DKIM setup in Winterfell
Milan Petrovic
petrovic.milan at gmail.com
Sat Oct 19 00:09:59 CEST 2019
I can't believe noone has ever setup DKIM in Kolab 16 or Winterfell...
On Tue, Oct 8, 2019 at 9:34 PM Milan Petrovic <petrovic.milan at gmail.com>
wrote:
> Has anyone been setting the DKIM up in Winterfell?
>
> On Wed, Oct 2, 2019 at 2:05 AM Milan Petrovic <petrovic.milan at gmail.com>
> wrote:
>
>> Is there any difference in setting up the DKIM signing through Amavis in
>> Winterfell as compared to earlier versions (I'm referring to the available
>> guides in Kolab doc)?
>>
>> I'm trying to set it up, following the doc guide thoroughly, but I keep
>> getting the verification failed (not only through some online checking
>> services, but also GMail as a recipient finds the same).
>>
>> My amavisd.conf looks like this:
>>
>> ...
>> $inet_socket_port = [10023,10024]; # listen on multiple TCP ports
>>
>> $interface_policy{'10023'} = 'SUBMISSION';
>> $policy_bank{'SUBMISSION'} = {
>> originating => 1,
>> smtpd_discard_ehlo_keywords =>
>> ['8BITGTGpq6rkEc1AIT at dkimvalidator.comMIME']
>> };
>> ...
>> dkim_key(
>> 'mydomain.com',
>> 'dkim20092019',
>> '/etc/amavisd/dkim/mydomain.com.dkim20092019.pem'
>> );
>> @dkim_signature_options_bysender_maps = (
>> {
>> "mydomain.com" => {
>> d => 'mydomain.com',
>> a => 'rsa-sha256',
>> ttl => 10*24*3600,
>> c => 'relaxed/simple'
>> }
>> }
>> );
>>
>> 1; # insure a defined return value
>>
>>
>> And my master.cf:
>> ...
>> submission inet n - n - - smtpd
>> -o cleanup_service_name=cleanup_submission
>> -o syslog_name=postfix/submission
>> -o smtpd_tls_security_level=encrypt
>> -o smtpd_sasl_auth_enable=yes
>> -o smtpd_sasl_authenticated_header=yes
>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> -o smtpd_data_restrictions=$submission_data_restrictions
>> -o smtpd_recipient_restrictions=$submission_recipient_restrictions
>> -o smtpd_sender_restrictions=$submission_sender_restrictions
>> -o content_filter=smtp-amavis:[127.0.0.1]:10023
>> -o
>> receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>> ...
>> smtp-amavis unix - - n - 3 smtp
>> -o smtp_data_done_timeout=1800
>> -o disable_dns_lookups=yes
>> -o smtp_send_xforward_command=yes
>> -o max_use=20
>> -o smtp_bind_address=127.0.0.1
>>
>> # Listener to re-inject email from Amavisd into Postfix
>> 127.0.0.1:10025 inet n - n - 100 smtpd
>> -o cleanup_service_name=cleanup_internal
>> -o content_filter=smtp-wallace:[127.0.0.1]:10026
>> -o local_recipient_maps=
>> -o relay_recipient_maps=
>> -o smtpd_restriction_classes=
>> -o smtpd_client_restrictions=
>> -o smtpd_helo_restrictions=
>> -o smtpd_sender_restrictions=
>> -o smtpd_recipient_restrictions=permit_mynetworks,reject
>> -o mynetworks=127.0.0.0/8
>> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>>
>> # Filter email through Wallace
>> smtp-wallace unix - - n - 3 smtp
>> -o smtp_data_done_timeout=1800
>> -o disable_dns_lookups=yes
>> -o smtp_send_xforward_command=yes
>> -o max_use=20
>>
>> # Listener to re-inject email from Wallace into Postfix
>> 127.0.0.1:10027 inet n - n - 100 smtpd
>> -o cleanup_service_name=cleanup_internal
>> -o content_filter=
>> -o local_recipient_maps=
>> -o relay_recipient_maps=
>> -o smtpd_restriction_classes=
>> -o smtpd_client_restrictions=
>> -o smtpd_helo_restrictions=
>> -o smtpd_sender_restrictions=
>> -o smtpd_recipient_restrictions=permit_mynetworks,reject
>> -o mynetworks=127.0.0.0/8
>> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>>
>>
>> Sending a test mail to auth-results at verifier.port25.com, among others,
>> gives the following result:
>> DKIM_INVALID DKIM or DK signature exists, but is not valid
>>
>> Similar thing happens with dkimvalidator.com:
>>
>> Validating Signature
>> result = fail
>> Details: message has been altered
>>
>> All mails are sent through Roundcube.
>>
>>
>> On the other hand, the mxtoolbox' dkim verifier passes. Also the 'amavisd
>> ... testkeys" gives a "pass".
>>
>> Excerpt from the amavis' log (everything looks normal to me here):
>> ...
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header:
>> Received: from mail.mydomain.com ([127.0.0.1])\n\tby localhost (
>> mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10028)\n\twith ESMTP
>> id GWd2ey-29lPr for <mailAtGmail at gmail.com>;\n\tWed, 2 Oct 2019
>> 01:31:03 +0200 (CEST)\n
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) headers
>> CLUSTERING: done all 1 recips in one go
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim:
>> candidate originators: From:<milan at mydomain.com>
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) query_keys:
>> cached milan at mydomain.com
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup_hash(
>> milan at mydomain.com) matches keys: "mydomain.com"=>HASH(0x23176e8)
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) lookup
>> [dkim_signature_options_bysender], 1 matches for "milan at mydomain.com",
>> results: "mydomain.com
>> "=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"864000",d=>"mydomain.com"}
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim:
>> signature options for milan at mydomain.com(From): c=relaxed/simple;
>> a=rsa-sha256; ttl=864000; d=mydomain.com
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) dkim:
>> signing (author), From: <milan at mydomain.com> (From:<milan at mydomain.com>),
>> KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>mydomain.com,
>> s=>dkim20092019, ttl=>864000, x=>1570836664
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
>> write_header: 1, Amavis::Out::SMTP=HASH(0x785b2b8)
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header
>> encoded (all-ASCII): DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
>> d=\n\tmydomain.com;
>> h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received;
>> s=dkim20092019; t=1569972663; x=1570836664;
>> bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=;
>> b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuX...
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
>> ...m\n\tj1YnOl9AzPw14xi06cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02) header:
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=\n\tmydomain.com;
>> h=message-id:user-agent:subject:subject:from\n\t:from:date:date:content-type:content-type:mime-version:received\n\t:received;
>> s=dkim20092019; t=1569972663; x=1570836664;
>> bh=6RpSO+\n\tmd9nsAq4tGBITXXERkubt1wZSk8UUAVzpwGXo=;
>> b=YAkS7Condre4YKZhQidgwl\n\tJEd0Nr73oanUkhOOw7y+hCnwdYWp6yqN5fUhLmAHkg4x7t0URo7SIyoq9Vz6yS9D\n\tSF1GJVLzXIGM/Lcijsa7bFs21WGWW0k4CrsA0YBmtqtPrgk/iTGM/MlWFTIBIzsl\n\tBkRB1mlZYgcUIFMzLuSYpAVlck5r5P0u9YpiDd84Q2HMjoSgu4iQauCN9bO+qLEh\n\tsqzRt40AbABmMpsZT/BQwnnsGjJadHnWXOesl8jrjkMuObMznIxhUt0WwlossViG\n\tp2rOY25WBlcn0lDxX6fqEqGkE2lyqzylSAbH1zd0dSCMnVf1Gy2zBpkmOzHW1hDK\n\tkutMGhEjtcEq+wDjNj4ZUuor0GiHFpR+ipXnIuH8+AdJNVvPMLYKtrNeo8ANw5x2\n\tQ97kD6cB/NzXnB1ukqipEdR/RBK2TytYakQaspmwtii+B3Huryl3Vn+Fbgl3hZbf\n\tseE+4dV2APJcUgo3djB3VDnbr8+HAqBrjn4R1RaTDnwNfaRGqRzeSCpy6bTVh1JS\n\tQNzAG2+cKOK36MCm0NeLZNI7RM590t9ZBmZQRgxf6E4pPBrdbZ1AhfXkIQ+tPuXm\n\tj1YnOl9AzPw14xi0...
>> Oct 02 01:31:04 mail.mydomain.com amavis[11404]: (11404-02)
>> ...6cDy6JTa3iHmUY6w9fptwLKf+GghI8q7pnZDadUTfvtFfvBz\n\tP7P5rXiCbHeY+e7U72Nnk=\n
>> ...
>>
>> So, is there anything different I should do while setting up the DKIM in
>> Winterfell?
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kolab.org/pipermail/users/attachments/20191019/2509e8dc/attachment.html>
More information about the users
mailing list