Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Posted: 26 May 2016 10:17
Ah, thanks, I see it's planned for 3.1.0.0, very good to know!
Code:
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: fail (wrong body hash: expected 40dlJjIaFkHKPeDoJMx1Af6iJ9nswJRG+LcQYubSQZE=)
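The "wrong body hash" result above is what a verifier reports when the message body was altered between signing and verification. The following is an added example, not code from this thread or from EFA: it computes the DKIM bh= value with the simple body canonicalization that the opendkim.conf posted later in this thread selects (Canonicalization relaxed/simple) and shows that a footer appended after signing, as a content filter does, produces exactly this mismatch. The message body and footer are constructed.

```python
import base64
import hashlib


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, all trailing
    empty lines removed, exactly one CRLF at the end (an empty body becomes CRLF).
    Bare LF is normalized to CRLF here so the sample can be typed either way."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """The bh= tag for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body(signed_bh: str, received_body: bytes) -> bool:
    """What the verifying side does: recompute bh over the body it received
    and compare it with the bh= carried in the DKIM-Signature header."""
    return body_hash(received_body) == signed_bh


# Constructed sample: the body as the signer saw it, and a footer of the kind
# a content filter appends to a message after it has already been signed.
ORIGINAL_BODY = b"Hello,\r\n\r\nPlease find the report attached.\r\n\r\n\r\n"
FOOTER = b"\r\n-- \r\nThis message has been scanned for viruses.\r\n"


def demo() -> tuple:
    """Sign-then-modify: verification passes on the unmodified body and fails
    once the footer has been appended downstream of the signer."""
    bh_at_signing = body_hash(ORIGINAL_BODY)
    unmodified_ok = verify_body(bh_at_signing, ORIGINAL_BODY)
    modified_ok = verify_body(bh_at_signing, ORIGINAL_BODY + FOOTER)
    return unmodified_ok, modified_ok


if __name__ == "__main__":
    print("unmodified verifies: %s, with footer verifies: %s" % demo())  # True, False
```

Trailing empty lines are ignored by simple canonicalization, so only changes to the body text itself (such as an appended footer) change bh=.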
I have spent the last few hours trying to work my way around this by duplicating the existing postfix instance in EFA to handle all outgoing mail. I have - just this minute actually - been successful in this attempt. I now have a working postfix that receives all outbound email, stamps the DKIM and delivers it.
So - after much googling and trial and error this is my setup now - which works with in-line signing:

ulfthomas wrote: ↑07 Nov 2017 11:47
I have spent the last few hours trying to work my way around this by duplicating the existing postfix instance in EFA to handle all outgoing mail. I have - just this minute actually - been successful in this attempt. I now have a working postfix that receives all outbound email, stamps the DKIM and delivers it.
Now I have to figure out how to do inbound DKIM verification since all mail is being received by the original postfix but all DKIM operations are being used by the new. Wish me luck.
That is good news.

TheGr8Wonder wrote: ↑07 Nov 2017 22:00
This is being integrated into 3.0.2.6. The release is delayed until end of month, when we will have more free time to devote to coding.
Very interested in your work. Standing up a second postfix instance for signing is a brilliant idea and moves signing after the mailscanner message mods.
Let me know how I can contribute and I will do my best.

shawniverson wrote: ↑15 Nov 2017 23:31
Very interested in your work. Standing up a second postfix instance for signing is a brilliant idea and moves signing after the mailscanner message mods.
I think we should consider your implementation method of opendkim.
I'll write up a summary this weekend. Nothing too complicated, so it should be an easy ride.

shawniverson wrote: ↑16 Nov 2017 22:58
A little how-to would be great. Don't need exhaustive details, just the highlights. I would like to set it up and see what we can do with it.
My setup is as follows:

Please note:
- both postfix instances are utilizing the same instances of opendkim and opendmarc, which requires some specific configuration. This is highlighted in the write-up.
- In the configuration files I have replaced any information pertaining to my setup. Please read them and modify accordingly before saving your configuration files.
Code:
cd /etc/sysconfig/network-scripts
cp ifcfg-eth0 ifcfg-eth0:1
vi ifcfg-eth0:1
# in ifcfg-eth0:1, set the alias interface's address:
IPADDR=NEW IP ADDRESS
Code:
vi /etc/hosts
# add the alias address with the hostname the second instance will use:
NEW IP ADDRESS SMTP.DOMAIN.COM
Code:
service opendkim stop
service opendmarc stop
service postfix stop
Code:
# copy the existing configuration as the starting point for the second instance
cp -rp /etc/postfix /etc/postfix-smtp
Code:
mkdir /var/spool/postfix-smtp
# 'postfix check' creates the missing queue subdirectories and fixes their ownership
postfix -c /etc/postfix-smtp check
In /etc/postfix-smtp/master.cf change
smtp inet n - n - - smtpd
to
smtp inet n - n - - smtpd -o smtp_bind_address=ORIGINAL IP ADDRESS

In /etc/postfix/main.cf change
smtp inet n - n - - smtpd
to
smtp inet n - n - - smtpd -o smtp_bind_address=NEW IP ADDRESS
Code:
# /etc/postfix/main.cf (original instance: receives inbound mail, relays all outbound mail to the new instance)
alternate_config_directories = /etc/postfix-smtp
myhostname = MAIN.domain.com
relayhost = NEW IP ADDRESS
syslog_name = MAIN
# opendkim (8891) and opendmarc (8893)
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
Code:
# /etc/postfix-smtp/main.cf (second instance: listens on the alias address, signs outbound mail)
inet_interfaces = NEW IP ADDRESS
myhostname = SMTP.domain.com
queue_directory = /var/spool/postfix-smtp
relayhost = <if required>
syslog_name = SMTP
# opendkim only
smtpd_milters = inet:127.0.0.1:8891
Code:
# /etc/opendkim.conf (shared by both postfix instances)
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
SendReports yes
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
ReportAddress "DOMAIN Sender" <SENDER@DOMAIN.COM>
SoftwareHeader yes
Canonicalization relaxed/simple
Selector default
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/default.private
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
PeerList refile:/etc/opendkim/NoFilterHost
OversignHeaders From
AutoRestart yes
AutoRestartRate 10/1h
Code:
# /etc/opendmarc.conf
AuthservID HOSTNAME
AuthservIDWithJobID true
AutoRestart true
AutoRestartCount 0
AutoRestartRate 10/1h
CopyFailuresTo RECIPIENT@DOMAIN.COM
FailureReportsBcc RECIPIENT@DOMAIN.COM
FailureReportsOnNone true
FailureReportsSentBy SENDER@DOMAIN.COM
HistoryFile /etc/opendmarc/opendmarc.dat
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
IgnoreMailFrom <HERE I HAVE LISTED ALL MY TLD's>
MilterDebug 2
PidFile /var/run/opendmarc.pid
PublicSuffixList /etc/opendmarc/effective_tld_names.dat
RecordAllMessages false
Socket inet:8893@localhost
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
SyslogFacility opendmarc
TrustedAuthservIDs HOSTNAME,<MX NAME>
UserID opendmarc
Code:
# /etc/opendkim/NoFilterHost (the PeerList file referenced in opendkim.conf)
my.internal.server myinternal.domain IP.OF.INTERNAL.SERVER
NoFilterHost was not part of the install documentation I used to install opendkim, but I added it to be able to ignore my internal mail server. I would also like to point out that I am using the same DKIM details to sign all my domains - this can be achieved by merely duplicating the information contained in the files KeyTable and SigningTable.

10 Add postfix-smtp to start-up script
Code:
# line added to the start-up script
postfix -c /etc/postfix-smtp start
Code:
service postfix start
postfix -c /etc/postfix-smtp start
service opendkim start
service opendmarc start
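Before starting both instances, as an added check that is not part of the post or of EFA: a small Python lint that parses the two main.cf fragments and confirms they fit this layout (a separate queue directory, the primary relaying to the address the secondary listens on, opendkim on both instances but opendmarc only on the primary, which receives the inbound mail). The fragments are constructed from the ones posted above; 192.0.2.11 and the hostnames are placeholders.

```python
# Constructed main.cf fragments mirroring the thread's layout; 192.0.2.11 stands in for
# NEW IP ADDRESS (RFC 5737 documentation range) and the hostnames are placeholders.
PRIMARY_CF = """\
alternate_config_directories = /etc/postfix-smtp
myhostname = main.example.com
relayhost = 192.0.2.11
syslog_name = MAIN
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
"""
SECONDARY_CF = """\
inet_interfaces = 192.0.2.11
myhostname = smtp.example.com
queue_directory = /var/spool/postfix-smtp
syslog_name = SMTP
smtpd_milters = inet:127.0.0.1:8891
"""
OPENDKIM = "inet:127.0.0.1:8891"   # socket from the posted opendkim.conf
OPENDMARC = "inet:127.0.0.1:8893"  # socket from the posted opendmarc.conf

def parse_main_cf(text: str) -> dict:
    """Parse 'key = value' lines of a main.cf fragment; blank and comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def milters(conf: dict) -> set:
    return {m.strip() for m in conf.get("smtpd_milters", "").split(",") if m.strip()}

def lint_instances(primary_text: str, secondary_text: str, secondary_dir="/etc/postfix-smtp") -> list:
    """Return the list of layout problems found; an empty list means the pair is consistent."""
    p, s = parse_main_cf(primary_text), parse_main_cf(secondary_text)
    problems = []
    if secondary_dir not in p.get("alternate_config_directories", "").replace(",", " ").split():
        problems.append("primary must list %s in alternate_config_directories" % secondary_dir)
    if s.get("queue_directory", "/var/spool/postfix") == "/var/spool/postfix":
        problems.append("secondary needs its own queue_directory")
    if not s.get("inet_interfaces") or p.get("relayhost") != s.get("inet_interfaces"):
        problems.append("primary relayhost must be the address the secondary listens on")
    if p.get("syslog_name") == s.get("syslog_name"):
        problems.append("instances need distinct syslog_name values to tell their logs apart")
    if OPENDKIM not in milters(s):
        problems.append("secondary must run the opendkim milter to sign outbound mail")
    if OPENDMARC in milters(s) or OPENDMARC not in milters(p):
        problems.append("opendmarc belongs on the primary (inbound) instance only")
    return problems
```

Run it against the real files with `open("/etc/postfix/main.cf").read()` and `open("/etc/postfix-smtp/main.cf").read()`; an empty result means the two instances match the layout described in the post.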