Mail Server : Set DMARC Checking
2024/07/17

Configure Postfix to check DMARC (Domain-based Message Authentication, Reporting, and Conformance) on receiving mail. To configure DMARC as a sender, see Configuring DMARC records on your DNS server.

[1] Install and configure OpenDMARC.
root@mail:~# apt -y install opendmarc
# In this example, select [No]
# A DB is used to generate reports, but this example
# proceeds without sending reports
+-------------------------+ Configuring opendmarc +-------------------------+
| |
| The opendmarc package must have a database installed and configured |
| before it can be used. This can be optionally handled with |
| dbconfig-common. |
| |
| If you are an advanced database administrator and know that you want to |
| perform this configuration manually, or if your database has already |
| been installed and configured, you should refuse this option. Details on |
| what needs to be done should most likely be provided in |
| /usr/share/doc/opendmarc. |
| |
| Otherwise, you should probably choose this option. |
| |
| Configure database for opendmarc with dbconfig-common? |
| |
| <Yes> <No> |
| |
+---------------------------------------------------------------------------+
root@mail:~# vi /etc/opendmarc.conf
# line 13 : uncomment and change
# name that appears in the Authentication-Results header
# use the server hostname in the [HOSTNAME] specification
AuthservID HOSTNAME

# line 22 : to enable failure report generation, uncomment and change to [true]
# if [true], generate failure reports if the sender requests them
# * on this example, proceed with the default setting [false]
# FailureReports false

# line 52 : uncomment and change
# if [true], reject message if DMARC evaluation fails
RejectFailures true

# line 67 : change (listen on TCP)
Socket inet:8893@localhost

# line 93 : uncomment and change
# specify the trusted [authserv-id]
# if [HOSTNAME] is specified, it will be replaced with the server hostname
# if multiple entries are specified, separate them with commas
TrustedAuthservIDs HOSTNAME

# add to last line
# skip checking for SMTP AUTH authenticated clients
IgnoreAuthenticatedClients true
# list of hosts to skip checking
IgnoreHosts /etc/opendmarc/ignore.hosts
# reject messages if their headers do not comply with RFC5322
RequiredHeaders true

root@mail:~# mkdir /etc/opendmarc
root@mail:~# vi /etc/opendmarc/ignore.hosts
# create new file
# list hosts to skip
127.0.0.1
::1

root@mail:~# chown -R opendmarc:opendmarc /etc/opendmarc
root@mail:~# systemctl restart opendmarc

[2] Configure Postfix.
root@mail:~# vi /etc/postfix/main.cf
# add opendmarc to [smtpd_milters]
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
# accept mail when a milter is unavailable (fail open)
milter_default_action = accept

root@mail:~# systemctl reload postfix

[3] Send an email to your email address from Gmail or similar. If the header shows [Authentication-Results: mail.srv.world; dmarc=pass ***], then everything is OK.
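
The header check in step [3] can be scripted. The following is an added example, not part of the original page: it reads the dmarc= result only from Authentication-Results headers whose authserv-id matches the value set with AuthservID, ignoring headers stamped by any other host. The function names and the sample message are constructed for illustration.

```python
import email
import re

# Constructed sample message (not captured from a real server). The top
# Authentication-Results header carries this server's AuthservID; the lower
# one names a different authserv-id and must not be trusted.
SAMPLE = """\
Authentication-Results: mail.srv.world;
\tdmarc=pass (p=none dis=none) header.from=example.com
Authentication-Results: mx.other.example; dmarc=pass header.from=example.org
From: user@example.com
To: admin@srv.world
Subject: DMARC test

test body
"""


def dmarc_results(raw_message, authserv_id):
    """Return the dmarc= results stamped by authserv_id, in header order."""
    msg = email.message_from_string(raw_message)
    results = []
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())          # unfold continuation lines
        server, _, methods = value.partition(";")
        ident = server.split()                   # authserv-id [version]
        if not ident or ident[0].lower() != authserv_id.lower():
            continue                             # header from another host
        methods = re.sub(r"\([^()]*\)", "", methods)  # drop (comments)
        match = re.search(r"\bdmarc=([a-z]+)", methods, re.IGNORECASE)
        if match:
            results.append(match.group(1).lower())
    return results


def dmarc_ok(raw_message, authserv_id):
    """True only if our server stamped a result and every result is pass."""
    results = dmarc_results(raw_message, authserv_id)
    return bool(results) and all(r == "pass" for r in results)


if __name__ == "__main__":
    print(dmarc_results(SAMPLE, "mail.srv.world"),
          dmarc_ok(SAMPLE, "mail.srv.world"))
```

Save the test message with full headers from the mail client and pass its text to dmarc_ok() together with the hostname used for AuthservID.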