
[howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 23 Mar 2015 06:07
by pdwalker
Hi All,

[edit: see below]

I'm looking to implement DKIM and I was wondering if anyone has already done so successfully with EFA.

I'm trying to avoid doing something that will break my efa installation in horrible ways during future updates.

Any advice appreciated.

Re: Does anyone have any experience using DKIM with 3.0.0.7?

Posted: 26 Mar 2015 11:33
by pdwalker
Well, I'll take that as a "no"

Fortunately, I found this set of instructions:
https://www.howtoforge.com/set-up-dkim- ... g-opendkim

Basically, these instructions are correct for doing it in EFA, but with some minor changes. I'll document what I did differently a bit later.

Re: [solved] [pending writeup] Does anyone have any experience using DKIM with 3.0.0.7?

Posted: 26 Mar 2015 17:01
by shawniverson
:text-bravo:

Keep us posted. :D

[howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 27 Mar 2015 05:19
by pdwalker
These instructions reference the howto article Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM

1 Requirements
no change, skip

2 Preliminary Notes
no change, skip

3 Download and install OpenDKIM

Code:
yum install openssl-devel opendkim

Nothing else needs to be done, as the opendkim package from the rpmforge repository takes care of everything else. This repository is already configured in EFA.

The opendkim dependencies install only the necessary sendmail packages needed. Installing sendmail-devel will result in sendmail being installed as well. Don't do that.

4 Create a new user
5 Create working directories
6 Copy the startup script to /etc/init.d/
skip these, already done

7 Generate keys for signing
remember to replace example.com with <YOURDOMAIN>, otherwise just follow the same instructions.

I named my key 'default' as they did in the example

Code:
mkdir /etc/opendkim/keys/<YOURDOMAIN>
opendkim-genkey -D /etc/opendkim/keys/<YOURDOMAIN>/ -d <YOURDOMAIN> -s default
chown -R opendkim:opendkim /etc/opendkim/keys/<YOURDOMAIN>
mv /etc/opendkim/keys/<YOURDOMAIN>/default.private /etc/opendkim/keys/<YOURDOMAIN>/default

8 Edit configuration files
These are the settings I used. Some of them needed to be added, some uncommented and some altered from the installed default configuration file. Pay attention to the ones that start with a value of "refile".

/etc/opendkim.conf

Code:
PidFile             /var/run/opendkim/opendkim.pid
Mode                sv
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
UserID              opendkim:opendkim
Socket              inet:8891@localhost
Umask               002
Canonicalization    relaxed/simple
Selector            default
KeyFile             /etc/opendkim/keys/default.private
KeyTable            refile:/etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts
AutoRestart         yes
AutoRestartRate     10/1h

/etc/opendkim/KeyTable

Code:
default._domainkey.<YOURDOMAIN> <YOURDOMAIN>:default:/etc/opendkim/keys/<YOURDOMAIN>/default

/etc/opendkim/SigningTable

Code:
*@<YOURDOMAIN> default._domainkey.<YOURDOMAIN>

/etc/opendkim/TrustedHosts

Code:
127.0.0.1
<ip address of EFA appliance>
<ip address of internal mail server that uses efa as a smarthost>
<another internal ip address of another mail server>
<yet another internal mail server, etc, etc>

9 Edit your Postfix configuration
/etc/postfix/main.cf, append at the end

Code:
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

10 Start OpenDKIM and restart Postfix
No need to "rehash".
No need to check for sendmail, as we shouldn't have installed it.

start opendkim

Code:
service opendkim start

If your opendkim.conf is correct, and your referenced keys are in the right place and named correctly, opendkim will start without a problem. Otherwise, the error messages were pretty self-explanatory.

restart mailscanner/postfix

Code:
service MailScanner restart

12 Adding DNS Records
Strangely enough, this is the part that gave me the most trouble as I wasn't putting in the text records correctly.

Code:
cat /etc/opendkim/keys/<YOURDOMAIN>/default.txt

Assuming a value of

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4" ; ----- DKIM default for example.com

your DNS TXT record name is

default._domainkey

your DNS record type is TXT, and your DNS record value is

v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4

Don't keep the comment from the generated default.txt file. There is a limit on DNS records using UDP, and if the record is too big, the nameserver will have to make a TCP connection to get it all (slower).

While you are there, you should consider creating an SPF record as well. (you've already done that, right?)

Set the TTL to a low value (10 minutes?) until you are sure you've gotten it correct and everything tests properly. Then you can increase the TTL to something more reasonable, like a day or a week.

13 Testing your setup
as suggested - send one email addressed to both autorespond+dkim@dk.elandsys.com and check-auth@verifier.port25.com. Both will give you detailed information about the success/failure of your DKIM and SPF setup.

Lastly
You can also see from the SpamAssassin scoring if your DKIM is correct. Outgoing mail will show the following if it is correct

Code:
 0.10  DKIM_SIGNED     Message has a DKIM or DK signature, not necessarily valid
-0.10  DKIM_VALID      Message has at least one valid DKIM or DK signature
-0.10  DKIM_VALID_AU   Message has a valid DKIM or DK signature from author's domain

resulting in a slight -0.1 modification to your spam score.

If it's incorrect, you'll see a slight increase in the score for having an invalid DKIM setup.

Code:
 0.10  DKIM_SIGNED     Message has a DKIM or DK signature, not necessarily valid
 0.10  T_DKIM_INVALID  Message has at least one valid DKIM or DK signature

All in all, it's pretty straightforward. More complex signing requirements will require more careful attention paid to the opendkim configuration, but aside from that, it has minimal impact on the EFA installation - just the 4-line addition to the postfix main.cf file.

PS: I've done this from memory from a day later. Hopefully I've not forgotten anything.
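As an added worked example (not part of this thread or of the howtoforge article it cites), the following Python reads the default.txt that opendkim-genkey writes in step 7, joins its quoted strings into the bare TXT value needed in step 12 without the trailing comment, checks the value before it is published, and renders the KeyTable and SigningTable lines from step 8 so that the selector name in DNS, KeyTable and SigningTable all agree. The file contents and key material are constructed placeholders, and the function names are my own.

```python
import re

# Constructed placeholder key material: valid base64 characters, NOT a real key
FAKE_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC" + "A" * 96 + "IDAQAB"

# Constructed sample of /etc/opendkim/keys/<domain>/default.txt in the single-line
# form shown in the howto (trailing zone-file comment after ';')
SAMPLE_DEFAULT_TXT = (
    'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=' + FAKE_KEY + '" ; '
    '----- DKIM default for example.com\n'
)

# Constructed sample of the multi-string form that newer opendkim-genkey releases write
SAMPLE_DEFAULT_TXT_SPLIT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=' + FAKE_KEY + '" )  ; ----- DKIM key default for example.com\n'
)


def parse_genkey_txt(text):
    """Split a default.txt file into (record name, record value).

    The value is every double-quoted string joined together; the parentheses and
    the '; ----- DKIM ...' comment are zone-file syntax and must not be pasted
    into the DNS TXT value.
    """
    name = text.split(None, 1)[0]
    chunks = re.findall(r'"([^"]*)"', text)
    if not chunks:
        raise ValueError("no quoted TXT value found in default.txt")
    return name, "".join(chunks)


def parse_dkim_tags(value):
    """Parse 'tag=value; tag=value' into a dict (RFC 6376 tag-list syntax)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    return tags


def check_dkim_record(value):
    """Return a list of problems with a TXT value about to be published (empty list = OK)."""
    problems = []
    if "-----" in value:
        problems.append("zone-file comment pasted into the record value")
    tags = parse_dkim_tags(value)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= should be rsa for an opendkim-genkey key")
    pubkey = tags.get("p")
    if not pubkey:
        problems.append("p= (public key) missing or empty")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", pubkey):
        problems.append("p= is not plain base64 (stray quotes, spaces or line breaks?)")
    if len(value) > 255:
        # A single TXT character-string is limited to 255 octets (RFC 1035); longer
        # values have to be published as several quoted strings, which verifiers join.
        problems.append("value over 255 octets: publish it as multiple quoted strings")
    return problems


def render_opendkim_tables(domain, selector="default", key_dir="/etc/opendkim/keys"):
    """Produce the KeyTable and SigningTable lines for one domain, as the howto lays them out.

    The KeyTable key (selector._domainkey.domain) is the name everything else refers
    to: the SigningTable maps senders to it and DNS publishes the public key under it.
    """
    key_name = f"{selector}._domainkey.{domain}"
    key_table = f"{key_name} {domain}:{selector}:{key_dir}/{domain}/{selector}"
    signing_table = f"*@{domain} {key_name}"
    return key_table, signing_table


def tables_consistent(key_table_line, signing_table_line, dns_record_name, domain):
    """True when SigningTable, KeyTable and the DNS record name agree on the selector."""
    key_name = key_table_line.split()[0]
    target = signing_table_line.split()[1]
    fqdn = f"{dns_record_name}.{domain}"  # default.txt gives the name relative to the zone
    return key_name == target == fqdn


if __name__ == "__main__":
    name, value = parse_genkey_txt(SAMPLE_DEFAULT_TXT)
    print("TXT name :", name)
    print("TXT value:", value)
    print("problems :", check_dkim_record(value) or "none")
    key_table, signing_table = render_opendkim_tables("example.com")
    print(key_table)
    print(signing_table)
    print("consistent:", tables_consistent(key_table, signing_table, name, "example.com"))
```

Run it directly to print the record and the two table lines for example.com. The 255-octet check reflects the DNS limit on a single TXT character-string, which is why longer keys are published as several quoted strings; it is separate from the UDP size concern the post raises, which applies to the whole response.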

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 27 Mar 2015 15:55
by shawniverson

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 27 Mar 2015 16:01
by pdwalker
Isn't the internet a wonderful invention? (except for spam, of course)

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 09 Jun 2015 21:34
by TheN4cer
I got this setup up and running, but verifying via http://dkimvalidator.com and other sites gives a DKIM failure with a wrong body hash.
Google says that some people have turned off the watermark in MailScanner, but that did not work for me. Anyone else having this issue?

Thanks.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 10 Jun 2015 02:03
by pdwalker
I'll test mine again with your link and see if I still correctly validate.

What domain are you using? I'd like to look at your DKIM key as well.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 10 Jun 2015 13:31
by TheN4cer
Let me know how your tests turn out. I will PM you domain info.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 10 Jun 2015 13:33
by TheN4cer
Guess I can't use PM yet, I emailed you the domain.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 10 Jun 2015 16:14
by pdwalker
got it.

testing now.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 10 Jun 2015 16:38
by pdwalker
I think I found the problem. Somehow your domainkey is identical to mine. That shouldn't be.

Can you tell me how you generated your domain key?

[edit: Doh!]

Sorry, I only looked at the beginning of the domain key, not the whole thing. They are different. Let me keep looking.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 10 Jun 2015 16:51
by pdwalker
According to http://dkimcore.org/c/keycheck/, your dkim key is correct.

Can you email me the different results from your http://dkimvalidator.com/results results page for your domain? I think I need to see what exactly is failing.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 10 Jun 2015 17:19
by TheN4cer
Will do.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 11 Jun 2015 05:53
by pdwalker
Ok, your test message to me shows:

Code:
Spam Report:
Score  Matching Rule   Description
 0.80  BAYES_50        Bayes spam probability is 40 to 60%
 0.10  DKIM_SIGNED     Message has a DKIM or DK signature, not necessarily valid
 0.00  HTML_MESSAGE    HTML included in message
 0.00  SPF_FAIL        SPF: sender does not match SPF record (fail)
-0.00  SPF_HELO_PASS   SPF: HELO matches SPF record
 0.01  T_DKIM_INVALID

I can see the message is signed, but it gets a header verification error. It would appear that something is altering the message between efa and the rest of the world.

Can you give me a block diagram of your mail flow?

mine is [ms exchange server] <--> [efa] <--> [rest of the world]

do you have something between the efa box and the rest of the world that is altering the messages somehow?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 11 Jun 2015 05:57
by pdwalker
Also, what messages show up in /var/log/maillog?

I see messages like this with a successful signing of an outgoing message
Jun 11 13:55:29 efa opendkim[1276]: 7C20B180052: DKIM-Signature field added (s=default, d=<MYDOMAIN>)

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 11 Jun 2015 16:33
by TheN4cer
The EFA box is the last hop, so it goes:

Exchange edge --> EFA --> internet

I do get the headers in /var/log/maillog also

opendkim[29685]: 9E6035812D4: DKIM-Signature field added (s=default, d=xxx.com)

This is so bizarre. I played around w/ setting opendkim to relaxed/relaxed but that did not help.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 11 Jun 2015 17:46
by TheN4cer
Well, I got the DKIM errors to go away after disabling the Inline Non-Spam signature option. I modified the signatures, so I wonder if that is it.
I am going to take a look and see if those files have any strange characters in there.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 11 Jun 2015 18:01
by TheN4cer
I can't seem to see any strange things in the files under /etc/MailScanner/reports/en.
I changed the inline.sig.in.txt and inline.sig.in.html files.

Can you verify that you have the non-spam signature option turned on?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 11 Jun 2015 19:40
by pdwalker
I do not have that option turned on.

My guess is that the message is getting signed, and then modified by the inline not spam sig. If that's the case, then the order this happens will need to be adjusted.

I'm just guessing here.

I'll test it tomorrow and see what it does to my dkim setup.
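The guess in the post above (the message is signed first and then modified by the inline "not spam" signature) is exactly what a body hash mismatch looks like from the verifier's side. As an added example, not part of this thread, the following Python computes the DKIM bh= value with the two body canonicalizations defined in RFC 6376 and shows which later changes to the body a signature survives. With the howto's Canonicalization relaxed/simple the body is hashed in simple mode, so even added trailing whitespace breaks it; relaxed/relaxed (tried earlier in the thread) tolerates whitespace changes but not text appended after signing, which is why it did not help. The message body and the inline signature text are constructed samples, and the function names are my own.

```python
import base64
import hashlib
import re


def canonicalize_body(body, canon="simple"):
    """Apply RFC 6376 body canonicalization and return the text the hash is taken over."""
    text = re.sub(r"\r\n|\r|\n", "\r\n", body)  # SMTP lines end in CRLF
    if canon == "relaxed":
        # Section 3.4.4: strip trailing WSP on each line, collapse WSP runs to one space
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in text.split("\r\n")]
        text = "\r\n".join(lines)
    elif canon != "simple":
        raise ValueError("canon must be 'simple' or 'relaxed'")
    # Sections 3.4.3 / 3.4.4: ignore all empty lines at the end, then end with exactly one CRLF
    while text.endswith("\r\n"):
        text = text[:-2]
    return text + "\r\n"


def body_hash(body, canon="simple"):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, canon).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_survives(signed_body, delivered_body, canon="simple"):
    """True when the body a verifier receives still hashes to the signer's bh= value."""
    return body_hash(signed_body, canon) == body_hash(delivered_body, canon)


def diagnose(signed_body, delivered_body):
    """Per canonicalization, does the change to the body leave bh= intact?"""
    return {canon: signature_survives(signed_body, delivered_body, canon)
            for canon in ("simple", "relaxed")}


# Constructed sample message body as handed to the opendkim milter at signing time
SIGNED_BODY = "Hello,\r\n\r\nPlease find the report attached.\r\n"
# Constructed stand-in for an inline signature appended to the body after signing
INLINE_SIG = "\r\n-- \r\nThis message has been scanned for viruses.\r\n"


if __name__ == "__main__":
    print("signed    bh:", body_hash(SIGNED_BODY))
    print("delivered bh:", body_hash(SIGNED_BODY + INLINE_SIG))
    print("inline signature appended  :", diagnose(SIGNED_BODY, SIGNED_BODY + INLINE_SIG))
    print("only trailing blank lines  :", diagnose(SIGNED_BODY, SIGNED_BODY + "\r\n\r\n"))
    print("trailing whitespace on line:",
          diagnose(SIGNED_BODY, SIGNED_BODY.replace("Hello,\r\n", "Hello,  \r\n")))
```

The practical reading: anything that appends or rewrites body text after the milter has run, whether a scanner signature, a disclaimer or a footer, has to happen before signing, or the signature has to be applied by the last hop that touches the body. Comparing the bh= in the outgoing DKIM-Signature header with a recomputation over the body as received is the quickest way to confirm this is the cause.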

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 12 Jun 2015 13:25
by TheN4cer
OK, let me know how that test goes. I have it turned off for now.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 17 Jun 2015 17:01
by TheN4cer
Just wondering how your tests went? Right now I have the inline signatures off, but users would like them turned back on.
Maybe I should post this as a new issue?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 06 Apr 2016 06:22
by pdwalker
Whoops. I just realized I let this fall by the wayside. My apologies.

Did you ever resolve your problem?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 25 May 2016 23:13
by ovizii
What is the current status of EFA regarding DKIM signing?
I know I can manually set it up, but I was wondering if there are any plans to integrate it into the "setup" so you can supply the DKIM keys to EFA for a domain and it will do the rest on its own?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Posted: 26 May 2016 01:06
by pdwalker
The answer to your question is upthread:
https://github.com/E-F-A/v3/issues/163