systemd configuration files for OpenDMARC

opendmarc.service

# /etc/systemd/system/opendmarc.service
[Unit]
Description=OpenDMARC email validation system
Documentation=man:opendmarc(8) man:opendmarc.conf(5) man:opendmarc-import(8) man:opendmarc-reports(8) http://www.trusteddomain.org/opendmarc/
After=network.target nss-lookup.target

[Service]
RuntimeDirectory=opendmarc
Type=forking
PIDFile=/run/opendmarc/opendmarc.pid
User=opendmarc
ExecStart=/usr/sbin/opendmarc -u opendmarc -P /run/opendmarc/opendmarc.pid
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID

# not allowed to write anywhere
ReadOnlyDirectories=/
# ...except:
# PidFile (-P); cf. RuntimeDirectory=opendmarc
ReadWriteDirectories=/run/opendmarc
# TemporaryDirectory (default); cf. PrivateTmp=yes
ReadWriteDirectories=/var/tmp
# HistoryFile
ReadWriteDirectories=/var/log/opendmarc
# Socket
ReadWriteDirectories=/var/spool/postfix/opendmarc

# custom /tmp, /var/tmp, /dev
PrivateTmp=yes
PrivateDevices=yes
# read-only system directories
ProtectSystem=full
# no home at all
ProtectHome=yes
# no setuid, no sticky bit
NoNewPrivileges=yes

# only a few address families:
# Socket for communication with sendmail
RestrictAddressFamilies=AF_UNIX
# IPv4 for DNS (_dmarc.domain)
RestrictAddressFamilies=AF_INET
# IPv6 for DNS (_dmarc.domain)
RestrictAddressFamilies=AF_INET6

[Install]
WantedBy=multi-user.target

opendmarc configuration notes:

• Any PidFile and UserId specifications in the configuration file can be removed, since the command line arguments to opendmarc (see ExecStart=) override them.
• Make sure the socket is configured in /etc/opendmarc.conf, not in /etc/defaults/opendmarc.
• The ReadWriteDirectories= directives assume a Socket in /var/spool/postfix/opendmarc and a HistoryFile in /var/log/opendmarc. Adjust the paths to your setup as necessary.