DMARC with Postfix on Debian stretch
This installation guide is an addition to the DKIM and Postfix article. It describes how to get incoming messages checked for DKIM.
Install the opendmarc package, which contains the milter for Postfix. Edit the /etc/opendmarc.conf file and add the following configuration (I disabled failure reports on my host):
The IgnoreHosts setting is useful for specifying exceptions. My /etc/opendmarc/hosts.ignore file contains the following addresses, so outgoing messages are not tagged:
On Debian stretch the socket is specified directly in the systemd service file. Change the socket location in the ExecStart line in the opendmarc.service file to /var/run/opendmarc/opendmarc.pid.
This can be done by creating a systemd override file using the edit option of the systemctl command:
systemctl edit opendmarc.service
This will create an empty file /etc/systemd/system/opendmarc.service.d/override.conf and open it in an editor. Insert the following lines and save the file.
[Service]
# with an override you must "clear" the ExecStart first.
ExecStart=
ExecStart=/usr/sbin/opendmarc -p local:/var/spool/postfix/opendmarc/opendmarc.sock -u opendmarc -P /var/run/opendmarc/opendmarc.pid
Alternatively, use systemctl edit --full opendmarc.service to create a copy of the opendmarc.service file and edit it directly. Change the ExecStart line as in the example above.
If you are already using milters (like a DKIM one) then all that is left to do is to add the opendmarc socket to the milter list:
smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock, unix:/opendmarc/opendmarc.sock
non_smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock, unix:/opendmarc/opendmarc.sock
Restart the opendmarc and postfix services and you should start seeing tags like these in the header section of incoming mails:
Authentication-Results: mx.example.com; dmarc=pass (p=none dis=none) header.from=gmail.com
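If the header does not appear, one thing to check is whether the socket opendmarc listens on is the one Postfix opens. The script below is an added example, not part of the original guide: the function names are hypothetical, and it assumes smtpd runs chrooted in /var/spool/postfix, in which case Postfix interprets unix: milter paths relative to that directory.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the opendmarc listening
# socket with the milter entry Postfix will open.
# Assumption: smtpd runs chrooted, so unix:/opendmarc/opendmarc.sock resolves
# to <chroot>/opendmarc/opendmarc.sock.

# Print the socket path from an opendmarc command line (-p local:/path).
daemon_socket() {
    printf '%s\n' "$1" |
        sed -n 's/.*-p[[:space:]]*local:\([^[:space:]]*\).*/\1/p'
}

# Print the absolute path of the first opendmarc entry in a Postfix milter
# list ($1), resolved under the chroot directory ($2). Prints nothing if the
# list has no opendmarc entry.
milter_socket() {
    rel=$(printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*unix:\(.*opendmarc[^[:space:]]*\)[[:space:]]*$/\1/p' |
        head -n 1)
    if [ -n "$rel" ]; then
        printf '%s%s\n' "$2" "$rel"
    fi
}

# Succeed only if the daemon socket is set and equals the resolved milter path.
# $1 = ExecStart line, $2 = milter list, $3 = chroot directory.
check_match() {
    d=$(daemon_socket "$1")
    m=$(milter_socket "$2" "$3")
    [ -n "$d" ] && [ "$d" = "$m" ]
}

# Usage on a live host:
#   check_match "$(systemctl show -p ExecStart opendmarc.service)" \
#               "$(postconf -h smtpd_milters)" /var/spool/postfix \
#       && echo "socket paths agree" || echo "socket paths differ"
```

Run the same check against non_smtpd_milters by passing its value as the second argument.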
- 27 December 2017
- Updated the instructions for editing systemd files. Thanks to Louis P.H. van Belle.