April 2016 – Mouflons and Penguins

I have been using Skelleton‘s guide¹ to setup opendmarc on some mail server I am building.

My problem is the version of opendmarc that comes with Debian is 1.3.0 and this version has a bug² which fails to honor the IgnoreAuthenticatedClients directive.

This is an attempt to build³ the newest version, 1.3.1, for Debian jessie.

Prepare the environment

Install all necessary packages:

$ sudo apt -y install pbuilder debootstrap devscripts packaging-dev debian-keyring

Prepare a Debian jessie build environment:

$ sudo pbuilder create --debootstrapopts --variant=buildd --mirror http://ftp.us.debian.org/debian/ --distribution jessie --architecture amd64 --components main --debbuildopts -mJohn Doe \<john .doe@example.net\>

Prepare the Debian environment for opendmarc 1.3.1

Download and extract the package:

$ wget http://downloads.sourceforge.net/project/opendmarc/opendmarc-1.3.1.tar.gz
$ tar xvzf opendmarc-1.3.1.tar.gz
$ cd opendmarc-1.3.1/

Prepare for Debian packaging:

$ DEBFULLNAME="John Doe" DEBEMAIL="john.doe@example.net" dh_make -s -y --createorig

Rename the debian folder:
```
$ mv debian debian.orig
```

Shamelessly copy *debian/** from the original:

$ cd /tmp/
$ apt-get source opendmarc
$ cd opendmarc-1.3.1+dfsg/
$ cp -a debian/ ~/opendmarc-1.3.1

Optional steps:

Change the Author name to yours in debian/control
Restore the debian/changelog file:
```
$ cp debian.orig/changelog debian/
```
Get rid of the debian.orig folder:
```
$ mv debian.orig/ ..
```

Edit the debian/changelog file with dch -e:

opendmarc (1.3.1-1) unstable; urgency=medium<br />
  * Initial release: To fix the IgnoreAuthenticatedClients issue:
    http://www.trusteddomain.org/pipermail/opendmarc-users/2016-April/000636.html
 -- John Doe </john><john .doe@example.net>  Fri, 29 Apr 2016 13:43:22 +0300

Build opendmarc 1.3.1

Run pdebuild:
```
$ pdebuild
```

You cab find the resultant debs under /var/cache/pbuilder/result/:

$ ls -la /var/cache/pbuilder/result/
total 868
drwxr-xr-x 2 root      root        4096 Απρ  29 13:54 .
drwxr-xr-x 8 root      root        4096 Απρ  29 12:56 ..
-rw-r--r-- 1 theodotos theodotos  38534 Απρ  29 13:54 libopendmarc2_1.3.1-1_amd64.deb
-rw-r--r-- 1 theodotos theodotos  64210 Απρ  29 13:54 libopendmarc-dev_1.3.1-1_amd64.deb
-rw-r--r-- 1 theodotos theodotos   2348 Απρ  29 13:54 opendmarc_1.3.1-1_amd64.changes
-rw-r--r-- 1 theodotos theodotos  75890 Απρ  29 13:54 opendmarc_1.3.1-1_amd64.deb
-rw-rw-r-- 1 theodotos theodotos    846 Απρ  29 13:54 opendmarc_1.3.1-1.dsc
-rw-r--r-- 1 theodotos theodotos 663859 Απρ  29 13:54 opendmarc_1.3.1-1.tar.gz
-rw-r--r-- 1 theodotos theodotos  17136 Απρ  29 13:54 rddmarc_1.3.1-1_all.deb

You can now copy the debs over your mail server and test them.

Update: I did this before I had discovered that opendmarc 1.3.1 is in Debian jessie backports⁴. But an interesting drill nevertheless.

References

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/ ↩︎
http://www.trusteddomain.org/pipermail/opendmarc-users/2016-April/000636.html ↩︎
http://www.theo-andreou.org/?p=1145 ↩︎
http://www.trusteddomain.org/pipermail/opendmarc-users/2016-April/000641.html</john> ↩︎

These are the instructions for installing an ORCID¹ authentication node. We will be using the simple-orcid-auth-node² developed by the ORCID organization.

Assumptions

An Ubuntu 16.04 server machine but works on 14.04x with some minor changes.
A FQDN, let’s say orcid.example.com.
Server IP is 10.2.2.2 in our case.
Create an orcid user: sudo useradd -r -m -d /var/www/html/orcid orcid.
For Ubuntu 14.04 it is better to use /var/www/orcid instead of /var/www/html/orcid.
Also use service servicename restart on 14.04.x instead of systemctl restart service.

Installing simple-orcid-auth-node

Install necessary packages (as a privileged user):
```
$ sudo apt -y install nginx nodejs npm
```
NOTE: If you are using Ubuntu 14.04.x do not install the node package. This package is completely unrelated with nodejs.__³

Download and extract simple-orcid-auth-node (as the orcid user):

sudo su - orcid
wget https://github.com/rcpeters/simple-orcid-auth-node/archive/master.tar.gz
tar xvzf master.tar.gz

Install the application:

$ cd simple-orcid-auth-node-master/
$ npm install

Test run the application (as the orcid user):
```
$ nodejs client-app.js
server started on 8000
```
Looks OK. Now point your Hit CTRL^C and move on.

NOTE: If you prefer using the legacy node client-app.js invocation, you need to install the nodejs-legacy package as well.

Setting ORCID as an autostart service

Autostart using systemd⁴ (Ubuntu 16.04):

Create the /etc/systemd/system/orcid.service service definition (as the root user):

$ cat > /etc/systemd/system/orcid.service < < EOF
[Service]
ExecStart=/usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js
WorkingDirectory=/var/www/html/orcid/simple-orcid-auth-node-master
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=orcid
User=orcid
Group=orcid
Environment=NODE_ENV=production
[Install]
WantedBy=multi-user.target
EOF

Reload systemd and start the service:

$ sudo systemctl daemon-reload
$ sudo systemctl start orcid.service

Verify that the service is started:

$ sudo systemctl status orcid.service
● orcid.service
Loaded: loaded (/etc/systemd/system/orcid.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2016-04-27 09:00:16 UTC; 37s ago
Main PID: 11141 (nodejs)
Tasks: 5 (limit: 512)
Memory: 24.1M
CPU: 268ms
CGroup: /system.slice/orcid.service
   └─11141 /usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js
Apr 27 09:00:16 orcid systemd[1]: Started orcid.service.
Apr 27 09:00:16 orcid orcid[11141]: server started on 8000

Autostart using sysv-init (Ubuntu 14.04.x):

Prepare a sysv-init startup script or use mine for convinience:

$ cd /etc/init.d
$ wget https://raw.githubusercontent.com/theodotos/arena/master/orcid
$ chmod +x orcid
$ update-rc.d orcid enable
$ update-rc.d orcid defaults

Now orcid should be able to autostart after a reboot.

Setting up nginx

Prepare this configuration:

$ cat > /etc/nginx/sites-available/orcid < < EOF
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name orcid.example.com;
    access_log  /var/log/nginx/orcid.access.log;
    error_log /var/log/nginx/orcid.error.log;
    location / {
        proxy_pass http://localhost:8000/;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF

Enable the orcid site:

$ cd /etc/nginx/sites-enabled/
$ sudo ln -s /etc/nginx/sites-available/orcid

Uncomment the following line in /etc/nginx/nginx.conf⁵:
```
    server_names_hash_bucket_size 64;
```
Restart nginx:
```
$ sudo systemctl restart nginx.service
```
Verify nginx with sudo systemctl status nginx.service

Now you can visit the http://orcid.example.com site and test your setup

Going to production

The default simple-orcid-auth-node is using the sandbox ORCID service which is ideal for testing. This is how the configuration file (helpers/config.js) looks like:

module.exports = config = {
  // Config for OAuth2 
  CLIENT_ID: 'APP-O9TUKAPVLALU1SOJ',
  CLIENT_SECRET: '0eafb938-020e-45a6-a148-3c222171d9d8',
  AUTHORIZE_URI: 'https://sandbox.orcid.org/oauth/authorize',
  TOKEN_EXCHANGE_URI: 'https://api.sandbox.orcid.org/oauth/token',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '127.0.0.1',
}
...

This setup will not work in production. You have to modify the CLIENT_ID and CLIENT_SECRET variables with your own credentials and change the AUTHORIZE_URI and TOKEN_EXCHANGE_URI to point to the production ORCID services:

module.exports = config = {
  // Config for OAuth2 
  CLIENT_ID: 'APP-HSGSHJS335353GSGSG',
  CLIENT_SECRET: '56d4eb21-6622-8483-3422-f53f3fs53sfs35f',
  AUTHORIZE_URI: 'https://orcid.org/oauth/authorize',
  TOKEN_EXCHANGE_URI: 'https://api.orcid.org/oauth/token',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '127.0.0.1',
}
...

Restart nginx and orcid when done:

$ sudo systemctl restart nginx.service orcid.service

References

https://en.wikipedia.org/wiki/ORCID ↩︎
https://github.com/ORCID/simple-orcid-auth-node ↩︎
https://github.com/ORCID/simple-orcid-auth-node/issues/3 ↩︎
https://www.digitalocean.com/community/tutorials/how-to-deploy-node-js-applications-using-systemd-and-nginx ↩︎
http://charles.lescampeurs.org/2008/11/14/fix-nginx-increase-server_names_hash_bucket_size</service> ↩︎