<div dir="ltr">I can't believe no one has ever set up DKIM in Kolab 16 or Winterfell...<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 8, 2019 at 9:34 PM Milan Petrovic <<a href="mailto:petrovic.milan@gmail.com">petrovic.milan@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Has anyone been setting the DKIM up in Winterfell?<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 2, 2019 at 2:05 AM Milan Petrovic <<a href="mailto:petrovic.milan@gmail.com" target="_blank">petrovic.milan@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>Is there any difference in setting up the DKIM signing through Amavis in Winterfell as compared to earlier versions (I'm referring to the available guides in Kolab doc)?</div><div><br></div><div>I'm trying to set it up, following the doc guide thoroughly, but I keep getting the verification failed (not only through some online checking services, but also GMail as a recipient finds the same).</div><div><br></div><div>My amavisd.conf looks like this:</div><div><br></div><div>...</div><div>$inet_socket_port = [10023,10024];  # listen on multiple TCP ports<br><br>$interface_policy{'10023'} = 'SUBMISSION';<br>$policy_bank{'SUBMISSION'} = {<br>    originating => 1,<br>    smtpd_discard_ehlo_keywords => ['8BITGTGpq6rkEc1AIT@dkimvalidator.comMIME']<br>};</div><div>...</div><div>dkim_key(<br>    '<a href="http://mydomain.com" target="_blank">mydomain.com</a>',<br>    'dkim20092019',<br>    '/etc/amavisd/dkim/mydomain.com.dkim20092019.pem'<br>);<br>@dkim_signature_options_bysender_maps = (<br>    {<br>            "<a href="http://mydomain.com" target="_blank">mydomain.com</a>" => {<br>            d   => '<a 
href="http://mydomain.com" target="_blank">mydomain.com</a>',<br>            a   => 'rsa-sha256',<br>            ttl => 10*24*3600,<br>            c   => 'relaxed/simple'<br>        }<br>    }<br>);<br><br>1;  # insure a defined return value</div><div><br></div><div><br></div><div>And my <a href="http://master.cf" target="_blank">master.cf</a>:</div><div>...</div><div>submission          inet        n  -       n       -       -       smtpd<br>    -o cleanup_service_name=cleanup_submission<br>    -o syslog_name=postfix/submission<br>    -o smtpd_tls_security_level=encrypt<br>    -o smtpd_sasl_auth_enable=yes<br>    -o smtpd_sasl_authenticated_header=yes<br>    -o smtpd_client_restrictions=permit_sasl_authenticated,reject<br>    -o smtpd_data_restrictions=$submission_data_restrictions<br>    -o smtpd_recipient_restrictions=$submission_recipient_restrictions<br>    -o smtpd_sender_restrictions=$submission_sender_restrictions<br>    -o content_filter=smtp-amavis:[127.0.0.1]:10023<br>    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters</div><div>...</div><div>smtp-amavis         unix        -       -       n       -       3  smtp<br>    -o smtp_data_done_timeout=1800<br>    -o disable_dns_lookups=yes<br>    -o smtp_send_xforward_command=yes<br>    -o max_use=20<br>    -o smtp_bind_address=127.0.0.1<br><br># Listener to re-inject email from Amavisd into Postfix<br><a href="http://127.0.0.1:10025" target="_blank">127.0.0.1:10025</a>     inet        n       -       n       -       100     smtpd<br>    -o cleanup_service_name=cleanup_internal<br>    -o content_filter=smtp-wallace:[127.0.0.1]:10026<br>    -o local_recipient_maps=<br>    -o relay_recipient_maps=<br>    -o smtpd_restriction_classes=<br>    -o smtpd_client_restrictions=<br>    -o smtpd_helo_restrictions=<br>    -o smtpd_sender_restrictions=<br>    -o smtpd_recipient_restrictions=permit_mynetworks,reject<br>    -o mynetworks=<a href="http://127.0.0.0/8" 
target="_blank">127.0.0.0/8</a><br>    -o smtpd_authorized_xforward_hosts=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a><br></div><div><br></div><div># Filter email through Wallace<br>smtp-wallace        unix        -   -       n       -       3       smtp<br>    -o smtp_data_done_timeout=1800<br>    -o disable_dns_lookups=yes<br>    -o smtp_send_xforward_command=yes<br>    -o max_use=20<br></div><div><br></div><div># Listener to re-inject email from Wallace into Postfix<br><a href="http://127.0.0.1:10027" target="_blank">127.0.0.1:10027</a>     inet        n    -       n       -       100     smtpd<br>    -o cleanup_service_name=cleanup_internal<br>    -o content_filter=<br>    -o local_recipient_maps=<br>    -o relay_recipient_maps=<br>    -o smtpd_restriction_classes=<br>    -o smtpd_client_restrictions=<br>    -o smtpd_helo_restrictions=<br>    -o smtpd_sender_restrictions=<br>    -o smtpd_recipient_restrictions=permit_mynetworks,reject<br>    -o mynetworks=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a><br>    -o smtpd_authorized_xforward_hosts=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a></div><div><br></div><div><br></div><div>Sending a test mail to <a href="mailto:auth-results@verifier.port25.com" target="_blank">auth-results@verifier.port25.com</a>, among others, gives the following result:</div><div>DKIM_INVALID           DKIM or DK signature exists, but is not valid</div><div><br></div><div>Similar thing happens with <a href="http://dkimvalidator.com" target="_blank">dkimvalidator.com</a>:</div><div><br></div><div>Validating Signature<br>result = fail<br>Details: message has been altered</div><div><br></div><div> All mails are sent through  Roundcube. <br></div><div><br></div><div><br></div><div>On the other hand, the mxtoolbox' dkim verifier passes. Also the 'amavisd ... 
testkeys" gives a "pass".</div><div><br></div><div>Excerpt from the amavis' log (everything looks normal to me here):</div><div>...</div><div>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header: Received: from <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> ([127.0.0.1])\n\tby localhost (<a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> [127.0.0.1]) (amavisd-new, port 10028)\n\twith ESMTP id GWd2ey-29lPr for <<a href="mailto:mailAtGmail@gmail.com" target="_blank">mailAtGmail@gmail.com</a>>;\n\tWed,  2 Oct 2019 01:31:03 +0200 (CEST)\n<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) headers CLUSTERING: done all 1 recips in one go<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: candidate originators: From:<<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) query_keys: cached <a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) lookup_hash(<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>) matches keys: "<a href="http://mydomain.com" target="_blank">mydomain.com</a>"=>HASH(0x23176e8)<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) lookup [dkim_signature_options_bysender], 1 matches for "<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>", results: "<a href="http://mydomain.com" target="_blank">mydomain.com</a>"=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"864000",d=>"<a href="http://mydomain.com" 
target="_blank">mydomain.com</a>"}<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: signature options for <a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>(From): c=relaxed/simple; a=rsa-sha256; ttl=864000; d=<a href="http://mydomain.com" target="_blank">mydomain.com</a><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: signing (author), From: <<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>> (From:<<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>>), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=><a href="http://mydomain.com" target="_blank">mydomain.com</a>, s=>dkim20092019, ttl=>864000, x=>1570836664<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) write_header: 1, Amavis::Out::SMTP=HASH(0x785b2b8)<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header encoded (all-ASCII): DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; d=\n\<a href="http://tmydomain.com" target="_blank">tmydomain.com</a>; h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received; s=dkim20092019; t=1569972663; x=1570836664; bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=; 
b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuX...<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) ...m\n\tj1YnOl9AzPw14xi06cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\<a href="http://tmydomain.com" target="_blank">tmydomain.com</a>; h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received; s=dkim20092019; t=1569972663; x=1570836664; bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=; b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuXm\n\tj1YnOl9AzPw14xi0...<br>Oct 02 
01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) ...6cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=\n</div><div>...<br></div><div><br></div><div>So, is there anything different I should do while setting up the DKIM in Winterfell?</div><div><br></div></div></div>
</blockquote></div>
</blockquote></div>
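As an added example (not part of the thread, and not Kolab or amavisd code): a Python helper that reads a DKIM-Signature value in the escaped form amavis logs it, recomputes the body hash under the `c=` setting, and compares it with `bh=`. A match on the delivered copy means the body survived and the failure lies in the signed headers or the key; a mismatch means the body changed after signing. The sample body and signature are constructed, and the code assumes `a=rsa-sha256` with no `l=` tag.

```python
import base64
import hashlib
import re

def parse_sig(logged: str) -> dict:
    """Parse a DKIM-Signature value; accepts the amavis log form with literal \\n\\t folds."""
    unfolded = logged.replace("\\n", "").replace("\\t", " ")
    tags = {}
    for part in unfolded.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    tags["bh"] = re.sub(r"\s+", "", tags.get("bh", ""))  # folds inside base64 are not data
    tags["h"] = [n.strip().lower() for n in tags.get("h", "").split(":") if n.strip()]
    return tags

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end, keep exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of WSP, strip line-end WSP and trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, c: str) -> str:
    """Base64 SHA-256 of the canonicalized body; c is the signature's c= tag."""
    body_canon = c.partition("/")[2] or "simple"   # body algorithm defaults to simple
    data = canon_relaxed(body) if body_canon == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def body_intact(tags: dict, delivered_body: bytes) -> bool:
    """True if the delivered body still matches bh= (assumes a=rsa-sha256, no l= tag)."""
    return body_hash(delivered_body, tags.get("c", "simple/simple")) == tags["bh"]

# Constructed sample: a body as signed, and a signature value in the shape amavis logs it.
SIGNED = b"Hello,\r\nthis is a test.\r\n"
_bh = body_hash(SIGNED, "relaxed/simple")
LOGGED = ("v=1; a=rsa-sha256; c=relaxed/simple; d=\\n\\tmydomain.com; h=subject:subject:from"
          "\\n\\t:from:date; s=dkim20092019; bh=" + _bh[:6] + "\\n\\t" + _bh[6:] + "; b=PLACEHOLDER")
TAGS = parse_sig(LOGGED)

if __name__ == "__main__":
    for body in (SIGNED, SIGNED + b"-- \r\nfooter\r\n", SIGNED.replace(b",", b", ")):
        print(body_intact(TAGS, body), body)
```

To use it on a real message, pass the raw body bytes of the copy that reached the recipient (CRLF line endings preserved) and the signature value taken from the amavis log or from the delivered header.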