opendmarc systemd fun

Had some fun (my blog) with Debian 9.4 until I re-added -p inet:8893:localhost to the systemd file (on the ExecStart line below):

/lib/systemd/system$ cat opendmarc.service
[Unit]
Description=OpenDMARC Milter
Documentation=man:opendmarc(8) man:opendmarc.conf(5)
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/opendmarc/opendmarc.pid
User=opendmarc
ExecStart=/usr/sbin/opendmarc -p inet:8893:localhost
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target

Check your groups: the group permissions had been returned to read-only rather than read-write.

That seems to get stuff working, but then

warning: milter inet:127.0.0.1:8893: can't read SMFIC_OPTNEG reply packet header: Success
warning: milter inet:127.0.0.1:8893: read error in initial handshake

made life fun again, and I think a restart of opendkim will resolve that.

That got opendmarc ready to write to a text file for import into SQL (my blog) and then reporting via SMTP, so back to normal, although Debian did not inform me that the systemd file had been replaced.

I like being a mindreader

A second attempt at opendmarc

Having failed in my first attempt (my blog), I decided to try again. Looking at blogs that confirmed my suspicions that it did not work too well, I looked at how others had got the thing to 'work'.

The zoo has had DANE, DKIM and other stuff for some time, so I will not be discussing that.

There's a public suffix list some use which is not included in the Debian packaging, which was fun and indicates that maybe this is a compile-from-source thing rather than an OS package to install, a la 'here is one I prepared earlier'.

My first day's attempts seemed to work, but I had socket problems with Postfix and logging: changing ownership and creating the file, because that is the sort of thing it probably needs but won't do automatically.

On my second day I still had no damn clue as to what opendmarc should be doing, and despite my best efforts

smtpd[*]: warning: connect to Milter service unix:/var/run/opendmarc/opendmarc.sock: No such file or directory

I changed unix to local as specified in /etc/default/opendmarc, making the required change to Postfix, and still nothing happened.

(It takes an hour or so to get a message from Postfix about the broken socket on a not-that-busy mail server.) So eventually I went with

 inet:127.0.0.1:54321

in opendmarc.conf, /etc/default/opendmarc and in the correct main.cf, and that seemed to work in version 1.3.0 (the current Debian stable version). At the time of writing 1.3.1 is in Debian testing and 1.3.2 in experimental, so there's no reason to expect massive changes down the release cycle.
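Part of what makes this painful is that the two sides spell the same socket differently: opendmarc.conf(5) and opendmarc -p take inet:PORT@HOST or local:PATH, while Postfix's smtpd_milters takes inet:HOST:PORT or unix:PATH (so the first post's -p inet:8893:localhost is not the documented libmilter form; inet:8893@localhost is). On Debian the value may also live in /etc/default/opendmarc, and Postfix only runs the milter on locally submitted mail (pickup, sendmail) if it is also in non_smtpd_milters. The checker below is an added example, not code from this blog or from the OpenDMARC project: it reads the three files, normalises both spellings and reports any disagreement. The file contents are constructed, and the SOCKET variable name in /etc/default/opendmarc and treating localhost as 127.0.0.1 are assumptions.

```python
"""Check that OpenDMARC and Postfix agree on the milter socket.

Added example, not code from this blog or from the OpenDMARC project.
Syntax per the man pages: opendmarc.conf(5) / opendmarc -p take
inet:PORT@HOST or local:PATH; Postfix smtpd_milters takes inet:HOST:PORT
or unix:PATH. The SOCKET= variable in /etc/default/opendmarc is assumed.
"""
import re


def parse_milter_spec(spec, dialect):
    """Normalise to ('inet', host, port) or ('unix', path); None if the spec
    is not in the documented form for dialect 'milter' or 'postfix'."""
    kind, sep, rest = spec.strip().strip("\"'").partition(":")
    if not sep:
        return None
    kind = kind.lower()
    if kind in ("local", "unix"):              # filesystem socket, either side
        return ("unix", rest)
    if kind != "inet":
        return None
    if dialect == "milter":                     # inet:PORT[@HOST]
        m = re.fullmatch(r"(\d+)(?:@(.+))?", rest)
        if not m:
            return None                         # e.g. inet:8893:localhost
        port, host = int(m.group(1)), m.group(2) or "0.0.0.0"
    else:                                       # inet:HOST:PORT
        host, sep, port = rest.rpartition(":")
        if not sep or not port.isdigit():
            return None
        port = int(port)
    if host.lower() == "localhost":             # assumption: IPv4 loopback, not ::1
        host = "127.0.0.1"
    return ("inet", host, port)


def socket_from_opendmarc_conf(text):
    """Value of the Socket keyword in opendmarc.conf ('#' starts a comment)."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "socket":
            return parts[1].strip()
    return None


def socket_from_default_file(text):
    """SOCKET=... from /etc/default/opendmarc (shell-style assignment)."""
    for line in text.splitlines():
        m = re.fullmatch(r"\s*SOCKET\s*=\s*(.+?)\s*", line.split("#", 1)[0])
        if m:
            return m.group(1)
    return None


def milters_from_main_cf(text):
    """smtpd_milters / non_smtpd_milters lists from main.cf, joining
    continuation lines and expanding one level of $param references."""
    logical, params = [], {}
    for line in text.splitlines():
        if line[:1].isspace() and logical:      # indented line continues the previous one
            logical[-1] += " " + line.strip()
        elif not line.startswith("#"):
            logical.append(line)
    for line in logical:
        m = re.fullmatch(r"\s*(\w+)\s*=\s*(.*?)\s*", line)
        if m:
            params[m.group(1)] = m.group(2)
    expand = lambda v: re.sub(r"\$(\w+)", lambda mo: params.get(mo.group(1), ""), v)
    return {name: [s for s in re.split(r"[,\s]+", expand(params.get(name, ""))) if s]
            for name in ("smtpd_milters", "non_smtpd_milters")}


def check_milter_sockets(opendmarc_conf, default_file, main_cf):
    """Return findings as strings; an empty list means the three files agree."""
    findings, listening = [], {}
    for label, raw in (("opendmarc.conf Socket", socket_from_opendmarc_conf(opendmarc_conf)),
                       ("/etc/default/opendmarc SOCKET", socket_from_default_file(default_file))):
        parsed = None if raw is None else parse_milter_spec(raw, "milter")
        if raw is None:
            findings.append(f"{label}: not set")
        elif parsed is None:
            findings.append(f"{label}: {raw!r} is not in libmilter form (inet:PORT@HOST or local:PATH)")
        else:
            listening[label] = parsed
    if len(set(listening.values())) > 1:
        findings.append("opendmarc.conf and /etc/default/opendmarc disagree: "
                        + "; ".join(f"{k} = {v}" for k, v in listening.items()))
    for param, specs in milters_from_main_cf(main_cf).items():
        parsed = [parse_milter_spec(s, "postfix") for s in specs]
        findings += [f"main.cf {param}: {s!r} is not in Postfix form (inet:HOST:PORT or unix:PATH)"
                     for s, p in zip(specs, parsed) if p is None]
        if listening and not any(p in listening.values() for p in parsed):
            findings.append(f"main.cf {param}: nothing points at the opendmarc socket; "
                            f"mail on that path skips DMARC ({param} = {specs})")
    return findings


# Constructed sample files mirroring the post: the unix:/local: attempt that
# never connected, and the inet form that worked. Listening side held fixed.
OPENDMARC_CONF = "# constructed\nAuthservID mail.zoo.example\nSocket inet:54321@localhost\n"
DEFAULT_FILE = 'SOCKET="inet:54321@localhost"\n'
BROKEN_MAIN_CF = "smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock\nnon_smtpd_milters = $smtpd_milters\n"
FIXED_MAIN_CF = "smtpd_milters = inet:127.0.0.1:54321,\n    inet:localhost:8891\nnon_smtpd_milters = $smtpd_milters\n"

if __name__ == "__main__":
    for name, cf in (("broken", BROKEN_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(name, check_milter_sockets(OPENDMARC_CONF, DEFAULT_FILE, cf) or "OK")
```

Run it against the real files by reading them in place of the constructed strings; a finding of "not in libmilter form" on the opendmarc side is worth fixing even when the milter appears to connect, since only the documented form is guaranteed to bind where you think it does.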

I just have it running on four mail hosts.

Here is what a correct mail log looks like:

date* 17:57:49 host opendmarc[1047]: 1XX8BD6310: gmail.com pass
date* 07:30:15 host opendmarc[1047]: 5XX35BD6310: plexiglas.de none
date* 08:24:20 host opendmarc[1047]: 0XX85BD6310: factoringforless.eu none

not seen it

not seen it

That covers most use cases; if hosts do not have DMARC, hey, that is not my fault.

Errors (or "huh") are stated as

opendmarc[*]: *314: unable to parse From header field

So even the DMARC milter has problems with crap email.

For TLS signed email

<example.com> SSL

is the response.

If your internal email does not go outbound via a public internet address and then return*, it seems opendmarc bitches and whines like

opendmarc[1047]: 23XXEBD6310: zoo** fail

However, since I route fail2ban email from internal mail to a real email server, those messages seem to be ignored if you do not specify the opendmarc milter in the internal Postfix handler we have.

I might have to add ignore hosts to a file (not done), or fix internal relaying, which is what I did.
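The log lines above (the pass/none results, the "unable to parse From header field" error, the own-domain fail, and the Postfix milter warnings from the first post) are regular enough to summarise from syslog. The following is an added example, not code from this blog or from OpenDMARC: it tallies results per domain, collects the parse errors, flags fails for your own domains (the internal-relay symptom described above) and picks out Postfix's milter-connection warnings. The log lines and the own-domain set are constructed, and the line layout is assumed from what the post quotes.

```python
"""Summarise OpenDMARC log lines and flag the failure modes the post shows.

Added example, not code from this blog or from OpenDMARC. Line layout is
assumed from the post's quoted syslog:
    host opendmarc[PID]: QUEUEID: DOMAIN pass|fail|none
    host opendmarc[PID]: QUEUEID: unable to parse From header field
    host postfix/smtpd[PID]: warning: connect to Milter service SOCKET: ...
    host postfix/smtpd[PID]: warning: milter SOCKET: ...
"""
import re
from collections import Counter, defaultdict

RESULT_RE = re.compile(r"opendmarc\[\d+\]: (?P<qid>[^:\s]+): (?P<domain>\S+) (?P<result>pass|fail|none)$")
ERROR_RE = re.compile(r"opendmarc\[\d+\]: (?P<qid>[^:\s]+): (?P<msg>unable to .*)$")
MILTER_WARN_RE = re.compile(r"warning: (?:connect to Milter service|milter) (?P<sock>\S+): (?P<msg>.*)$")


def summarise(log_text, own_domains):
    """Per-domain result counts, parse errors, own-domain fails and Postfix
    milter warnings from a block of syslog text."""
    results = defaultdict(Counter)
    summary = {"totals": Counter(), "errors": [], "own_domain_fail": [],
               "milter_warnings": [], "unrecognised": 0}
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            domain, result = m.group("domain").lower(), m.group("result")
            results[domain][result] += 1
            summary["totals"][result] += 1
            # A fail for one of our own domains is the post's 'zoo fail' case:
            # internal mail hitting the milter without going out and back in.
            if result == "fail" and domain in own_domains:
                summary["own_domain_fail"].append(m.group("qid"))
            continue
        m = ERROR_RE.search(line)
        if m:
            summary["errors"].append((m.group("qid"), m.group("msg")))
            continue
        m = MILTER_WARN_RE.search(line)
        if m:                                   # milter unreachable / handshake broken
            summary["milter_warnings"].append((m.group("sock"), m.group("msg")))
            continue
        if "opendmarc[" in line:                # something this parser does not know
            summary["unrecognised"] += 1
    summary["results"] = {d: dict(c) for d, c in results.items()}
    return summary


# Constructed sample log (queue ids partly redacted, as in the post).
SAMPLE_LOG = """\
Jun  1 17:57:49 host opendmarc[1047]: 1XX8BD6310: gmail.com pass
Jun  2 07:30:15 host opendmarc[1047]: 5XX35BD6310: plexiglas.de none
Jun  2 08:24:20 host opendmarc[1047]: 0XX85BD6310: factoringforless.eu none
Jun  2 08:40:07 host opendmarc[1047]: 7XX01BD6310: unable to parse From header field
Jun  2 09:15:44 host opendmarc[1047]: 23XXEBD6310: zoo.example fail
Jun  2 09:20:00 host postfix/smtpd[1234]: warning: connect to Milter service unix:/var/run/opendmarc/opendmarc.sock: No such file or directory
Jun  2 09:21:00 host postfix/smtpd[1234]: warning: milter inet:127.0.0.1:8893: read error in initial handshake
"""
OWN_DOMAINS = {"zoo.example"}   # constructed stand-in for the post's zoo domains

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG, OWN_DOMAINS).items():
        print(f"{key}: {value}")
```

Pipe `grep -h 'opendmarc\|Milter\|milter' /var/log/mail.log` into it on a real host; a non-empty milter_warnings list means the socket problem from the first post is back, and own_domain_fail entries are the internal mail that still needs either an IgnoreHosts entry or proper relaying.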

I am not sure if I can turn off the RejectFailures option in opendmarc without perhaps some additional Postfix plumbing, but that's my problem, not yours, since I am probably doing that the wrong way.

Things I have yet to do: reporting***, and see if the SPF thing is broken in opendmarc (it works). But it is working with Postfix.

* I see no point. ** Our domains (my blog) are zoo, zoo1, zoo2, zoo3. *** Needs MySQL (fucking crap software); I will save that for another post.

Does the monkey house save the day or will it go wrong? Stay tuned for the next episode of opendmarc, in draft, as we attempt to speak with some noteworthy retards with DMARC.