<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Century Gothic";
        panose-1:2 11 5 2 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
span.DefaultFontHxMailStyle
        {mso-style-name:"Default Font HxMail Style";
        font-family:"Century Gothic",sans-serif;
        color:windowtext;
        font-weight:normal;
        font-style:normal;
        text-decoration:none none;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style></head><body lang=DE-CH link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span class=DefaultFontHxMailStyle>Sure, I even made a howto for 16. <o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle>You may have missed it if you only read «official» docs:<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><a href="https://diala.org/dokuwiki/howto/dkim_signing_with_kolab_16_on_debian_9">https://diala.org/dokuwiki/howto/dkim_signing_with_kolab_16_on_debian_9</a><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle>I did not check with Winterfell though. <o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif'>Regards<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Century Gothic",sans-serif'>Peter Koch</span><o:p></o:p></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>From: </b><a href="mailto:petrovic.milan@gmail.com">Milan Petrovic</a><br><b>Sent: </b>Saturday, 19
October 2019 00:16<br><b>To: </b><a href="mailto:users@lists.kolab.org">users@lists.kolab.org</a><br><b>Subject: </b>Re: DKIM setup in Winterfell</p></div><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><div><p class=MsoNormal>I can't believe no one has ever set up DKIM in Kolab 16 or Winterfell...</p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Tue, Oct 8, 2019 at 9:34 PM Milan Petrovic <<a href="mailto:petrovic.milan@gmail.com">petrovic.milan@gmail.com</a>> wrote:</p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal>Has anyone been setting the DKIM up in Winterfell?</p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Wed, Oct 2, 2019 at 2:05 AM Milan Petrovic <<a href="mailto:petrovic.milan@gmail.com" target="_blank">petrovic.milan@gmail.com</a>> wrote:</p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><div><p class=MsoNormal>Is there any difference in setting up the DKIM signing through Amavis in Winterfell as compared to earlier versions (I'm referring to the available guides in Kolab doc)?</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm trying to set it up, following the doc guide thoroughly, but I keep getting the verification failed (not only through some online checking services, but also GMail as a recipient finds the same).</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>My amavisd.conf looks like this:</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>...</p></div><div><p class=MsoNormal>$inet_socket_port = [10023,10024];  # listen on multiple TCP ports<br><br>$interface_policy{'10023'} = 'SUBMISSION';<br>$policy_bank{'SUBMISSION'} = {<br>    originating => 1,<br>    
smtpd_discard_ehlo_keywords => ['8BITGTGpq6rkEc1AIT@dkimvalidator.comMIME']<br>};</p></div><div><p class=MsoNormal>...</p></div><div><p class=MsoNormal>dkim_key(<br>    '<a href="http://mydomain.com" target="_blank">mydomain.com</a>',<br>    'dkim20092019',<br>    '/etc/amavisd/dkim/mydomain.com.dkim20092019.pem'<br>);<br>@dkim_signature_options_bysender_maps = (<br>    {<br>      "<a href="http://mydomain.com" target="_blank">mydomain.com</a>" => {<br>            d   => '<a href="http://mydomain.com" target="_blank">mydomain.com</a>',<br>            a   => 'rsa-sha256',<br>            ttl => 10*24*3600,<br>            c   => 'relaxed/simple'<br>        }<br>    }<br>);<br><br>1;  # insure a defined return value</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>And my <a href="http://master.cf" target="_blank">master.cf</a>:</p></div><div><p class=MsoNormal>...</p></div><div><p class=MsoNormal>submission          inet        n - n - - smtpd<br>    -o cleanup_service_name=cleanup_submission<br>    -o syslog_name=postfix/submission<br>    -o smtpd_tls_security_level=encrypt<br>    -o smtpd_sasl_auth_enable=yes<br>    -o smtpd_sasl_authenticated_header=yes<br>    -o smtpd_client_restrictions=permit_sasl_authenticated,reject<br>    -o smtpd_data_restrictions=$submission_data_restrictions<br>    -o smtpd_recipient_restrictions=$submission_recipient_restrictions<br>    -o smtpd_sender_restrictions=$submission_sender_restrictions<br>    -o content_filter=smtp-amavis:[127.0.0.1]:10023<br>    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters</p></div><div><p class=MsoNormal>...</p></div><div><p class=MsoNormal>smtp-amavis         unix        -       -       n       -       3 smtp<br>    -o smtp_data_done_timeout=1800<br>    -o disable_dns_lookups=yes<br>    -o smtp_send_xforward_command=yes<br>    -o max_use=20<br>    -o smtp_bind_address=127.0.0.1<br><br># 
Listener to re-inject email from Amavisd into Postfix<br><a href="http://127.0.0.1:10025" target="_blank">127.0.0.1:10025</a>     inet        n - n - 100     smtpd<br>    -o cleanup_service_name=cleanup_internal<br>    -o content_filter=smtp-wallace:[127.0.0.1]:10026<br>    -o local_recipient_maps=<br>    -o relay_recipient_maps=<br>    -o smtpd_restriction_classes=<br>    -o smtpd_client_restrictions=<br>    -o smtpd_helo_restrictions=<br>    -o smtpd_sender_restrictions=<br>    -o smtpd_recipient_restrictions=permit_mynetworks,reject<br>    -o mynetworks=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a><br>    -o smtpd_authorized_xforward_hosts=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal># Filter email through Wallace<br>smtp-wallace        unix        - - n - 3       smtp<br>    -o smtp_data_done_timeout=1800<br>    -o disable_dns_lookups=yes<br>    -o smtp_send_xforward_command=yes<br>    -o max_use=20</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal># Listener to re-inject email from Wallace into Postfix<br><a href="http://127.0.0.1:10027" target="_blank">127.0.0.1:10027</a>     inet        n - n - 100     smtpd<br>    -o cleanup_service_name=cleanup_internal<br>    -o content_filter=<br>    -o local_recipient_maps=<br>    -o relay_recipient_maps=<br>    -o smtpd_restriction_classes=<br>    -o smtpd_client_restrictions=<br>    -o smtpd_helo_restrictions=<br>    -o smtpd_sender_restrictions=<br>    -o smtpd_recipient_restrictions=permit_mynetworks,reject<br>    -o mynetworks=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a><br>    -o smtpd_authorized_xforward_hosts=<a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Sending a test mail to <a 
href="mailto:auth-results@verifier.port25.com" target="_blank">auth-results@verifier.port25.com</a>, among others, gives the following result:</p></div><div><p class=MsoNormal>DKIM_INVALID           DKIM or DK signature exists, but is not valid</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>A similar thing happens with <a href="http://dkimvalidator.com" target="_blank">dkimvalidator.com</a>:</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Validating Signature<br>result = fail<br>Details: message has been altered</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>All mails are sent through Roundcube. </p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>On the other hand, the mxtoolbox DKIM verifier passes. Also, 'amavisd ... testkeys' gives a "pass".</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Excerpt from the amavis log (everything looks normal to me here):</p></div><div><p class=MsoNormal>...</p></div><div><p class=MsoNormal>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header: Received: from <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> ([127.0.0.1])\n\tby localhost (<a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> [127.0.0.1]) (amavisd-new, port 10028)\n\twith ESMTP id GWd2ey-29lPr for <<a href="mailto:mailAtGmail@gmail.com" target="_blank">mailAtGmail@gmail.com</a>>;\n\tWed,  2 Oct 2019 01:31:03 +0200 (CEST)\n<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) headers CLUSTERING: done all 1 recips in one go<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: candidate originators: From:<<a 
href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) query_keys: cached <a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) lookup_hash(<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>) matches keys: "<a href="http://mydomain.com" target="_blank">mydomain.com</a>"=>HASH(0x23176e8)<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) lookup [dkim_signature_options_bysender], 1 matches for "<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>", results: "<a href="http://mydomain.com" target="_blank">mydomain.com</a>"=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"864000",d=>"<a href="http://mydomain.com" target="_blank">mydomain.com</a>"}<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: signature options for <a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>(From): c=relaxed/simple; a=rsa-sha256; ttl=864000; d=<a href="http://mydomain.com" target="_blank">mydomain.com</a><br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) dkim: signing (author), From: <<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>> (From:<<a href="mailto:milan@mydomain.com" target="_blank">milan@mydomain.com</a>>), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=><a href="http://mydomain.com" target="_blank">mydomain.com</a>, s=>dkim20092019, ttl=>864000, x=>1570836664<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) write_header: 1, 
Amavis::Out::SMTP=HASH(0x785b2b8)<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header encoded (all-ASCII): DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; d=\n\<a href="http://tmydomain.com" target="_blank">tmydomain.com</a>; h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received; s=dkim20092019; t=1569972663; x=1570836664; bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=; b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuX...<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) ...m\n\tj1YnOl9AzPw14xi06cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\<a href="http://tmydomain.com" target="_blank">tmydomain.com</a>; h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received; s=dkim20092019; t=1569972663; x=1570836664; bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=; 
b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuXm\n\tj1YnOl9AzPw14xi0...<br>Oct 02 01:31:04 <a href="http://mail.mydomain.com" target="_blank">mail.mydomain.com</a> amavis[11404]: (11404-02) ...6cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=\n</p></div><div><p class=MsoNormal>...</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>So, is there anything different I should do while setting up the DKIM in Winterfell?</p></div></div></div></blockquote></div></blockquote></div><p class=MsoNormal style='margin-left:9.6pt'><o:p> </o:p></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p></div></body></html>