[opendmarc-users] Setting up with multiple domains
Christoph Steindl
c.steindl at univie.ac.at
Wed Sep 2 04:35:58 PDT 2015
Hey,
On Wed, 2 Sep 2015 at 12:24, Mick <debacletw8 at rs432.net> wrote:
> Hi Christoph,
>
> Thank you so much for your reply.
>> the information about the sender in an aggregate report
>> (org_name-tag and email-tag in XML) is generated using the domain of
>> the hostname of the server which runs opendmarc. Please have a look
>> at lines 188 and 189 of
>> http://sourceforge.net/p/opendmarc/code/ci/master/tree/reports/opendmarc-reports.in.
> 'report-email=s' => \$repemail,
> 'report-org=s' => \$repdom,
Of course lines 19, 131 and 132 are also relevant:
use Net::Domain qw(hostfqdn hostdomain);
my $repdom = hostdomain();
my $repemail = "postmaster@" . $repdom;
>
> Are the above the two lines you mean?... I've read on and see these
> are the two lines you refer to.
>
> I've already had a poke around in that particular file as the
> otherwise great tutorial I was following (DMARC only) from ;
> https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
> failed with 'can't create report file'. It was obviously a
> permissions issue and easily resolved by running the script as root
> and not 'opendmarc'. I temporarily killed my mail server in the
> process as I forgot to make the new 'opendmarc.dat' writable by
> 'opendmarc'. Resolved script with the following ;
>
> su -c "cat /dev/null > /run/opendmarc/opendmarc.dat" -s /bin/bash opendmarc
> chmod 750 /run/opendmarc/opendmarc.dat
>
>
>> I guess in your case this name is equivalent to one of your mailing
>> domains.
> Yes. There doesn't seem to be a choice here as all domains are served
> by the same mail server and IP so no way of differentiating domains
> until the 'RCPT TO: <' so far as I can see. You will see the
> primary domain and this domain in the headers.
>
> Oh? I see that DKIM has failed due to an insecure key? I've got a lot
> to learn (sigh)
For configuring DKIM I often used http://dkimvalidator.com/. Probably
it is useful for you as well.
>
>
>
>> The help command shows how (see --report-email and --report-org):
> I was thinking of cheating in this way by having a report script for
> each domain, and rotating them.
>
> /usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER}
> --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose -interval=86400
> --report-email 'dmarc at domainA.uk' --report-org 'domainA.uk'
>
> Then some time later repeat the above replacing domainA with B
> and so on. It would still mean that the feedback from all my
> domains is grouped together therefore sent together, but would look
> like each domain is conforming. Ideally, each domain would save its
> own reports separately, but it doesn't seem possible at the moment
I think this won't work for another reason. After you have processed your
data on behalf of domainA the messages are marked as (already)
reported. In the next iteration for domainB there won't be anything
else to report.
From my point of view there are two potential solutions, which both
require some effort:
1. You know how to get one opendmarc.dat file for each receiving domain
(eg. opendmarc_domainA.dat, opendmarc_domainB.dat, ...) and import it
to different databases, like "cat opendmarc_domainA.dat |
opendmarc-import --dbname=dmarc_domainA && cat opendmarc_domainB.dat |
opendmarc-import --dbname=dmarc_domainB ...". Afterwards you do the
reporting for each domain like "opendmarc-reports
--dbname=dmarc_domainA --report-org=domainA
--report-email=postmaster at domainA && opendmarc-reports
--dbname=dmarc_domainB --report-org=domainB
--report-email=postmaster at domainB ...".
2. You are able to differentiate between the receiving domains in one
opendmarc.dat file. Then you have to adapt the opendmarc-import script
so that it writes the data to different DBs based on the reporter value in
opendmarc.dat and finally you have to send the reports with a command
similar to the one for the first case.
Regards,
Christoph
>
>
>
> Thanks again for your help,
>
>
> Mick.
>
>
>
>>> $ opendmarc-reports --help
>>> opendmarc-reports: usage: opendmarc-reports
>>> --day send yesterday's data
>>> --dbhost=host database host
>>> --dbname=name database name
>>> --dbpasswd=passwd database password
>>> --dbport=port database port
>>> --dbuser=user database user
>>> --domain=name force a report for named domain
>>> --help print help and exit
>>> --interval=secs report interval
>>> --keepfiles keep xml files (in local directory)
>>> -n synonym for --test
>>> --nodomain=name omit a report for named domain
>>> --noupdate don't record report transmission
>>> --report-email reporting contact [postmaster at example.com]
>>> --report-org reporting organization [example.com]
>>> --smtp-port smtp server port
>>> --smtp-server smtp server
>>> --test don't send reports
>>> --utc operate in UTC
>>> (implies --keepfiles --noupdate)
>>> --verbose verbose output
>>> (repeat for increased output)
>>> --version print version and exit
>>
>> The domain in your opendmarc.dat is not used directly in the
>> generated aggregate report. It represents the hostname of the
>> machine which receives the message (for the case of multiple MXs)
>> and is only used to distinguish them when the data gets imported
>> into the DB using
>> http://sourceforge.net/p/opendmarc/code/ci/master/tree/reports/opendmarc-import.in.
>>
>> Probably you can play around with opendmarc-import and
>> opendmarc-reports to get it working for your setup.
>>
>> Cheers,
>> Christoph
>>
>> On Wed, 2 Sep 2015 at 12:37, Mick <debacletw8 at rs432.net> wrote:
>>> Hi all,
>>>
>>> I guess this is a dead list. Seems more questions are asked than
>>> answered at least. Perhaps everyone is on holiday in Blackpool? I
>>> hoped at worse for a retort 'Read the documentation' with a link
>>> to the relevant section of incoherent text, but alas no, not even
>>> that. Abandon hope all ye who ask here! :'(
>>>
>>> Best wishes to everyone,
>>>
>>> Mick.
>>>
>>>
>>>
>>> On 31/08/2015 00:58, Mick wrote:
>>>> Hi all,
>>>>
>>>> I'm new to opendmarc and this list, so apologies if this has been
>>>> asked before. Over the past few days, I've set up opendmarc, but
>>>> am holding back on the feedback reports as I'm sure they won't
>>>> conform. I have 4 domains that each receive email through the
>>>> same postfix MTA instance, so regardless of which domain messages
>>>> are destined for, they all get labelled as a report from the
>>>> primary domain in opendmarc.dat. Is it okay to report if not
>>>> everything in that report applies to the domain it is said to be
>>>> received for? I'm sure it isn't and I can't think of a way round
>>>> this so thought I'd ask.
>>>>
>>>>
>>>> Many thanks,
>>>>
>>>> Mick.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> opendmarc-users mailing list
>>>> opendmarc-users at trusteddomain.org
>>>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>>>>
>>>
>
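Christoph's second option (routing records by the reporter value in opendmarc.dat), sketched as an added example that is not part of the thread or of the OpenDMARC scripts. It assumes the history file is a sequence of "key value" lines in which a `job` line opens each record and a `reporter` line names the receiving host; the host names and the reporter-to-database mapping are constructed.

```python
from collections import defaultdict

# Constructed sample. Assumed layout: "key value" lines; a "job" line opens a record.
SAMPLE = """\
job 0A1B2C3D
reporter mx.domaina.example
ipaddr 192.0.2.10
job 1F2E3D4C
reporter mx.domainb.example
ipaddr 198.51.100.7
job 2A3B4C5D
reporter MX.DomainA.example
job 3C4D5E6F
ipaddr 203.0.113.5
"""

# Hypothetical reporter-to-database mapping (DB names follow option 1 in the mail).
REPORTER_TO_DB = {"mx.domaina.example": "dmarc_domainA",
                  "mx.domainb.example": "dmarc_domainB"}

def records(text):
    """Yield each record as a list of lines; a `job` line starts a new one."""
    current = []
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        if line.split()[0] == "job" and current:
            yield current
            current = []
        current.append(line)
    if current:
        yield current

def reporter_of(record):
    """Return the record's reporter value, lower-cased, or None if absent."""
    for line in record:
        key, *rest = line.split(None, 1)
        if key == "reporter" and rest:
            return rest[0].strip().lower()
    return None

def split_by_reporter(text, mapping):
    """Return {db_name: history_text}; unknown reporters are kept under 'unmapped'."""
    out = defaultdict(str)
    for rec in records(text):
        out[mapping.get(reporter_of(rec), "unmapped")] += "\n".join(rec) + "\n"
    return dict(out)

if __name__ == "__main__":
    for db, text in split_by_reporter(SAMPLE, REPORTER_TO_DB).items():
        print(db, text.count("job "), "record(s)")
```

Each returned text can be written to its own file and piped to opendmarc-import with the matching --dbname, as in option 1. Records that land under 'unmapped' are kept for review rather than dropped.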