Kolab 3.4 and opendkim signing
Soliva Andrea
soliva at comcept.ch
Sat Jul 23 17:18:39 CEST 2016
Hi all
has anybody implemented DKIM within Kolab 3.4?
I'm able to sign the corresponding domain based on "From" if I use
"roundcube" but not if I use Outlook ActiveSync. I think the problem is
the "From", which is not recognized anymore if the mail comes in over the
different policies used within Kolab. The error/warning within the log file is:
can't determine message sender;
The presence of a "From" or "Sender" header within the email is
mandatory for DKIM, otherwise the mail can't be signed; this message was
saying that the mail had none and was therefore refusing to sign it.
This happens only for Outlook ActiveSync and, as mentioned, over
"roundcubemail" all is working, which does not surprise me because
"roundcubemail" talks directly to localhost!
I also tried to sign in "amavisd", which would actually be my preferred
method, but even though I used an interface_policy I could not get the mail
signed for some reason. If somebody did an implementation over "amavisd",
I would appreciate it if they could share how it was done.
What I did based on opendkim and postfix is the following:
Installation based on CentOS 6, latest patch:
# yum install opendkim
# vi /etc/opendkim.conf
---------------
## Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid
## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
## messages.
Mode sv
## Log activity to the system log.
Syslog yes
## Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes
## If logging is enabled, include detailed logging about why or why not a message was
## signed or verified. This causes an increase in the amount of log data generated
## for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes
## Attempt to become the specified user before starting operations.
UserID opendkim:opendkim
## Create a socket through which your MTA can communicate.
Socket inet:8891@localhost
## Required to use local socket with MTAs that access the socket as a non-
## privileged user (e.g. Postfix)
Umask 002
## This specifies a text file in which to store DKIM transaction statistics.
## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics /var/spool/opendkim/stats.dat
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
SendReports no
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster@example.com>
## Add a DKIM-Filter header field to messages passing through this filter
## to identify messages it has processed.
SoftwareHeader yes
## SIGNING OPTIONS
## Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/simple
## Domain(s) whose mail should be signed by this filter. Mail from other domains will
## be verified rather than being signed. Uncomment and use your domain name.
## This parameter is not required if a SigningTable is in use.
# Domain example.com
## Defines the name of the selector to be used when signing messages.
Selector default
## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024
## Gives the location of a private key to be used for signing ALL messages. This
## directive is ignored if KeyTable is enabled.
#KeyFile /etc/opendkim/keys/default.private
## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
KeyTable /etc/opendkim/KeyTable
## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable refile:/etc/opendkim/SigningTable
## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
## Identifies a set of "internal" hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList X.X.X.X
## Always oversign From (sign using actual From and a null From to prevent
## malicious signatures header fields (From and/or others) between the signer
## and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From
## Additional Options
##
AutoRestart Yes
AutoRestartRate 10/1h
SignatureAlgorithm rsa-sha256
---------------
# vi /etc/opendkim/TrustedHosts
---------------
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
# Local subnets that are trusted and do not need to be verified!
[Internal Network]/24
---------------
# /usr/sbin/opendkim-genkey --verbose --bits=1024 --hash-algorithms=rsa-sha256 --restrict --selector=mail --directory=/etc/opendkim/keys/
opendkim-genkey: generating private key
opendkim-genkey: private key written to mail.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to mail.txt
# vi /etc/opendkim/KeyTable
---------------
mail._domainkey.comcept.ch comcept.ch:mail:/etc/opendkim/keys/mail.private
---------------
# vi /etc/opendkim/SigningTable
---------------
*@comcept.ch mail._domainkey.comcept.ch
---------------
vi /etc/postfix/main.cf
--------------
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
---------------
File "/etc/sysconfig/opendkim" is left as Default
vi /etc/postfix/master.cf
--------------
127.0.0.1:25025 inet n - - - - smtpd
  -o smtpd_milters=
--------------
Again, over "roundcubemail" all is working fine but not over Outlook
ActiveSync.
Help would be really appreciated!
--
Andrea Soliva
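To make the failure in the post reproducible without a running milter, here is an added Python example (not part of the original mail, nor OpenDKIM's own code) that mirrors OpenDKIM's SigningTable/KeyTable lookup on the two tables from the post: it resolves which key would sign a message from its From: header, and returns the post's "can't determine message sender" reason when that header is absent, as observed on the ActiveSync path. The table contents and sample messages are constructed copies for illustration.

```python
"""Resolve which OpenDKIM key would sign a message (constructed example)."""
import fnmatch
from email import message_from_string
from email.utils import parseaddr

# Constructed copies of the tables from the post. The SigningTable is loaded
# with refile:, so its key is a glob matched against the From: address.
SIGNING_TABLE = """
*@comcept.ch mail._domainkey.comcept.ch
"""
KEY_TABLE = """
mail._domainkey.comcept.ch comcept.ch:mail:/etc/opendkim/keys/mail.private
"""

# Constructed sample messages: one as Roundcube submits it, one lacking the
# From: header, which is what the post's log message points at.
ROUNDCUBE_MSG = "From: Andrea <andrea@comcept.ch>\nTo: x@example.org\n\nbody\n"
NO_FROM_MSG = "To: x@example.org\nSubject: test\n\nbody\n"


def parse_table(text):
    """Turn 'key value' lines into a dict, skipping blanks and # comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1].strip()
    return entries


def signing_key_for(raw_message):
    """Return (domain, selector, keyfile) for the key that would sign the
    message, or a string giving the reason it would not be signed."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    if "@" not in sender:
        # OpenDKIM logs exactly this when From: is missing or unparsable.
        return "can't determine message sender"
    signing = parse_table(SIGNING_TABLE)
    keys = parse_table(KEY_TABLE)
    for pattern, keyname in signing.items():
        if fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            domain, selector, keyfile = keys[keyname].split(":")
            return (domain, selector, keyfile)
    return "no SigningTable entry for %s (verify only)" % sender
```

Run it against a message captured from each submission path to see which headers the milter actually receives at the point it tries to sign.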