seems opendmarc bitches and whines like

opendmarc[1047]: 23XXEBD6310: zoo** fail

However since i route fail2ban email from internal mail to a real email server those messages seem be ignored if you do not specify the opendmarc milter in the internal postfix handler we have.

I might have to add ignore hosts to a file (not done) – or fix internal relaying which is what i did

I am not sure if i can turn off rejectfailures option in opendmarc without perhaps some additional postfix plumbing but that;s my problem not yours since i am probably doing that the wrong way.

Things i have yet to do reporting***, see if the spf thing is broken in opendmarc – works.  But its working with postfix

*i see no point  ** our domains (my blog) are zoo,zoo1,zoo2,zoo3 *** needs mysql (fucking crap software) i will save for another post.

Does the monkey house save the day or will it go wrong, stay tuned for the next episode of opendmarc in draft as we attempt speak with some noteworthy retards with dmarc.

One response

  1. Pingback: opendmarc reporting and extended thoughts | Bananas in the Falklands

by golly but...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.