In previous articles we discussed a number of effective tips for blocking spam. This tutorial shows you how to configure OpenDMARC with the Postfix SMTP server on CentOS/RHEL to block email spoofing and spam. OpenDMARC is an open source DMARC email policy filter for MTAs (Message Transport Agent, also known as SMTP server).

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an Internet standard (RFC 7489) that enables domain owners to prevent their domain names from being used by email spoofers. Before DMARC was invented, bad actors could very easily use someone else’s domain name in the From address.

If the domain owner has created a DMARC DNS record for his domain name and the receiving mail server has implemented DMARC verification, bad actors must pass SPF alignment or DKIM alignment in order to pass the DMARC check. If the DMARC check fails, the spoofed email can be rejected and never be seen by end users. It is difficult for a bad actor to pass SPF or DKIM unless the domain owner’s mail server is compromised.

Set OpenDMARC to CentOS / RHEL with Postfix to Block Email Spoofing

Email Spoofing Example

A spammer sent me a ransom email using winsaaluminyumankara.com in the From address. The whois information for winsaaluminyumankara.com is public. Clearly the spammer is not the person responsible for this domain name.

winsaaluminyumankara.com has a DMARC record

I then checked the email headers, which show that SPF failed and that there is no DKIM signature. So the DMARC check failed. This is a spoofed email.

This shows that not only big brands are used by email spoofers; any domain name on the Internet can be impersonated by bad actors. Unfortunately the DMARC policy for this domain name is set to p=none, which tells the receiving mail server not to do anything special if the DMARC check fails. If the policy were p=reject, my Postfix SMTP server would reject this email with OpenDMARC.

PayPal and Facebook have set a DMARC reject policy for their domain names.

So, if a bad actor tries to spoof PayPal or Facebook, my mail server can reject the spoofed emails with OpenDMARC. There are many other well-known domain names that have deployed a DMARC reject policy, as you can see in the table below.

The secure mailbox provider ProtonMail uses Postfix and OpenDMARC to perform DMARC checks on incoming mail, and I will show you how to do the same on your own Postfix SMTP server.

Prerequisites

This tutorial is intended for mailbox providers and anyone who runs their own mail server, to protect their users against email fraud. If you own a domain name and want to prevent email spoofers from using it, read this article to create a DMARC record and analyze DMARC reports. I also recommend that you read this article if you do not have a good understanding of DMARC.

Before installing OpenDMARC on your mail server, a DKIM verification service must be running. OpenDMARC must be used in combination with OpenDKIM. If you are using Amavis to do DKIM signing and verification, I advise you to switch from Amavis to OpenDKIM, because OpenDMARC cannot read the DKIM verification results from Amavis. You don’t have to remove Amavis completely. Just disable DKIM in Amavis, then install and configure OpenDKIM.

If you do not want to migrate to OpenDKIM, you will need to integrate Amavis with Postfix through the milter interface, which is explained at the end of this article.

Configuring OpenDMARC with Postfix SMTP Server on CentOS/RHEL

OpenDMARC is open source software that can perform DMARC checks and generate reports. You can install it from the EPEL repository on CentOS/RHEL.

sudo dnf install epel-release

sudo dnf install opendmarc

Start OpenDMARC.

sudo systemctl start opendmarc

Enable auto-start at boot time.

sudo systemctl enable opendmarc

OpenDMARC listens on 127.0.0.1:8893. Run the following command to check its status.

systemctl status opendmarc

Output:

opendmarc.service - Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter
   Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-03-08 23:52:59 EDT; 1min 4s ago
     Docs: man:opendmarc(8)
           man:opendmarc.conf(5)
           man:opendmarc-import(8)
           man:opendmarc-reports(8)
           http://www.trusteddomain.org/opendmarc/
 Main PID: 19987 (opendmarc)
    Tasks: 3 (limit: 5047)
   Memory: 1.1M
   CGroup: /system.slice/opendmarc.service
           └─19987 /usr/sbin/opendmarc -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid

Then edit the main configuration file with a text editor.

sudo nano /etc/opendmarc.conf

Find the following line:

# AuthservID name

By default, OpenDMARC uses the MTA hostname as the AuthservID, but it is better to use a different name for the authentication service, because Amavisd-new will overwrite the Authentication-Results header added by OpenDMARC. You can change it as follows, which makes it easy to see which program adds which Authentication-Results header.

AuthservID OpenDMARC

Then add the following line. Replace the hostname with your real Postfix hostname. This tells OpenDMARC to trust authentication results that carry mail.yourdomain.com as the ID. This is needed when you use OpenDKIM to perform DKIM verification.

TrustedAuthservIDs mail.yourdomain.com

Then find the next line.

# IgnoreAuthenticatedClients false

Change the value to true to ignore SMTP clients that successfully authenticate via SMTP AUTH, including desktop/mobile email clients that submit outgoing mail on port 587.

IgnoreAuthenticatedClients true

Then find this line:

# RejectFailures false

By default, OpenDMARC will not reject messages that fail the DMARC check, even if the domain’s policy is set to p=reject. If you prefer to reject messages that fail the DMARC check when the domain’s policy is set to p=reject, uncomment this line and change the value from false to true.

RejectFailures true

Find the following line.

# RequiredHeaders false

Change it to:

RequiredHeaders true

Messages that do not conform to the email header standards described in RFC 5322 will then be rejected. For example, if an incoming email has no From: header or no Date: header, it will be rejected. A From: field from which no domain name can be extracted will also be rejected.

By default, OpenDMARC on CentOS/RHEL ignores any SPF results in the email headers and performs SPF checks itself. This is controlled by the following two parameters.

SPFIgnoreResults true

SPFSelfValidate true

If you prefer to use another SPF verification service on your mail server, tell OpenDMARC to trust the SPF results in the email headers and to perform SPF checks itself only when it finds no SPF results in the headers.

SPFIgnoreResults false

SPFSelfValidate true

Save the file and close it. Then restart OpenDMARC to make the changes take effect.

sudo systemctl restart opendmarc
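
The edits above are easy to get half-right, because a line that is still commented out is simply not in effect. As an added example (not part of the original tutorial or of the OpenDMARC project), this script reports which of the settings above are active in a given file. The function names and the sample file are constructed for illustration, and it compares the literal values as they are written in this article.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit opendmarc.conf.
# A line that still starts with "#" is inactive, so the stock
# "# RejectFailures false" counts as unset here.

# Print the active value of key $2 in file $1, or "(unset)".
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # commented out: not in effect
        $1 == key && !seen { val = $2; seen = 1 }
        END { print (seen ? val : "(unset)") }
    ' "$1"
}

# Print one line per setting that differs from the values used in this article;
# "*" accepts any active value. Returns 0 only when every setting matches.
audit_opendmarc_conf() {
    status=0
    for want in "AuthservID=*" "TrustedAuthservIDs=*" \
                "IgnoreAuthenticatedClients=true" "RejectFailures=true" \
                "RequiredHeaders=true" "SPFSelfValidate=true"; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(conf_value "$1" "$key")
        if [ "$expected" = "*" ] && [ "$actual" != "(unset)" ]; then
            continue
        fi
        if [ "$actual" != "$expected" ]; then
            echo "$key: expected $expected, found $actual"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: two of the edits were left commented out.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
AuthservID OpenDMARC
TrustedAuthservIDs mail.yourdomain.com
IgnoreAuthenticatedClients true
# RejectFailures false
# RequiredHeaders false
SPFIgnoreResults true
SPFSelfValidate true
EOF
audit_opendmarc_conf "$sample_conf" || echo "opendmarc.conf needs attention"
```

Run it against the real file with audit_opendmarc_conf /etc/opendmarc.conf before restarting the service.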

Integration of OpenDMARC with Postfix SMTP Server

Edit the main postfix configuration file.

sudo nano /etc/postfix/main.cf

If you followed my DKIM tutorial on CentOS 8/RHEL 8, you should have the lines shown below in this file. OpenDKIM listens on 127.0.0.1:8891.

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters

All you have to do is add the OpenDMARC socket so that Postfix can talk to OpenDMARC. (Make sure it comes after the OpenDKIM socket.) OpenDMARC listens on 127.0.0.1:8893.

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters

Save the file and close it. Then restart Postfix to put the change into effect.

sudo systemctl restart postfix
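
One way to check the ordering requirement described above, as an added example rather than code from the original tutorial: it reads the effective smtpd_milters value from a main.cf file and confirms that the OpenDMARC socket is listed after the DKIM verifier's socket. The function names and the sample file are constructed; the same check applies to the amavisd-milter Unix socket used later in this article.

```shell
#!/bin/sh
# Added example: verify that the OpenDMARC milter is listed after the DKIM
# verifier in smtpd_milters, as this tutorial requires.

# Print the effective smtpd_milters value from main.cf file $1. Continuation
# lines start with whitespace; when a parameter is repeated, the last one wins.
effective_milters() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]/ {                                 # continuation line
            if (cur) { sub(/^[ \t]+/, ""); val = val " " $0 }
            next
        }
        { cur = 0 }
        /^smtpd_milters[ \t]*=/ {
            cur = 1; val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        }
        END { print val }
    ' "$1"
}

# Succeed only if socket $3 (OpenDMARC) appears after socket $2 (DKIM verifier).
milter_order_ok() {
    effective_milters "$1" | tr ', ' '\n\n' | awk -v dkim="$2" -v dmarc="$3" '
        $0 == dkim  && !a { a = NR }
        $0 == dmarc && !b { b = NR }
        END { exit !(a && b && a < b) }'
}

# Constructed sample: OpenDMARC (8893) was added in front of OpenDKIM (8891).
sample_main_cf=$(mktemp)
cat > "$sample_main_cf" <<'EOF'
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8893,
    inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
EOF
if milter_order_ok "$sample_main_cf" inet:127.0.0.1:8891 inet:127.0.0.1:8893; then
    echo "milter order OK"
else
    echo "OpenDMARC is listed before the DKIM milter"
fi
```

On a live server, postconf -h smtpd_milters prints the effective value directly.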

OpenDMARC Verification

Now send an email from another email address to an address in your domain, then check the email headers. If OpenDMARC works properly, you will see the DMARC verification result as shown below.

Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=gmail.com

I sent an email from my Gmail account to my domain email address and it passed the DMARC check. If you don’t see this header, check your mail logs.

sudo nano /var/log/maillog

You’ll see something similar to the following:

opendmarc[26495]: 61DAA3EA44: gmail.com pass
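
To review verdicts in bulk rather than one header at a time, the added example below (not from the original tutorial) tallies log lines of the form shown above per From: domain and result. The log lines are constructed samples in that format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tally OpenDMARC verdicts from mail log lines of the form
#   opendmarc[PID]: QUEUEID: DOMAIN RESULT

# Print "DOMAIN RESULT COUNT" for every domain/result pair, sorted.
dmarc_tally() {
    awk '
        {
            tag = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^opendmarc\[[0-9]+\]:$/) tag = i
            # verdict lines have exactly: tag, "QUEUEID:", domain, result
            if (!tag || NF != tag + 3 || $(tag + 1) !~ /^[0-9A-Za-z]+:$/) next
            count[tolower($(tag + 2)) " " $(tag + 3)]++
        }
        END { for (k in count) print k, count[k] }
    ' "$@" | sort
}

# Print the domains with at least one "fail" verdict, most failures first.
dmarc_failing_domains() {
    dmarc_tally "$@" | awk '$2 == "fail" { print $3, $1 }' |
        sort -rn | awk '{ print $2 }'
}

# Constructed sample log in the format shown above.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar  8 23:55:01 mail opendmarc[26495]: 61DAA3EA44: gmail.com pass
Mar  8 23:58:12 mail opendmarc[26495]: 7C1B23EA51: paypal.com fail
Mar  9 00:02:40 mail opendmarc[26495]: 9A0F43EA60: example.org none
Mar  9 00:03:05 mail postfix/smtpd[26610]: connect from unknown[192.0.2.10]
Mar  9 00:03:07 mail opendmarc[26495]: A44D13EA72: paypal.com fail
Mar  9 00:04:31 mail opendmarc[26495]: B19E03EA7F: winsaaluminyumankara.com fail
EOF
dmarc_tally "$sample_log"
echo "Failing domains:"
dmarc_failing_domains "$sample_log"
```

A domain that shows up under fail while its policy is p=none is delivered anyway, so this list is where spoofing of such domains becomes visible.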

Testing OpenDMARC with Telnet

You can use telnet to spoof another domain name, such as paypal.com. First run the following command to connect to port 25 of your mail server.

telnet mail.yourdomain.com 25

Then follow these steps to send a spoofed email. (You type the lines that do not start with a three-digit reply code.)

HELO mail.paypal.com
250 mail.yourdomain.com
MAIL FROM:<[protected e-mail]>
250 2.1.0 Ok
RCPT TO:<[protected e-mail]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: [protected e-mail]
To:
Subject: Please update your password.

Click on this link to update your password.
.
550 5.7.1 rejected by DMARC policy for paypal.com

As you can see, my mail server rejected this email because it did not pass the DMARC check and PayPal has set a p=reject policy.

Note: If a domain’s DMARC policy is set to p=quarantine, the OpenDMARC milter will place the spoofed email in the Postfix queue indefinitely. The postmaster can list all messages in the queue with the postqueue -p command and use the postsuper command-line utility to release messages from the queue.

Integrating Amavis with Postfix via the Milter Interface

As explained in the Prerequisites section, I recommend switching from Amavis to OpenDKIM, but if you don’t want to switch, you need to integrate Amavis with Postfix through the milter interface, so that OpenDMARC can read the DKIM verification results from Amavis.

Install the amavisd-milter package on CentOS/RHEL.

sudo dnf install amavisd-milter

Start the service.

sudo systemctl start amavisd-milter

Enable auto-start at boot time.

sudo systemctl enable amavisd-milter

amavisd-milter listens on the Unix socket at /run/amavisd/amavisd-milter.sock. Edit the main Postfix configuration file.

sudo nano /etc/postfix/main.cf

Add the following lines to the end of the file. Note that you need to place the amavisd-milter Unix socket before the OpenDMARC TCP socket.

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/run/amavisd/amavisd-milter.sock,inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters

Also, comment out the following line so that Postfix doesn’t pass incoming email through Amavis twice.

content_filter = smtp-amavis:[127.0.0.1]:10024

Save the file and close it. Then add the postfix user to the amavis group so that Postfix can access the Amavis Unix socket.

sudo gpasswd -a postfix amavis

Outgoing emails submitted by authenticated users should not be passed to Amavis via the milter interface, because Amavis will not add a DKIM signature. They should go through 127.0.0.1:10026 as usual, so that a DKIM signature is added. Edit the Postfix master.cf file.

sudo nano /etc/postfix/master.cf

Find the submission component. This is what it should look like if you followed my Amavis tutorial for CentOS/RHEL.

submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

Now add the following option at the end.

  -o smtpd_milters=

Like this:

submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o smtpd_milters=

This makes the Postfix submission service use no milter at all, so emails submitted by authenticated users are not passed to Amavis via the milter interface. Note that you must not put a space before the equals sign (=).

You must also add this line to the smtps component.

smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o smtpd_milters=

Save the file and close it. Restart Postfix to make the changes take effect.

sudo systemctl restart postfix

OpenDMARC will now be able to read the DKIM verification results from Amavis, and Amavis will continue to add DKIM signatures for authenticated users.

Wrapping Up

I hope this guide has helped you configure OpenDMARC with the Postfix SMTP server on CentOS/RHEL to block email spoofing and spam. As always, if you found this post useful, subscribe to our free newsletter for more tips and tricks. Take care.
