Re: [exim-dev] Exim support for OpenDMARC

Author: Todd Lyons
To: exim-dev
Subject: Re: [exim-dev] Exim support for OpenDMARC
On Fri, Feb 8, 2013 at 5:50 PM, Todd Lyons <tlyons@???> wrote:
> I have finished coding up my first draft of DMARC support into Exim
> using libopendmarc. It also logs the results to a (text) file such
> that the OpenDMARC support tools can import the logged statistics and
> send DMARC reports to senders (who have a DMARC record that requests
> it). It is merged with current HEAD on master.
>
> http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/odk_build
>
> I have it running on a test system in order to test PRDR. But I am
> going to also put this on one of my live servers (without PRDR) to see
> if the DMARC works ok, logs ok, etc.
So far no problems. I'm getting close to merging this into master.
It's protected by EXPERIMENTAL_DMARC so nothing behavior-wise should
change in the resulting binary unless the builder explicitly
configures it.

> It does not send DMARC forensic reports. It is planned as a future addition.
I am nearing completion of this feature. I do have two behavioral
questions, please provide feedback:

1. In the opendmarc milter, by default it does not log results to a
"statistics" file (which would be used to import into a database for
sending aggregate reports). I currently have it set to log these
results iff the global setting dmarc_history_file is defined in the
config. If exim is being built with DMARC and configures nothing, the
basic result is that nothing will get done. If exim is built with
DMARC and at least one "dmarc = pass|quarantine|reject|none" is in the
ACL, a DMARC entry will get logged in the logfiles, but it won't do
anything beyond that. If the dmarc_history_file is defined, exim logs
aggregate data and the sysadmin is expected to run the opendmarc
support tools to import and manage the data, and truncate the
statistics file. There is a "control = dmarc_disable_verify" that
will skip dmarc checking completely, which will also skip the
statistics logging.

Question: Should statistics logging be enabled by default to a default
statistics file? Downside is that a busy system can end up with a
large growing file in the exim spool directory and the novice sysadmin
may not know about it. If it grows large enough it could
theoretically fill a file system and impact mail delivery (would have
to be ignored for a long time though).

2. In the opendmarc milter, by default it does not send forensic
(failure) reports when an incoming email fails dmarc alignment and the
domain's dmarc record specifies an email address to send these
forensic reports. If exim is being built with DMARC and configured
for DMARC checking, and an incoming email fails alignment, exim will
send a forensic report. Exim will not send forensic reports if
"control = dmarc_disable_verify" or "control = dmarc_disable_forensic"
is set.

Question: Is it better to enable sending only if there is a control
setting explicitly enabling it? Meaning I would need to invert the
control setting such as "control = dmarc_enable_forensic"?

Any other comments or suggestions are welcome.

> Documentation of the settings is non-existent. I will try to get that
> done tonight or tomorrow.
There is some documentation, but not covering everything I've added.
I will ruminate and add more before the final merge.

I still have to do a lot of testing of builds and behavior with and
without various features enabled:
EXPERIMENTAL_SPF
DISABLE_DKIM
EXPERIMENTAL_DMARC

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
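As an added illustration, not Todd's code and not taken from the Exim branch, here is how the three levels of behaviour described in the message (nothing configured, a "dmarc =" ACL condition only, dmarc_history_file defined) and the two controls would sit in an Exim configuration. The file path, host address, header name and message text are assumptions, and the "dmarc =" condition syntax is used as the message describes it rather than checked against the branch.

```exim
# Local/Makefile (build time): nothing below takes effect without this.
EXPERIMENTAL_DMARC=yes

# --- main configuration section ---
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

# Level 3 from the message: once this is defined, exim appends aggregate
# results here and the admin must run the OpenDMARC import tools and
# truncate the file. Path is an assumption; because it lives on the spool
# file system, its growth on a busy host should be monitored.
dmarc_history_file = /var/spool/exim/dmarc_history.dat

begin acl

acl_check_rcpt:
  # Controls must be set before the DATA ACL evaluates the DMARC check.
  # A trusted internal relay (address is an assumption): skip DMARC
  # entirely, which per the message also skips statistics logging.
  warn  hosts   = 192.0.2.10
        control = dmarc_disable_verify

  # Still verify and log, but never send forensic (failure) reports,
  # which would carry message content to the sender's domain.
  warn  control = dmarc_disable_forensic

  accept

acl_check_data:
  # Level 2 from the message: the presence of a "dmarc =" condition is
  # what makes exim run the check and write a DMARC line to the main log.
  deny  dmarc    = reject
        message  = Message fails the sender domain's DMARC policy (reject)
        logwrite = DMARC policy says reject; message refused

  warn  dmarc      = quarantine
        add_header = X-DMARC-Result: quarantine
        logwrite   = DMARC policy says quarantine; message tagged

  warn  dmarc    = none
        logwrite = DMARC policy none; monitoring only

  accept
```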