Current File : //usr/share/doc/opendmarc/README.Debian
opendmarc for Debian
-------------------
Configuration Notes for Debian systes
--------------------------------------------
The DMARC protocol is built on top of SPF and DKIM. OpenDMARC needs SPF and
DKIM verification results as an input. OpenDMARC uses RFC 5451 Authentication
Results header fields to get those results. OpenDMARC will use header fields
with an AuthservID that matches either the one specified in
/etc/opendmarc.conf or the system hostname. It is important to verify that
the AuthservID provided by SPF and DKIM verifiers matches the one that
opendmarc expects.
In Debian, postfix-policyd-spf-python and opendkim have been tested to
generate appropriate A-R header fields. For postfix-policyd-spf-python,
however, it is not the default configuration. See man 5 policyd-spf.conf for
information on how to configure it to generate A-R header fields.
To generate aggregate feedback reports a MySQL database is needed. See the
man pages for opendmarc-expire, opendmarc-import, opendmarc-params, and
opendmarc-reports for details on how the aggregate report data collection and
report generation works. The database schema, setup script, and README.schema
files can be found in /usr/share/doc/opendmarc.
Notes for Postfix users
-----------------------
Postfix users who wish to access the opendmarc service via UNIX socket
may need to add the postfix user to the opendmarc group and ensure that
UMask is set to 002 in /etc/opendmarc.conf, in order to make the socket
readable by Posfix.
Users may also need to move the socket into a directory accessible by the
Postfix chroot; this can be accomplished by setting the SOCKET variable
in /etc/systemd/system/opendmarc.service.d/overrride.conf (if systemd is used)
or in /etc/default/opendmarc (if SysV is used). Alternately, it can be set in
the installed configuration file, /etc/opendmarc.conf.
If opendmarc fails to start during boot, add After=network-online.target to
/etc/systemd/system/opendmarc.service.d/overrride.conf (if systemd is used) to
ensure the network is fully initialized before openmarc is started. This is
not likely to be an issue with SysV.
The default is to connect to the filter over a Unix socket. It can also use
TCP sockets. The filter can be bound to localhost to prevent other hosts from
accessing it. For example, to bind to port 8892, specify
"inet:8892@localhost". In order to use a TCP socket for a specific IP
address, that address has to be bound to an active network connection.
Changing group ownership of socket
----------------------------------
The group ID of the UNIX socket created by openmarc can be changed by
changing the primary GID of the opendmarc user, e.g.:
$ usermod -g mail opendmarc
Mini Shell