Update firststeps-dmarc_reporting.md

Dmitriy Alekseev 2021-08-28 16:26:19 +03:00 committed by GitHub
Parent 0b92341946
Commit 7c953ae4aa
No GPG key could be found for this signature
GPG key ID: 4AEE18F83AFDEB23


@ -1,62 +1,77 @@
DMARC Reporting done via Rspamd DMARC Module.
Offical configuration options and documentation can be found here: https://rspamd.com/doc/modules/dmarc.html
Rspamd documentation can be found here: https://rspamd.com/doc/modules/dmarc.html
**Important:**
1. Before use config examples from this document please adjust them, change `example.com` and `Example` to your actual data
1. Before use examples bellow, change `example.com`, `mail.example.com` and `Example` to your actual data
2. DMARC reporting require additional attention, especially at first days
3. Your reports for all server will be send from one reporting domain. Recommended to use parent domain of your `MAILCOW_HOSTNAME`, f.e:
- if your `MAILCOW_HOSTNAME=mail.example.com` then Reporting `domain = "example.com";`
- set `email` from same domain also, `email = "noreply-dmarc@example.com";`
4. This optional, but recomended step: create `noreply-dmarc` email user in mailcow to handle bounces.
4. This optional, but recommended step: create `noreply-dmarc` email user in mailcow to handle bounces.
- Go to mailcow admin UI → Configuration → Mail Setup → Mailboxes → Add mailbox → Create mailbox `noreply-dmarc`, please choose correct domain
- In case you want silently discard bounces: login in SOGo from this account and go to Preferences → Mail → Filters → Create Filter → Add action → Provide name, f.e: `noreply` and add action: Discard the message and save filter
- In case you plan to resend a copy of reports to yourself: you need add condition to previous filter example `From is not noreply-dmarc@example.com`
## Enable DMARC Reports
## Enable DMARC Reporting
1. Create or edit file in `data/conf/rspamd/local.d/dmarc.conf` and set content to:
```
reporting = true;
send_reports = true;
report_settings {
org_name = "Example";
domain = "example.com";
email = "noreply-dmarc@example.com";
from_name = "Example DMARC Report";
smtp = "postfix";
reporting {
enabled = true;
email = 'noreply-dmarc@example.com';
domain = 'example.com';
org_name = 'Example';
helo = 'rspamd';
smtp = 'postfix';
smtp_port = 25;
helo = "rspamd";
retries = 3;
hscan_count = 1500
from_name = 'Example DMARC Report';
msgid_from = 'rspamd.mail.example.com';
max_entries = 2k;
keys_expire = 2d;
}
```
2. Create required `dmarc_reports_last_sent` file:
`docker-compose exec rspamd-mailcow bash -c "touch /var/lib/rspamd/dmarc_reports_last_sent; chown 101:101 /var/lib/rspamd/dmarc_reports_last_sent; chmod 644 /var/lib/rspamd/dmarc_reports_last_sent"`
3. Restart rspamd container:
`docker-compose restart rspamd-mailcow`
2. Create `docker-compose.override.yml` or merge with your existing one:
```
version: '2.1'
## Disable DMARC Reports
To disable reporting set `send_reports` to `false` and restart rspamd container
services:
rspamd-mailcow:
environment:
- MASTER=${MASTER:-y}
labels:
ofelia.enabled: "true"
ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@every 24h"
ofelia.job-exec.rspamd_dmarc_reporting.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/bin/rspamadm dmarc_report > /var/lib/rspamd/dmarc_reports_last_log 2>&1 || exit 0\""
ofelia-mailcow:
depends_on:
- rspamd-mailcow
```
3. Run `docker-compose up -d`
## Send a copy reports to yourself
To get copy of own generated reports you can add `additional_address = "noreply-dmarc@pnnsoft.com";` in `report_settings` section.
To recieve a hidden copy of reports generated by Rspamd you can set a list of comma-separated emails via `bcc_addrs = ["noreply-dmarc@example.com","parsedmarc@example.com"];` in `reporting` section.
Rspamd will load changes in runtime, no need to restart it.
This useful in case:
- you want to check that your DMARC Reports send correctly, e.g.: check that they signed by DKIM, etc.
- you want to analyze own reports to get statics data, f.e: use with ParseDMARC or other analytic system
**Important:**
## Troubleshooting
You can check:
1. Run `docker-compose exec rspamd-mailcow ls -lah /var/lib/rspamd/dmarc_reports_last_log` to check when file was been modified last time
2. Do `docker-compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log` to check last report output
3. Manually trigger sending of DMARC reports via `rspamd-mailcow rspamadm dmarc_report` and check the output
4. Validate that Rspamd has recorded data in Redis via `docker-compose exec redis-mailcow redis-cli KEYS 'dmarc;*'` and then run `docker-compose exec redis-mailcow redis-cli HGETALL "dmarc;example.com;date"`
Future `additional_address_bcc` is broken, lead to not sending reports to `additional_address` even while it `false`.
Do not add this option to `dmarc.conf` till bug https://github.com/rspamd/rspamd/issues/3465 will be resolved and fixed version will be used in mailcow.
## Change DMARC Reporting Frequency
In the example above reports are send once a 24 hours. To change this behaviour:
1. Adjust `ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@every 24h"` to desired value in `docker-compose.override.yml`
2. Run `docker-compose up -d`
3. Run `docker-compose restart ofelia-mailcow`
## DMARC Force actions
This module also allows to enable force actions based on sender DMARC policy to reject or quarantine emails which has failed policy.
This good from security point, but it can lead of rejecting of forwarded email and not allow whitelist broken senders. Better **avoid** using this option.
If you still want to enable it, add to end of `data/conf/rspamd/local.d/dmarc.conf`:
```
actions {
quarantine = "add_header";
reject = "reject";
}
```
## Disable DMARC Reporting
To disable reporting:
1. Set `enabled` to `false` in `data/conf/rspamd/local.d/dmarc.conf`
2. Revert changes done to `docker-compose.override.yml`
3. Run `docker-compose up -d`
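Review bot: in the `ofelia.job-exec.rspamd_dmarc_reporting.command` label, the trailing `|| exit 0` covers `/usr/bin/rspamadm dmarc_report` as well as the `[[ $${MASTER} == y ]]` test, so a failed report run still exits 0 and the only trace of it is whatever landed in `/var/lib/rspamd/dmarc_reports_last_log`. Consider inverting the guard, `[[ $${MASTER} != y ]] || /usr/bin/rspamadm dmarc_report > /var/lib/rspamd/dmarc_reports_last_log 2>&1`, so that non-master nodes still exit cleanly while a real failure reaches the ofelia job status. Separately, Troubleshooting step 3 gives the command as `rspamd-mailcow rspamadm dmarc_report` without the `docker-compose exec` prefix that steps 1, 2 and 4 use, so it cannot be pasted as written. Step 4 uses `redis-cli KEYS 'dmarc;*'`, which scans the whole keyspace in one blocking call; `redis-cli --scan --pattern 'dmarc;*'` returns the same keys incrementally. Spelling: "bellow" in the first Important item and "recieve" in the report-copy section.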