[howto] Installing and using opendkim with EFA 3.0.0.7
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Ah, thanks, I see it's planned for 3.1.0.0, very good to know!
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Has anyone ever gotten DKIM running on EFA working?
Mine seems to work perfectly and yet none of the DKIM signatures are valid. I've used a few testers, i.e. sending email to check-auth@verifier.port25.com, and it always fails with:
Code:
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: fail (wrong body hash: expected 40dlJjIaFkHKPeDoJMx1Af6iJ9nswJRG+LcQYubSQZE=)
I've googled the matter; some advised turning off watermarking, but that didn't make a difference. I tried sending HTML and text-only mails and both fail. I tried adding FixCRLF Yes to my opendkim.conf file but that didn't help either; my body hash simply never works out.
Any advice?
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Hi Ovizii,
Sorry for the delay in responding, I'm slowly working my way backwards through old posts.
It works perfectly for me.
Without logging into your system and diagnosing your settings, I cannot say why you are having the problem while I am not. Something must be modifying the message after the dkim signing process, which is why you are getting the hash failures.
Are you still having the problem?
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Sorry for this oversight, I had enquired about DKIM in a few threads. What finally got it working (not sure which one) was stopping any kind of signing of emails and changing my DKIM key to 1024 as I had read about some DNS servers having problems with a 2048-bit key. All working now.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Nice instructions guys, but I'm a little bit confused about which additional steps should be done if you wish to cover two domains and use the same key for both domains?
Please help, with best regards
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Same keys for two domains? Hmm... I don't know... I'd have to look it up and see.
How about these instructions?
https://askubuntu.com/questions/438756/ ... tes#441536
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
OK, but what if you generate two different keys, each key for a specific domain? I'm a little bit confused about what to put in the config files and where...
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
I will take a look at the instructions that you have posted. Thanks.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Good luck. There is lots of information out there and I am sure someone else has had the same issue to solve.
I don't have the answer, nor do I have time to investigate it fully as I don't currently need this functionality.
If I do later on, then I'll definitely find an answer.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Hi all.
I just found EFA and implemented it with success straight away - and so far I do love it.
At the moment I am combating OpenDkim and I have been able to make it work - but I was forced to disable in-line signing. Is there any way to run dkim whilst having signing enabled? Can the order be altered in any way to make dkim the last action happening (thereby the mail will not be changed which ruins the dkim verification) - or; is there any documentation on setting up an additional Postfix instance to handle outgoing email with dkim signing?
I have googled - but cannot find a proper solution. Thank you kindly for any insight.
//Thomas
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
@ulfthomas: I just wanted to confirm that I had the exact same problem and solution. I didn't find any other option than to completely disable inline signing.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
I have spent the last few hours trying to work my way around this by duplicating the existing postfix instance in EFA to handle all outgoing mail. I have - just this minute actually - been successful in this attempt. I now have a working postfix that receives all outbound email, stamps the DKIM and delivers it.
Now I have to figure out how to do inbound dkim verification since all mail is being received by the original postfix but all dkim operations are being used by the new. Wish me luck.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
ulfthomas wrote: ↑07 Nov 2017 11:47
I have spent the last few hours trying to work my way around this by duplicating the existing postfix instance in EFA to handle all outgoing mail. I have - just this minute actually - been successful in this attempt. I now have a working postfix that receives all outbound email, stamps the DKIM and delivers it.
Now I have to figure out how to do inbound dkim verification since all mail is being received by the original postfix but all dkim operations are being used by the new. Wish me luck.

So - after much googling and trial and error this is my setup now - which works with in-line signing:
Outbound
Mail Server ---> Postfix Main ---> Postfix SMTP ---> Internet
Inbound
Internet ---> Postfix Main ---> Mail Server
Configuration Details
Mail Server
- No changes, using Postfix Main as smart host
Postfix Main
- This is the original Postfix instance on EFA (with config modifications)
- Performs all spam-related verification including DKIM and DMARC
- Configured with Postfix SMTP as smart host
Postfix SMTP
- The new Postfix instance (a copy of the original with config modifications)
- Signs DKIM only on outbound email
OpenDKIM
- Is called from both Postfix instances
- Trick was to make it ignore mail from internal mail server:
-- this enabled outbound emails to be signed only by Postfix SMTP
-- and it enabled DKIM verifications to be handled by Postfix main
I have not been using EFA for long and this might not be the preferred way to do this - but for me it works. All tests done on dkim, spf and dmarc are now reported as successful and all inbound emails are being scanned and stamped properly.
If others would like to know the setup I will be happy to do a config write-up of this - so let me know.
//Thomas
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
This is being integrated into 3.0.2.6. The release is delayed until end of month, when we will have more free time to devote to coding.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
TheGr8Wonder wrote: ↑07 Nov 2017 22:00
This is being integrated into 3.0.2.6. The release is delayed until end of month, when we will have more free time to devote to coding.

That is good news.
Will it work with in-line signing?
- shawniverson
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Very interested in your work. Standing up a second postfix instance for signing is a brilliant idea and moves signing after the mailscanner message mods.
I think we should consider your implementation method of opendkim.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
shawniverson wrote: ↑15 Nov 2017 23:31
Very interested in your work. Standing up a second postfix instance for signing is a brilliant idea and moves signing after the mailscanner message mods.
I think we should consider your implementation method of opendkim.

Let me know how I can contribute and I will do my best.
- shawniverson
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
A little how-to would be great. Don't need exhaustive details, just the highlights. I would like to set it up and see what we can do with it.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
shawniverson wrote: ↑16 Nov 2017 22:58
A little how-to would be great. Don't need exhaustive details, just the highlights. I would like to set it up and see what we can do with it.

I'll write up a summary this weekend. Nothing too complicated, so it should be an easy ride.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Hi again.
This is a quick write-up of how I switched from one to two postfix instances, primarily to solve proper dkim-signing of outbound email together with the addition of the EFA spam-links. The background for doing this was that emails were being signed by dkim before EFA inserted the links, hence dkim verification would fail since the email would be changed after it was signed. My setup results in dkim signing being the final operation before the mail is sent to the internet.

Please note:
- both postfix instances are utilizing the same instances of opendkim and opendmarc, which requires some specific configuration. This is highlighted in the write-up.
- In the configuration files I have replaced any information pertaining to my setup. Please read them and modify accordingly before saving your configuration files.

My setup is as follows:
- Internal Exchange mail server
- EFA running two postfix instances (MAIN: original postfix instance, SMTP: new postfix instance)
- Implements DKIM and DMARC
- 3 domains

Mail flow:
- Exchange using MAIN as smart host
- MAIN using SMTP as smart host
- SMTP delivers mail to the internet
- MAIN receives mail from the internet

Final setup (outbound):
1: Mail sent from Exchange to MAIN
2: DMARC on MAIN (see note 1)
3: MailScanner on MAIN as per default configuration
4: Mail sent to SMTP
5: DKIM on SMTP (see note 1)
6: Mail leaving my setup

Final setup (inbound):
1: Mail received by MAIN
2: DMARC on MAIN (see note 1)
3: DKIM on MAIN
4: MailScanner on MAIN
5: Mail delivered to internal mail server

As a general warning: I am no expert in Linux, which resulted in me not finding out about postmulti until I had a working setup using this manual approach. I will consider redoing my setup using postmulti at a later stage.

Setup

1: Install opendkim
- Kudos to pdwalker for supplying the instructions.
- Make sure it works before proceeding

2: Install opendmarc
- Kudos to thewomble for supplying the instructions.
- Make sure it works before proceeding

3: Assign an extra IP address to EFA
Code:
cd /etc/sysconfig/network-scripts
cp ifcfg-eth0 ifcfg-eth0:1
vi ifcfg-eth0:1
IPADDR=NEW IP ADDRESS

4: Add NEW IP ADDRESS to hosts file
Code:
vi /etc/hosts
NEW IP ADDRESS SMTP.DOMAIN.COM

5: Reboot EFA
- Verify that new IP is pingable from remote client
- Verify local name resolution on new IP and hostname

6: Stop services
Code:
service opendkim stop
service opendmarc stop
service postfix stop

7: Copy your existing postfix to a new folder
Code:
cp -rp /etc/postfix /etc/postfix-smtp

8: Create new spool directory structure for postfix-smtp
Code:
mkdir /var/spool/postfix-smtp
postfix -c /etc/postfix-smtp check

9: Edit configuration files

/etc/postfix/master.cf
- Change line:
Code:
smtp inet n - n - - smtpd
to
Code:
smtp inet n - n - - smtpd -o smtp_bind_address=ORIGINAL IP ADDRESS

/etc/postfix-smtp/master.cf
- Change line:
Code:
smtp inet n - n - - smtpd
to
Code:
smtp inet n - n - - smtpd -o smtp_bind_address=NEW IP ADDRESS

/etc/postfix/main.cf
These should be added if missing or changed accordingly if present.
Code:
alternate_config_directories = /etc/postfix-smtp
myhostname = MAIN.domain.com
relayhost = NEW IP ADDRESS
syslog_name = MAIN
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893

/etc/postfix-smtp/main.cf
These should be added if missing or changed accordingly if present.
Code:
inet_interfaces = NEW IP ADDRESS
myhostname = SMTP.domain.com
queue_directory = /var/spool/postfix-smtp
relayhost = <if required>
syslog_name = SMTP
smtpd_milters = inet:127.0.0.1:8891

/etc/opendkim.conf
The file should resemble this when properly configured
Code:
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
SendReports yes
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
ReportAddress "DOMAIN Sender" <SENDER@DOMAIN.COM>
SoftwareHeader yes
Canonicalization relaxed/simple
Selector default
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/default.private
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
PeerList refile:/etc/opendkim/NoFilterHost
OversignHeaders From
AutoRestart yes
AutoRestartRate 10/1h

/etc/opendmarc.conf
The file should resemble this when properly configured
Code:
AuthservID HOSTNAME
AuthservIDWithJobID true
AutoRestart true
AutoRestartCount 0
AutoRestartRate 10/1h
CopyFailuresTo RECIPIENT@DOMAIN.COM
FailureReportsBcc RECIPIENT@DOMAIN.COM
FailureReportsOnNone true
FailureReportsSentBy SENDER@DOMAIN.COM
HistoryFile /etc/opendmarc/opendmarc.dat
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
IgnoreMailFrom <HERE I HAVE LISTED ALL MY TLD's>
MilterDebug 2
PidFile /var/run/opendmarc.pid
PublicSuffixList /etc/opendmarc/effective_tld_names.dat
RecordAllMessages false
Socket inet:8893@localhost
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
SyslogFacility opendmarc
TrustedAuthservIDs HOSTNAME,<MX NAME>
UserID opendmarc

/etc/opendkim/NoFilterHost
Read the comments pertaining to PeerList to learn how to ignore your entire internal network should you so please.
Code:
my.internal.server myinternal.domain IP.OF.INTERNAL.SERVER

NoFilterHost was not part of the install documentation I used to install opendkim, but I added it to be able to ignore my internal mail server. I would also like to point out that I am using the same DKIM details to sign all my domains - this can be achieved by merely duplicating the information contained in the files KeyTable and SigningTable.

10: Add postfix-smtp to start-up script
- vi /etc/rc.local
Code:
postfix -c /etc/postfix-smtp start

11: Start services
Code:
service postfix start
postfix -c /etc/postfix-smtp start
service opendkim start
service opendmarc start

12: Verification
Tail your /var/log/maillog file and verify that all services are starting properly - and make sure they do before attempting to verify mail flow.

13: Send mail from your internal mail server to the internet
- Make sure it is received by MAIN, scanned and sent to SMTP
- Make sure SMTP receives it, DKIM signs it and sends it to the internet

14: Send an inbound email
- Make sure it is received by MAIN, verified and sent to your internal mail server

Note 1
MAIN and SMTP are both using the same DMARC and DKIM instances. Both DKIM and DMARC are therefore configured to ignore emails from the internal mail server because 1) MAIN will never have to verify nor sign any emails originating on the inside and 2) SMTP will never receive any emails from the internal mail server (as it is the smart host for MAIN only). This configuration allows MAIN to verify all inbound email using DKIM and DMARC whilst SMTP does all outbound DKIM signing. Also - since SMTP is doing only DKIM signing I have removed the DMARC service altogether from this postfix instance. My reasoning for setting it up this way was to leave as much as possible on the original EFA whilst only having the secondary doing outbound DKIM-signing.

------ End Write-up ------
I have checked spelling, order and config files many times over and hopefully I haven't missed anything or done something altogether outrageous.
If you find any issues, have questions or would like to improve on my setup (aside from postmulti, that is) - please leave a comment. And as I said - I am no Linux expert but I will try to answer any questions you might have.
//UlfThomas
------ Version control ------
23/11: Visual changes only by formatting additional sections as code
Last edited by ulfthomas on 23 Nov 2017 09:00, edited 1 time in total.
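The write-up above copies /etc/postfix by hand, and a few of the settings that let two instances coexist are easy to miss. The checker below is an added example, not part of the post or of EFA: it reads `postconf -n`-style output for both instances (`postconf -n` for MAIN, `postconf -c /etc/postfix-smtp -n` for SMTP) and flags the gaps a practitioner would look for: the secondary directory missing from alternate_config_directories, a shared queue_directory, two listeners competing for port 25, a relayhost that does not point at the signing instance, a signing instance without the OpenDKIM milter, and indistinguishable syslog names. Two points from the Postfix documentation drive the stricter checks: every port-25 listener needs its own inet_interfaces value (the default `all` already covers the address the second instance wants), and smtp_bind_address is a parameter of the smtp(8) client, so an `-o smtp_bind_address=` on an `smtpd` line in master.cf has no effect; it belongs in the outbound instance's main.cf if mail must leave from the address your SPF and PTR records describe. The two sample configurations are constructed from the write-up's values with RFC 5737 addresses in place of the placeholders.

```python
"""Consistency checks for a two-instance Postfix layout like the one in the
write-up (MAIN scans and relays to SMTP, SMTP signs and delivers). Added
example, not from the post or from EFA; input is `postconf -n`-style text
for each instance, and the samples are constructed with RFC 5737 addresses."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]            # (short code, explanation)


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse `name = value` lines as printed by `postconf -n`; later lines win."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, sep, value = line.partition("=")
            if sep:
                params[name.strip()] = value.strip()
    return params


def _relay_target(relayhost: str) -> str:
    """'[192.0.2.11]:25' -> '192.0.2.11'. Brackets only turn off the MX lookup;
    IPv6 literals are not handled here."""
    host = relayhost.strip()
    if host.startswith("["):
        return host[1:].split("]", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def check_instances(main: Dict[str, str], out: Dict[str, str],
                    out_dir: str = "/etc/postfix-smtp",
                    dkim_milter: str = "inet:127.0.0.1:8891") -> List[Finding]:
    """Findings for a (MAIN, SMTP) pair; an empty list means the layout is sound."""
    f: List[Finding] = []
    alt = main.get("alternate_config_directories", "").replace(",", " ").split()
    if out_dir not in alt:
        f.append(("alt_cfg", "MAIN must list %s in alternate_config_directories, "
                             "or `postfix -c %s` refuses to run" % (out_dir, out_dir)))
    if main.get("queue_directory", "/var/spool/postfix") == out.get("queue_directory", "/var/spool/postfix"):
        f.append(("queue", "both instances would use the same queue_directory"))
    main_if, out_if = main.get("inet_interfaces", "all"), out.get("inet_interfaces", "all")
    if "all" in (main_if, out_if) or main_if == out_if:
        f.append(("listen", "two port-25 listeners need distinct inet_interfaces "
                            "(MAIN=%s, SMTP=%s); 'all' covers every address" % (main_if, out_if)))
    if _relay_target(main.get("relayhost", "")) != out_if:
        f.append(("relay", "MAIN relayhost (%s) does not point at SMTP's listener (%s)"
                           % (main.get("relayhost", "<unset>"), out_if)))
    if out.get("smtp_bind_address") != out_if:
        f.append(("bind", "SMTP should set smtp_bind_address = %s (an smtp(8) client "
                          "setting, not an smtpd one) so mail leaves from the address "
                          "your SPF and PTR records describe" % out_if))
    milters = out.get("smtpd_milters", "").replace(",", " ").split()
    if dkim_milter not in milters:
        f.append(("milter", "SMTP does not call %s; nothing would sign outbound mail" % dkim_milter))
    if main.get("syslog_name", "postfix") == out.get("syslog_name", "postfix"):
        f.append(("syslog", "use distinct syslog_name values so maillog tells the instances apart"))
    return f


# Constructed `postconf -n` excerpts mirroring the write-up: 192.0.2.10 stands
# for the original EFA address, 192.0.2.11 for the one added in step 3.
MAIN_AS_POSTED = """
alternate_config_directories = /etc/postfix-smtp
myhostname = main.example.com
relayhost = 192.0.2.11
syslog_name = MAIN
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
"""
SMTP_AS_POSTED = """
inet_interfaces = 192.0.2.11
myhostname = smtp.example.com
queue_directory = /var/spool/postfix-smtp
syslog_name = SMTP
smtpd_milters = inet:127.0.0.1:8891
"""
# Same layout with MAIN pinned to its own address and SMTP sending from the
# address it listens on (the later relayhost line overrides the earlier one).
MAIN_FIXED = MAIN_AS_POSTED + "inet_interfaces = 192.0.2.10\nrelayhost = [192.0.2.11]\n"
SMTP_FIXED = SMTP_AS_POSTED + "smtp_bind_address = 192.0.2.11\n"


def audit(main_text: str, out_text: str) -> List[str]:
    """Finding codes for a pair of instance configurations."""
    return [code for code, _ in check_instances(parse_postconf(main_text),
                                                parse_postconf(out_text))]
```

Run `audit(MAIN_AS_POSTED, SMTP_AS_POSTED)` and you get `listen` and `bind`; feed it the `_FIXED` pair and the list is empty. On a real box, pipe the two `postconf -n` outputs into `parse_postconf` instead of the constants.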
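The thread asks twice how to cover two domains, and the write-up notes that one key can sign every domain by duplicating the KeyTable and SigningTable entries. The added example below (mine, not from the thread or from OpenDKIM) generates both tables for a list of domains with either one shared key file or a key per domain, resolves a From: address through them the way OpenDKIM's `refile:` matching does, and writes the DNS TXT record split into 255-octet strings, which is what a 2048-bit key needs and a 1024-bit key does not. Two caveats worth keeping in mind: the d= field in each KeyTable entry must be the sender's own domain, or DMARC alignment fails for every domain but one; and a single shared private key means whoever obtains that file can sign for all your domains, and rotating it means re-publishing every domain's TXT record. The domains, paths and public-key placeholder are constructed.

```python
"""OpenDKIM KeyTable/SigningTable lines for several domains (one shared key or
a key per domain) and the DNS TXT record split that 2048-bit keys need.
Added example; not code from the thread or from OpenDKIM. Domains, paths and
the placeholder public key are constructed."""
import re
from typing import Dict, List, Optional, Tuple

KeyEntry = Tuple[str, str, str]          # (d= domain, s= selector, key file)


def build_tables(domains: List[str], selector: str,
                 key_files: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """KeyTable and SigningTable (refile:) lines for `domains`.

    key_files maps domain -> private key path. Point every domain at one path
    to share a key, or give each domain its own file. Either way the KeyTable
    d= field is the sender's own domain: one entry signing everything as
    d=example.com would make example.net mail fail DMARC alignment."""
    keytable, signingtable = [], []
    for domain in domains:
        keyname = "%s._domainkey.%s" % (selector, domain)
        keytable.append("%s\t%s:%s:%s" % (keyname, domain, selector, key_files[domain]))
        signingtable.append("*@%s\t%s" % (domain, keyname))
    return keytable, signingtable


def parse_keytable(lines: List[str]) -> Dict[str, KeyEntry]:
    """keyname -> (domain, selector, keyfile); blank and '#' lines skipped."""
    table: Dict[str, KeyEntry] = {}
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            keyname, value = line.split(None, 1)
            domain, selector, keyfile = value.strip().split(":", 2)
            table[keyname] = (domain, selector, keyfile)
    return table


def refile_match(pattern: str, value: str) -> bool:
    """refile: semantics: '*' matches any run of characters, everything else
    is literal, and matching is case-insensitive."""
    rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(rx, value, re.IGNORECASE) is not None


def lookup(from_addr: str, signingtable: List[str],
           keytable: Dict[str, KeyEntry]) -> Optional[KeyEntry]:
    """First SigningTable pattern matching the From: address wins, then the
    key name is resolved through the KeyTable, as OpenDKIM does."""
    for line in signingtable:
        if line.strip() and not line.lstrip().startswith("#"):
            pattern, keyname = line.split(None, 1)
            if refile_match(pattern, from_addr):
                return keytable.get(keyname.strip())
    return None


def dns_txt_record(selector: str, domain: str, pubkey_b64: str,
                   max_string: int = 255) -> str:
    """Zone-file line publishing the key. One TXT <character-string> holds at
    most 255 octets (RFC 1035); resolvers concatenate several. A 1024-bit key
    record (~234 bytes) fits one string, a 2048-bit one (~410 bytes) does not,
    so it has to be entered as two quoted strings."""
    record = "v=DKIM1; k=rsa; p=%s" % pubkey_b64
    chunks = [record[i:i + max_string] for i in range(0, len(record), max_string)]
    return "%s._domainkey.%s. IN TXT %s" % (selector, domain,
                                            " ".join('"%s"' % c for c in chunks))


def txt_strings(record: str) -> List[str]:
    """The quoted <character-string>s of a zone-file TXT line."""
    return re.findall(r'"([^"]*)"', record)


DOMAINS = ["example.com", "example.net", "example.org"]
SHARED = {d: "/etc/opendkim/keys/default.private" for d in DOMAINS}
PER_DOMAIN = {d: "/etc/opendkim/keys/%s/default.private" % d for d in DOMAINS}
# Placeholder with the length of a base64 2048-bit RSA SubjectPublicKeyInfo
# (294 DER bytes -> 392 characters); not a real key.
FAKE_2048_PUBKEY = "A" * 392


def signing_domain(from_addr: str, key_files: Dict[str, str]) -> Optional[str]:
    """d= that tables built from `key_files` would put on this sender's mail."""
    kt, st = build_tables(DOMAINS, "default", key_files)
    entry = lookup(from_addr, st, parse_keytable(kt))
    return entry[0] if entry else None


def distinct_key_files(key_files: Dict[str, str]) -> int:
    """How many private key files the generated KeyTable references."""
    kt, _ = build_tables(DOMAINS, "default", key_files)
    return len({entry[2] for entry in parse_keytable(kt).values()})
```

Write the two lists from `build_tables` to /etc/opendkim/KeyTable and /etc/opendkim/SigningTable (both referenced with the `refile:` prefix, as in the opendkim.conf above), and publish one `dns_txt_record` line per domain; with a shared key every record carries the same p= value.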
- shawniverson
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
This is awesomesauce. Will be taking a deep look at this.
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Were you able to replicate this?
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Someone know if something has changed?
I've got:
Sign Clean Messages = No
Sign Messages Already Processed = no
And I'm getting DKIM result = fail Details: body has been altered
What else i need to do?
Thanks!
Re: [howto] Installing and using opendkim with EFA 3.0.0.7
Never mind, i got it.
[efabox]$ EFA-Configure
9) Spam Settings
1) Non Spam Settings
Disabling Signatures worked like a charm!
Thanks!
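The "wrong body hash" result in the first post and the "body has been altered" result in the last two posts are the same check failing: the verifier recomputes the bh= tag over the body it received, and MailScanner's signature (or the EFA links) was appended after OpenDKIM had already hashed the body, so disabling the signature or moving signing after the last modification are the only fixes. The added example below, mine and not from the thread or from OpenDKIM, implements just that step of RFC 6376 on a constructed message so you can watch it happen. It also honours the l= tag as the RFC requires; OpenDKIM only emits l= when BodyLengthDB is configured, and a short l= is exactly what would let appended text pass verification, so it is not a fix either.

```python
"""Recompute a DKIM body hash (bh=) to show why a footer appended after
signing yields "wrong body hash" / "body has been altered". Added example,
not from the thread or from OpenDKIM; only the body-hash step of RFC 6376 is
implemented (not the RSA signature b=), and the message and footer are
constructed."""
import base64
import hashlib
import re
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"


def canon_body(body: bytes, method: str) -> bytes:
    """Body canonicalisation, RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(CRLF, b"\n").split(b"\n")
    if method == "relaxed":
        # collapse runs of WSP to one space and strip trailing WSP per line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalisation: %s" % method)
    while lines and lines[-1] == b"":          # drop trailing empty lines
        lines.pop()
    if not lines:
        return CRLF if method == "simple" else b""
    return CRLF.join(lines) + CRLF


def body_hash(body: bytes, method: str, length: Optional[int] = None) -> str:
    """bh= for a=rsa-sha256: base64(SHA-256(canonicalised body[:l]))."""
    data = canon_body(body, method)
    if length is not None:
        data = data[:length]                   # l= limits how much body is signed
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def split_message(raw: bytes) -> Tuple[str, bytes]:
    """(header block as text, body bytes), split at the first empty line."""
    head, _, body = raw.replace(CRLF, b"\n").partition(b"\n\n")
    return head.decode("ascii"), body


def get_header(head: str, name: str) -> Optional[str]:
    """Value of the first header called `name`, continuation lines unfolded."""
    for line in re.sub(r"\n[ \t]+", " ", head).split("\n"):
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_tags(sig: str) -> Dict[str, str]:
    """DKIM tag=value list; folding whitespace inside values is removed."""
    tags = {}
    for part in sig.split(";"):
        key, sep, value = part.partition("=")  # base64 '=' padding stays in value
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def sign_body(raw: bytes, canon: str = "relaxed/simple") -> bytes:
    """Prepend a DKIM-Signature whose bh= matches the body as it is now. b= is
    left empty on purpose: verifiers check bh= first and report a body change
    before the RSA signature is ever looked at."""
    head, body = split_message(raw)
    method = canon.split("/")[1]
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=%s; d=example.com; s=default;"
           " h=from:to:subject; bh=%s; b=" % (canon, body_hash(body, method)))
    return (sig + "\n" + head).encode("ascii") + b"\n\n" + body


def check_body_hash(raw: bytes) -> Tuple[bool, str, str]:
    """Recompute bh= from the body as received; (ok, bh_signed, bh_computed)."""
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        raise ValueError("no DKIM-Signature header")
    tags = parse_tags(sig)
    canon = tags.get("c", "simple/simple")
    # "c=relaxed" with no slash means relaxed headers, simple body (RFC 6376 3.5)
    method = canon.split("/")[1] if "/" in canon else "simple"
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, method, length)
    return computed == tags.get("bh", ""), tags.get("bh", ""), computed


# Constructed message as the internal mail server would hand it over.
ORIGINAL = (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
            b"Subject: quarterly figures\r\n\r\n"
            b"Hi Bob,\r\nnumbers attached.\r\nAlice\r\n")
# Constructed stand-in for a signature a content filter appends later.
FOOTER = b"\r\n-- \r\nThis message has been scanned for viruses.\r\n"
SIGNED = sign_body(ORIGINAL)          # bh= covers the body as signed
ALTERED = SIGNED + FOOTER             # same signature, body changed downstream


def demo() -> Dict[str, bool]:
    """The cases an admin chasing 'wrong body hash' wants side by side."""
    wsp_change = (b"Hi Bob,", b"Hi  Bob, \t")
    return {
        "untouched_verifies": check_body_hash(SIGNED)[0],
        "footer_breaks_bh": check_body_hash(ALTERED)[0],
        # relaxed body canonicalisation tolerates whitespace-only edits ...
        "relaxed_ignores_wsp": check_body_hash(
            sign_body(ORIGINAL, "relaxed/relaxed").replace(*wsp_change))[0],
        # ... simple does not, and neither tolerates added content
        "simple_rejects_wsp": check_body_hash(
            sign_body(ORIGINAL, "relaxed/simple").replace(*wsp_change))[0],
    }
```

`demo()` returns True only for the untouched message and for a whitespace-only edit under relaxed body canonicalisation; the appended footer fails under either mode, because canonicalisation removes trailing blank lines and collapses whitespace but never removes content. To debug a real failure, paste the received message (with its DKIM-Signature header) into `check_body_hash` and compare the two hashes it returns.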