This directory has the latest open source DMARC software from The Trusted
Domain Project.
There is a web site at http://www.trusteddomain.org/opendmarc that is home for
the latest updates.
+--------------+
| INTRODUCTION |
+--------------+
The OpenDMARC project is a community effort to develop and maintain an open
source package for providing DMARC report generation and policy enforcement
services.
In simple terms, DMARC takes the results of ARC, SPF and DKIM checks
(performed either by upstream filters or, for SPF, by opendmarc itself)
and uses them to make a "pass or fail" decision. A domain owner may put
a record in the DNS to determine what should happen to a failing message:
no negative action (typically for testing), message quarantining, or
outright rejection at SMTP acceptance time.
Additionally, records placed in the DNS allow a domain owner to
receive reports back on when messages are received that fail DMARC,
as well as specifying what percentage of messages should be evaluated.
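The following is an added example (not code from the OpenDMARC project) showing the decision described above: parse a DMARC TXT record, check whether the SPF/DKIM results are aligned with the RFC5322.From domain, and apply the published policy subject to the "pct" sampling rate. The record and domains are constructed, and the organizational-domain rule is simplified (no public suffix list).

```python
import random

# Constructed example record, as it might be published at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; pct=50; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    # Defaults from RFC 7489: relaxed alignment, evaluate 100% of messages
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    # Simplified organizational domain: last two labels (real code consults the PSL)
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') an organizational match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, sample=None):
    """Return (dmarc_result, disposition); sample in [0, 100) drives pct sampling."""
    tags = parse_dmarc_record(record)
    if tags is None:
        return ("none", "none")          # no usable policy published
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")          # one aligned pass is enough
    policy = tags["p"]
    if sample is None:
        sample = random.randrange(100)
    if sample >= int(tags["pct"]):
        # Message falls outside the sampled fraction: apply the next weaker policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return ("fail", policy)
```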
This README is not intended to be a full explanation of how the DMARC
protocol works, but at the very least, some software that does DKIM
checks should be available in your mail stream in order to use this
software.
This package includes a library for handling DMARC record parsing,
a database schema and tools for aggregating and processing transaction
history to produce DMARC reports, and a filter that ties it all together
with an MTA using the milter protocol.
"milter" is a portmanteau of "mail filter" and refers to a protocol and API
for communicating mail traffic information between MTAs and mail filtering
plug-in applications. It was originally invented at Sendmail, Inc. but
has also been adapted to other MTAs.
Note that the implementation is called "OpenDMARC" but contains a program,
called "opendmarc", all lower case.
+--------------+
| DEPENDENCIES |
+--------------+
To compile and operate, this package requires the following:
o sendmail v8.13.0 (or later), or Postfix 2.3 (or later), and libmilter.
(These are only required if you are building the filter.)
o glib (GLib) headers and libraries 2.48.2 (or greater)
o some systems (Linux at least) do not natively have the strlcpy()
function. Under Arch Linux, this is provided by the "libbsd" package.
o Access to a working nameserver (required only for signature verification).
o A perl interpreter.
o If you are interested in tinkering with the build and packaging structure,
you may need to upgrade to these versions of GNU's "autotools" components:
autoconf (GNU Autoconf) 2.61
automake (GNU automake) 1.7 (or 1.9 to avoid warnings)
ltmain.sh (GNU libtool) 2.2.6 (or 1.5.26 after make maintainer-clean)
o LibSPF2 (https://www.libspf2.org) is optional, but can be used for improved
SPF parsing inside the opendmarc filter. Note that this will be a requirement
in a future version, if SPF checking is desired.
Actual use requires a mail server that speaks the "milter" protocol, as well
as some DKIM checking service that acts on messages before they reach the
opendmarc milter (such as the Trusted Domain Project's "OpenDKIM"). A
filter that performs SPF checking is optional, but OpenDMARC may be compiled
to link against LibSPF2, and thus do SPF checks on its own.
Some components (such as the report parser) can operate without being
joined to a mail server, but using that portion alone is generally atypical.
+-----------------------+
| RELATED DOCUMENTATION |
+-----------------------+
The man page for opendmarc (the actual filter program) is present in the
opendmarc directory of this source distribution. There is additional
information in the INSTALL and FEATURES files, and in the README file in the
opendmarc directory. Changes are documented in the RELEASE_NOTES file.
HTML-style documentation for libopendmarc is available in libopendmarc/docs in
this source distribution.
General information about DMARC can be found at http://www.dmarc.org
Mailing lists discussing and supporting the DMARC software found in this
package are maintained via a list server at trusteddomain.org. Visit
http://www.trusteddomain.org to subscribe or browse archives. The available
lists are:
opendmarc-announce (moderated)  Release announcements.
opendmarc-users                 General OpenDMARC user questions and answers.
opendmarc-dev                   Chatter among OpenDMARC developers.
opendmarc-code                  Automated source code change announcements.
Bug tracking is done via the trackers on SourceForge at
http://sourceforge.net/projects/opendmarc. You can enter new bug
reports there, but please check first for older bugs already open,
or even already closed, before opening a new issue.
+---------------------+
| DIRECTORY STRUCTURE |
+---------------------+
contrib             A collection of user contributed scripts that may be useful.
db                  Database schema and tools for generating DMARC reports based
                    upon accumulated data.
docs                A collection of RFCs and drafts related to opendmarc.
libopendmarc        A library that implements the proposed DMARC standard.
libopendmarc/docs   HTML documentation describing the API provided by libopendmarc.
opendmarc           A milter-based filter application which uses libopendmarc (and
                    optionally libar) to provide DMARC service via an MTA using
                    the milter protocol.
+----------------+
| RUNTIME ISSUES |
+----------------+
WARNING: symbol 'X' not available
The filter attempted to get some information from the MTA that the MTA
did not provide.
At various points in the interaction between the MTA and the filter, certain
macros containing information about the job in progress or the connection
being handled are passed from the MTA to the filter.
In the case of sendmail, the names of the macros the MTA should pass to the
filter are defined by the "Milter.macros" settings in sendmail.cf, e.g.
"Milter.macros.connect", "Milter.macros.envfrom", etc. This message
indicates that the filter needed the contents of macro X, but that macro
was not passed down from the MTA.
Typically the values needed by this filter are passed from the MTA if the
sendmail.cf was generated by the usual m4 method. If you do not have
those options defined in your sendmail.cf, make sure your M4 configuration
files are current and rebuild your sendmail.cf to get appropriate lines
added to your sendmail.cf, and then restart sendmail.
MTA timeouts
By default, the MTA is configured to wait up to ten seconds for a response
from a filter before giving up. When querying remote nameservers
for key and policy data, the DMARC filter may not get a response from the
resolver within that time frame, and thus this MTA timeout will occur.
This can cause messages to be rejected, temp-failed or delivered without
verification, depending on the failure mode selected for the filter.
When using the standard resolver library provided with your system, the
DNS timeout cannot be adjusted. If you encounter this problem, you must
increase the time the MTA waits for replies. See the documentation in
the sendmail open source distribution (libmilter/README in particular)
for instructions on changing these timeouts.
When using the provided asynchronous resolver library, you can use the
"-T" command line option to change the timeout so that it is shorter than
the MTA timeout.
Other OpenDMARC issues:
Report any bugs to the email address [email protected] or to
the SourceForge issue tracker accessible at:
http://sourceforge.net/p/opendmarc/tickets/
+-----------------+
| FURTHER READING |
+-----------------+
As DMARC adoption becomes more common, any list of links placed in the README
of a single implementation will invariably grow out of date. Using your favorite
search engine, or the mailing lists for your operating system or MTA is
not an unreasonable path forward.
As a start, however, the RFCs that define SPF, DKIM, and DMARC present a
fairly comprehensive, if technical, understanding of the underlying protocols,
although they contain little information about integrating them with a specific
mail server.
At the time of this writing, the following are the most recent RFCs for the
protocols involved (although many other RFCs are referenced, of course).
https://tools.ietf.org/html/rfc6376 (DKIM)
https://tools.ietf.org/html/rfc7208 (SPF)
https://tools.ietf.org/html/rfc7489 (DMARC)
https://tools.ietf.org/html/rfc8617 (ARC)
--
Copyright (c) 2012, 2016, 2018, 2021, The Trusted Domain Project.
All rights reserved.