DKIM setup in Winterfell

Milan Petrovic petrovic.milan at gmail.com
Tue Oct 8 21:34:14 CEST 2019


Has anyone set up DKIM in Winterfell?

On Wed, Oct 2, 2019 at 2:05 AM Milan Petrovic <petrovic.milan at gmail.com>
wrote:

> Is there any difference in setting up the DKIM signing through Amavis in
> Winterfell as compared to earlier versions (I'm referring to the available
> guides in Kolab doc)?
>
> I'm trying to set it up, following the doc guide thoroughly, but I keep
> getting verification failures (not only from some online checking
> services; Gmail as a recipient finds the same).
>
> My amavisd.conf looks like this:
>
> ...
> $inet_socket_port = [10023,10024];  # listen on multiple TCP ports
>
> $interface_policy{'10023'} = 'SUBMISSION';
> $policy_bank{'SUBMISSION'} = {
>     originating => 1,
>     smtpd_discard_ehlo_keywords =>
> ['8BITGTGpq6rkEc1AIT at dkimvalidator.comMIME']
> };
> ...
> dkim_key(
>     'mydomain.com',
>     'dkim20092019',
>     '/etc/amavisd/dkim/mydomain.com.dkim20092019.pem'
> );
> @dkim_signature_options_bysender_maps = (
>     {
>       "mydomain.com" => {
>             d   => 'mydomain.com',
>             a   => 'rsa-sha256',
>             ttl => 10*24*3600,
>             c   => 'relaxed/simple'
>         }
>     }
> );
>
> 1;  # insure a defined return value
>
>
> And my master.cf:
> ...
> submission          inet        n - n - - smtpd
>     -o cleanup_service_name=cleanup_submission
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_security_level=encrypt
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_sasl_authenticated_header=yes
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o smtpd_data_restrictions=$submission_data_restrictions
>     -o smtpd_recipient_restrictions=$submission_recipient_restrictions
>     -o smtpd_sender_restrictions=$submission_sender_restrictions
>     -o content_filter=smtp-amavis:[127.0.0.1]:10023
>     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
> ...
> smtp-amavis         unix        -       -       n       -       3 smtp
>     -o smtp_data_done_timeout=1800
>     -o disable_dns_lookups=yes
>     -o smtp_send_xforward_command=yes
>     -o max_use=20
>     -o smtp_bind_address=127.0.0.1
>
> # Listener to re-inject email from Amavisd into Postfix
> 127.0.0.1:10025     inet        n - n - 100     smtpd
>     -o cleanup_service_name=cleanup_internal
>     -o content_filter=smtp-wallace:[127.0.0.1]:10026
>     -o local_recipient_maps=
>     -o relay_recipient_maps=
>     -o smtpd_restriction_classes=
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o mynetworks=127.0.0.0/8
>     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> # Filter email through Wallace
> smtp-wallace        unix        - - n - 3       smtp
>     -o smtp_data_done_timeout=1800
>     -o disable_dns_lookups=yes
>     -o smtp_send_xforward_command=yes
>     -o max_use=20
>
> # Listener to re-inject email from Wallace into Postfix
> 127.0.0.1:10027     inet        n - n - 100     smtpd
>     -o cleanup_service_name=cleanup_internal
>     -o content_filter=
>     -o local_recipient_maps=
>     -o relay_recipient_maps=
>     -o smtpd_restriction_classes=
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o mynetworks=127.0.0.0/8
>     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
>
> Sending a test mail to auth-results at verifier.port25.com, among others,
> gives the following result:
> DKIM_INVALID           DKIM or DK signature exists, but is not valid
>
> A similar thing happens with dkimvalidator.com:
>
> Validating Signature
> result = fail
> Details: message has been altered
>
> All mails are sent through Roundcube.
>
>
> On the other hand, mxtoolbox's DKIM verifier passes. Also, 'amavisd
> ... testkeys' gives a "pass".
>
> Excerpt from the amavis' log (everything looks normal to me here):
> ...
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header:
> Received: from mail.mydomain.com ([127.0.0.1])\n\tby localhost (
> mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10028)\n\twith ESMTP id
> GWd2ey-29lPr for <mailAtGmail at gmail.com>;\n\tWed,  2 Oct 2019 01:31:03
> +0200 (CEST)\n
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) headers
> CLUSTERING: done all 1 recips in one go
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim:
> candidate originators: From:<milan at mydomain.com>
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) query_keys:
> cached milan at mydomain.com
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup_hash(
> milan at mydomain.com) matches keys: "mydomain.com"=>HASH(0x23176e8)
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup
> [dkim_signature_options_bysender], 1 matches for "milan at mydomain.com",
> results: "mydomain.com
> "=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"864000",d=>"mydomain.com"}
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim:
> signature options for milan at mydomain.com(From): c=relaxed/simple;
> a=rsa-sha256; ttl=864000; d=mydomain.com
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim: signing
> (author), From: <milan at mydomain.com> (From:<milan at mydomain.com>),
> KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>mydomain.com,
> s=>dkim20092019, ttl=>864000, x=>1570836664
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) write_header:
> 1, Amavis::Out::SMTP=HASH(0x785b2b8)
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header
> encoded (all-ASCII): DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple;
> d=\n\tmydomain.com;
> h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received;
> s=dkim20092019; t=1569972663; x=1570836664;
> bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=;
> b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuX...
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
> ...m\n\tj1YnOl9AzPw14xi06cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header:
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\tmydomain.com;
> h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received;
> s=dkim20092019; t=1569972663; x=1570836664;
> bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=;
> b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuXm\n\tj1YnOl9AzPw14xi0...
> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
> ...6cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=\n
> ...
>
> So, is there anything different I should do while setting up the DKIM in
> Winterfell?
>
>
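
A first triage step for a signature that fails at the receiver, as in the post above, is to recompute the body hash of the message as delivered and compare it with the bh= tag: a match means the body survived transit and the failure lies in the signed headers or the key, while a mismatch means something changed the body after signing. This is an added example, not part of the original post or of Amavis; it assumes a=rsa-sha256 as in the quoted configuration, and the sample message, example.com and selector1 are constructed.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode == "relaxed":  # collapse space/tab runs, drop whitespace at line ends
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                            for ln in body.split(b"\r\n"))
    while body.endswith(b"\r\n"):        # empty lines at the end of the body are ignored
        body = body[:-2]
    if not body and mode == "relaxed":
        return b""                        # relaxed: an empty body stays empty
    return body + b"\r\n"                 # otherwise exactly one trailing CRLF

def sig_tags(headers: bytes) -> dict:
    """Return the tag=value pairs of the first DKIM-Signature header."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", headers)
    m = re.search(rb"(?im)^DKIM-Signature:(.*)$", unfolded)
    if not m:
        raise ValueError("no DKIM-Signature header")
    tags = {}
    for part in m.group(1).split(b";"):
        name, sep, value = part.partition(b"=")
        if sep:  # whitespace inside a value (a folded bh=, for instance) is not significant
            tags[name.strip().decode()] = b"".join(value.split()).decode()
    return tags

def check_body_hash(raw: bytes) -> dict:
    """Recompute the SHA-256 body hash of a message as received and compare it with bh=."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)            # tolerate a file saved with bare LF
    headers, _, body = raw.partition(b"\r\n\r\n")
    tags = sig_tags(headers)
    c = tags.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"  # a lone c=relaxed leaves the body simple
    limit = int(tags["l"]) if "l" in tags else None   # l= caps the number of octets hashed
    digest = hashlib.sha256(canon_body(body, mode)[:limit]).digest()
    computed = base64.b64encode(digest).decode()
    return {"body_canon": mode, "claimed": tags.get("bh"),
            "computed": computed, "match": computed == tags.get("bh")}

def constructed_message(body: bytes, c: str) -> bytes:
    """Constructed sample: bh= is computed here, b= is a placeholder, names are made up."""
    bh = base64.b64encode(hashlib.sha256(canon_body(body, c.split("/")[1])).digest())
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=" + c.encode() + b"; d=example.com;\r\n"
            b"\ts=selector1; h=from:subject; bh=" + bh + b"; b=PLACEHOLDER\r\n"
            b"From: <user@example.com>\r\nSubject: test\r\n\r\n" + body)

if __name__ == "__main__":
    signed = constructed_message(b"Hello  world\r\nbye\r\n", "relaxed/simple")
    altered = signed.replace(b"Hello  world", b"Hello world")  # whitespace changed after signing
    print(check_body_hash(signed)["match"], check_body_hash(altered)["match"])
```

To use it on real mail, pass the raw bytes of the message as stored by the recipient to check_body_hash().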