AW: DKIM setup in Winterfell

Peter Koch ibksoftwareag at gmail.com
Sat Oct 19 08:29:14 CEST 2019


Sure, I even made a howto for 16. 
You may have missed it if you only read «official» docs:

https://diala.org/dokuwiki/howto/dkim_signing_with_kolab_16_on_debian_9

I did not check with Winterfell though. 

Regards
Peter Koch

From: Milan Petrovic
Sent: Saturday, 19 October 2019 00:16
To: users at lists.kolab.org
Subject: Re: DKIM setup in Winterfell

I can't believe no one has ever set up DKIM in Kolab 16 or Winterfell...

On Tue, Oct 8, 2019 at 9:34 PM Milan Petrovic <petrovic.milan at gmail.com> wrote:
Has anyone been setting the DKIM up in Winterfell?

On Wed, Oct 2, 2019 at 2:05 AM Milan Petrovic <petrovic.milan at gmail.com> wrote:
Is there any difference in setting up the DKIM signing through Amavis in Winterfell as compared to earlier versions (I'm referring to the available guides in Kolab doc)?

I'm trying to set it up, following the doc guide thoroughly, but I keep getting "verification failed" (not only through some online checking services, but also GMail as a recipient finds the same).

My amavisd.conf looks like this:

...
$inet_socket_port = [10023,10024];  # listen on multiple TCP ports

$interface_policy{'10023'} = 'SUBMISSION';
$policy_bank{'SUBMISSION'} = {
    originating => 1,
    smtpd_discard_ehlo_keywords => ['8BITGTGpq6rkEc1AIT at dkimvalidator.comMIME']
};
...
dkim_key(
    'mydomain.com',
    'dkim20092019',
    '/etc/amavisd/dkim/mydomain.com.dkim20092019.pem'
);
@dkim_signature_options_bysender_maps = (
    {
      "mydomain.com" => {
            d   => 'mydomain.com',
            a   => 'rsa-sha256',
            ttl => 10*24*3600,
            c   => 'relaxed/simple'
        }
    }
);

1;  # insure a defined return value


And my master.cf:
...
submission          inet        n - n - - smtpd
    -o cleanup_service_name=cleanup_submission
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_data_restrictions=$submission_data_restrictions
    -o smtpd_recipient_restrictions=$submission_recipient_restrictions
    -o smtpd_sender_restrictions=$submission_sender_restrictions
    -o content_filter=smtp-amavis:[127.0.0.1]:10023
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
...
smtp-amavis         unix        -       -       n       -       3 smtp
    -o smtp_data_done_timeout=1800
    -o disable_dns_lookups=yes
    -o smtp_send_xforward_command=yes
    -o max_use=20
    -o smtp_bind_address=127.0.0.1

# Listener to re-inject email from Amavisd into Postfix
127.0.0.1:10025     inet        n - n - 100     smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=smtp-wallace:[127.0.0.1]:10026
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# Filter email through Wallace
smtp-wallace        unix        - - n - 3       smtp
    -o smtp_data_done_timeout=1800
    -o disable_dns_lookups=yes
    -o smtp_send_xforward_command=yes
    -o max_use=20

# Listener to re-inject email from Wallace into Postfix
127.0.0.1:10027     inet        n - n - 100     smtpd
    -o cleanup_service_name=cleanup_internal
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8


Sending a test mail to auth-results at verifier.port25.com, among others, gives the following result:
DKIM_INVALID           DKIM or DK signature exists, but is not valid

A similar thing happens with dkimvalidator.com:

Validating Signature
result = fail
Details: message has been altered

All mails are sent through Roundcube.


On the other hand, mxtoolbox's DKIM verifier passes. Also, 'amavisd ... testkeys' gives a "pass".

Excerpt from the amavis' log (everything looks normal to me here):
...
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header: Received: from mail.mydomain.com ([127.0.0.1])\n\tby localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10028)\n\twith ESMTP id GWd2ey-29lPr for <mailAtGmail at gmail.com>;\n\tWed,  2 Oct 2019 01:31:03 +0200 (CEST)\n
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) headers CLUSTERING: done all 1 recips in one go
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim: candidate originators: From:<milan at mydomain.com>
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) query_keys: cached milan at mydomain.com
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup_hash(milan at mydomain.com) matches keys: "mydomain.com"=>HASH(0x23176e8)
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup [dkim_signature_options_bysender], 1 matches for "milan at mydomain.com", results: "mydomain.com"=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"864000",d=>"mydomain.com"}
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim: signature options for milan at mydomain.com(From): c=relaxed/simple; a=rsa-sha256; ttl=864000; d=mydomain.com
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim: signing (author), From: <milan at mydomain.com> (From:<milan at mydomain.com>), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>mydomain.com, s=>dkim20092019, ttl=>864000, x=>1570836664
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) write_header: 1, Amavis::Out::SMTP=HASH(0x785b2b8)
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header encoded (all-ASCII): DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; d=\n\tmydomain.com; h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received; s=dkim20092019; t=1569972663; x=1570836664; bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=; b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuX...
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) ...m\n\tj1YnOl9AzPw14xi06cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\tmydomain.com; h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received; s=dkim20092019; t=1569972663; x=1570836664; bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=; b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuXm\n\tj1YnOl9AzPw14xi0...
Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) ...6cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=\n
...

So, is there anything different I should do while setting up the DKIM in Winterfell?
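
A way to narrow down a failure like the one in this thread, added here as an example and not part of the original messages: recompute the body hash of the message as it arrived and compare it with the bh= tag, using the body canonicalization named in c= (the thread's config uses relaxed/simple). The sample message, example.com, the selector sel1 and the b= value are constructed placeholders, and the function names are illustrative.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, drop whitespace at line end
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out or (b"\r\n" if mode == "simple" else b"")

def body_hash(body: bytes, mode: str) -> str:
    """Value a verifier expects in bh= (assumes a=rsa-sha256, no l= tag)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def signature_tags(raw: bytes) -> dict:
    """tag=value pairs of the first DKIM-Signature header, unfolded."""
    head = re.sub(rb"\r\n(?=[ \t])", b"", raw.split(b"\r\n\r\n", 1)[0])
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            pairs = (t.split(b"=", 1) for t in value.split(b";") if b"=" in t)
            return {k.strip().decode(): re.sub(rb"\s+", b"", v).decode() for k, v in pairs}
    return {}

def check_body(raw: bytes) -> str:
    """Compare bh= with a hash recomputed from the body as it arrived."""
    tags = signature_tags(raw)
    if "bh" not in tags:
        return "no signature"
    body = raw.partition(b"\r\n\r\n")[2]
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return "body intact" if body_hash(body, mode) == tags["bh"] else "body changed after signing"

# Constructed sample data: example.com, selector sel1 and the b= value are placeholders.
BODY = b"Hello,\r\nthis is a test.\r\n"
def sample(c: str, received_body: bytes) -> bytes:
    """Message whose bh= covers BODY but whose body is received_body."""
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; c={c}; d=example.com;\r\n"
           f"\ts=sel1; bh={body_hash(BODY, c.split('/')[1])}; b=placeholder")
    return sig.encode() + b"\r\nFrom: <user@example.com>\r\n\r\n" + received_body

if __name__ == "__main__":
    cases = (BODY, BODY.replace(b",\r\n", b", \r\n"), BODY + b"footer\r\n")
    for c in ("relaxed/simple", "relaxed/relaxed"):
        print(c, [check_body(sample(c, b)) for b in cases])
```

If the body hash matches on the received copy and verification still fails, the difference lies in the header fields listed in h= or in the key, not in the body.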

