Fix errors handling DKIM signatures and DMARC proofs.

install_opendmarc.sh

@@ -3,6 +3,7 @@
 clear
 echo -e "\n   \033[32mStart Installation of OpenDMARC..\033[m"
 
+overwrite_config_files=true
 
 
 # -------------
@@ -23,13 +24,15 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
 opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
 
 config_file_name_value_parameters="
-   AuthservID|DMARC check $(hostname -f)
+   AuthservID|$(hostname -f)
+   TrustedAuthservIDs|$(hostname -f)
    PidFile|/run/opendmarc/opendmarc.pid
    RejectFailures|true
    Syslog|true
    SyslogFacility|mail
    TrustedAuthservIDs|$(hostname -f)
-   IgnoreHosts|/etc/opendmarc/ignore.hosts
+   IgnoreHosts|${opendmarc_base_dir}/ignore.hosts
+   IgnoreMailFrom|${opendmarc_base_dir}/ignore.mailfrom
    IgnoreAuthenticatedClients|true
    RequiredHeaders|false
    UMask|002
@@ -194,6 +197,9 @@ if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
 ## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
 #
 IgnoreHosts 127.0.0.1
+
+# Optional - auch nach Absender-Domain ignorieren:
+IgnoreMailFrom ${opendmarc_base_dir}/ignore.mailfrom
 EOF
    if [[ $? -eq 0 ]] ; then
       echo_ok
@@ -213,7 +219,7 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
    cat << EOF >> ${opendmarc_conf_file}
 
-## If set, causes mail from authenticated clients (i.e., those that used 
+## If set, causes mail from authenticated clients (i.e., those that used
 ## SMTP AUTH) to be ignored by the filter. The default is "false".
 #
 IgnoreAuthenticatedClients false
@@ -229,6 +235,33 @@ else
 fi
 
 
+# - Add 'TrustedAuthservIDs' with default value to the original opendmarc.conf file
+#
+_param="TrustedAuthservIDs"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+# Provides a list of authserv-ids that are to be used to identify Authentication-Results
+# header fields whose contents are to be assumed as valid input for the DMARC assessment.
+# To provide a list, separate values by commas. If the string "HOSTNAME" is provided,
+# the name of the host running the filter (as returned by the gethostname(3) function)
+# will be used. Matching against this list is case-insensitive. The default is to use the
+# value of AuthservID.
+#
+TrustedAuthservIDs OpenDMARC
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
 # - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
 #
 _param="IgnoreAuthenticatedClients"
@@ -259,9 +292,9 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
    cat << EOF >> ${opendmarc_conf_file}
 
-## If set, the filter will ensure the header of the message conforms to the basic 
-## header field count restrictions laid out in RFC5322, Section 3.6. Messages 
-## failing this test are rejected without further processing. A From: field from 
+## If set, the filter will ensure the header of the message conforms to the basic
+## header field count restrictions laid out in RFC5322, Section 3.6. Messages
+## failing this test are rejected without further processing. A From: field from
 ## which no domain name could be extracted will also be rejected.
 #
 RequiredHeaders false
@@ -445,8 +478,8 @@ else
 fi
 
 
-# - Create the directories to hold opendmarc's data files, assign 
-# - ownership to the opendmarc user, and restrict the file 
+# - Create the directories to hold opendmarc's data files, assign
+# - ownership to the opendmarc user, and restrict the file
 # - permissions:
 # -
 echononl "   Create directory '$opendmarc_base_dir'"
@@ -472,6 +505,18 @@ else
 fi
 
 
+echononl "   Backup existing file '${opendmarc_base_dir}/ignore.hosts'.."
+if [[ -f "${opendmarc_base_dir}/ignore.hosts" ]] ; then
+   mv "${opendmarc_base_dir}/ignore.hosts" "${opendmarc_base_dir}/ignore.hosts.${backup_date}"
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
 
 # - Create the file ${opendmarc_base_dir}/ignore.hosts
 # -
@@ -480,11 +525,49 @@ if [[ -f "${opendmarc_base_dir}/ignore.hosts" ]] ; then
    echo_skipped
 else
    cat <<EOF > ${opendmarc_base_dir}/ignore.hosts 2> $log_file
-# We are using AmaViS at 'localhost 127.0.0.1 . So we cannot bypass them
+# /etc/opendmarc/ignore.hosts
 #
-# 127.0.0.1
-# localhost
-$(hostname -f)
+# Diese Datei wird aktuell NICHT genutzt, da OpenDMARC
+# auf localhost:10025 arbeitet und dort immer nur
+# 127.0.0.1/::1 als Client-IP sieht.
+
+# Bitte KEINE Einträge hinzufügen.
+EOF
+   opendmarc_needs_restart=true
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+fi
+
+
+# - Create the file ${opendmarc_base_dir}/ignore.hosts
+# -
+
+echononl "   Backup existing file '${opendmarc_base_dir}/ignore.mailfrom'.."
+if [[ -f "${opendmarc_base_dir}/ignore.mailfrom" ]] ; then
+   mv "${opendmarc_base_dir}/ignore.mailfrom" "${opendmarc_base_dir}/ignore.mailfrom.${backup_date}"
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+echononl "   Create file '${opendmarc_base_dir}/ignore.mailfrom'.."
+if [[ -f "${opendmarc_base_dir}/ignore.mailfrom" ]] ; then
+   echo_skipped
+else
+   cat <<EOF > ${opendmarc_base_dir}/ignore.mailfrom 2> $log_file
+# /etc/opendmarc/ignore.mailfrom
+#
+# Wird derzeit nicht genutzt.
+# Keine Einträge hinzufügen.
 EOF
    opendmarc_needs_restart=true
    if [[ $? -eq 0 ]] ; then
@@ -529,7 +612,7 @@ EOF
 fi
 
 
-# - Create the opendmarc socket directory in Postfix’s work area 
+# - Create the opendmarc socket directory in Postfix’s work area
 # - and make sure it has the correct ownership:
 # -
 echononl "   Create the opendmarc socket directory in Postfix's work area.."
@@ -555,7 +638,7 @@ else
 fi
 
 
-# - Edit /etc/postfix/main.cf and add a section to activate 
+# - Edit /etc/postfix/main.cf and add a section to activate
 # - processing of e-mail through the opendmarc daemon:
 # -
 echononl "   Backup existing postfix configuration (main.cf).."
@@ -591,15 +674,15 @@ fi
 # - Prevent Postfix from setting the DMARC Header twice (one befor
 # - and one after processing amavis
 # -
-# - To disable milter processing after amavis, add to your master.cf in 
+# - To disable milter processing after amavis, add to your master.cf in
 # - the after-amavis section:
 # -    127.0.0.1:10025 inet    n       -       -       -       -       smtpd
 # -       [...]
 # -       -o smtpd_milters=
 # -
 # - If you want to run the milter after amavis, set in main.cf
-# -    smtpd_milters= 
-# - to an empty string and add the smtpd_milters configuration to master.cf 
+# -    smtpd_milters=
+# - to an empty string and add the smtpd_milters configuration to master.cf
 # - (after-section amavis) instead:
 # -    -o smtpd_milters=local:/opendmarc/opendmarc.sock
 # -
@@ -648,7 +731,7 @@ else
 fi
 
 # - Restart opendmarc
-# - 
+# -
 echononl "   Restart opendmarc.."
 if $opendmarc_needs_restart ; then
    if $SYSTEMD_EXISTS ; then