Any instructions how to manually move DKIM and DMARC

bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Any instructions how to manually move DKIM and DMARC

Post by bostjanc »

Hi.
In the phase of having a side-by-side migration of EFA 3.x to EFA 4.x,
we will probably be migrating components and custom settings one by one (WHITELISTS, DMARC, DKIM, FAIL2BAN settings).
Is there any good tutorial on how to migrate DKIM, DMARC settings?

with best regards
B
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Any instructions how to manually move DKIM and DMARC

Post by shawniverson »

https://wiki.efa-project.org/doku.php?i ... m_v3_to_v4

opendmarc migration should be similar to opendkim
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Any instructions how to manually move DKIM and DMARC

Post by pdwalker »

Here are my v3 to v4 upgrade notes that may be of some use.

viewtopic.php?f=5&t=4325

I don't recall doing anything special for DMARC, other than updating the configuration file.
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: Any instructions how to manually move DKIM and DMARC

Post by bostjanc »

I see a lot of differences in the config for DKIM in EFA 3.x compared to an EFA 4.x fresh installation.

Comparison of files:

EFA 3.x (FILE: /etc/opendkim.conf)

##
## opendkim.conf -- configuration file for OpenDKIM filter
##
AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim




EFA 4.x fresh install (FILE: /etc/opendkim.conf)
Selector default

## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024

## Gives the location of a private key to be used for signing ALL messages. This
## directive is ignored if KeyTable is enabled.
#KeyFile /etc/opendkim/keys/default.private

## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
# KeyTable /etc/opendkim/KeyTable

## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
# SigningTable refile:/etc/opendkim/SigningTable

## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

## Identifies a set "internal" hosts whose mail should be signed rather than verified.
# InternalHosts refile:/etc/opendkim/TrustedHosts

## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList X.X.X.X

## Always oversign From (sign using actual From and a null From to prevent
## malicious signatures header fields (From and/or others) between the signer
## and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From

## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local.
# QueryCache yes

- I can't remember how I did it or where I took the configuration steps for configuring DKIM/DMARC on EFA 3.x; I think it was somewhere on this forum ...

- Instructions on "https://wiki.efa-project.org/doku.php?i ... m_v3_to_v4" have a step:
cp -ra /mnt/etc/opendkim/* /etc/opendkim (answer yes to overwrite)

but we don't have /mnt/etc/opendkim

[root@efa mnt]# find / -name opendkim
/var/spool/opendkim
/var/lock/subsys/opendkim
/var/run/opendkim
/usr/sbin/opendkim
/usr/local/share/doc/opendkim
/usr/local/share/doc/opendkim/opendkim
/usr/local/sbin/opendkim
/usr/local/src/opendkim-2.4.2/opendkim
/usr/local/src/opendkim-2.4.2/opendkim/.libs/opendkim
/usr/local/src/opendkim-2.4.2/opendkim/opendkim
/usr/local/src/opendkim-2.4.2/contrib/init/generic/opendkim
/usr/local/src/opendkim-2.4.2/contrib/init/redhat/opendkim
/usr/local/src/opendkim-2.4.2/contrib/init/solaris/opendkim
/usr/local/include/opendkim
/etc/sysconfig/opendkim
/etc/rc.d/init.d/opendkim
/etc/opendkim
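
The compare-and-merge step for the two opendkim.conf files quoted in the post above can be done per directive instead of by eye. This is an added example, not part of the original post or of the EFA project; `parse` and `merge_report` are hypothetical helper names, and the sample strings are constructed by abbreviating the two quoted files.

```python
import re

# Constructed samples, abbreviated from the two /etc/opendkim.conf files quoted in the post.
V3_CONF = """\
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
Mode sv
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
"""
V4_CONF = """\
Selector default
MinimumKeyBits 1024
# KeyTable /etc/opendkim/KeyTable
# SigningTable refile:/etc/opendkim/SigningTable
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
# InternalHosts refile:/etc/opendkim/TrustedHosts
OversignHeaders From
"""

# "Name value" directive, optionally disabled with a single leading '#'.
# Documentation lines starting with "##" do not match (heuristic, not OpenDKIM's parser).
LINE = re.compile(r"^(#?)\s*([A-Z][A-Za-z]+)\s+(\S.*?)\s*$")

def parse(text):
    """Return (active, disabled) dicts mapping directive name -> value."""
    active, disabled = {}, {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            (disabled if m.group(1) else active)[m.group(2)] = m.group(3)
    return active, disabled

def merge_report(old_text, new_text):
    """Classify every directive active in the old config against the new one."""
    old, _ = parse(old_text)
    new, new_off = parse(new_text)
    report = {"same": [], "changed": [], "commented_out": [], "missing": []}
    for name, value in sorted(old.items()):
        if name in new:
            report["same" if new[name] == value else "changed"].append(name)
        elif name in new_off:
            report["commented_out"].append(name)
        else:
            report["missing"].append(name)
    report["new_only"] = sorted(set(new) - set(old))
    return report
```

Directives listed under `commented_out` are the ones to re-enable during the merge; for the samples that includes KeyTable and SigningTable, the two settings that tell OpenDKIM where the copied keys are and how to use them.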
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: Any instructions how to manually move DKIM and DMARC

Post by bostjanc »

How can DKIM/DMARC inbound/outbound mail flow be tested, @pdwalker?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Any instructions how to manually move DKIM and DMARC

Post by pdwalker »

Apologies, I've been away from the forums for a while.

Answer to follow as I have to look it up myself again.
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: Any instructions how to manually move DKIM and DMARC

Post by bostjanc »

Hi.
Thank you for your reply.

With the help of Shawn on IRC channel #efa-project I had successfully moved DKIM and DMARC to EFA 4.x.
On DMARC I didn't have to do anything special; for DKIM I had copied the keys and compared & merged dkim.conf efa3 vs efa4. All good!

With best regards
BostjanC
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Any instructions how to manually move DKIM and DMARC

Post by pdwalker »

There's an IRC channel?

Glad to hear you have everything working.
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: Any instructions how to manually move DKIM and DMARC

Post by bostjanc »

Yep, and Shawn is very responsive on that IRC channel:
https://wiki.efa-project.org/doku.php?id=irc_channel