Mail Server : Set DMARC Checking2024/07/16

Configure Postfix to check DMARC (Domain-based Message Authentication, Reporting, and Conformance) on receiving mail.

To configure DMARC as a sender, see Configuring DMARC records on your DNS server.

[1]

Install and configure OpenDMARC.

root@mail:~#

apt -y install opendmarc

# On this example, select [No]
# DB will be used to generate reports, but in this example, 
# it will proceed without sending reports
 +-------------------------+ Configuring opendmarc +-------------------------+
 |                                                                           |
 | The opendmarc package must have a database installed and configured       |
 | before it can be used. This can be optionally handled with                |
 | dbconfig-common.                                                          |
 |                                                                           |
 | If you are an advanced database administrator and know that you want to   |
 | perform this configuration manually, or if your database has already      |
 | been installed and configured, you should refuse this option. Details on  |
 | what needs to be done should most likely be provided in                   |
 | /usr/share/doc/opendmarc.                                                 |
 |                                                                           |
 | Otherwise, you should probably choose this option.                        |
 |                                                                           |
 | Configure database for opendmarc with dbconfig-common?                    |
 |                                                                           |
 |                    <Yes>                       <No>                       |
 |                                                                           |
 +---------------------------------------------------------------------------+

root@mail:~#

vi /etc/opendmarc.conf

# line 13 : uncomment and change
# name that appears in the Authentication-Results header
# use the server hostname in the [HOSTNAME] specification
AuthservID HOSTNAME

# line 22 : to enable failure report generation, uncomment and change to [true]
# if [true], generate failure reports if the sender requests them
# * on this example, proceed with the default setting [false]
# FailureReports false

# line 52 : uncomment and change
# if [true], reject message if DMARC evaluation fails
RejectFailures true

# line 67 : change (listen on TCP)
Socket inet:8893@localhost

# line 93 : uncomment and change
# specify the trusted [authserv-id]
# if [HOSTNAME] is specified, it will be replaced with the server hostname
# if multiple entries are specified, separate them with commas
TrustedAuthservIDs HOSTNAME

# add to last line
# skip checking for SMTP AUTH authenticated clients
IgnoreAuthenticatedClients true

# list of hosts to skip checking
IgnoreHosts /etc/opendmarc/ignore.hosts

# reject messages if their headers do not comply with RFC5322
RequiredHeaders true

root@mail:~#

mkdir /etc/opendmarc

root@mail:~#

vi /etc/opendmarc/ignore.hosts

# create new file
# list hosts to skip
127.0.0.1
::1
localhost

root@mail:~#

chown -R opendmarc:opendmarc /etc/opendmarc

root@mail:~#

systemctl restart opendmarc

[2]	Configure Postfix.

root@mail:~#

vi /etc/postfix/main.cf

# add opendmark to [smtpd_milters]
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

root@mail:~#

systemctl reload postfix

[3]	Send an email to your email address from Gmail or similar. If the header shows [Authentication-Results: mail.srv.world; dmarc=pass ***], then everything is OK.

Matched Content