Hi.
We are in the phase of a side-by-side migration of EFA 3.x to EFA 4.x.
We will probably be migrating components and custom settings one by one (whitelists, DMARC, DKIM, Fail2ban settings).
Is there any good tutorial on how to migrate DKIM and DMARC settings?
With best regards
B
Any instructions how to manually move DKIM and DMARC
- shawniverson
Re: Any instructions how to manually move DKIM and DMARC
https://wiki.efa-project.org/doku.php?i ... m_v3_to_v4
opendmarc migration should be similar to opendkim
Re: Any instructions how to manually move DKIM and DMARC
Here are my v3 to v4 upgrade notes that may be of some use.
viewtopic.php?f=5&t=4325
I don't recall doing anything special for DMARC, other than updating the configuration file.
Re: Any instructions how to manually move DKIM and DMARC
I see a lot of differences in the DKIM config in EFA 3.x compared to a fresh EFA 4.x installation.
Comparison of files:
EFA 3.x (FILE: /etc/opendkim.conf)
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim
EFA 4.x fresh install (FILE: /etc/opendkim.conf)
Selector default
## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024
## Gives the location of a private key to be used for signing ALL messages. This
## directive is ignored if KeyTable is enabled.
#KeyFile /etc/opendkim/keys/default.private
## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
# KeyTable /etc/opendkim/KeyTable
## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
# SigningTable refile:/etc/opendkim/SigningTable
## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
## Identifies a set "internal" hosts whose mail should be signed rather than verified.
# InternalHosts refile:/etc/opendkim/TrustedHosts
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList X.X.X.X
## Always oversign From (sign using actual From and a null From to prevent
## malicious signatures header fields (From and/or others) between the signer
## and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From
## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local.
# QueryCache yes
- I can't remember how I did it or where I took the configuration steps for configuring DKIM/DMARC on EFA 3.x; I think it was somewhere on this forum ...
- Instructions on "https://wiki.efa-project.org/doku.php?i ... m_v3_to_v4" have a step:
cp -ra /mnt/etc/opendkim/* /etc/opendkim (answer yes to overwrite)
but we don't have /mnt/etc/opendkim
[root@efa mnt]# find / -name opendkim
/var/spool/opendkim
/var/lock/subsys/opendkim
/var/run/opendkim
/usr/sbin/opendkim
/usr/local/share/doc/opendkim
/usr/local/share/doc/opendkim/opendkim
/usr/local/sbin/opendkim
/usr/local/src/opendkim-2.4.2/opendkim
/usr/local/src/opendkim-2.4.2/opendkim/.libs/opendkim
/usr/local/src/opendkim-2.4.2/opendkim/opendkim
/usr/local/src/opendkim-2.4.2/contrib/init/generic/opendkim
/usr/local/src/opendkim-2.4.2/contrib/init/redhat/opendkim
/usr/local/src/opendkim-2.4.2/contrib/init/solaris/opendkim
/usr/local/include/opendkim
/etc/sysconfig/opendkim
/etc/rc.d/init.d/opendkim
/etc/opendkim
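The two files quoted in the post above differ mostly in which directives are active, so a plain `diff` is noisy. The following is an added example, not part of the thread or of the EFA project: it compares only the uncommented directives of an old and a new opendkim.conf, so that a merge keeps the v4 defaults (`OversignHeaders From`, `MinimumKeyBits`) while restoring the v3 `KeyTable`/`SigningTable` settings. The function names and the sample files are assumptions constructed from directives quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): compare the active directives of the
# EFA 3.x and EFA 4.x opendkim.conf files before merging them.

# Print "Directive<TAB>value" per active line; text from '#' onward is a comment.
active_directives() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1" |
        awk '{ k = $1; $1 = ""; sub(/^[ \t]+/, ""); print k "\t" $0 }'
}

# compare_conf OLD NEW: list directives that differ or exist on one side only.
compare_conf() {
    old_tmp=$(mktemp) && new_tmp=$(mktemp) || return 1
    active_directives "$1" > "$old_tmp"
    active_directives "$2" > "$new_tmp"
    awk -F '\t' '
        pass == 1     { old[$1] = $2; next }
                      { hit[$1] = 1 }
        !($1 in old)  { print "NEW-ONLY " $1 " " $2; next }
        old[$1] != $2 { print "DIFFERS " $1 ": " old[$1] " -> " $2 }
        END { for (k in old) if (!(k in hit)) print "OLD-ONLY " k " " old[k] }
    ' pass=1 "$old_tmp" pass=2 "$new_tmp" | sort
    rm -f "$old_tmp" "$new_tmp"
}

# Constructed sample input: a few directives from the two files quoted above.
# The v4 KeyTable line is shown uncommented here to produce a DIFFERS line.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/v3.conf" <<'EOF'
## opendkim.conf -- configuration file for OpenDKIM filter
Mode sv
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
EOF
    cat > "$d/v4.conf" <<'EOF'
Selector default
MinimumKeyBits 1024
KeyTable /etc/opendkim/KeyTable
# SigningTable refile:/etc/opendkim/SigningTable
OversignHeaders From
EOF
    compare_conf "$d/v3.conf" "$d/v4.conf"
    rm -rf "$d"
}

demo
```

OLD-ONLY lines are settings the old host relied on that the new file does not yet activate; NEW-ONLY lines are v4 defaults that would be lost if the old file simply overwrote the new one.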
Re: Any instructions how to manually move DKIM and DMARC
How can dkim/dmarc inbound/outbound mail flow be tested @pdwalker ?
Re: Any instructions how to manually move DKIM and DMARC
Apologies, I've been away from the forums for a while.  
Answer to follow as I have to look it up myself again.
Re: Any instructions how to manually move DKIM and DMARC
Hi.
Thank you for your reply.
With the help of Shawn on the IRC channel #efa-project I had successfully moved DKIM and DMARC to EFA 4.x.
On DMARC I didn't have to do anything special; for DKIM I had copied the keys and compared & merged dkim.conf efa3 vs efa4. All good!
With best regards
BostjanC
Re: Any instructions how to manually move DKIM and DMARC
There's an IRC channel?
Glad to hear you have everything working.
Re: Any instructions how to manually move DKIM and DMARC
Yep, and Shawn is very responsive on that IRC channel:
https://wiki.efa-project.org/doku.php?id=irc_channel

