Having failed in my first attempt (my blog), I decided to try again. Looking at blogs which confirmed my suspicions that it did not work too well, I looked at how others had got the thing to ‘work’.
The zoo has had DANE, DKIM and other stuff for some time, so I will not be discussing that.
There’s a public suffix list some use which is not included in the Debian packaging, which was fun and suggests that maybe this is a compile-from-source thing rather than an OS package to install – à la here is one I prepared earlier.
My first day’s attempts seemed to work, but I had socket problems with postfix and logging: changing ownership and creating the file, because that is the sort of thing it probably needs but won’t automatically do.
On my second day I still have no damn clue as to what opendmarc should be doing, and despite my best efforts
smtpd[*]: warning: connect to Milter service unix:/var/run/opendmarc/opendmarc.sock: No such file or directory
I changed unix to local as specified in /etc/default/opendmarc, making the required change to postfix, and still nothing happened.
So eventually (it takes an hour or so to get a message from postfix about the broken socket on a not-that-busy mail server) I went with
in opendmarc.conf, /etc/default/opendmarc and in the correct main.cf, and that seemed to work in version 1.3.0 (the current Debian stable version); at the time of writing 1.3.1 is in Debian testing and 1.3.2 in experimental, so there’s no reason to expect massive changes down the release cycle.
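The socket has to agree in all three files, and postfix spells it unix: while opendmarc spells it local:. This added check script (mine, not from the post or the opendmarc project) pulls the socket setting out of each file, normalises the prefix and reports a mismatch; the three sample files it builds are constructed to mirror the working setup, with an assumed opendkim milter in front of opendmarc.

```shell
#!/bin/sh
# Added example, not from the post: verify that the opendmarc socket is set
# consistently in the three files the post names. File paths are arguments so
# the check can run on copies; the sample files at the bottom are constructed.

# opendmarc.conf:          Socket local:/var/run/opendmarc/opendmarc.sock
socket_from_opendmarc_conf() {
    awk '$1 == "Socket" { s = $2 } END { print s }' "$1"
}
# /etc/default/opendmarc:  SOCKET="local:/var/run/opendmarc/opendmarc.sock"
socket_from_default() {
    awk -F= '$1 == "SOCKET" { gsub("\"", "", $2); s = $2 } END { print s }' "$1"
}
# postfix main.cf:         smtpd_milters = unix:/.../opendkim.sock, unix:/.../opendmarc.sock
# keep only the list entry that points at opendmarc
socket_from_main_cf() {
    awk -F= '$1 ~ /^smtpd_milters *$/ {
                 n = split($2, a, ",")
                 for (i = 1; i <= n; i++) {
                     gsub(/^ +| +$/, "", a[i])
                     if (a[i] ~ /opendmarc/) s = a[i]
                 }
             } END { print s }' "$1"
}
# postfix writes unix:, opendmarc writes local:; both name a UNIX-domain socket
normalise() { printf '%s\n' "$1" | sed 's/^unix:/local:/'; }

# returns 0 and prints the path when all three agree, 1 otherwise
check_milter_socket() {
    a=$(normalise "$(socket_from_opendmarc_conf "$1")")
    b=$(normalise "$(socket_from_default "$2")")
    c=$(normalise "$(socket_from_main_cf "$3")")
    if [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" = "$c" ]; then
        echo "ok: milter socket $a"; return 0
    fi
    echo "mismatch: opendmarc.conf=[$a] default=[$b] main.cf=[$c]"; return 1
}

# constructed sample files that mirror the working configuration
sample_dir=$(mktemp -d)
echo 'Socket local:/var/run/opendmarc/opendmarc.sock' > "$sample_dir/opendmarc.conf"
echo 'SOCKET="local:/var/run/opendmarc/opendmarc.sock"' > "$sample_dir/default"
echo 'smtpd_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/opendmarc/opendmarc.sock' > "$sample_dir/main.cf"
check_milter_socket "$sample_dir/opendmarc.conf" "$sample_dir/default" "$sample_dir/main.cf"
```

Run it against the real files with `check_milter_socket /etc/opendmarc.conf /etc/default/opendmarc /etc/postfix/main.cf` after sourcing the script; a non-zero exit means the "No such file or directory" warning above is exactly what postfix will keep logging.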
I just have it running on four mail hosts.
Here is what a correct mail log looks like:
date* 17:57:49 host opendmarc: 1XX8BD6310: gmail.com pass
date* 07:30:15 host opendmarc: 5XX35BD6310: plexiglas.de none
date* 08:24:20 host opendmarc: 0XX85BD6310: factoringforless.eu none
not seen it
That covers most use cases; if hosts do not have DMARC, hey, that is not my fault.
Errors (or huh) are stated as
opendmarc[*]: *314: unable to parse From header field
So even the DMARC milter has problems with crap email.
For TLS-signed email
is the response.
If your internal email does not go outbound via a public internet address and then return*, it seems opendmarc bitches and whines like
opendmarc: 23XXEBD6310: zoo** fail
However, since I route fail2ban email from internal mail to a real email server, those messages seem to be ignored if you do not specify the opendmarc milter in the internal postfix handler we have.
I might have to add ignore hosts to a file (not done) – or fix internal relaying, which is what I did.
I am not sure if I can turn off the RejectFailures option in opendmarc without perhaps some additional postfix plumbing, but that’s my problem not yours since I am probably doing that the wrong way.
Things I have yet to do: reporting***, see if the
SPF thing is broken in opendmarc – works. But it’s working with postfix
*I see no point. **Our domains (my blog) are zoo, zoo1, zoo2, zoo3. ***Needs MySQL (fucking crap software); I will save that for another post.
Does the monkey house save the day or will it go wrong? Stay tuned for the next episode of opendmarc in draft as we attempt to speak with some noteworthy retards with DMARC.