[howto] Installing and using opendkim with EFA 3.0.0.7

ovizii
Posts: 437
Joined: 11 May 2016 08:08

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ovizii » 26 May 2016 10:17

Ah, thanks, I see it's planned for 3.1.0.0, very good to know!

ovizii
Posts: 437
Joined: 11 May 2016 08:08

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ovizii » 30 Dec 2016 09:39

Has anyone ever gotten DKIM running on EFA working?
Mine seems to work perfectly and yet none of the DKIM signatures are valid. I've used a few testers, i.e. sent email to check-auth@verifier.port25.com, and it always fails with:

Code:

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         fail (wrong body hash: expected 40dlJjIaFkHKPeDoJMx1Af6iJ9nswJRG+LcQYubSQZE=)

I've googled the matter; some advised turning off watermarking, but that didn't make a difference. I tried sending HTML / text-only mails and both fail. I tried adding FixCRLF Yes to my opendkim.conf file but that didn't help either; my body hash simply never works out.

Any advice?

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker » 05 May 2017 06:15

Hi Ovizii,

Sorry for the delay in responding, I'm slowly working my way backwards through old posts.

It works perfectly for me.

Without logging into your system and diagnosing your settings, I cannot say why you are having the problem while I am not. Something must be modifying the message after the DKIM signing process, which is why you are getting the hash failures.

Are you still having the problem?
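
The point made above (a body hash that no longer matches because something changed the message after signing) can be reproduced offline. The following is an added example, not code from this thread, from eFa or from OpenDKIM: it computes the DKIM body hash (bh=) under the RFC 6376 body canonicalizations ("simple" is what the relaxed/simple setting in the opendkim.conf posted later in this thread applies to the body) and shows that a footer appended after signing produces a different hash, while signing after the footer gives a hash the receiver can reproduce. The message body, the footer and the function names are my own constructed samples.

```python
"""Added example (not from the thread): DKIM body hash (bh=) under RFC 6376
body canonicalization, showing why a body changed after signing fails."""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "simple") -> bytes:
    """Canonical body per RFC 6376 section 3.4.3 (simple) or 3.4.4 (relaxed).

    Bare LF line endings are tolerated and normalised to CRLF first."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {method}")
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if method == "relaxed":
        # Collapse runs of SP/HTAB to one SP, then drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both methods ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # Empty body: simple canonicalizes to a single CRLF, relaxed to nothing.
        return b"\r\n" if method == "simple" else b""
    # Every remaining line, including a last line that lacked CRLF, gets CRLF.
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, method: str = "simple") -> str:
    """bh= value: base64(SHA-256(canonical body)), as used with a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(body: bytes, bh: str, method: str = "simple") -> bool:
    """What a verifier does with the delivered body and the signature's bh= tag."""
    return body_hash(body, method) == bh


# Constructed sample: the body as the signer saw it, and the same body after a
# downstream filter appended a footer (the "something modified the message
# after signing" case discussed in the thread).
SIGNED_BODY = b"Hello,\r\n\r\nPlease find the report attached.\r\n\r\nRegards\r\n"
FOOTER = b"\r\n-- \r\nThis message was scanned (constructed footer)\r\n"
STAMPED_BODY = SIGNED_BODY + FOOTER


def demo() -> dict:
    bh_at_signing = body_hash(SIGNED_BODY, "simple")
    return {
        "bh_at_signing": bh_at_signing,
        # The receiver recomputes bh over the delivered (stamped) body: mismatch.
        "verifies_after_stamp": body_hash_matches(STAMPED_BODY, bh_at_signing),
        # Signing after the stamp (a second Postfix instance, as done later in
        # this thread) yields a bh the receiver can reproduce.
        "verifies_if_signed_last": body_hash_matches(STAMPED_BODY, body_hash(STAMPED_BODY)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Trailing empty lines are the one change a filter can make without breaking the hash; anything else appended to the body (a signature, a link, a watermark) changes bh= and the signature fails at the receiver, no matter which key length or FixCRLF setting the signer uses.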

ovizii
Posts: 437
Joined: 11 May 2016 08:08

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ovizii » 05 May 2017 07:22

Sorry for this oversight, I had enquired about DKIM in a few threads. What finally got it working (not sure which one) was stopping any kind of signing of emails and changing my DKIM key to 1024, as I had read that some DNS servers have problems with a 2048-bit key. All working now.


bostjanc
Posts: 97
Joined: 01 Jun 2016 17:18

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by bostjanc » 27 Aug 2017 20:34

Nice instructions guys, but I'm a little bit confused about which additional steps should be done if you wish to cover two domains and use the same key for both domains?
Please help. With best regards

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker » 29 Aug 2017 04:53

Same keys for two domains? Hmm... I don't know... I'd have to look it up and see.

How about these instructions?
https://askubuntu.com/questions/438756/ ... tes#441536

bostjanc
Posts: 97
Joined: 01 Jun 2016 17:18

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by bostjanc » 29 Aug 2017 04:55

OK. But what if you generate two different keys, each key for a specific domain? I'm a little bit confused about what to put where in the config files...

bostjanc
Posts: 97
Joined: 01 Jun 2016 17:18

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by bostjanc » 29 Aug 2017 04:56

I will take a look at the instructions that you have posted. Thanks

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker » 29 Aug 2017 05:22

Good luck. There is lots of information out there and I am sure someone else has had the same issue to solve.

I don't have the answer, nor do I have time to investigate it fully as I don't currently need this functionality.

If I do later on, then I'll definitely find an answer.

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ulfthomas » 07 Nov 2017 08:17

Hi all.

I just found EFA and implemented it with success straight away - and so far I do love it.

At the moment I am combating OpenDKIM and I have been able to make it work - but I was forced to disable in-line signing. Is there any way to run DKIM whilst having signing enabled? Can the order be altered in any way to make DKIM the last action happening (thereby the mail will not be changed, which ruins the DKIM verification) - or, is there any documentation on setting up an additional Postfix instance to handle outgoing email with DKIM signing?

I have googled - but cannot find a proper solution. Thank you kindly for any insight.

//Thomas

ovizii
Posts: 437
Joined: 11 May 2016 08:08

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ovizii » 07 Nov 2017 11:38

@ulfthomas: I just wanted to confirm that I had the exact same problem and solution. I didn't find any other option than to completely disable inline signing.

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ulfthomas » 07 Nov 2017 11:47

ovizii wrote:
07 Nov 2017 11:38
@ulfthomas: I just wanted to confirm that I had the exact same problem and solution. I didn't find any other option than to completely disable inline signing.

I have spent the last few hours trying to work my way around this by duplicating the existing postfix instance in EFA to handle all outgoing mail. I have - just this minute actually - been successful in this attempt. I now have a working postfix that receives all outbound email, stamps the DKIM and delivers it.

Now I have to figure out how to do inbound dkim verification since all mail is being received by the original postfix but all dkim operations are being used by the new. :) Wish me luck. :P

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ulfthomas » 07 Nov 2017 15:02

ulfthomas wrote:
07 Nov 2017 11:47
ovizii wrote:
07 Nov 2017 11:38
@ulfthomas: I just wanted to confirm that I had the exact same problem and solution. I didn't find any other option than to completely disable inline signing.
I have spent the last few hours trying to work my way around this by duplicating the existing postfix instance in EFA to handle all outgoing mail. I have - just this minute actually - been successful in this attempt. I now have a working postfix that receives all outbound email, stamps the DKIM and delivers it.

Now I have to figure out how to do inbound dkim verification since all mail is being received by the original postfix but all dkim operations are being used by the new. :) Wish me luck. :P

So - after much googling and trial and error this is my setup now - which works with in-line signing:

Outbound
Mail Server ---> Postfix Main ---> Postfix SMTP ---> Internet

Inbound
Internet ---> Postfix Main ---> Mail Server

Configuration Details

Mail Server
- No changes, using Postfix Main as smart host

Postfix Main
- This is the original Postfix instance on EFA (with config modifications)
- Performs all spam-related verification including DKIM and DMARC
- Configured with Postfix SMTP as smart host

Postfix SMTP
- The new Postfix instance (a copy of the original with config modifications)
- Signs DKIM only on outbound email

OpenDKIM
- Is called from both Postfix instances
- Trick was to make it ignore mail from internal mail server:
-- this enabled outbound emails to be signed only by Postfix SMTP
-- and it enabled DKIM verifications to be handled by Postfix main

I have not been using EFA for long and this might not be the preferred way to do this - but for me it works. All tests done on dkim, spf and dmarc are now reported as successful and all inbound email is being scanned and stamped properly. :)

If others would like to know the setup I will be happy to do a config write-up of this - so let me know.

//Thomas

TheGr8Wonder
Posts: 97
Joined: 01 Jul 2017 02:32

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheGr8Wonder » 07 Nov 2017 22:00

This is being integrated into 3.0.2.6. The release is delayed until end of month, when we will have more free time to devote to coding.

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ulfthomas » 08 Nov 2017 07:54

TheGr8Wonder wrote:
07 Nov 2017 22:00
This is being integrated into 3.0.2.6. The release is delayed until end of month, when we will have more free time to devote to coding.

That is good news.

Will it work with in-line signing?

shawniverson
Posts: 2737
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by shawniverson » 15 Nov 2017 23:31

ulfthomas wrote:
07 Nov 2017 15:02

If others would like to know the setup I will be happy to do a config write-up of this - so let me know.

//Thomas

Very interested in your work. Standing up a second postfix instance for signing is a brilliant idea and moves signing after the mailscanner message mods.

I think we should consider your implementation method of opendkim.
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ulfthomas » 16 Nov 2017 08:32

shawniverson wrote:
15 Nov 2017 23:31

Very interested in your work. Standing up a second postfix instance for signing is a brilliant idea and moves signing after the mailscanner message mods.

I think we should consider your implementation method of opendkim.

Let me know how I can contribute and I will do my best.

shawniverson
Posts: 2737
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by shawniverson » 16 Nov 2017 22:58

A little how-to would be great :D . Don't need exhaustive details, just the highlights. I would like to set it up and see what we can do with it.

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ulfthomas » 17 Nov 2017 09:02

shawniverson wrote:
16 Nov 2017 22:58
A little how-to would be great :D . Don't need exhaustive details, just the highlights. I would like to set it up and see what we can do with it.

I'll write up a summary this weekend. Nothing too complicated, so it should be an easy ride. :)

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ulfthomas » 21 Nov 2017 11:46

Hi again.

This is a quick write-up of how I switched from one to two postfix instances, primarily to solve proper dkim-signing of outbound email together with the additions of the EFA spam-links. The background for doing this was that emails were being signed by dkim before EFA inserted the links, hence dkim verification would fail since the email would be changed after it was signed. My setup results in dkim being signed as the final operation before the mail is sent to the internet.
Please note:
- both postfix instances are utilizing the same instances of opendkim and opendmarc which requires some specific configuration. This is highlighted in the write-up.
- In the configuration files I have replaced any information pertaining to my setup. Please read them and modify accordingly before saving your configuration files.
My setup is as follows:

- Internal Exchange mail server
- EFA running two postfix instances (MAIN: original postfix instance, SMTP: new postfix instance)
- Implements DKIM and DMARC
- 3 domains

Mail flow:
- Exchange using MAIN as smart host
- MAIN using SMTP as smart host
- SMTP delivers mail to the internet
- MAIN receives mail from the internet

Final setup (outbound):
1: Mail sent from Exchange to MAIN
3: DMARC on MAIN (see note 1)
4: MailScanner on MAIN as per default configuration
5: Mail sent to SMTP
6: DKIM on SMTP (see note 1)
7: Mail leaving my setup

Final setup (inbound):
1: Mail received by MAIN
2: DMARC on MAIN (see note 1)
3: DKIM on MAIN
4: MailScanner on MAIN
5: Mail delivered to internal mail server

As a general warning: I am no expert in Linux which resulted in me not finding out about postmulti until I had a working setup using this manual approach. I will consider redoing my setup using postmulti at a later stage.

Setup

1: Install opendkim
- Kudos to pdwalker for supplying the instructions.
- Make sure it works before proceeding

2: Install opendmarc
- Kudos to thewomble for supplying the instructions.
- Make sure it works before proceeding

3: Assign an extra IP address to EFA

Code:

cd /etc/sysconfig/network-scripts
cp ifcfg-eth0 ifcfg-eth0:1
vi ifcfg-eth0:1
IPADDR=NEW IP ADDRESS

4: Add NEW IP ADDRESS to hosts file

Code:

vi /etc/hosts
NEW IP ADDRESS SMTP.DOMAIN.COM

5: Reboot EFA
- Verify that the new IP is pingable from a remote client
- Verify local name resolution of the new IP and hostname

6 Stop services

Code:

service opendkim stop
service opendmarc stop
service postfix stop

7: Copy your existing postfix to a new folder

Code:

cp -rp /etc/postfix /etc/postfix-smtp

8: Create new spool directory structure for postfix-smtp

Code:

mkdir /var/spool/postfix-smtp
postfix -c /etc/postfix-smtp check

9: Edit configuration files

/etc/postfix/master.cf
- Change line:
smtp inet n - n - - smtpd
to
smtp inet n - n - - smtpd -o smtp_bind_address=ORIGINAL IP ADDRESS
/etc/postfix-smtp/master.cf
- Change line:
smtp inet n - n - - smtpd
to
smtp inet n - n - - smtpd -o smtp_bind_address=NEW IP ADDRESS
/etc/postfix/main.cf
These should be added if missing or changed accordingly if present.

Code:

alternate_config_directories = /etc/postfix-smtp
myhostname = MAIN.domain.com
relayhost = NEW IP ADDRESS
syslog_name = MAIN
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893

/etc/postfix-smtp/main.cf
These should be added if missing or changed accordingly if present.

Code:

inet_interfaces = NEW IP ADDRESS
myhostname = SMTP.domain.com
queue_directory = /var/spool/postfix-smtp
relayhost = <if required>
syslog_name = SMTP
smtpd_milters = inet:127.0.0.1:8891

/etc/opendkim.conf
The file should resemble this when properly configured

Code:

PidFile /var/run/opendkim/opendkim.pid
Mode    sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  inet:8891@localhost
Umask   002
SendReports     yes
##  Specifies the sending address to be used on From: headers of outgoing
##  failure reports.  By default, the e-mail address of the user executing
##  the filter is used (executing_user@hostname).
ReportAddress   "DOMAIN Sender" <SENDER@DOMAIN.COM>
SoftwareHeader  yes
Canonicalization        relaxed/simple
Selector        default
MinimumKeyBits  1024
KeyFile /etc/opendkim/keys/default.private
KeyTable        refile:/etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts
PeerList        refile:/etc/opendkim/NoFilterHost
OversignHeaders From
AutoRestart    yes
AutoRestartRate        10/1h

/etc/opendmarc.conf
The file should resemble this when properly configured

Code:

AuthservID HOSTNAME
AuthservIDWithJobID true
AutoRestart true
AutoRestartCount 0
AutoRestartRate 10/1h
CopyFailuresTo RECIPIENT@DOMAIN.COM
FailureReportsBcc RECIPIENT@DOMAIN.COM
FailureReportsOnNone true
FailureReportsSentBy SENDER@DOMAIN.COM
HistoryFile /etc/opendmarc/opendmarc.dat
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
IgnoreMailFrom <HERE I HAVE LISTED ALL MY TLD's>
MilterDebug 2
PidFile /var/run/opendmarc.pid
PublicSuffixList /etc/opendmarc/effective_tld_names.dat
RecordAllMessages false
Socket inet:8893@localhost
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
SyslogFacility opendmarc
TrustedAuthservIDs HOSTNAME,<MX NAME>
UserID opendmarc

/etc/opendkim/NoFilterHost

Code:

my.internal.server myinternal.domain IP.OF.INTERNAL.SERVER

Read the comments pertaining to PeerList to learn how to ignore your entire internal network should you so please.
NoFilterHost was not part of the install documentation I used to install opendkim, but I added it to be able to ignore my internal mail server. I would also like to point out that I am using the same DKIM details to sign all my domains - this can be achieved by merely duplicating the information contained in the files KeyTable and SigningTable.
10: Add postfix-smtp to start-up script
- vi /etc/rc.local

Code:

postfix -c /etc/postfix-smtp start

11: Start services

Code:

service postfix start
postfix -c /etc/postfix-smtp start
service opendkim start
service opendmarc start

12: Verification
Tail your /var/log/maillog file and verify that all services are starting properly - and make sure they do before attempting to verify mail flow.

13: Send mail from your internal mail server to the internet
- Make sure it is received by MAIN, scanned and sent to SMTP
- Make sure SMTP receives it, DKIM signs it and sends it to the internet

14: Send an inbound email
- Make sure it is received by MAIN, verified and sent to your internal mail server


Note 1
MAIN and SMTP are both using the same DMARC and DKIM instances. Both DKIM and DMARC are therefore configured to ignore emails from the internal mail server because 1) MAIN will never have to verify nor sign any emails originating on the inside and 2) SMTP will never receive any emails from the internal mail server (as it is the smart host for MAIN only). This configuration allows MAIN to verify all inbound email using DKIM and DMARC whilst SMTP does all outbound DKIM signing. Also - since SMTP is doing only DKIM signing I have removed the DMARC service altogether from this postfix instance. My reasoning for setting it up this way was to leave as much as possible on the original EFA whilst only having the secondary doing outbound DKIM-signing.

------ End Write-up ------

I have checked spelling, order and config files many times over and hopefully I haven't missed anything or done something altogether outrageous. :)

If you find any issues, have questions or would like to improve on my setup (Aside from postmulti that is ;)) - please leave a comment. And as I said - I am no Linux expert but I will try to answer any questions you might have.

//UlfThomas

------ Version control ------
23/11: Visual changes only by formatting additional sections as code
Last edited by ulfthomas on 23 Nov 2017 09:00, edited 1 time in total.
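
Before the maillog check in step 12 of the write-up above, a reader standing up the same two-instance layout may want to confirm that the configuration still satisfies the properties the layout depends on. The following is an added example, not part of the write-up and not eFa, Postfix or OpenDKIM code: a small checker that parses main.cf-style and opendkim.conf-style text and reports violations of those properties (a separate queue_directory, the SMTP instance bound to its own address, MAIN's relayhost pointing at that address, both milters on MAIN but only OpenDKIM on SMTP, distinct syslog_name values, OpenDKIM in Mode sv with a PeerList). The sample configuration strings are constructed from the write-up's settings, with 192.0.2.x documentation addresses in place of real ones; all function names are my own.

```python
"""Added example (not from the write-up or eFa): sanity checks for the
two-Postfix-instance DKIM layout. Hypothetical helper names; the sample
configs are constructed from the write-up's own settings."""
from __future__ import annotations

import re


def parse_postfix_main_cf(text: str) -> dict[str, str]:
    """Parse main.cf 'name = value' lines. A line starting with whitespace
    continues the previous value (Postfix's rule); comments and blanks skip."""
    params: dict[str, str] = {}
    last: str | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_opendkim_conf(text: str) -> dict[str, str]:
    """Parse opendkim.conf 'Key value' lines (first whitespace separates)."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf


def _socket_port(spec: str) -> str | None:
    """Port of 'inet:8891@localhost' (OpenDKIM) or 'inet:127.0.0.1:8891' (Postfix)."""
    m = re.match(r"inet:(\d+)@", spec) or re.match(r"inet:[^:]+:(\d+)$", spec)
    return m.group(1) if m else None


def _milter_ports(value: str) -> set[str]:
    return {p for p in (_socket_port(m) for m in re.split(r"[,\s]+", value) if m) if p}


def _host_of(relayhost: str) -> str:
    """'[192.0.2.11]:25' -> '192.0.2.11' (IPv4 and hostname forms only)."""
    v = relayhost.strip()
    return v.split("]")[0].lstrip("[") if v.startswith("[") else v.split(":")[0]


def check_split_instances(main_cf: str, smtp_cf: str, opendkim_conf: str,
                          smtp_config_dir: str = "/etc/postfix-smtp") -> list[str]:
    """Return findings; an empty list means the layout's invariants hold."""
    main, smtp = parse_postfix_main_cf(main_cf), parse_postfix_main_cf(smtp_cf)
    dkim = parse_opendkim_conf(opendkim_conf)
    findings: list[str] = []
    if smtp_config_dir not in re.split(r"[,\s]+", main.get("alternate_config_directories", "")):
        findings.append(f"MAIN: alternate_config_directories does not list {smtp_config_dir}")
    # Two instances must never share a queue; /var/spool/postfix is Postfix's default.
    if smtp.get("queue_directory", "/var/spool/postfix") == main.get("queue_directory", "/var/spool/postfix"):
        findings.append("SMTP: queue_directory missing or shared with MAIN")
    smtp_ifaces = [h for h in re.split(r"[,\s]+", smtp.get("inet_interfaces", "")) if h]
    if not smtp_ifaces or "all" in smtp_ifaces or smtp.get("inet_interfaces") == main.get("inet_interfaces", "all"):
        findings.append("SMTP: inet_interfaces must name its own address (not 'all', not MAIN's)")
    if _host_of(main.get("relayhost", "")) not in smtp_ifaces:
        findings.append("MAIN: relayhost does not point at the SMTP instance's inet_interfaces address")
    dkim_port = _socket_port(dkim.get("Socket", ""))
    main_milters = _milter_ports(main.get("smtpd_milters", ""))
    smtp_milters = _milter_ports(smtp.get("smtpd_milters", ""))
    if dkim_port is None or dkim_port not in main_milters or dkim_port not in smtp_milters:
        findings.append("OpenDKIM Socket port is not in smtpd_milters of both instances")
    if len(main_milters) < 2:
        findings.append("MAIN: expected the OpenDKIM and OpenDMARC milters (verification side)")
    if smtp_milters != {dkim_port}:
        findings.append("SMTP: should run the OpenDKIM milter only (signing side)")
    if main.get("syslog_name") == smtp.get("syslog_name"):
        findings.append("syslog_name is not distinct; maillog lines cannot be told apart per instance")
    mode = dkim.get("Mode", "")
    if "s" not in mode or "v" not in mode:
        findings.append("OpenDKIM Mode must be 'sv': one daemon signs for SMTP and verifies for MAIN")
    if not dkim.get("PeerList"):
        findings.append("OpenDKIM PeerList unset: internal mail server not excluded (write-up note 1)")
    return findings


# Constructed samples following the write-up; 192.0.2.x are documentation addresses.
MAIN_CF = """
alternate_config_directories = /etc/postfix-smtp
myhostname = main.example.com
relayhost = [192.0.2.11]
syslog_name = MAIN
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
"""
SMTP_CF = """
inet_interfaces = 192.0.2.11
myhostname = smtp.example.com
queue_directory = /var/spool/postfix-smtp
syslog_name = SMTP
smtpd_milters = inet:127.0.0.1:8891
"""
# Deliberately wrong: no own queue, and the DMARC milter attached to the signing instance.
BROKEN_SMTP_CF = """
inet_interfaces = 192.0.2.11
myhostname = smtp.example.com
syslog_name = SMTP
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
"""
OPENDKIM_CONF = """
Mode    sv
Socket  inet:8891@localhost
Canonicalization        relaxed/simple
PeerList        refile:/etc/opendkim/NoFilterHost
"""

if __name__ == "__main__":
    for label, cfg in (("good", SMTP_CF), ("broken", BROKEN_SMTP_CF)):
        print(label, check_split_instances(MAIN_CF, cfg, OPENDKIM_CONF) or "ok")
```

On a real box the three strings would be read from /etc/postfix/main.cf, /etc/postfix-smtp/main.cf and /etc/opendkim.conf (postconf -c DIR -n gives the effective values, which also resolves defaults the file omits). The checker deliberately knows nothing about master.cf, so the per-service -o overrides from step 9 are outside its scope.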

shawniverson
Posts: 2737
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by shawniverson » 21 Nov 2017 15:16

This is awesomesauce. Will be taking a deep look at this. :clap: :dance:

ulfthomas
Posts: 14
Joined: 07 Nov 2017 07:59

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ulfthomas » 04 Dec 2017 08:09

Were you able to replicate this? :)

sxfx
Posts: 8
Joined: 04 Dec 2017 19:05

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by sxfx » 06 Dec 2017 12:43

Does someone know if something has changed?

I've got:
Sign Clean Messages = No
Sign Messages Already Processed = no

And I'm getting DKIM result = fail Details: body has been altered

What else do I need to do?


Thanks!

sxfx
Posts: 8
Joined: 04 Dec 2017 19:05

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by sxfx » 06 Dec 2017 15:45

Never mind, I got it.

[efabox]$ EFA-Configure

9) Spam Settings
1) Non Spam Settings

Disabling Signatures worked like a charm!

Thanks!
