DKIM setup in Winterfell
Milan Petrovic
petrovic.milan at gmail.com
Wed Oct 2 02:05:56 CEST 2019
Is there any difference in setting up DKIM signing through Amavis in
Winterfell as compared to earlier versions (I'm referring to the available
guides in the Kolab docs)?
I'm trying to set it up, following the doc guide thoroughly, but I keep
getting a verification failure (not only through some online checking
services; Gmail as a recipient finds the same).
My amavisd.conf looks like this:
...
$inet_socket_port = [10023,10024]; # listen on multiple TCP ports
$interface_policy{'10023'} = 'SUBMISSION';
$policy_bank{'SUBMISSION'} = {
    originating => 1,
    smtpd_discard_ehlo_keywords =>
        ['8BITGTGpq6rkEc1AIT at dkimvalidator.comMIME']
};
...
dkim_key(
    'mydomain.com',
    'dkim20092019',
    '/etc/amavisd/dkim/mydomain.com.dkim20092019.pem'
);
@dkim_signature_options_bysender_maps = (
    {
        "mydomain.com" => {
            d => 'mydomain.com',
            a => 'rsa-sha256',
            ttl => 10*24*3600,
            c => 'relaxed/simple'
        }
    }
);
1; # insure a defined return value
And my master.cf:
...
submission inet n - n - - smtpd
    -o cleanup_service_name=cleanup_submission
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_data_restrictions=$submission_data_restrictions
    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
    -o smtpd_sender_restrictions=$submission_sender_restrictions
    -o content_filter=smtp-amavis:[127.0.0.1]:10023
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
...
smtp-amavis unix - - n - 3 smtp
    -o smtp_data_done_timeout=1800
    -o disable_dns_lookups=yes
    -o smtp_send_xforward_command=yes
    -o max_use=20
    -o smtp_bind_address=127.0.0.1
# Listener to re-inject email from Amavisd into Postfix
127.0.0.1:10025 inet n - n - 100 smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=smtp-wallace:[127.0.0.1]:10026
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# Filter email through Wallace
smtp-wallace unix - - n - 3 smtp
    -o smtp_data_done_timeout=1800
    -o disable_dns_lookups=yes
    -o smtp_send_xforward_command=yes
    -o max_use=20
# Listener to re-inject email from Wallace into Postfix
127.0.0.1:10027 inet n - n - 100 smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Sending a test mail to auth-results at verifier.port25.com, among others,
gives the following result:
DKIM_INVALID DKIM or DK signature exists, but is not valid
A similar thing happens with dkimvalidator.com:
Validating Signature
result = fail
Details: message has been altered
All mails are sent through Roundcube.
On the other hand, mxtoolbox's DKIM verifier passes. Also, 'amavisd
... testkeys' gives a "pass".
Excerpt from the amavis log (everything looks normal to me here):
...
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header:
Received: from mail.mydomain.com ([127.0.0.1])\n\tby localhost (
mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10028)\n\twith ESMTP id
GWd2ey-29lPr for <mailAtGmail at gmail.com>;\n\tWed, 2 Oct 2019 01:31:03
+0200 (CEST)\n
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) headers
CLUSTERING: done all 1 recips in one go
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim: candidate
originators: From:<milan at mydomain.com>
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) query_keys:
cached milan at mydomain.com
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup_hash(
milan at mydomain.com) matches keys: "mydomain.com"=>HASH(0x23176e8)
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup
[dkim_signature_options_bysender], 1 matches for "milan at mydomain.com",
results: "mydomain.com
"=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"864000",d=>"mydomain.com"}
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim: signature
options for milan at mydomain.com(From): c=relaxed/simple; a=rsa-sha256;
ttl=864000; d=mydomain.com
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim: signing
(author), From: <milan at mydomain.com> (From:<milan at mydomain.com>),
KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>mydomain.com,
s=>dkim20092019, ttl=>864000, x=>1570836664
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) write_header:
1, Amavis::Out::SMTP=HASH(0x785b2b8)
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header encoded
(all-ASCII): DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\
tmydomain.com;
h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received;
s=dkim20092019; t=1569972663; x=1570836664;
bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=;
b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuX...
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
...m\n\tj1YnOl9AzPw14xi06cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\tmydomain.com;
h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received;
s=dkim20092019; t=1569972663; x=1570836664;
bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=;
b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuXm\n\tj1YnOl9AzPw14xi0...
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
...6cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=\n
...
So, is there anything different I should do while setting up DKIM in
Winterfell?
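Added example, not part of the original post and not Kolab or amavisd code: when a verifier rejects a signature like the one logged above, recomputing the bh= body hash (RFC 6376) over a copy of the message exactly as the recipient stored it shows whether the body changed after signing; if bh= still matches, the difference lies in the signed header fields instead. The function names and the example.org sample message are constructed for illustration.

```python
import base64
import hashlib
import re

def dkim_tags(raw: bytes) -> dict:
    """Tags of the top-most DKIM-Signature header; whitespace in values is dropped."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    m = re.search(rb"^DKIM-Signature:(.*(?:\r?\n[ \t].*)*)", head, re.I | re.M)
    if not m:
        raise ValueError("no DKIM-Signature header found")
    tags = {}
    for part in m.group(1).split(b";"):
        if b"=" in part:
            key, value = part.split(b"=", 1)
            tags[key.strip().decode()] = re.sub(rb"\s+", b"", value).decode()
    return tags

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    lines = re.split(rb"\r?\n", body)          # bare LF is treated as CRLF
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":          # trailing empty lines are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def check_body_hash(raw: bytes) -> dict:
    """Recompute bh= for a raw message and compare it with the signed value."""
    tags = dkim_tags(raw)
    body = (re.split(rb"\r?\n\r?\n", raw, maxsplit=1) + [b""])[1]
    mode = (tags.get("c", "simple").split("/") + ["simple"])[1]  # body part of c=
    data = canon_body(body, mode)
    if "l" in tags:                            # optional body length limit
        data = data[: int(tags["l"])]
    algo = tags.get("a", "rsa-sha256").split("-")[1]
    computed = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    return {"body_canon": mode, "bh": tags["bh"], "computed": computed,
            "match": computed == tags["bh"]}

# Constructed sample: empty body signed with c=relaxed/simple, bh= folded.
SAMPLE = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;\r\n"
          b"\ts=sel; h=from:subject; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2\r\n"
          b"\tRSN/XKdLCPjaYaY=; b=PLACEHOLDER\r\n"
          b"From: a@example.org\r\nSubject: t\r\n\r\n")

if __name__ == "__main__":
    print(check_body_hash(SAMPLE))
    print(check_body_hash(SAMPLE + b"-- \r\nfooter added in transit\r\n"))
```

Run it against the raw source of the delivered message (for example Gmail's "Show original" download), not against the copy in the sender's Sent folder.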