I have been using [Skelleton](https://www.skelleton.net)’s guide[^guide] to set up [opendmarc](http://www.trusteddomain.org/opendmarc/) on some mail server I am building.

My problem is the version of opendmarc that comes with Debian is 1.3.0 and this version has a bug[^list] which fails to honor the *IgnoreAuthenticatedClients* directive.

This is an attempt to build[^build] the newest version, 1.3.1, for Debian jessie.

### Prepare the environment

* Install all necessary packages:

```
$ sudo apt -y install pbuilder debootstrap devscripts packaging-dev debian-keyring
```

* Prepare a Debian jessie build environment:

```
$ sudo pbuilder create --debootstrapopts --variant=buildd --mirror http://ftp.us.debian.org/debian/ --distribution jessie --architecture amd64 --components main --debbuildopts "-mJohn Doe <john.doe@example.net>"
```

### Prepare the Debian environment for *opendmarc* 1.3.1

* Download and extract the package:

```
$ wget http://downloads.sourceforge.net/project/opendmarc/opendmarc-1.3.1.tar.gz
$ tar xvzf opendmarc-1.3.1.tar.gz
$ cd opendmarc-1.3.1/
```

* Prepare for Debian packaging:

```
$ DEBFULLNAME="John Doe" DEBEMAIL="john.doe@example.net" dh_make -s -y --createorig
```

* Rename the *debian* folder:

```
$ mv debian debian.orig
```

* Shamelessly copy `debian/*` from the original:

```
$ cd /tmp/
$ apt-get source opendmarc
$ cd opendmarc-1.3.1+dfsg/
$ cp -a debian/ ~/opendmarc-1.3.1
```

* Optional steps:

* Change the Author name to yours in *debian/control*

* Restore the *debian/changelog* file:

```
$ cp debian.orig/changelog debian/
```

* Get rid of the *debian.orig* folder:

```
$ mv debian.orig/ ..
```

* Edit the *debian/changelog* file with `dch -e`:

```
opendmarc (1.3.1-1) unstable; urgency=medium

  * Initial release: To fix the IgnoreAuthenticatedClients issue:
    http://www.trusteddomain.org/pipermail/opendmarc-users/2016-April/000636.html

 -- John Doe <john.doe@example.net>  Fri, 29 Apr 2016 13:43:22 +0300
```

### Build *opendmarc* 1.3.1

* Run *pdebuild*:

```
$ pdebuild
```

* You can find the resultant debs under */var/cache/pbuilder/result/*:

```
$ ls -la /var/cache/pbuilder/result/
total 868
drwxr-xr-x 2 root root 4096 Απρ 29 13:54 .
drwxr-xr-x 8 root root 4096 Απρ 29 12:56 ..
-rw-r--r-- 1 theodotos theodotos 38534 Απρ 29 13:54 libopendmarc2_1.3.1-1_amd64.deb
-rw-r--r-- 1 theodotos theodotos 64210 Απρ 29 13:54 libopendmarc-dev_1.3.1-1_amd64.deb
-rw-r--r-- 1 theodotos theodotos 2348 Απρ 29 13:54 opendmarc_1.3.1-1_amd64.changes
-rw-r--r-- 1 theodotos theodotos 75890 Απρ 29 13:54 opendmarc_1.3.1-1_amd64.deb
-rw-rw-r-- 1 theodotos theodotos 846 Απρ 29 13:54 opendmarc_1.3.1-1.dsc
-rw-r--r-- 1 theodotos theodotos 663859 Απρ 29 13:54 opendmarc_1.3.1-1.tar.gz
-rw-r--r-- 1 theodotos theodotos 17136 Απρ 29 13:54 rddmarc_1.3.1-1_all.deb
```

You can now copy the debs over to your mail server and test them.
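The *.changes* file in the result directory records a SHA-256 for each build artifact, so the copies on the mail server can be checked against it before they are installed. The function below is an added example, not part of the original post; the name `verify_changes` is hypothetical, and it assumes `awk` and `sha256sum` are available and that the *.changes* file sits next to the files it lists.

```shell
#!/bin/sh
# Added example (hypothetical helper): verify every file listed in a Debian
# .changes file against its Checksums-Sha256 entry.
# Returns 0 if all files match, 1 on a mismatch or missing file, 2 if the
# .changes file has no Checksums-Sha256 stanza.
verify_changes() {
    changes=$1
    dir=$(dirname "$changes")
    # Stanza lines look like " <sha256> <size> <filename>"; the stanza ends
    # at the next line that does not start with a space.
    entries=$(awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        /^[^ ]/              { in_stanza = 0 }
        in_stanza && NF == 3 { print $1, $3 }
    ' "$changes")
    if [ -z "$entries" ]; then
        echo "no Checksums-Sha256 stanza in $changes" >&2
        return 2
    fi
    rc=0
    while read -r want name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done <<EOF
$entries
EOF
    return "$rc"
}

# Usage: sh verify_changes.sh /path/to/opendmarc_1.3.1-1_amd64.changes
if [ "$#" -gt 0 ]; then verify_changes "$1"; fi
```
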

__Update: I did this before I had discovered that opendmarc 1.3.1 is in Debian jessie backports[^backports]. But an interesting drill nevertheless.__

References
----------
[^guide]: https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
[^list]: http://www.trusteddomain.org/pipermail/opendmarc-users/2016-April/000636.html
[^build]: http://www.theo-andreou.org/?p=1145
[^backports]: http://www.trusteddomain.org/pipermail/opendmarc-users/2016-April/000641.html

These are the instructions for installing an [ORCID](http://orcid.org/)[^orcid] authentication node. We will be using the [simple-orcid-auth-node](https://github.com/ORCID/simple-orcid-auth-node)[^soan] developed by the ORCID organization.

### Assumptions

* An Ubuntu 16.04 server machine. The guide also works on 14.04.x with some minor changes.
* A FQDN, let’s say *orcid.example.com*.
* Server IP is 10.2.2.2 in our case.
* Create an *orcid* user: `sudo useradd -r -m -d /var/www/html/orcid orcid`.
* For Ubuntu 14.04 it is better to use */var/www/orcid* instead of */var/www/html/orcid*.
* Also use `service restart` on 14.04.x instead of `systemctl restart `.

### Installing *simple-orcid-auth-node*

* Install necessary packages (as a privileged user):

```
$ sudo apt -y install nginx nodejs npm
```

__NOTE: If you are using Ubuntu 14.04.x do not install the [node](http://packages.ubuntu.com/trusty/node) package. This package is completely unrelated to [nodejs](https://nodejs.org/en/).__[^node]

* Download and extract *simple-orcid-auth-node* (as the *orcid* user):

```
sudo su - orcid
wget https://github.com/rcpeters/simple-orcid-auth-node/archive/master.tar.gz
tar xvzf master.tar.gz
```

* Install the application:

```
$ cd simple-orcid-auth-node-master/
$ npm install
```

* Test run the application (as the *orcid* user):

```
$ nodejs client-app.js
server started on 8000
```

Looks OK. Now point your Hit CTRL^C and move on.

__NOTE: If you prefer using the legacy `node client-app.js` invocation, you need to install the [nodejs-legacy](http://packages.ubuntu.com/xenial/nodejs-legacy) package as well.__

### Setting ORCID as an autostart service

* Autostart using *systemd*[^systemd] (Ubuntu 16.04):

* Create the */etc/systemd/system/orcid.service* service definition (as the *root* user):

```
$ cat > /etc/systemd/system/orcid.service << EOF
[Service]
ExecStart=/usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js
WorkingDirectory=/var/www/html/orcid/simple-orcid-auth-node-master
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=orcid
User=orcid
Group=orcid
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target
EOF
```

* Reload *systemd* and start the service:

```
$ sudo systemctl daemon-reload
$ sudo systemctl start orcid.service
```

* Verify that the service is started:

```
$ sudo systemctl status orcid.service
● orcid.service
   Loaded: loaded (/etc/systemd/system/orcid.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-04-27 09:00:16 UTC; 37s ago
 Main PID: 11141 (nodejs)
    Tasks: 5 (limit: 512)
   Memory: 24.1M
      CPU: 268ms
   CGroup: /system.slice/orcid.service
           └─11141 /usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js

Apr 27 09:00:16 orcid systemd[1]: Started orcid.service.
Apr 27 09:00:16 orcid orcid[11141]: server started on 8000
```

* Autostart using *sysv-init* (Ubuntu 14.04.x):

* Prepare a *sysv-init* startup script or use mine for convenience:

```
$ cd /etc/init.d
$ wget https://raw.githubusercontent.com/theodotos/arena/master/orcid
$ chmod +x orcid
$ update-rc.d orcid enable
$ update-rc.d orcid defaults
```

Now *orcid* should be able to autostart after a reboot.

### Setting up nginx

* Prepare this configuration:

```
$ cat > /etc/nginx/sites-available/orcid << EOF
server {
    listen 80;
    listen [::]:80 ipv6only=on;

    server_name orcid.example.com;

    access_log /var/log/nginx/orcid.access.log;
    error_log /var/log/nginx/orcid.error.log;

    location / {
        proxy_pass http://localhost:8000/;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
```

* Enable the *orcid* site:

```
$ cd /etc/nginx/sites-enabled/
$ sudo ln -s /etc/nginx/sites-available/orcid
```

* Uncomment the following line in */etc/nginx/nginx.conf*[^nginx]:

```
server_names_hash_bucket_size 64;
```

* Restart *nginx*:

```
$ sudo systemctl restart nginx.service
```

* Verify *nginx* with `sudo systemctl status nginx.service`

Now you can visit the http://orcid.example.com site and test your setup.

### Going to production

The default *simple-orcid-auth-node* uses the sandbox ORCID service, which is ideal for testing. This is what the configuration file (*helpers/config.js*) looks like:

```
module.exports = config = {
  // Config for OAuth2
  CLIENT_ID: 'APP-O9TUKAPVLALU1SOJ',
  CLIENT_SECRET: '0eafb938-020e-45a6-a148-3c222171d9d8',
  AUTHORIZE_URI: 'https://sandbox.orcid.org/oauth/authorize',
  TOKEN_EXCHANGE_URI: 'https://api.sandbox.orcid.org/oauth/token',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '127.0.0.1',
}
```

This setup will not work in production. You have to modify the **CLIENT_ID** and **CLIENT_SECRET** variables with your own credentials and change the **AUTHORIZE_URI** and **TOKEN_EXCHANGE_URI** to point to the production ORCID services:

```
module.exports = config = {
  // Config for OAuth2
  CLIENT_ID: 'APP-HSGSHJS335353GSGSG',
  CLIENT_SECRET: '56d4eb21-6622-8483-3422-f53f3fs53sfs35f',
  AUTHORIZE_URI: 'https://orcid.org/oauth/authorize',
  TOKEN_EXCHANGE_URI: 'https://api.orcid.org/oauth/token',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '127.0.0.1',
}
// ...
```

Restart *nginx* and *orcid* when done:

```
$ sudo systemctl restart nginx.service orcid.service
```
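A preflight check for the switch described above, to run before restarting the service: it reports when *helpers/config.js* still carries the sandbox endpoints or the sandbox credentials shown earlier. This is an added example, not code from the original post or from simple-orcid-auth-node; the function names are hypothetical, and the world-readable test is an extra assumption about how a file holding **CLIENT_SECRET** should be protected.

```shell
#!/bin/sh
# Added example (hypothetical helpers): preflight check for helpers/config.js.

# Print the quoted value of KEY ($2) from a "KEY: 'value'," line in file $1.
cfg_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*['\"]\\([^'\"]*\\)['\"].*/\\1/p" "$1" | head -n 1
}

# Print one line per problem; the return code is the number of problems found.
check_orcid_config() {
    cfg=$1
    problems=0
    flag() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    auth=$(cfg_value "$cfg" AUTHORIZE_URI)
    token=$(cfg_value "$cfg" TOKEN_EXCHANGE_URI)
    id=$(cfg_value "$cfg" CLIENT_ID)
    secret=$(cfg_value "$cfg" CLIENT_SECRET)

    # Production endpoints as given in the section above.
    [ "$auth" = "https://orcid.org/oauth/authorize" ] ||
        flag "AUTHORIZE_URI is '$auth', not the production endpoint"
    [ "$token" = "https://api.orcid.org/oauth/token" ] ||
        flag "TOKEN_EXCHANGE_URI is '$token', not the production endpoint"
    # Sandbox credentials from the default config shown above.
    [ "$id" != "APP-O9TUKAPVLALU1SOJ" ] || flag "CLIENT_ID is the sandbox default"
    [ "$secret" != "0eafb938-020e-45a6-a148-3c222171d9d8" ] ||
        flag "CLIENT_SECRET is the sandbox default"
    if [ -z "$id" ] || [ -z "$secret" ]; then
        flag "CLIENT_ID or CLIENT_SECRET is empty"
    fi
    # Assumption: the file holding the client secret should not be world-readable.
    [ -z "$(find "$cfg" -perm -004)" ] || flag "$cfg is world-readable"

    return "$problems"
}

# Usage: sh check_orcid_config.sh helpers/config.js
if [ "$#" -gt 0 ]; then check_orcid_config "$1"; fi
```
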

References
----------

[^orcid]: https://en.wikipedia.org/wiki/ORCID
[^soan]: https://github.com/ORCID/simple-orcid-auth-node
[^node]: https://github.com/ORCID/simple-orcid-auth-node/issues/3
[^systemd]: https://www.digitalocean.com/community/tutorials/how-to-deploy-node-js-applications-using-systemd-and-nginx
[^nginx]: http://charles.lescampeurs.org/2008/11/14/fix-nginx-increase-server_names_hash_bucket_size