Kolab 3.4 and opendkim signing

Soliva Andrea soliva at comcept.ch
Sat Jul 23 17:18:39 CEST 2016


Hi all

has anybody implemented dkim within Kolab 3.4?

I'm able to sign the corresponding domain based on "From" if I use 
"roundcube" but not if I use Outlook ActiveSync. I think the problem is 
the "From", which is no longer recognized once the mail comes in over the 
different policies used within Kolab. The error/warning in the log file is:


can’t determine message sender;


The presence of a "From" or "Sender" header within the email is 
mandatory for DKIM, otherwise the mail can't be signed; this message is 
saying that the mail had none and that it therefore refused to sign it.

This happens only for Outlook ActiveSync; as mentioned, over 
"roundcubemail" everything works, which doesn't surprise me because 
"roundcubemail" talks directly to localhost!


I also tried to sign in "amavisd", which would actually be my preferred 
method, but even though I used an interface_policy I could not get the mail 
signed for some reason. If somebody did an implementation over "amavisd", 
I would appreciate it if they could describe how it was done.

What I did based on opendkim and postfix is the following:

Installation based on CentOS 6, latest patch:

# yum install opendkim

# vi /etc/opendkim.conf

---------------

##  Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
##  messages.
Mode    sv

##  Log activity to the system log.
Syslog  yes

##  Log additional entries indicating successful signing or verification of messages.
SyslogSuccess   yes

##  If logging is enabled, include detailed logging about why or why not a message was
##  signed or verified. This causes an increase in the amount of log data generated
##  for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy  yes

##  Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

##  Create a socket through which your MTA can communicate.
Socket  inet:8891@localhost

##  Required to use local socket with MTAs that access the socket as a
##  non-privileged user (e.g. Postfix)
Umask   002

##  This specifies a text file in which to store DKIM transaction statistics.
##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics    /var/spool/opendkim/stats.dat

##  Specifies whether or not the filter should generate report mail back
##  to senders when verification fails and an address for such a purpose
##  is provided. See opendkim.conf(5) for details.
SendReports     no

##  Specifies the sending address to be used on From: headers of outgoing
##  failure reports.  By default, the e-mail address of the user executing
##  the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster@example.com>

##  Add a DKIM-Filter header field to messages passing through this filter
##  to identify messages it has processed.
SoftwareHeader  yes

## SIGNING OPTIONS

##  Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/simple

##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
##  be verified rather than being signed. Uncomment and use your domain name.
##  This parameter is not required if a SigningTable is in use.
# Domain        example.com

##  Defines the name of the selector to be used when signing messages.
Selector        default

##  Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits  1024

##  Gives the location of a private key to be used for signing ALL messages. This
##  directive is ignored if KeyTable is enabled.
#KeyFile        /etc/opendkim/keys/default.private

##  Gives the location of a file mapping key names to signing keys. In simple terms,
##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
##  directive in the configuration file. Requires SigningTable be enabled.
KeyTable        /etc/opendkim/KeyTable

##  Defines a table used to select one or more signatures to apply to a message based
##  on the address found in the From: header field. In simple terms, this tells
##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable    refile:/etc/opendkim/SigningTable

##  Identifies a set of "external" hosts that may send mail through the server as one
##  of the signing domains without credentials as such.
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

##  Identifies a set of "internal" hosts whose mail should be signed rather than verified.
InternalHosts   refile:/etc/opendkim/TrustedHosts

##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
##  whose mail should be neither signed nor verified by this filter.  See man
##  page for file format.
# PeerList      X.X.X.X

##  Always oversign From (sign using actual From and a null From to prevent
##  malicious signatures header fields (From and/or others) between the signer
##  and the verifier.  From is oversigned by default in the Fedora package
##  because it is often the identity key used by reputation systems and thus
##  somewhat security sensitive.
OversignHeaders From

## Additional Options
##
AutoRestart             Yes
AutoRestartRate         10/1h
SignatureAlgorithm      rsa-sha256

---------------

# vi /etc/opendkim/TrustedHosts

---------------

# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
# Local subnets that are trusted and do not need to be verified!
[Internal Network]/24

---------------

# /usr/sbin/opendkim-genkey --verbose --bits=1024 --hash-algorithms=sha256 \
    --restrict --selector=mail --directory=/etc/opendkim/keys/
opendkim-genkey: generating private key
opendkim-genkey: private key written to mail.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to mail.txt

# vi /etc/opendkim/KeyTable

---------------

mail._domainkey.comcept.ch comcept.ch:mail:/etc/opendkim/keys/mail.private

---------------

# vi /etc/opendkim/SigningTable

---------------

*@comcept.ch mail._domainkey.comcept.ch

---------------

# vi /etc/postfix/main.cf

--------------

milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

---------------

The file "/etc/sysconfig/opendkim" is left at its default.


# vi /etc/postfix/master.cf

--------------

127.0.0.1:25025 inet    n       -       -       -       -       smtpd
  -o smtpd_milters=


--------------

Again, over "roundcubemail" everything works fine but not over Outlook 
ActiveSync.

Help would be really appreciated!

-- 

Andrea Soliva
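The following is an added example (not part of the post above and not OpenDKIM's code) that dry-runs the signing decision OpenDKIM makes for a message against the tables shown in the post: the InternalHosts check from TrustedHosts, the From/Sender lookup that yields "can't determine message sender" when both headers are missing, and the refile SigningTable to KeyTable resolution. The KeyTable and SigningTable entries are copied from the post; the 192.0.2.0/24 subnet (standing in for the post's "[Internal Network]/24"), the sample messages, and the From-then-Sender fallback order are assumptions made for the example.

```python
"""Dry-run of OpenDKIM's sign/verify decision for a message (added example,
not OpenDKIM code). Reproduces: (1) InternalHosts membership, (2) which
From/Sender address identifies the message, (3) SigningTable -> KeyTable
resolution. Tables come from the post; the subnet and messages are constructed."""

import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# From the post's /etc/opendkim/TrustedHosts. "[Internal Network]/24" is
# replaced by a documentation subnet: an assumption for this example.
TRUSTED_HOSTS = ["127.0.0.1", "::1", "192.0.2.0/24"]

# From the post's KeyTable: key name -> (domain, selector, private key path)
KEY_TABLE = {
    "mail._domainkey.comcept.ch": ("comcept.ch", "mail", "/etc/opendkim/keys/mail.private"),
}

# From the post's refile:SigningTable, in file order: (glob pattern, key name)
SIGNING_TABLE = [("*@comcept.ch", "mail._domainkey.comcept.ch")]

# Constructed sample messages (CRLF line endings as the milter would see them)
SAMPLE_OK = (b"From: Andrea <andrea@comcept.ch>\r\nTo: x@example.net\r\n"
             b"Subject: hi\r\n\r\nbody\r\n")
SAMPLE_NO_FROM = b"To: x@example.net\r\nSubject: hi\r\n\r\nbody\r\n"
SAMPLE_SENDER_ONLY = b"Sender: relay@comcept.ch\r\nSubject: hi\r\n\r\nbody\r\n"
SAMPLE_OTHER_DOMAIN = b"From: someone@example.org\r\nSubject: hi\r\n\r\nbody\r\n"


def is_internal(client_ip, trusted=TRUSTED_HOSTS):
    """InternalHosts check: exact address or CIDR block match (v4/v6 aware)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in trusted)


def refile_regex(pattern):
    """Turn a refile glob ('*' is the only wildcard) into an anchored,
    case-insensitive regex. Approximation of OpenDKIM's refile matching."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


def message_sender(msg):
    """Address the signer would sign for: From first, Sender as fallback
    (the order assumed here, following the post's description).
    Returns None when neither header carries an address."""
    for hdr in ("From", "Sender"):
        value = msg.get(hdr)
        if value:
            addr = parseaddr(str(value))[1]
            if "@" in addr:
                return addr
    return None


def sender_of(raw_message):
    """Parse raw bytes and return the signing address, or None."""
    return message_sender(email.message_from_bytes(raw_message, policy=policy.default))


def lookup_key(addr):
    """SigningTable -> KeyTable resolution; None if no pattern matches."""
    for pattern, keyname in SIGNING_TABLE:
        if refile_regex(pattern).match(addr) and keyname in KEY_TABLE:
            return KEY_TABLE[keyname]
    return None


def signing_decision(raw_message, client_ip):
    """Return (action, detail): action is 'sign', 'verify' or 'error'."""
    if not is_internal(client_ip):
        return ("verify", "client %s not in InternalHosts" % client_ip)
    addr = sender_of(raw_message)
    if addr is None:
        return ("error", "can't determine message sender")  # the log line from the post
    key = lookup_key(addr)
    if key is None:
        return ("verify", "no SigningTable entry for %s" % addr)
    domain, selector, keyfile = key
    return ("sign", "d=%s s=%s key=%s" % (domain, selector, keyfile))


if __name__ == "__main__":
    for name, raw, ip in [("roundcube-style submission", SAMPLE_OK, "127.0.0.1"),
                          ("message without From", SAMPLE_NO_FROM, "::1"),
                          ("Sender header only", SAMPLE_SENDER_ONLY, "192.0.2.10"),
                          ("foreign domain", SAMPLE_OTHER_DOMAIN, "192.0.2.10"),
                          ("external client", SAMPLE_OK, "203.0.113.5")]:
        print("%-28s %s" % (name, signing_decision(raw, ip)))
```

Running it shows the three outcomes side by side: a From address matching the SigningTable from a trusted client is signed with the key from the KeyTable; a message with neither From nor Sender produces exactly the "can't determine message sender" path, whatever client it came from; a trusted client whose From is outside the table, or any untrusted client, is only verified. Two caveats when mapping this back to the post's setup: the smtpd instance on 127.0.0.1:25025 has `-o smtpd_milters=` and therefore never reaches the signer at all, so a message injected there has to pass through a milter-enabled smtpd later in the pipeline to be signed; and while the post generates a 1024-bit key to match `MinimumKeyBits 1024`, RFC 8301 recommends 2048-bit RSA keys for signers, so a new deployment should use `--bits=2048` (OpenDKIM accepts keys above the minimum without other changes).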

