Building opendmarc for Debian Jessie

I have been using Skelleton‘s guide1 to setup opendmarc on some mail server I am building.

My problem is the version of opendmarc that comes with Debian is 1.3.0 and this version has a bug2 which fails to honor the IgnoreAuthenticatedClients directive.

This is an attempt to build3 the newest version, 1.3.1, for Debian jessie.

Prepare the environment

  • Install all necessary packages:
    $ sudo apt -y install pbuilder debootstrap devscripts packaging-dev debian-keyring
  • Prepare a Debian jessie build environment:
    $ sudo pbuilder create --debootstrapopts --variant=buildd --mirror --distribution jessie --architecture amd64 --components main --debbuildopts -mJohn Doe \<john\>

Prepare the Debian environment for opendmarc 1.3.1

  • Download and extract the package:
    $ wget
    $ tar xvzf opendmarc-1.3.1.tar.gz
    $ cd opendmarc-1.3.1/
  • Prepare for Debian packaging:
    $ DEBFULLNAME="John Doe" DEBEMAIL="" dh_make -s -y --createorig
    • Rename the debian folder:
      $ mv debian debian.orig
  • Shamelessly copy *debian/** from the original:
    $ cd /tmp/
    $ apt-get source opendmarc
    $ cd opendmarc-1.3.1+dfsg/
    $ cp -a debian/ ~/opendmarc-1.3.1
  • Optional steps:
    • Change the Author name to yours in debian/control
    • Restore the debian/changelog file:

      $ cp debian.orig/changelog debian/

    • Get rid of the debian.orig folder:
      $ mv debian.orig/ ..
    • Edit the debian/changelog file with dch -e:
      opendmarc (1.3.1-1) unstable; urgency=medium<br />
        * Initial release: To fix the IgnoreAuthenticatedClients issue:

       -- John Doe </john><john>  Fri, 29 Apr 2016 13:43:22 +0300

Build opendmarc 1.3.1

  • Run pdebuild:
    $ pdebuild
  • You cab find the resultant debs under /var/cache/pbuilder/result/:
    $ ls -la /var/cache/pbuilder/result/
    total 868
    drwxr-xr-x 2 root      root        4096 Απρ  29 13:54 .
    drwxr-xr-x 8 root      root        4096 Απρ  29 12:56 ..
    -rw-r--r-- 1 theodotos theodotos  38534 Απρ  29 13:54 libopendmarc2_1.3.1-1_amd64.deb
    -rw-r--r-- 1 theodotos theodotos  64210 Απρ  29 13:54 libopendmarc-dev_1.3.1-1_amd64.deb
    -rw-r--r-- 1 theodotos theodotos   2348 Απρ  29 13:54 opendmarc_1.3.1-1_amd64.changes
    -rw-r--r-- 1 theodotos theodotos  75890 Απρ  29 13:54 opendmarc_1.3.1-1_amd64.deb
    -rw-rw-r-- 1 theodotos theodotos    846 Απρ  29 13:54 opendmarc_1.3.1-1.dsc
    -rw-r--r-- 1 theodotos theodotos 663859 Απρ  29 13:54 opendmarc_1.3.1-1.tar.gz
    -rw-r--r-- 1 theodotos theodotos  17136 Απρ  29 13:54 rddmarc_1.3.1-1_all.deb

You can now copy the debs over your mail server and test them.

Update: I did this before I had discovered that opendmarc 1.3.1 is in Debian jessie backports4. But an interesting drill nevertheless.


  1. ↩︎
  2. ↩︎
  3. ↩︎
  4.</john> ↩︎

Installing a Simple ORCID Authentication Node

These are the instructions for installing an ORCID1 authentication node. We will be using the simple-orcid-auth-node2 developed by the ORCID organization.


  • An Ubuntu 16.04 server machine but works on 14.04x with some minor changes.
  • A FQDN, let’s say
  • Server IP is in our case.
  • Create an orcid user: sudo useradd -r -m -d /var/www/html/orcid orcid.
  • For Ubuntu 14.04 it is better to use /var/www/orcid instead of /var/www/html/orcid.
  • Also use service servicename restart on 14.04.x instead of systemctl restart service.

Installing simple-orcid-auth-node

  • Install necessary packages (as a privileged user):
    $ sudo apt -y install nginx nodejs npm

    NOTE: If you are using Ubuntu 14.04.x do not install the node package. This package is completely unrelated with nodejs.__3

  • Download and extract simple-orcid-auth-node (as the orcid user):

    sudo su - orcid
    tar xvzf master.tar.gz

  • Install the application:
    $ cd simple-orcid-auth-node-master/
    $ npm install
  • Test run the application (as the orcid user):
    $ nodejs client-app.js
    server started on 8000

    Looks OK. Now point your Hit CTRL^C and move on.

    NOTE: If you prefer using the legacy node client-app.js invocation, you need to install the nodejs-legacy package as well.

Setting ORCID as an autostart service

  • Autostart using systemd4 (Ubuntu 16.04):

    • Create the /etc/systemd/system/orcid.service service definition (as the root user):
      $ cat > /etc/systemd/system/orcid.service < < EOF
      ExecStart=/usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js
    • Reload systemd and start the service:
      $ sudo systemctl daemon-reload
      $ sudo systemctl start orcid.service
    • Verify that the service is started:
      $ sudo systemctl status orcid.service
      ● orcid.service
      Loaded: loaded (/etc/systemd/system/orcid.service; disabled; vendor preset: enabled)
      Active: active (running) since Wed 2016-04-27 09:00:16 UTC; 37s ago
      Main PID: 11141 (nodejs)
      Tasks: 5 (limit: 512)
      Memory: 24.1M
      CPU: 268ms
      CGroup: /system.slice/orcid.service
         └─11141 /usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js
      Apr 27 09:00:16 orcid systemd[1]: Started orcid.service.
      Apr 27 09:00:16 orcid orcid[11141]: server started on 8000
  • Autostart using sysv-init (Ubuntu 14.04.x):
    • Prepare a sysv-init startup script or use mine for convinience:
      $ cd /etc/init.d
      $ wget
      $ chmod +x orcid
      $ update-rc.d orcid enable
      $ update-rc.d orcid defaults

    Now orcid should be able to autostart after a reboot.

Setting up nginx

  • Prepare this configuration:

    $ cat > /etc/nginx/sites-available/orcid < < EOF
    server {
        listen 80;
        listen [::]:80 ipv6only=on;
        access_log  /var/log/nginx/orcid.access.log;
        error_log /var/log/nginx/orcid.error.log;
        location / {
            proxy_pass http://localhost:8000/;
            proxy_set_header Host \$host;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;

  • Enable the orcid site:
    $ cd /etc/nginx/sites-enabled/
    $ sudo ln -s /etc/nginx/sites-available/orcid
  • Uncomment the following line in /etc/nginx/nginx.conf5:
        server_names_hash_bucket_size 64;
  • Restart nginx:
    $ sudo systemctl restart nginx.service
  • Verify nginx with sudo systemctl status nginx.service

Now you can visit the site and test your setup

Going to production

The default simple-orcid-auth-node is using the sandbox ORCID service which is ideal for testing. This is how the configuration file (helpers/config.js) looks like:

module.exports = config = {
  // Config for OAuth2 
  CLIENT_SECRET: '0eafb938-020e-45a6-a148-3c222171d9d8',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '',

This setup will not work in production. You have to modify the CLIENT_ID and CLIENT_SECRET variables with your own credentials and change the AUTHORIZE_URI and TOKEN_EXCHANGE_URI to point to the production ORCID services:

module.exports = config = {
  // Config for OAuth2 
  CLIENT_SECRET: '56d4eb21-6622-8483-3422-f53f3fs53sfs35f',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '',

Restart nginx and orcid when done:

$ sudo systemctl restart nginx.service orcid.service


  1. ↩︎
  2. ↩︎
  3. ↩︎
  4. ↩︎
  5.</service> ↩︎