DKIM setup in Winterfell
Milan Petrovic
petrovic.milan at gmail.com
Tue Oct 8 21:34:14 CEST 2019
Has anyone been setting the DKIM up in Winterfell?
On Wed, Oct 2, 2019 at 2:05 AM Milan Petrovic <petrovic.milan at gmail.com>
wrote:
> Is there any difference in setting up the DKIM signing through Amavis in
> Winterfell as compared to earlier versions (I'm referring to the available
> guides in Kolab doc)?
>
> I'm trying to set it up, following the doc guide thoroughly, but I keep
> getting the verification failed (not only through some online checking
> services, but also GMail as a recipient finds the same).
>
> My amavisd.conf looks like this:
>
> ...
> $inet_socket_port = [10023,10024]; # listen on multiple TCP ports
>
> $interface_policy{'10023'} = 'SUBMISSION';
> $policy_bank{'SUBMISSION'} = {
> originating => 1,
> smtpd_discard_ehlo_keywords => ['8BITMIME']
> };
> ...
> dkim_key(
> 'mydomain.com',
> 'dkim20092019',
> '/etc/amavisd/dkim/mydomain.com.dkim20092019.pem'
> );
> @dkim_signature_options_bysender_maps = (
> {
> "mydomain.com" => {
> d => 'mydomain.com',
> a => 'rsa-sha256',
> ttl => 10*24*3600,
> c => 'relaxed/simple'
> }
> }
> );
>
> 1; # insure a defined return value
>
>
> And my master.cf:
> ...
> submission inet n - n - - smtpd
> -o cleanup_service_name=cleanup_submission
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_sasl_authenticated_header=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_data_restrictions=$submission_data_restrictions
> -o smtpd_recipient_restrictions=$submission_recipient_restrictions
> -o smtpd_sender_restrictions=$submission_sender_restrictions
> -o content_filter=smtp-amavis:[127.0.0.1]:10023
> -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
> ...
> smtp-amavis unix - - n - 3 smtp
> -o smtp_data_done_timeout=1800
> -o disable_dns_lookups=yes
> -o smtp_send_xforward_command=yes
> -o max_use=20
> -o smtp_bind_address=127.0.0.1
>
> # Listener to re-inject email from Amavisd into Postfix
> 127.0.0.1:10025 inet n - n - 100 smtpd
> -o cleanup_service_name=cleanup_internal
> -o content_filter=smtp-wallace:[127.0.0.1]:10026
> -o local_recipient_maps=
> -o relay_recipient_maps=
> -o smtpd_restriction_classes=
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks=127.0.0.0/8
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> # Filter email through Wallace
> smtp-wallace unix - - n - 3 smtp
> -o smtp_data_done_timeout=1800
> -o disable_dns_lookups=yes
> -o smtp_send_xforward_command=yes
> -o max_use=20
>
> # Listener to re-inject email from Wallace into Postfix
> 127.0.0.1:10027 inet n - n - 100 smtpd
> -o cleanup_service_name=cleanup_internal
> -o content_filter=
> -o local_recipient_maps=
> -o relay_recipient_maps=
> -o smtpd_restriction_classes=
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks=127.0.0.0/8
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
>
> Sending a test mail to auth-results at verifier.port25.com, among others,
> gives the following result:
> DKIM_INVALID DKIM or DK signature exists, but is not valid
>
> Similar thing happens with dkimvalidator.com:
>
> Validating Signature
> result = fail
> Details: message has been altered
>
> All mails are sent through Roundcube.
>
>
> On the other hand, the mxtoolbox's DKIM verifier passes. Also, the 'amavisd
> ... testkeys' gives a "pass".
>
> Excerpt from the amavis' log (everything looks normal to me here):
> ...
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header:
> Received: from mail.mydomain.com ([127.0.0.1])\n\tby localhost (
> mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10028)\n\twith ESMTP id
> GWd2ey-29lPr for <mailAtGmail at gmail.com>;\n\tWed, 2 Oct 2019 01:31:03
> +0200 (CEST)\n
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) headers
> CLUSTERING: done all 1 recips in one go
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim:
> candidate originators: From:<milan at mydomain.com>
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) query_keys:
> cached milan at mydomain.com
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup_hash(
> milan at mydomain.com) matches keys: "mydomain.com"=>HASH(0x23176e8)
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup
> [dkim_signature_options_bysender], 1 matches for "milan at mydomain.com",
> results: "mydomain.com
> "=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"864000",d=>"mydomain.com"}
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim:
> signature options for milan at mydomain.com(From): c=relaxed/simple;
> a=rsa-sha256; ttl=864000; d=mydomain.com
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim: signing
> (author), From: <milan at mydomain.com> (From:<milan at mydomain.com>),
> KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>mydomain.com,
> s=>dkim20092019, ttl=>864000, x=>1570836664
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) write_header:
> 1, Amavis::Out::SMTP=HASH(0x785b2b8)
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header
> encoded (all-ASCII): DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> d=\n\tmydomain.com;
> h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received;
> s=dkim20092019; t=1569972663; x=1570836664;
> bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=;
> b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuX...
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
> ...m\n\tj1YnOl9AzPw14xi06cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header:
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\tmydomain.com;
> h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received;
> s=dkim20092019; t=1569972663; x=1570836664;
> bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=;
> b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuXm\n\tj1YnOl9AzPw14xi0...
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
> ...6cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=\n
> ...
>
> So, is there anything different I should do while setting up the DKIM in
> Winterfell?
>
>
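Added example, not part of the original post and not Kolab or amavisd code: when a verifier reports a DKIM failure for a message signed with `c=relaxed/simple` as in the configuration above, recomputing the body hash of the message as received shows whether the body or one of the signed headers in `h=` changed after signing. The sketch implements the RFC 6376 body canonicalizations; the sample message, `example.test`, the selector `sel` and all function names are constructed for illustration, and it assumes `rsa-sha256` with no `l=` tag.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse runs of WSP, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:  # empty body: simple hashes one CRLF, relaxed hashes nothing
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def check_body_hash(raw: bytes) -> dict:
    """Recompute bh= for the first DKIM-Signature header of a raw message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")
    sig = next(h.split(":", 1)[1] for h in unfolded.split("\r\n")
               if h.lower().startswith("dkim-signature:"))
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    # c=header/body; a missing body part means "simple"
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return {"body_canon": body_mode, "signed_headers": tags["h"].split(":"),
            "bh_ok": body_hash(body, body_mode) == tags["bh"]}

# Constructed sample: b= is a placeholder, no RSA verification is done here.
BODY = b"Test message\r\n-- \r\nSent with webmail\r\n"

def sample(body: bytes) -> bytes:
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.test;\r\n"
            b"\th=from:subject; s=sel; bh=" + body_hash(BODY, "simple").encode() +
            b";\r\n\tb=PLACEHOLDER\r\nFrom: <a@example.test>\r\nSubject: t\r\n\r\n" + body)

# Constructed change after signing: a hop strips trailing whitespace ("-- " -> "--").
ALTERED = BODY.replace(b"-- \r\n", b"--\r\n")

if __name__ == "__main__":
    print(check_body_hash(sample(BODY)))      # body hash matches
    print(check_body_hash(sample(ALTERED)))   # simple body canonicalization: mismatch
    print(body_hash(BODY, "relaxed") == body_hash(ALTERED, "relaxed"))
```

To use it on a real case, pass the raw bytes of the message as saved at the recipient to `check_body_hash`; if `bh_ok` is true, the difference lies in one of the headers listed in `signed_headers`.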