<div dir="ltr"><div>Worked like a charm! Thanks!</div><div><br></div><div>Confirming it works also on Winterfell installed on CentOS 7. The only difference is apt install... -> "yum install opendkim" (tools are included).</div><div><br></div><div>I have also just copied the key generated by amavis so I wouldn't need to wait for the DNS propagation.</div><div><br></div><div>Tested with Roundcube, Thunderbird and mobile<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Oct 19, 2019 at 8:29 AM Peter Koch <<a href="mailto:ibksoftwareag@gmail.com">ibksoftwareag@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="DE-CH"><div class="gmail-m_8072173552439509520WordSection1"><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle">Sure, I even made a howto for 16. <u></u><u></u></span></p><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle">You may have missed it if you only read «official» docs:<u></u><u></u></span></p><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle"><u></u> <u></u></span></p><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle"><a href="https://diala.org/dokuwiki/howto/dkim_signing_with_kolab_16_on_debian_9" target="_blank">https://diala.org/dokuwiki/howto/dkim_signing_with_kolab_16_on_debian_9</a><u></u><u></u></span></p><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle"><u></u> <u></u></span></p><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle">I did not check with Winterfell though. 
<u></u><u></u></span></p><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-family:'Century Gothic',sans-serif">Regards<u></u><u></u></span></p><p class="MsoNormal"><span style="font-family:'Century Gothic',sans-serif">Peter Koch</span><u></u><u></u></p><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle"><u></u> <u></u></span></p><div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm"><p class="MsoNormal" style="border:medium none;padding:0cm"><b>From: </b><a href="mailto:petrovic.milan@gmail.com" target="_blank">Milan Petrovic</a><br><b>Sent: </b>Saturday, 19 October 2019 00:16<br><b>To: </b><a href="mailto:users@lists.kolab.org" target="_blank">users@lists.kolab.org</a><br><b>Subject: </b>Re: DKIM setup in Winterfell</p></div><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle"><u></u> <u></u></span></p><div><p class="MsoNormal">I can't believe no one has ever set up DKIM in Kolab 16 or Winterfell...</p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">On Tue, Oct 8, 2019 at 9:34 PM Milan Petrovic <<a href="mailto:petrovic.milan@gmail.com" target="_blank">petrovic.milan@gmail.com</a>> wrote:</p></div><blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm"><div><p class="MsoNormal">Has anyone been setting the DKIM up in Winterfell?</p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">On Wed, Oct 2, 2019 at 2:05 AM Milan Petrovic <<a href="mailto:petrovic.milan@gmail.com" target="_blank">petrovic.milan@gmail.com</a>> wrote:</p></div><blockquote style="border-color:currentcolor currentcolor 
currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm"><div><div><div><p class="MsoNormal">Is there any difference in setting up the DKIM signing through Amavis in Winterfell as compared to earlier versions (I'm referring to the available guides in Kolab doc)?</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I'm trying to set it up, following the doc guide thoroughly, but I keep getting the verification failed (not only through some online checking services, but also GMail as a recipient finds the same).</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">My amavisd.conf looks like this:</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">...</p></div><div><p class="MsoNormal">$inet_socket_port = [10023,10024];  # listen on multiple TCP ports<br><br>$interface_policy{'10023'} = 'SUBMISSION';<br>$policy_bank{'SUBMISSION'} = {<br>    originating => 1,<br>    smtpd_discard_ehlo_keywords => ['8BITGTGpq6rkEc1AIT@dkimvalidator.comMIME']<br>};</p></div><div><p class="MsoNormal">...</p></div><div><p class="MsoNormal">dkim_key(<br>    '<a href="http://mydomain.com" target="_blank">mydomain.com</a>',<br>    'dkim20092019',<br>    '/etc/amavisd/dkim/mydomain.com.dkim20092019.pem'<br>);<br>@dkim_signature_options_bysender_maps = (<br>    {<br>      "<a href="http://mydomain.com" target="_blank">mydomain.com</a>" => {<br>            d   => '<a href="http://mydomain.com" target="_blank">mydomain.com</a>',<br>            a   => 'rsa-sha256',<br>            ttl => 10*24*3600,<br>            c   => 'relaxed/simple'<br>        }<br>    }<br>);<br><br>1;  # insure a defined return value</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">And my <a href="http://master.cf" 
target="_blank">master.cf</a>:</p></div><div><p class="MsoNormal">...</p></div><div><p class="MsoNormal">submission          inet        n - n - - smtpd<br>    -o cleanup_service_name=cleanup_submission<br>    -o syslog_name=postfix/submission<br>    -o smtpd_tls_security_level=encrypt<br>    -o smtpd_sasl_auth_enable=yes<br>    -o smtpd_sasl_authenticated_header=yes<br>    -o smtpd_client_restrictions=permit_sasl_authenticated,reject<br>    -o smtpd_data_restrictions=$submission_data_restrictions<br>    -o smtpd_recipient_restrictions=$submission_recipient_restrictions<br>    -o smtpd_sender_restrictions=$submission_sender_restrictions<br>    -o content_filter=smtp-amavis:[127.0.0.1]:10023<br>    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters</p></div><div><p class="MsoNormal">...</p></div><div><p class="MsoNormal">smtp-amavis         unix        -       -       n       -       3 smtp<br>    -o smtp_data_done_timeout=1800<br>    -o disable_dns_lookups=yes<br>    -o smtp_send_xforward_command=yes<br>    -o max_use=20<br>    -o smtp_bind_address=127.0.0.1<br><br># Listener to re-inject email from Amavisd into Postfix<br><a href="http://127.0.0.1:10025" target="_blank">127.0.0.1:10025</a>     inet        n - n - 100     smtpd<br>    -o cleanup_service_name=cleanup_internal<br>    -o content_filter=smtp-wallace:[127.0.0.1]:10026<br>    -o local_recipient_maps=<br>    -o relay_recipient_maps=<br>    -o smtpd_restriction_classes=<br>    -o smtpd_client_restrictions=<br>    -o smtpd_helo_restrictions=<br>    -o smtpd_sender_restrictions=<br>    -o smtpd_recipient_restrictions=permit_mynetworks,reject<br>    -o mynetworks=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a><br>    -o smtpd_authorized_xforward_hosts=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"># Filter email through Wallace<br>smtp-wallace        unix       
 - - n - 3       smtp<br>    -o smtp_data_done_timeout=1800<br>    -o disable_dns_lookups=yes<br>    -o smtp_send_xforward_command=yes<br>    -o max_use=20</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"># Listener to re-inject email from Wallace into Postfix<br><a href="http://127.0.0.1:10027" target="_blank">127.0.0.1:10027</a>     inet        n - n - 100     smtpd<br>    -o cleanup_service_name=cleanup_internal<br>    -o content_filter=<br>    -o local_recipient_maps=<br>    -o relay_recipient_maps=<br>    -o smtpd_restriction_classes=<br>    -o smtpd_client_restrictions=<br>    -o smtpd_helo_restrictions=<br>    -o smtpd_sender_restrictions=<br>    -o smtpd_recipient_restrictions=permit_mynetworks,reject<br>    -o mynetworks=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a><br>    -o smtpd_authorized_xforward_hosts=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Sending a test mail to <a href="mailto:auth-results@verifier.port25.com" target="_blank">auth-results@verifier.port25.com</a>, among others, gives the following result:</p></div><div><p class="MsoNormal">DKIM_INVALID           DKIM or DK signature exists, but is not valid</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Similar thing happens with <a href="http://dkimvalidator.com" target="_blank">dkimvalidator.com</a>:</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Validating Signature<br>result = fail<br>Details: message has been altered</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">All mails are sent through  Roundcube. 
</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">On the other hand, mxtoolbox's DKIM verifier passes. Also, the "amavisd ... testkeys" gives a "pass".</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Excerpt from the amavis' log (everything looks normal to me here):</p></div><div><p class="MsoNormal">...</p></div><div><p class="MsoNormal">Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header: Received: from <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> ([127.0.0.1])\n\tby localhost (<a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> [127.0.0.1]) (amavisd-new, port 10028)\n\twith ESMTP id GWd2ey-29lPr for <<a href="mailto:mailAtGmail@gmail.com" target="_blank">mailAtGmail@gmail.com</a>>;\n\tWed,  2 Oct 2019 01:31:03 +0200 (CEST)\n<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) headers CLUSTERING: done all 1 recips in one go<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: candidate originators: From:<<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) query_keys: cached <a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) lookup_hash(<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>) matches keys: "<a href="http://mydomain.com" target="_blank">mydomain.com</a>"=>HASH(0x23176e8)<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> 
amavis[11404]: (11404-02) lookup [dkim_signature_options_bysender], 1 matches for "<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>", results: "<a href="http://mydomain.com" target="_blank">mydomain.com</a>"=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"864000",d=>"<a href="http://mydomain.com" target="_blank">mydomain.com</a>"}<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: signature options for <a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>(From): c=relaxed/simple; a=rsa-sha256; ttl=864000; d=<a href="http://mydomain.com" target="_blank">mydomain.com</a><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: signing (author), From: <<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>> (From:<<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>>), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=><a href="http://mydomain.com" target="_blank">mydomain.com</a>, s=>dkim20092019, ttl=>864000, x=>1570836664<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) write_header: 1, Amavis::Out::SMTP=HASH(0x785b2b8)<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header encoded (all-ASCII): DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; d=\n\<a href="http://tmydomain.com" target="_blank">tmydomain.com</a>; h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received; s=dkim20092019; t=1569972663; x=1570836664; bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=; 
b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuX...<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) ...m\n\tj1YnOl9AzPw14xi06cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\<a href="http://tmydomain.com" target="_blank">tmydomain.com</a>; h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received; s=dkim20092019; t=1569972663; x=1570836664; bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=; b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuXm\n\tj1YnOl9AzPw14xi0...<br>Oct 02 
01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) ...6cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=\n</p></div><div><p class="MsoNormal">...</p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">So, is there anything different I should do while setting up the DKIM in Winterfell?</p></div></div></div></blockquote></div></blockquote></div><p class="MsoNormal" style="margin-left:9.6pt"><u></u> <u></u></p><p class="MsoNormal"><span class="gmail-m_8072173552439509520DefaultFontHxMailStyle"><u></u> <u></u></span></p></div></div></blockquote></div>
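One way to narrow down a failing signature like the one in this thread is to recompute the body hash of the delivered copy and compare it with the bh= tag: a match means the body survived and the failure lies in the signed header fields (h=) or the key, while a mismatch means the body was rewritten after signing. This is an added example, not code from the thread or from Kolab/amavis; the sample message, the domain example.test, the selector and the footer are constructed, and only the c=relaxed/simple setting is taken from the amavisd.conf quoted above.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of WSP, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def signed_bh(raw: bytes):
    """Return (body canonicalization, bh value, body) for the first DKIM-Signature."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n(?=[ \t])", b"", head).decode("ascii", "replace")
    m = re.search(r"^DKIM-Signature:(.*)$", unfolded, re.I | re.M)
    if m is None:
        raise ValueError("no DKIM-Signature header")
    # Tag values may be folded (as bh= is in the log above), so drop all whitespace.
    tags = {k.strip(): "".join(v.split()) for k, v in
            (t.split("=", 1) for t in m.group(1).split(";") if "=" in t)}
    c = tags.get("c", "simple/simple")  # header/body; body defaults to simple
    return (c.split("/")[1] if "/" in c else "simple"), tags["bh"], body

def check_body(raw: bytes) -> str:
    mode, bh, body = signed_bh(raw)
    return "bh matches" if body_hash(body, mode) == bh else "bh mismatch"

# Constructed sample, not the poster's mail: signed with c=relaxed/simple as in
# the amavisd.conf above; the b= value is a dummy because only bh= is checked.
BODY = b"Test from Roundcube\r\n"
SIGNED = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.test;\r\n"
          b"\ts=sel; h=from:subject; bh=" + body_hash(BODY, "simple").encode() +
          b";\r\n\tb=ZHVtbXk=\r\nFrom: a@example.test\r\nSubject: t\r\n\r\n" + BODY)
FOOTER_ADDED = SIGNED + b"-- \r\nfooter appended by a later hop\r\n"  # hypothetical
TRAILING_WSP = SIGNED.replace(b"Roundcube\r\n", b"Roundcube \r\n")

if __name__ == "__main__":
    for name, msg in [("as signed", SIGNED), ("footer", FOOTER_ADDED),
                      ("trailing space", TRAILING_WSP)]:
        print(f"{name:15} {check_body(msg)}")
```

With c=relaxed/simple the body uses simple canonicalization, so even a single added trailing space changes the hash; under relaxed body canonicalization that particular change would be tolerated.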