Hi everyone,
in the last few days I have been playing around with DMARC because I wanted to be able to check it and report on it, as many providers already do, so I started working on it using OpenDMARC.
Here is a small How-To that will help you make this integration; depending on the feedback on this How-To, DirectAdmin Staff will decide whether to include this in CB so it can be managed that way.
This guide is based on CentOS 7; it may be very similar on other OSes, but I don't have them to play with, so hopefully someone will want to replicate this guide on Debian and post it here.
First, you need to remove sendmail* from the exclude= line in /etc/yum.conf.
Once done, let's proceed to install opendmarc and all its dependencies:
Code:
yum -y install opendmarc libopendmarc-devel
Configuration file: /etc/opendmarc.conf
I am using this one: https://repository.crazynetwork.it/d...opendmarc.conf
But you can easily edit it yourself; the important option to set is HistoryFile, which should be set to /var/spool/exim/opendmarc.dat
Now we need to customize the exim Makefile to enable two Experimental features (SPF and DMARC), so we start by downloading the standard one that DA uses and storing it in the CB custom folder:
Code:
mkdir -p /usr/local/directadmin/custombuild/custom/exim/
wget -O /usr/local/directadmin/custombuild/custom/exim/Makefile http://files.directadmin.com/services/custombuild/Makefile
Edit it this way: look for EXPERIMENTAL_SPF=yes and uncomment it and the line just after it, like this:
Code:
EXPERIMENTAL_SPF=yes
CFLAGS += -I/usr/local/include
Then, at the end of all the experimental options, add:
Code:
# Uncomment the following lines to add DMARC support, you must first enable SPF.
# Please read the Local/Makefile Idea on enabling the SUPPORT_SPF
# feature. You must also have DKIM support, so you cannot set the
# DISABLE_DKIM feature. Once both of those conditions have been met
# you can enable DMARC in Local/Makefile:
EXPERIMENTAL_DMARC=yes
LDFLAGS += -lopendmarc
(Or you can download the ready version here: https://repository.crazynetwork.it/d.../exim/Makefile, using: wget -O /usr/local/directadmin/custombuild/custom/exim/Makefile https://repository.crazynetwork.it/d.../exim/Makefile)
Once done, let's build exim:
Code:
/usr/local/directadmin/custombuild/build exim
Now, let's set up some configuration files.
Create this file (or, if it already exists, update it so that it also contains the following): /etc/exim.acl_check_recipient.pre.conf
Code:
# Skip DMARC verification for our own (authenticated / relay / local) traffic
warn authenticated = *
     hosts = +relay_hosts
     domains = +local_domains
     control = dmarc_disable_verify

# Ask Exim to produce forensic (failure) reports for inbound traffic from outside
warn !authenticated = *
     hosts = !+relay_hosts
     domains = !+local_domains
     control = dmarc_enable_forensic
Now we need the TLDs DB from https://publicsuffix.org/
Code:
wget -O /etc/exim_opendmarc.tlds https://publicsuffix.org/list/public_suffix_list.dat
And point exim at the history (spool) file and the TLD file as well:
Code:
touch /etc/exim.variables.conf.custom
echo "dmarc_history_file=/var/spool/exim/opendmarc.dat" >> /etc/exim.variables.conf.custom
echo "dmarc_tld_file=/etc/exim_opendmarc.tlds" >> /etc/exim.variables.conf.custom
And rebuild the exim configuration:
Code:
/usr/local/directadmin/custombuild/build exim_conf
Now we need to edit a file that CB maintains; I will check with Martynas and John if there is a way to have this as a custom version, because it will be needed.
Add the following at the end of the file: /etc/exim.acl_check_recipient.pre.conf
Code:
# DMARC Checks
warn dmarc_status = accept : none : off
     !authenticated = *
     log_message = DMARC DEBUG: $dmarc_status $dmarc_used_domain
     add_header = $dmarc_ar_header

warn dmarc_status = !accept
     !authenticated = *
     log_message = DMARC DEBUG: '$dmarc_status' for $dmarc_used_domain

warn dmarc_status = quarantine
     !authenticated = *
     set acl_m_quarantine = 1
     # Do something in a transport with this flag variable

deny condition = ${if eq{$dmarc_domain_policy}{reject}}
     condition = ${if eq{$acl_m_mailing_list}{1}}
     message = Messages from $dmarc_used_domain break mailing lists

deny dmarc_status = reject
     !authenticated = *
     message = Message from $dmarc_used_domain failed sender's DMARC policy, REJECT
Now restart exim:
Code:
service exim restart
And you should be able to see DMARC lines in the exim logs (try to generate some traffic from a domain that has DMARC):
Code:
tail -f /var/log/exim/mainlog | grep DMARC
And you should also be able to see a DMARC line in the headers:
Code:
Authentication-Results: Orange01.CrazyNetwork.it; dmarc=pass header.from=gmail.com
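To confirm the ACL above is really producing verdicts and to see at a glance which sending domains fail, here is an added example (not from the original post, nor from Exim or OpenDMARC) that summarises the DMARC DEBUG lines per domain and status. The log lines inside it are constructed samples in the shape those warn/deny statements log; the host names, message ids, addresses and IPs in them are invented.

```shell
#!/bin/sh
# Summarise DMARC verdicts per sending domain from an Exim mainlog.
# The log lines below are CONSTRUCTED samples in the shape the "DMARC DEBUG"
# warn statements and the final deny of the ACL produce; on a live server
# point the functions at /var/log/exim/mainlog instead.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2018-02-07 22:37:01 1ejTzq-0001Ab-3P H=mail-wm0-f45.google.com [74.125.82.45] Warning: DMARC DEBUG: accept gmail.com
2018-02-07 22:38:14 1ejU10-0001Ac-7Q H=mx.example.net [192.0.2.10] Warning: DMARC DEBUG: 'quarantine' for example.net
2018-02-07 22:39:52 1ejU2c-0001Ad-1R H=smtp.example.org [198.51.100.7] Warning: DMARC DEBUG: 'reject' for example.org
2018-02-07 22:39:52 1ejU2c-0001Ad-1R H=smtp.example.org [198.51.100.7] F=<news@example.org> rejected after DATA: Message from example.org failed sender's DMARC policy, REJECT
2018-02-07 22:41:03 1ejU3n-0001Ae-9S H=mail-wm0-f46.google.com [74.125.82.46] Warning: DMARC DEBUG: none gmail.com
EOF

# dmarc_summary LOGFILE: prints one "<domain> <status> <count>" line per pair.
# Both message shapes the ACL logs are handled:
#   "DMARC DEBUG: accept gmail.com"          (status accept / none / off)
#   "DMARC DEBUG: 'reject' for example.org"  (every other status, quoted)
dmarc_summary() {
    awk -v q="'" '
        /DMARC DEBUG: / {
            sub(/.*DMARC DEBUG: /, "")        # keep only the ACL message text
            if (substr($1, 1, 1) == q) {      # quoted form: status $1, domain $3
                status = $1; gsub(q, "", status); domain = $3
            } else {                          # plain form: status $1, domain $2
                status = $1; domain = $2
            }
            count[domain " " status]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# dmarc_rejected LOGFILE: how many messages Exim actually refused because the
# sender publishes p=reject (the final "deny" statement of the ACL).
dmarc_rejected() {
    grep -c "failed sender's DMARC policy, REJECT" "$1"
}

dmarc_summary "$SAMPLE_LOG"
echo "rejected: $(dmarc_rejected "$SAMPLE_LOG")"
```

A domain that shows up with many reject or quarantine verdicts while you expect its mail to be legitimate is the first thing to investigate before switching from logging to enforcing.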
Now, let's send out some reports!
To do this you will need:
A MySQL DB
An email address that will send out email (with SMTP Auth)
2 scripts (one is opendmarc-reports, which I have modified to use SMTP Auth when sending out emails)
Prepare the MySQL DB:
Code:
# DA_PATH is only pre-set inside DirectAdmin hook scripts; define it for an interactive shell
DA_PATH=/usr/local/directadmin
wget -O /tmp/da_opendmarc.sql https://repository.crazynetwork.it/opendmarc/da_opendmarc.sql
/usr/bin/mysql -uda_admin -p`grep "^passwd=" $DA_PATH/conf/mysql.conf | cut -d= -f2` -e "CREATE DATABASE da_opendmarc;"
# the scripts connect with DBHOST="localhost" (unix socket), so the account must be defined for 'localhost'
/usr/bin/mysql -uda_admin -p`grep "^passwd=" $DA_PATH/conf/mysql.conf | cut -d= -f2` -e "CREATE USER 'da_opendmarc'@'localhost' IDENTIFIED BY 'PASSWORD';"
/usr/bin/mysql -uda_admin -p`grep "^passwd=" $DA_PATH/conf/mysql.conf | cut -d= -f2` -e "GRANT ALL PRIVILEGES ON da_opendmarc.* TO 'da_opendmarc'@'localhost';"
/usr/bin/mysql -uda_admin -p`grep "^passwd=" $DA_PATH/conf/mysql.conf | cut -d= -f2` -e "FLUSH PRIVILEGES;"
mysql -uda_opendmarc -pPASSWORD da_opendmarc < /tmp/da_opendmarc.sql
rm -f /tmp/da_opendmarc.sql
Get the scripts:
Code:
wget -O /usr/local/directadmin/scripts/custom/exim_dmarc.sh https://repository.crazynetwork.it/directadmin/scripts/custom/exim_dmarc.sh
wget -O /usr/local/directadmin/scripts/custom/opendmarc-reports https://repository.crazynetwork.it/directadmin/scripts/custom/opendmarc-reports
chmod 700 /usr/local/directadmin/scripts/custom/exim_dmarc.sh
chmod 700 /usr/local/directadmin/scripts/custom/opendmarc-reports
Edit /usr/local/directadmin/scripts/custom/exim_dmarc.sh and fill in the required DB and SMTP Auth information by changing these lines:
Code:
DBHOST="localhost"
DBNAME="da_opendmarc"
DBUSER="da_opendmarc"
DBPASS="DATABASE PASSWORD"
REPORTEMAIL="EMAIL USERNAME"
REPORTSMTP_HOST="EMAIL SERVER HOST"
REPORTSMTP_PORT="EMAIL SERVER PORT"
REPORTSMTP_USER="EMAIL AUTH USER"
REPORTSMTP_PASS="EMAIL AUTH PASS"
REPORTORG="REPORTER NAME"
And finally, add the required cronjobs:
Code:
# entries in /etc/cron.d need the user field (root) between the schedule and the command
echo "0 * * * * root /usr/local/directadmin/scripts/custom/exim_dmarc.sh -i >/dev/null 2>&1" >> /etc/cron.d/directadmin_cron
echo "30 */6 * * * root /usr/local/directadmin/scripts/custom/exim_dmarc.sh -r >/dev/null 2>&1" >> /etc/cron.d/directadmin_cron
# cleanup once a day at midnight
echo "0 0 * * * root /usr/local/directadmin/scripts/custom/exim_dmarc.sh -e >/dev/null 2>&1" >> /etc/cron.d/directadmin_cron
Now everything should be configured.
A suggestion would be to test everything before adding the cronjobs (for example, send a DMARC-signed mail from one of your domains to another of your domains to check everything):
IMPORT DMARC DATA INTO DB: /usr/local/directadmin/scripts/custom/exim_dmarc.sh -i
SEND DMARC REPORTS OUT: /usr/local/directadmin/scripts/custom/exim_dmarc.sh -r
DELETE OLD DATA FROM DB: /usr/local/directadmin/scripts/custom/exim_dmarc.sh -E
SHOW THE REPORTS THAT ARE GOING TO BE SENT (NO SENDING): /usr/local/directadmin/scripts/custom/exim_dmarc.sh -t
I hope that this will be helpful to someone; if I forgot something or you face any problem, let me know and I will try to help.
Best regards
Tag: Author: ایمان اصلاحی Views: 590 Date: Wednesday 18 Bahman 1396 (7 February 2018), 22:37