How to help the forces of good fight spam, or DMARC on your server

In the past few years, DMARC has been actively rolled out across the Internet as a tool for combating spam effectively.

Without going into technical details, which are better covered on specialised resources such as dmarc.org or in articles on Habrahabr, the essence of DMARC is twofold: first, based on the results of SPF and DKIM verification, it lets the sending domain tell the receiving server what action to take when those checks fail; second, it lets the domain owner obtain statistics and prompt reports about the sources that send mail on behalf of that domain.

Accordingly, implementing DMARC support on a particular mail server means enforcing the sending domain's policy locally and sending analytical reports as a contribution to the global fight against spam.

Let us look at a DMARC configuration for a FreeBSD system running the Exim SMTP server.
root@beta:~ # uname -v
FreeBSD 10.3-RELEASE-p3 #0: Tue May 17 08:43:55 UTC 2016     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
root@beta:~ # pkg info | grep exim
exim-4.87                      High performance MTA for Unix systems on the Internet

1. Configuring OpenDMARC


To enable DMARC support and its configuration options, Exim must be built with the Experimental_DMARC option, as well as with DKIM and Experimental_SPF, without which DMARC cannot work.

root@beta:~ # exim --version
Exim version 4.87 #0 (FreeBSD 10.3) built 21-Apr-2016 19:02:37
Copyright (c) University of Cambridge, 1995 - 2016
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2016
Probably Berkeley DB version 1.8x (native mode)
Support for: crypteq iconv() use_setclassresources PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning Old_Demime DKIM DNSSEC I18N PRDR Experimental_SPF Experimental_DCC Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch mysql nis nis0 passwd
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/local/etc/exim/configure

Building Exim with these options also installs the OpenDMARC package it depends on.

root@beta:~ # pkg info | grep dmarc
opendmarc-1.3.1_3              DMARC library and milter implementation

First, OpenDMARC needs a basic configuration. It is quite simple and requires few changes to the sample configuration file shipped with the package.

root@beta:~ # cd /usr/local/etc/mail/
root@beta:/usr/local/etc/mail # cp opendmarc.conf.sample opendmarc.conf
root@beta:/usr/local/etc/mail # cat opendmarc.conf | egrep -v '^#|^$'
AuthservID my.server
ForensicReports true
ForensicReportsSentBy noreply@my.server
HistoryFile /usr/local/etc/exim/dmarc.dat

These four options are enough for DMARC to work on the system.

Create the history file named above right away.

root@beta:/usr/local/etc/mail # cd ../exim
root@beta:/usr/local/etc/exim # touch dmarc.dat
root@beta:/usr/local/etc/exim # chmod 666 dmarc.dat
root@beta:/usr/local/etc/exim # ll dmarc.dat
-rw-rw-rw-  1 root  wheel  0 24  22:47 dmarc.dat

2. Configure Exim to support DMARC


Next, modify the Exim configuration. In the main section, where the global options are set before the ACL definitions begin, add the following block:

root@beta:/usr/local/etc/exim # cat configure | grep dmarc
dmarc_tld_file = /usr/local/etc/exim/public_suffix_list.dat
dmarc_history_file = /usr/local/etc/exim/dmarc.dat
dmarc_forensic_sender = noreply@my.server

The last two options play the same role as their counterparts in the OpenDMARC configuration file. The first, dmarc_tld_file, points to the current Public Suffix List of domain names maintained by the Mozilla Foundation. Without further delay, download a local copy.

root@beta:/usr/local/etc/exim # fetch https://publicsuffix.org/list/public_suffix_list.dat
public_suffix_list.dat                        100% of  179 kB  227 kBps 00m01s
root@beta:/usr/local/etc/exim # ll public_suffix_list.dat
-rw-r--r--  1 root  wheel  183718 24  18:52 public_suffix_list.dat

It is a good idea to keep it up to date with CRON.

root@beta:/usr/local/etc/exim # cat /etc/crontab | grep publicsuffix
0 3 * * 1 root fetch -q https://publicsuffix.org/list/public_suffix_list.dat -o /usr/local/etc/exim && service exim reload

Since Exim configuration differs from server to server, we will limit ourselves to general recommendations for using DMARC (see also the "DMARC support" section of the official documentation).

First, I recommend going through the configuration and disabling DMARC checks for the trusted hosts in the +relay_from_hosts list (unless they specifically need them) in the corresponding ACL rule with:

control = dmarc_disable_verify

For all other hosts it makes sense to enable full DMARC support and, in addition, to send forensic reports where the sending domain requests them, with the rule:

warn control = dmarc_enable_forensic

It is reasonable to start applying the sending domain's DMARC policy in the acl_smtp_data section right after mail from authenticated users and trusted hosts has been accepted. In the simplest case we refuse the message when the policy is reject, and for a quarantine policy we add points to the counter that serves as the spam criterion. If desired, finer-grained handling can be implemented using optional DMARC record fields such as pct.

  accept  authenticated = *

  accept  hosts         = +relay_from_hosts

  # --- check sender's DMARC policy
  warn    dmarc_status  = *
          add_header    = $dmarc_ar_header

  deny    dmarc_status  = reject
          message       = Rejected by sender's DMARC policy

  warn    dmarc_status  = quarantine
          set acl_c0    = ${eval:$acl_c0+40}
          set acl_c1    = QDMARC(40) suspicious message according to DMARC policy; $acl_c1
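To make the decision logic behind that ACL concrete, here is an added Python example (not part of the original article, and not Exim's code) that evaluates a message against a parsed DMARC record: identifier alignment via the organizational domain (the role dmarc_tld_file plays in Exim), the sp and pct fields mentioned above, and the mapping to the deny/warn actions of the ACL. The public-suffix subset and the record values are constructed for illustration.

```python
from typing import Optional, Sequence, Tuple

# Constructed subset of the Public Suffix List (Exim reads the full list via dmarc_tld_file).
PUBLIC_SUFFIXES = {"ru", "com", "tv", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one label (RFC 7489 s.3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(from_domain: str, record: dict, spf_domain: Optional[str],
                dkim_domains: Sequence[str], sample: int) -> Tuple[str, str]:
    """Return (dmarc_result, policy_to_apply).

    from_domain:  RFC5322.From domain;  record: parsed DMARC tags, e.g. {"p": "reject", "pct": 50}
    spf_domain:   MAIL FROM domain if SPF passed, else None
    dkim_domains: d= values of signatures that verified
    sample:       0..99, drawn at random per message by the caller (fixed here for testing)
    """
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, record.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, record.get("adkim", "r")) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= governs subdomains of the organizational domain, p= everything else
    policy = record["p"]
    if "sp" in record and org_domain(from_domain) != from_domain.lower():
        policy = record["sp"]
    # pct= sampling (RFC 7489 s.6.6.4): messages outside the sample get the next weaker policy
    if sample >= int(record.get("pct", 100)):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


def exim_action(policy: str, acl_c0: int = 0) -> Tuple[str, int]:
    """Mirror the ACL: deny on reject, add 40 points to acl_c0 on quarantine, else accept."""
    if policy == "reject":
        return "deny", acl_c0
    if policy == "quarantine":
        return "warn", acl_c0 + 40
    return "accept", acl_c0
```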

Exim is now configured; restart it to apply the settings.

root@beta:/usr/local/etc/exim # service exim restart
Stopping exim.
Waiting for PIDS: 78683.
Starting exim.

Enforcement of the sending domain's DMARC policy is now in place on our server. In addition, whenever the server refuses a message, it immediately notifies the domain owner's reporting system by sending a forensic report. Below is an example of such a report:

Return-path: <>
Envelope-to: d@ruf.agari.com
Delivery-date: Wed, 18 May 2016 19:25:30 +0200
Received: from mailnull by my.server with local (Exim 4.87 (FreeBSD))
id 1b35Du-0000Te-QK
for d@ruf.agari.com; Wed, 18 May 2016 19:25:30 +0200
Auto-Submitted: auto-replied
From: noreply@my.server
To: d@ruf.agari.com
Subject: DMARC Forensic Report for mail.ru from IP 190.223.42.106
Message-Id: <E1b35Du-0000Te-QK@my.server>
Date: Wed, 18 May 2016 19:25:30 +0200

Failed message published DMARC
policy for your domain.

Sender Domain: mail.ru
Sender IP Address: 190.223.42.106
Received Date: Wed, 18 May 2016 19:25:30 +0200
SPF Alignment: no
DKIM Alignment: no
DMARC Results: Reject

- This is a copy of the headers that were received before the error was detected.

Received: from [190.223.42.106]
by my.server with esmtp (Exim 4.87 (FreeBSD))
(envelope-from <outletqn@mail.ru>)
id 1b35Du-0000TE-Eb
for sales@my.server; Wed, 18 May 2016 19:25:30 +0200
Received: from [163.116.8.100] (account frontenace19@inbox.ru HELO exbtaaovmshlgq.peejojgxxotd.tv)
by (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 745786287 for sales@my.server; Wed, 18 May 2016 12:17:49 -0500
Date: Wed, 18 May 2016 12:17:49 -0500
From: =?koi8-r?B?48XO1NIg4dfUz83B1MnawcPJyQ==?= <outletqn@mail.ru>
X-Mailer: The Bat! (v2.12.00) Educational
X-Priority: 3 (Normal)
Message-ID: <2803497135.OXX007B0034066@xnfwvhhklng.fffnarj.va>
To: <sales@peek.ru>
Subject: =?koi8-r?B?8M8g0M/Xz8TVIMvPztTSz8zRIMvB3sXT1NfBINDSz8TVy8PJyQ==?=
MIME-Version: 1.0
Content-Type: text/plain;
    charset=koi8-r
Content-Transfer-Encoding: 8bit
Received-SPF: softfail (my.server: not allowed) 190.223.42.106 as permitted sender client-ip=190.223.42.106; envelope-from=outletqn@mail.ru; helo=[190.223.42.106];

3. Setting up DMARC report distribution


Now it is time to set up periodic DMARC reports.

This requires, first, creating a database of report senders and recipients and, second, implementing their delivery.

This system already uses the MySQL database server for a number of related services, including the mail services, so we will use it to store the OpenDMARC database as well.

root@beta:/usr/local/etc/exim # cd /usr/local/share/doc/opendmarc/
root@beta:/usr/local/share/doc/opendmarc # mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 29062
Server version: 5.6.30 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE opendmarc;
mysql> GRANT ALL PRIVILEGES ON opendmarc.* TO opendmarc IDENTIFIED BY 'opendmarc';
mysql> quit;
root@beta:/usr/local/share/doc/opendmarc # mysql -h localhost -u opendmarc -p opendmarc < schema.mysql

Now we create a script that updates the database from the temporary statistics file collected by Exim.

root@beta:/usr/local/share/doc/opendmarc # cd /usr/local/etc/exim
root@beta:/usr/local/etc/exim # touch dmarc-cron.sh
root@beta:/usr/local/etc/exim # chmod 755 dmarc-cron.sh
root@beta:/usr/local/etc/exim # ll dmarc-cron.sh
-rwxr-xr-x  1 root  wheel  735 24  22:48 dmarc-cron.sh*
root@beta:/usr/local/etc/exim # cat dmarc-cron.sh
#!/bin/sh
# Update DMARC database and send reports
# (c)2014 by Max Kostikov http://kostikov.co e-mail: max@kostikov.co
#
# cat /etc/crontab | grep dmarc
# 0 */6 * * * root /usr/local/etc/exim/dmarc-cron.sh >/dev/null 2>&1

LOG="/usr/local/etc/exim/dmarc.dat"
HOST="localhost"
PORT="3306"
USER="opendmarc"
PASS="opendmarc"
DB="opendmarc"

opendmarc-import --dbhost=$HOST --dbport=$PORT --dbname=$DB --dbuser=$USER --dbpasswd=$PASS --verbose < $LOG
cat /dev/null > $LOG
opendmarc-reports --dbhost=$HOST --dbport=$PORT --dbname=$DB --dbuser=$USER --dbpasswd=$PASS --interval=86400 --verbose --report-email 'noreply@my.server'
opendmarc-expire --dbhost=$HOST --dbport=$PORT --dbname=$DB --dbuser=$USER --dbpasswd=$PASS --verbose --expire=30

It uses three utilities from the OpenDMARC package: opendmarc-import loads data from the temporary statistics file; opendmarc-reports generates reports for the given interval, at most once every 24 hours per domain; and opendmarc-expire deletes database entries older than 30 days. After the import, the statistics file is emptied.

Add the created script to CRON to run once every 6 hours.

root@beta:/usr/local/etc/exim # cat /etc/crontab | grep dmarc
0 */6 * * * root /usr/local/etc/exim/dmarc-cron.sh >/dev/null 2>&1

With this the setup is complete, and so is our move to the side of good in the active fight against spam.

Source: https://habr.com/ru/post/302162/
