I have been using Skelleton‘s guide1 to setup opendmarc on some mail server I am building.

My problem is the version of opendmarc that comes with Debian is 1.3.0 and this version has a bug2 which fails to honor the IgnoreAuthenticatedClients directive.

This is an attempt to build3 the newest version, 1.3.1, for Debian jessie.

Prepare the environment

  • Install all necessary packages:

    $ sudo apt -y install pbuilder debootstrap devscripts packaging-dev debian-keyring
  • Prepare a Debian jessie build environment:

    $ sudo pbuilder create --debootstrapopts --variant=buildd --mirror http://ftp.us.debian.org/debian/ --distribution jessie --architecture amd64 --components main --debbuildopts -mJohn Doe \<john.doe@example.net\>

Prepare the Debian environment for opendmarc 1.3.1

  • Download and extract the package:

    $ wget http://downloads.sourceforge.net/project/opendmarc/opendmarc-1.3.1.tar.gz
    $ tar xvzf opendmarc-1.3.1.tar.gz
    $ cd opendmarc-1.3.1/
  • Prepare for Debian packaging:

    $ DEBFULLNAME="John Doe" DEBEMAIL="john.doe@example.net" dh_make -s -y --createorig
    • Rename the debian folder:

      $ mv debian debian.orig
  • Shamelessly copy *debian/** from the original:

    $ cd /tmp/
    $ apt-get source opendmarc
    $ cd opendmarc-1.3.1+dfsg/
    $ cp -a debian/ ~/opendmarc-1.3.1
  • Optional steps:

    • Change the Author name to yours in debian/control

    • Restore the debian/changelog file:

      $ cp debian.orig/changelog debian/
    • Get rid of the debian.orig folder:

      $ mv debian.orig/ ..
    • Edit the debian/changelog file with dch -e:

      opendmarc (1.3.1-1) unstable; urgency=medium
        * Initial release: To fix the IgnoreAuthenticatedClients issue:     http://www.trusteddomain.org/pipermail/opendmarc-users/2016-April/000636.html
       -- John Doe <john.doe@example.net> Fri, 29 Apr 2016 13:43:22 +0300

Build opendmarc 1.3.1

  • Run pdebuild:

    $ pdebuild
  • You cab find the resultant debs under /var/cache/pbuilder/result/:

    $ ls -la /var/cache/pbuilder/result/
    total 868
    drwxr-xr-x 2 root      root        4096 Απρ  29 13:54 .
    drwxr-xr-x 8 root      root        4096 Απρ  29 12:56 ..
    -rw-r--r-- 1 theodotos theodotos  38534 Απρ  29 13:54 libopendmarc2_1.3.1-1_amd64.deb
    -rw-r--r-- 1 theodotos theodotos  64210 Απρ  29 13:54 libopendmarc-dev_1.3.1-1_amd64.deb
    -rw-r--r-- 1 theodotos theodotos   2348 Απρ  29 13:54 opendmarc_1.3.1-1_amd64.changes
    -rw-r--r-- 1 theodotos theodotos  75890 Απρ  29 13:54 opendmarc_1.3.1-1_amd64.deb
    -rw-rw-r-- 1 theodotos theodotos    846 Απρ  29 13:54 opendmarc_1.3.1-1.dsc
    -rw-r--r-- 1 theodotos theodotos 663859 Απρ  29 13:54 opendmarc_1.3.1-1.tar.gz
    -rw-r--r-- 1 theodotos theodotos  17136 Απρ  29 13:54 rddmarc_1.3.1-1_all.deb

You can now copy the debs over your mail server and test them.

Update: I did this before I had discovered that opendmarc 1.3.1 is in Debian jessie backports4. But an interesting drill nevertheless.


These are the instructions for installing an ORCID5 authentication node. We will be using the simple-orcid-auth-node6 developed by the ORCID organization.


  • An Ubuntu 16.04 server machine but works on 14.04x with some minor changes.
  • A FQDN, let’s say orcid.example.com.
  • Server IP is in our case.
  • Create an orcid user: sudo useradd -r -m -d /var/www/html/orcid orcid.
  • For Ubuntu 14.04 it is better to use /var/www/orcid instead of /var/www/html/orcid.
  • Also use service <servicename> restart on 14.04.x instead of systemctl restart <service>.

Installing simple-orcid-auth-node

  • Install necessary packages (as a privileged user):

    $ sudo apt -y install nginx nodejs npm

    NOTE: If you are using Ubuntu 14.04.x do not install the node package. This package is completely unrelated with nodejs.7

  • Download and extract simple-orcid-auth-node (as the orcid user):

    sudo su - orcid
    wget https://github.com/rcpeters/simple-orcid-auth-node/archive/master.tar.gz
    tar xvzf master.tar.gz
  • Install the application:

    $ cd simple-orcid-auth-node-master/
    $ npm install
  • Test run the application (as the orcid user):

    $ nodejs client-app.js
    server started on 8000

    Looks OK. Now point your Hit CTRL^C and move on.

    NOTE: If you prefer using the legacy node client-app.js invocation, you need to install the nodejs-legacy package as well.

Setting ORCID as an autostart service

  • Autostart using systemd8 (Ubuntu 16.04):

    • Create the /etc/systemd/system/orcid.service service definition (as the root user):

      $ cat > /etc/systemd/system/orcid.service << EOF
      ExecStart=/usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js
      [Install] WantedBy=multi-user.target EOF
    • Reload systemd and start the service:

      $ sudo systemctl daemon-reload
      $ sudo systemctl start orcid.service
    • Verify that the service is started:

      $ sudo systemctl status orcid.service
      ● orcid.service
      Loaded: loaded (/etc/systemd/system/orcid.service; disabled; vendor preset: enabled)
      Active: active (running) since Wed 2016-04-27 09:00:16 UTC; 37s ago
      Main PID: 11141 (nodejs)
      Tasks: 5 (limit: 512)
      Memory: 24.1M
      CPU: 268ms
      CGroup: /system.slice/orcid.service
         └─11141 /usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js
      Apr 27 09:00:16 orcid systemd[1]: Started orcid.service. Apr 27 09:00:16 orcid orcid[11141]: server started on 8000
  • Autostart using sysv-init (Ubuntu 14.04.x):

    • Prepare a sysv-init startup script or use mine for convinience:

      $ cd /etc/init.d
      $ wget https://raw.githubusercontent.com/theodotos/arena/master/orcid
      $ chmod +x orcid
      $ update-rc.d orcid enable
      $ update-rc.d orcid defaults

    Now orcid should be able to autostart after a reboot.

Setting up nginx

  • Prepare this configuration:

    $ cat > /etc/nginx/sites-available/orcid << EOF
    server {
        listen 80;     listen [::]:80 ipv6only=on;
        server_name orcid.example.com;
        access_log /var/log/nginx/orcid.access.log;     error_log /var/log/nginx/orcid.error.log;
        location / {         proxy_pass http://localhost:8000/;         proxy_set_header Host \$host;         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;     } } EOF
  • Enable the orcid site:

    $ cd /etc/nginx/sites-enabled/
    $ sudo ln -s /etc/nginx/sites-available/orcid
  • Uncomment the following line in /etc/nginx/nginx.conf9:

        server_names_hash_bucket_size 64;
  • Restart nginx:

    $ sudo systemctl restart nginx.service
  • Verify nginx with sudo systemctl status nginx.service

Now you can visit the http://orcid.example.com site and test your setup

Going to production

The default simple-orcid-auth-node is using the sandbox ORCID service which is ideal for testing. This is how the configuration file (helpers/config.js) looks like:

module.exports = config = {
  // Config for OAuth2 
  CLIENT_SECRET: '0eafb938-020e-45a6-a148-3c222171d9d8',
  AUTHORIZE_URI: 'https://sandbox.orcid.org/oauth/authorize',
  TOKEN_EXCHANGE_URI: 'https://api.sandbox.orcid.org/oauth/token',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '',

This setup will not work in production. You have to modify the CLIENT_ID and CLIENT_SECRET variables with your own credentials and change the AUTHORIZE_URI and TOKEN_EXCHANGE_URI to point to the production ORCID services:

module.exports = config = {
  // Config for OAuth2 
  CLIENT_SECRET: '56d4eb21-6622-8483-3422-f53f3fs53sfs35f',
  AUTHORIZE_URI: 'https://orcid.org/oauth/authorize',
  TOKEN_EXCHANGE_URI: 'https://api.orcid.org/oauth/token',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '',

Restart nginx and orcid when done:

$ sudo systemctl restart nginx.service orcid.service