[howto] Installing and using opendkim with EFA 3.0.0.7

pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

[howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

Hi All,

[edit: see below]

I'm looking to implement DKIM and I was wondering if anyone has already done so successfully with EFA.

I'm trying to avoid doing something that will break my efa installation in horrible ways during future updates.

Any advice appreciated.
Last edited by pdwalker on 27 Mar 2015 05:21, edited 2 times in total.

Re: Does anyone have any experience using DKIM with 3.0.0.7?

Post by pdwalker »

Well, I'll take that as a "no"

Fortunately, I found this set of instructions:
https://www.howtoforge.com/set-up-dkim- ... g-opendkim

Basically, these instructions are correct for doing it in EFA, but with some minor changes. I'll document what I did differently a bit later.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: [solved] [pending writeup] Does anyone have any experience using DKIM with 3.0.0.7?

Post by shawniverson »

:text-bravo:

Keep us posted. :D

[howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

These instructions reference the howto article Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM

1 Requirements
no change, skip

2 Preliminary Notes
no change, skip

3 Download and install OpenDKIM

Code:

yum install openssl-devel opendkim

Nothing else needs to be done, as the opendkim package from the rpmforge repository takes care of everything else. This repository is already configured in EFA.

The opendkim dependencies install only the necessary sendmail packages needed. Installing sendmail-devel will result in sendmail being installed as well. Don't do that.

4 Create a new user
5 Create working directories
6 Copy the startup script to /etc/init.d/
skip these, already done

7 Generate keys for signing
remember to replace example.com with <YOURDOMAIN>, otherwise just follow the same instructions.

I named my key 'default' as they did in the example

Code:

mkdir /etc/opendkim/keys/<YOURDOMAIN>
opendkim-genkey -D /etc/opendkim/keys/<YOURDOMAIN>/ -d <YOURDOMAIN> -s default
chown -R opendkim:opendkim /etc/opendkim/keys/<YOURDOMAIN>
mv /etc/opendkim/keys/<YOURDOMAIN>/default.private /etc/opendkim/keys/<YOURDOMAIN>/default

8 Edit configuration files
These are the settings I used. Some of them needed to be added, some uncommented and some altered from the installed default configuration file. Pay attention to the ones that start with a value of "refile".

/etc/opendkim.conf

Code:

PidFile             /var/run/opendkim/opendkim.pid
Mode                sv
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
UserID              opendkim:opendkim
Socket              inet:8891@localhost
Umask               002
Canonicalization    relaxed/simple
# Selector and KeyFile are ignored once KeyTable/SigningTable are set;
# the key actually used for signing is the one referenced from /etc/opendkim/KeyTable.
Selector            default
KeyFile             /etc/opendkim/keys/default.private
KeyTable            refile:/etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts
AutoRestart         yes
AutoRestartRate     10/1h

/etc/opendkim/KeyTable

Code:

default._domainkey.<YOURDOMAIN> <YOURDOMAIN>:default:/etc/opendkim/keys/<YOURDOMAIN>/default

/etc/opendkim/SigningTable

Code:

*@<YOURDOMAIN> default._domainkey.<YOURDOMAIN>

/etc/opendkim/TrustedHosts

Code:

127.0.0.1
<ip address of EFA appliance>
<ip address of internal mail server that uses efa as a smarthost>
<another internal ip address of another mail server>
<yet another internal mail server, etc, etc>

9 Edit your Postfix configuration
/etc/postfix/main.cf, append at the end

Code:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

10 Start OpenDKIM and restart Postfix
No need to "rehash".
No need to check for sendmail, as we shouldn't have installed it.

Start opendkim:

Code:

service opendkim start

If your opendkim.conf is correct, and your referenced keys are in the right place and named correctly, opendkim will start without a problem. Otherwise, the error messages were pretty self-explanatory.

Restart MailScanner/Postfix:

Code:

service MailScanner restart

12 Adding DNS Records
Strangely enough, this is the part that gave me the most trouble as I wasn't putting in the text records correctly.

Code:

cat /etc/opendkim/keys/<YOURDOMAIN>/default.txt

Assuming a value of

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4" ; ----- DKIM default for example.com

your DNS TXT record name is
default._domainkey
your DNS record type is TXT
your DNS record value is
v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4

Don't keep the comment from the generated default.txt file. There is a limit on DNS records using UDP, and if the record is too big, the nameserver will have to make a TCP connection to get it all (slower).

While you are there, you should consider creating an SPF record as well. (you've already done that, right?)

Set the TTL to a low value (10 minutes?) until you are sure you've gotten it correct and everything tests properly. Then you can increase the TTL to something more reasonable, like a day or a week.

13 Testing your setup
As suggested, send one email addressed to both autorespond+dkim@dk.elandsys.com and check-auth@verifier.port25.com. Both will give you detailed information about the success/failure of your DKIM and SPF setup.

Lastly
You can also see from the SpamAssassin scoring if your DKIM is correct. Outgoing mail will show the following if it is correct

Code:

 0.10  DKIM_SIGNED    Message has a DKIM or DK signature, not necessarily valid
-0.10  DKIM_VALID     Message has at least one valid DKIM or DK signature
-0.10  DKIM_VALID_AU  Message has a valid DKIM or DK signature from author's domain

resulting in a slight -0.1 modification to your spam score.

If it's incorrect, you'll see a slight increase in the score for having an invalid DKIM setup.

Code:

 0.10  DKIM_SIGNED    Message has a DKIM or DK signature, not necessarily valid
 0.10  T_DKIM_INVALID DKIM or DK signature exists, but is not valid

All in all, it's pretty straightforward. More complex signing requirements will require more careful attention paid to the opendkim configuration, but aside from that, it has minimal impact on the EFA installation - just the 4-line addition to the postfix main.cf file.

PS: I've done this from memory from a day later. Hopefully I've not forgotten anything.
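The DNS step above is the one that tripped the poster up, so here is an added example (not code from the post, EFA or OpenDKIM) that does the record assembly mechanically: it reads the <selector>.txt file opendkim-genkey writes, concatenates the quoted strings, drops the trailing zone-file comment, reports the wire size of the TXT RDATA, and emits the KeyTable/SigningTable lines in the same layout as the post. The domain example.com, the key directory and the key data in the two samples are constructed placeholders, not real keys.

```python
import re

# Added example (not part of the original post): turn opendkim-genkey's
# <selector>.txt into the name/value pair a DNS web UI expects, and build the
# matching KeyTable/SigningTable lines. The key material in the samples below is
# constructed placeholder text, not a real key.

def parse_genkey_txt(text):
    """Return (record_name, record_value) from an opendkim-genkey .txt file.

    Handles both the single quoted string older versions emit and the
    multi-string ( "..." "..." ) form newer versions emit for long keys.
    The trailing '; ----- DKIM ...' comment is dropped: it is only a
    zone-file comment and must not be pasted into the record value.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty key file")
    name = text.split()[0]                      # e.g. default._domainkey
    parts = re.findall(r'"([^"]*)"', text)      # every quoted character-string
    if not parts:
        raise ValueError("no quoted TXT strings found")
    value = "".join(parts)
    if not value.startswith("v=DKIM1"):
        raise ValueError("unexpected record value: %r" % value[:16])
    return name, value


def txt_chunks(value, limit=255):
    """Split a value into DNS character-strings (max 255 bytes each).

    Needed when a key is longer than 255 bytes and the zone editor does not
    split automatically; resolvers concatenate the strings on lookup.
    """
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def rdata_size(value):
    """Wire size of the TXT RDATA: one length byte plus data per string."""
    return sum(1 + len(chunk) for chunk in txt_chunks(value))


def opendkim_tables(domain, selector="default", keydir="/etc/opendkim/keys"):
    """KeyTable and SigningTable lines in the layout used in the post above."""
    sig_name = "%s._domainkey.%s" % (selector, domain)
    keytable = "%s %s:%s:%s/%s/%s" % (sig_name, domain, selector, keydir, domain, selector)
    signingtable = "*@%s %s" % (domain, sig_name)
    return keytable, signingtable


# Constructed samples (placeholder key data, not real keys): the old
# single-string layout and the newer parenthesised multi-string layout.
SAMPLE_OLD = ('default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; '
              'p=MIGfEXAMPLEnotARealKey0000" ; ----- DKIM default for example.com\n')
SAMPLE_NEW = ('default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
              '\t  "p=MIIBIjANBgkqEXAMPLEpart1"\n'
              '\t  "EXAMPLEpart2" )  ; ----- DKIM key default for example.com\n')

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        name, value = parse_genkey_txt(sample)
        print("name:  ", name)
        print("value: ", value)
        print("rdata: ", rdata_size(value), "bytes")
    print("\n".join(opendkim_tables("example.com")))
```

The size figure is only the RDATA; the 512-byte classic UDP limit the post mentions applies to the whole response, so a 1024-bit key fits comfortably and the comment is the main thing to keep out.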

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

Isn't the internet a wonderful invention? (except for spam, of course)
TheN4cer
Posts: 11
Joined: 09 Jun 2015 21:31

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

I got this setup up and running, but verifying via http://dkimvalidator.com and other sites gives a DKIM failure with a wrong body hash.
Google says that some people have turned off the watermark in MailScanner, but that did not work for me. Anyone else having this issue?

Thanks.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

I'll test mine again with your link and see if I still correctly validate.

What domain are you using? I'd like to look at your DKIM key as well.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

Let me know how your tests turn out. I will PM you domain info.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

Guess I can't use PM yet, I emailed you the domain.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

got it.

testing now.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

I think I found the problem. Somehow your domainkey is identical to mine. That shouldn't be.

Can you tell me how you generated your domain key?

[edit: Doh!]

Sorry, I only looked at the beginning of the domain key, not the whole thing. They are different. Let me keep looking.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

According to http://dkimcore.org/c/keycheck/, your dkim key is correct.

Can you email me the different results from your http://dkimvalidator.com/results results page for your domain? I think I need to see what exactly is failing.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

Will do.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

Ok, your test message to me shows:

Code:

Spam Report:
Score  Matching Rule   Description
 0.80  BAYES_50        Bayes spam probability is 40 to 60%
 0.10  DKIM_SIGNED     Message has a DKIM or DK signature, not necessarily valid
 0.00  HTML_MESSAGE    HTML included in message
 0.00  SPF_FAIL        SPF: sender does not match SPF record (fail)
-0.00  SPF_HELO_PASS   SPF: HELO matches SPF record
 0.01  T_DKIM_INVALID

I can see the message is signed, but it gets a header verification error. It would appear that something is altering the message between efa and the rest of the world.

Can you give me a block diagram of your mail flow?

mine is [ms exchange server] <--> [efa] <--> [rest of the world]

do you have something between the efa box and the rest of the world that is altering the messages somehow?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

Also, what messages show up in /var/log/maillog?

I see messages like this with a successful signing of an outgoing message
Jun 11 13:55:29 efa opendkim[1276]: 7C20B180052: DKIM-Signature field added (s=default, d=<MYDOMAIN>)

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

The EFA box is the last hop, so it goes:

Exchange edge --> EFA --> internet

I do get the headers in /var/log/maillog also

opendkim[29685]: 9E6035812D4: DKIM-Signature field added (s=default, d=xxx.com)

This is so bizarre. I played around w/ setting opendkim to relaxed/relaxed but that did not help.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

Well, I got the DKIM errors to go away after disabling the Inline Non-Spam signature option. I modified the signatures, so I wonder if that is it.
I am going to take a look and see if those files have any strange characters in there.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

I can't seem to see any strange things in the files under /etc/MailScanner/reports/en.
I changed the inline.sig.in.txt and inline.sig.in.html files.

Can you verify that you have the non-spam signature option turned on?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

I do not have that option turned on.

My guess is that the message is getting signed, and then modified by the inline not spam sig. If that's the case, then the order this happens will need to be adjusted.

I'm just guessing here.

I'll test it tomorrow and see what it does to my dkim setup.
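The "wrong body hash" symptom reported above, and the guess that the message is signed first and then modified by the inline non-spam signature, can be reproduced offline. This is an added example, not code from the thread, EFA, MailScanner or OpenDKIM: it implements the simple and relaxed body canonicalizations of RFC 6376 section 3.4, computes the bh= value the way a verifier does, and checks a DKIM-Signature header against a body. The message bodies and the header are constructed samples (domain example.com, selector default, CRLF line endings assumed); the b= value is a placeholder, since only the body hash is examined here.

```python
import base64
import hashlib
import re

# Added example (not from the original thread): compute the DKIM body hash (bh=)
# the way a verifier does (RFC 6376 section 3.4), so the "wrong body hash" failure
# can be reproduced offline. The message bodies and the DKIM-Signature header
# below are constructed samples; the b= value is a placeholder, not a signature.
# Bodies are assumed to use CRLF line endings, as on the wire.

def canon_body_simple(body):
    """simple body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"          # an empty body canonicalizes to a single CRLF
    return body


def canon_body_relaxed(body):
    """relaxed body canonicalization: collapse WSP runs to one space, strip
    trailing WSP and trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n" if body else b""


def body_hash(body, canon="simple", algo="sha256"):
    """bh= value: base64 of the digest over the canonicalized body."""
    canonical = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.new(algo, canonical).digest()).decode("ascii")


def parse_tags(header_value):
    """Parse 'tag=value; tag=value' from a DKIM-Signature header, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def body_hash_matches(dkim_signature, body):
    """True if the bh= in the header equals the hash of the body as received.
    The c= tag is header/body; a missing body part means simple."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    algo = "sha256" if tags.get("a", "rsa-sha256").endswith("sha256") else "sha1"
    return body_hash(body, body_canon, algo) == tags.get("bh")


# Constructed sample: the body as signed by opendkim, and the inline
# signature text a later stage appends to it.
ORIGINAL = b"Hello,\r\n\r\nPlease find the report attached.\r\n"
INLINE_SIG = b"\r\n-- \r\nThis message has been scanned for viruses.\r\n"

# Header as opendkim would emit it for ORIGINAL with c=relaxed/simple (the
# setting in the post's opendkim.conf); b= is a placeholder.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=default;\r\n"
             " h=from:to:subject:date; bh=" + body_hash(ORIGINAL, "simple") + ";\r\n"
             " b=PLACEHOLDER")

if __name__ == "__main__":
    print("untouched body:      ", body_hash_matches(SIGNATURE, ORIGINAL))
    print("inline sig appended: ", body_hash_matches(SIGNATURE, ORIGINAL + INLINE_SIG))
    print("extra blank lines:   ", body_hash_matches(SIGNATURE, ORIGINAL + b"\r\n\r\n"))
```

Relaxed canonicalization only forgives whitespace changes; appended signature text changes the digest under either mode, which is why switching to relaxed/relaxed did not help. The fix has to be ordering (sign after every body-modifying step), not a looser hash: the l= body-length tag would tolerate appended text but lets anyone append content under a valid signature, and RFC 6376 warns against relying on it.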

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

OK, let me know how that test goes. I have it turned off for now.

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by TheN4cer »

Just wondering how your tests went? Right now I have the inline signatures off, but users would like them turned back on.
Maybe I should post this as a new issue?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

Whoops. I just realized I let this fall by the wayside. My apologies.

Did you ever resolve your problem?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by ovizii »

What is the current status of EFA regarding DKIM signing?
I know I can manually set it up, but I was wondering if there are any plans to integrate it into the "setup" so you can supply the DKIM keys to EFA for a domain and it will do the rest on its own?

Re: [howto] Installing and using opendkim with EFA 3.0.0.7

Post by pdwalker »

The answer to your question is up thread:
https://github.com/E-F-A/v3/issues/163