Initial commit
[opendmarc.git] / usr / share / doc / opendmarc / README.Debian
opendmarc for Debian
--------------------

Configuration Notes for Debian systems
--------------------------------------

The DMARC protocol is built on top of SPF and DKIM. OpenDMARC needs SPF and
DKIM verification results as an input. OpenDMARC uses RFC 5451
Authentication-Results header fields to get those results. OpenDMARC will use
header fields with an AuthservID that matches either the one specified in
/etc/opendmarc.conf or the system hostname. It is important to verify that
the AuthservID provided by SPF and DKIM verifiers matches the one that
opendmarc expects.
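
The AuthservID check described above, as an added example (not part of the
original README or of OpenDMARC itself). The sample message, the host names
and the helper function names are constructed for illustration.

```python
import email
import re
import socket
from email import policy

# Constructed sample message; host names and results are illustrative only.
SAMPLE = """\
Authentication-Results: mx.example.org; dkim=pass header.d=example.com
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=example.com
Authentication-Results: other.example.net; spf=pass smtp.mailfrom=example.com
From: alice@example.com
Subject: constructed test message

body
"""

def expected_authserv_id(conf_text, hostname=None):
    """AuthservID set in opendmarc.conf text, else the system hostname."""
    hostname = hostname or socket.gethostname()
    for line in conf_text.splitlines():
        m = re.match(r"\s*AuthservID\s+(\S+)", line, re.I)
        if m:
            # opendmarc.conf(5): the literal value HOSTNAME means gethostname().
            return hostname if m.group(1) == "HOSTNAME" else m.group(1)
    return hostname

def audit(message_text, expected):
    """Split spf/dkim results by whether their AuthservID is the expected one."""
    msg = email.message_from_string(message_text, policy=policy.default)
    usable, ignored = [], []
    for value in msg.get_all("Authentication-Results", []):
        head, _, rest = str(value).partition(";")
        tokens = head.split()  # authserv-id, optionally followed by a version
        authserv_id = tokens[0].lower() if tokens else ""
        results = re.findall(r"\b(spf|dkim)\s*=\s*(\w+)", rest, re.I)
        bucket = usable if authserv_id == expected.lower() else ignored
        bucket.extend((authserv_id, m.lower(), r.lower()) for m, r in results)
    return usable, ignored

def missing_inputs(usable):
    """Methods (spf, dkim) with no result under the expected AuthservID."""
    return sorted({"spf", "dkim"} - {method for _, method, _ in usable})

if __name__ == "__main__":
    expected = expected_authserv_id("AuthservID mx.example.org\n")
    usable, ignored = audit(SAMPLE, expected)
    print("usable:", usable, "ignored:", ignored)
    print("missing:", missing_inputs(usable))
```

A non-empty result from missing_inputs() on real mail means the SPF or DKIM
verifier is stamping a different AuthservID than the one opendmarc expects.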

In Debian, postfix-policyd-spf-python and opendkim have been tested to
generate appropriate A-R header fields. For postfix-policyd-spf-python,
however, it is not the default configuration. See man 5 policyd-spf.conf for
information on how to configure it to generate A-R header fields.

To generate aggregate feedback reports, a MySQL database is needed. See the
man pages for opendmarc-expire, opendmarc-import, opendmarc-params, and
opendmarc-reports for details on how the aggregate report data collection and
report generation work. The database schema, setup script, and README.schema
files can be found in /usr/share/doc/opendmarc.

Notes for Postfix users
-----------------------

Postfix users who wish to access the opendmarc service via UNIX socket
may need to add the postfix user to the opendmarc group and ensure that
UMask is set to 002 in /etc/opendkim.conf, in order to make the socket
readable by Postfix.

Users may also need to move the socket into a directory accessible by the
Postfix chroot; this can be accomplished by setting the SOCKET variable
in /etc/default/opendmarc.

The default is to connect to the filter over TCP. The filter can be bound to
localhost to prevent other hosts from accessing it. For example, to bind to
port 8892, specify "inet:8892@localhost".

Changing group ownership of socket
----------------------------------

The group ID of the UNIX socket created by opendkim can be changed by
changing the primary GID of the opendmarc user, e.g.:

  $ usermod -g mail opendmarc