HowtoForge Forums > ISPConfig 3 > Installation/Configuration

#1
3rd November 2009, 12:40
ciprianflorea
amavis dkim problem

Hi, I'm trying to set up DKIM signatures with amavis.
I followed this guide http://www.ijs.si/software/amavisd/a...docs.html#dkim
and all looks good until

$ amavisd testkeys

www1:/etc/amavis/conf.d# amavisd-new testkeys
TESTING: www1.xxx.com._domainkey.www1.xxx.com => fail (message has been altered)

Any idea what I did wrong?

I think this has to do with adding the TXT record to the MyDNS server.
I have added the entry that was generated by
amavisd showkeys

but for some reason it doesn't display the record when I do dig...

#2
3rd November 2009, 16:59
ciprianflorea

no one had the same problem?

#3
3rd November 2009, 17:34
ciprianflorea

Finally I kind of figured out where the problem is, but now I'm stuck on another issue.

How can I insert a DKIM key into a MyDNS record?

I have a generated key and I have added a new TXT record to MyDNS, but it doesn't show up.

Here is how it looks:
http://yfrog.com/j8dkimlj
Any idea?

Last edited by ciprianflorea; 3rd November 2009 at 17:37.

#4
4th November 2009, 09:33
till (Super Moderator)

The problem might be with the length of the record. mydns-ng has a new edata field for that in the latest version, as I've read here, but that's not implemented in ISPConfig yet.

http://sourceforge.net/mailarchive/f...me=mydns-users

#5
4th November 2009, 14:19
ciprianflorea

Well, I finally got to insert the TXT record, but for some reason it is altered and amavis won't recognize it:

Here is the output:

www1:~# dig @127.0.0.1 mail._domainkey.mail.domain.tld. txt

; <<>> DiG 9.5.1-P3 <<>> @127.0.0.1 mail._domainkey.mail.domain.tld. txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39120
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail._domainkey.mail.domain.tld. IN TXT

;; ANSWER SECTION:
mail._domainkey.mail.domain.tld. 1800 IN TXT "\"v=DKIM1\; p=\"\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+j8TF 4XX+23pdk228z1ie0dUR\"\"zyFSV4/AggUXW2YgYoOk+invQnCRYv/DlLlidlpPQmgFyiUDJ20oyuOeG98zskpw\"\"Affl0yhATIC2v BLOK4X2nOrMbkzHEi52QBxgnJs6bKSftzN+zSTJ8OKkRMcSMUb j\"\"/TaPjVL8vycrVvmAowIDAQAB\""

;; AUTHORITY SECTION:
domain.tld. 1800 IN NS ns1.domain.tld.
domain.tld. 1800 IN NS www1.domain.tld.

;; ADDITIONAL SECTION:
ns1.domain.tld. 1800 IN A 1.2.3.4
www1.domain.tld. 1800 IN A 1.2.3.4

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 4 07:11:53 2009
;; MSG SIZE rcvd: 374

www1:~# amavisd-new testkeys
TESTING: mail._domainkey.mail.domain.tld => invalid (public key: invalid data)


any idea?

#6
4th November 2009, 15:37
till (Super Moderator)

The problem is that the string is escaped with \. Please check the record in the database with phpMyAdmin: does it contain the \ too? If not, it's a mydns problem and you should check whether you have the latest mydns version installed.
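The failure shown in the dig output above can be reproduced offline. The following Python script is an added example, not code from this thread, from amavisd or from MyDNS: it parses the RDATA of a dig TXT line (undoing dig's \" and \; escapes), concatenates the character-strings as RFC 6376 requires, and then checks the p= value the way a DKIM verifier does. The key pieces are the ones echoed in the dig output; the "intended" presentation of the record is constructed to show what amavisd showkeys means to publish.

```python
import base64
import binascii
import re

# Constructed sample data. The four pieces are the public key echoed in the
# thread's dig output (the stray spaces inside them are reproduced as shown;
# RFC 6376 permits folding whitespace inside the base64 value).
KEY_PIECES = [
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+j8TF 4XX+23pdk228z1ie0dUR",
    "zyFSV4/AggUXW2YgYoOk+invQnCRYv/DlLlidlpPQmgFyiUDJ20oyuOeG98zskpw",
    "Affl0yhATIC2v BLOK4X2nOrMbkzHEi52QBxgnJs6bKSftzN+zSTJ8OKkRMcSMUb j",
    "/TaPjVL8vycrVvmAowIDAQAB",
]

# RDATA exactly as dig printed it for the record MyDNS actually served: one
# character-string in which the inner quotes survived as literal '"' characters.
BROKEN_RDATA = (r'"\"v=DKIM1\; p=\"\"' + KEY_PIECES[0] + r'\"\"' + KEY_PIECES[1]
                + r'\"\"' + KEY_PIECES[2] + r'\"\"' + KEY_PIECES[3] + r'\""')

# RDATA as dig would print the record "amavisd showkeys" intends: several
# character-strings that the verifier concatenates (constructed for contrast).
GOOD_RDATA = r'"v=DKIM1\; p=" ' + " ".join('"%s"' % piece for piece in KEY_PIECES)

BASE64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def dig_txt_strings(rdata):
    """Turn dig's TXT presentation ("..." "..." with backslash escapes) back into
    the list of character-strings the resolver returned."""
    strings, current, inside, i = [], [], False, 0
    while i < len(rdata):
        ch = rdata[i]
        if not inside:
            if ch == '"':
                inside, current = True, []
            i += 1
            continue
        if ch == "\\" and i + 1 < len(rdata):   # \" and \; are dig escapes
            current.append(rdata[i + 1])
            i += 2
            continue
        if ch == '"':
            strings.append("".join(current))
            inside = False
        else:
            current.append(ch)
        i += 1
    return strings


def parse_tags(record):
    """Split a DKIM tag=value record into a dict (whitespace around tags dropped)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def der_sequence_length(der):
    """Length claimed by a DER SEQUENCE header, or None if there is no such header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_dkim_record(strings):
    """Check a DKIM key record the way a verifier does: concatenate the
    character-strings, read the p= tag, strip folding whitespace, base64-decode
    and confirm the result is a DER SEQUENCE (SubjectPublicKeyInfo) of the
    claimed length. Returns a dict with ok, reason and (on success) key_der_len."""
    tags = parse_tags("".join(strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"ok": False, "reason": "unsupported version %r" % tags["v"]}
    if "p" not in tags:
        return {"ok": False, "reason": "no p= tag (public key missing)"}
    p = re.sub(r"\s+", "", tags["p"])
    if not p:
        return {"ok": False, "reason": "empty p= (key revoked)"}
    bad = sorted(set(c for c in p if c not in BASE64_ALPHABET))
    if bad:
        return {"ok": False,
                "reason": "public key: invalid data (non-base64 characters %r)" % bad}
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error as exc:
        return {"ok": False, "reason": "public key: invalid data (%s)" % exc}
    if der_sequence_length(der) != len(der):
        return {"ok": False, "reason": "public key: not a DER SEQUENCE of the claimed length"}
    return {"ok": True, "reason": "ok", "key_der_len": len(der)}


if __name__ == "__main__":
    for label, rdata in (("as served by MyDNS", BROKEN_RDATA), ("as intended", GOOD_RDATA)):
        print(label, "->", check_dkim_record(dig_txt_strings(rdata))["reason"])
```

Run against the record as served, the script reports the same class of error amavisd printed, "public key: invalid data", because the literal quote characters end up inside the base64 value; the correctly stored record decodes to a 162-byte DER SubjectPublicKeyInfo, the size of a 1024-bit RSA key. The same check is a useful pre-flight before relying on any DKIM record: run it on the resolver's answer (what dig returns), not on the value typed into the DNS panel, since that is the only place a quoting or length problem in the DNS server shows up.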

#7
5th November 2009, 09:05
ciprianflorea

The slashes are in the database too, but this is kind of tricky, because if I remove the slashes the whole thing can degenerate into a big MySQL security hole. I'm still searching for a reasonable way of getting this to work. I will post updates here on this matter.

#8
4th January 2010, 17:32
ciprianflorea
Solved!

After a long fight I finally managed to get DKIM signatures to work!
In fact this job is pretty simple:
After you generate the key file (in my case I had 3 key files for three different domains), use the showkeys command to display the key and create a TXT record in MyDNS (just use the ISPConfig DNS interface, it will work). After that you have to wait for the changes to propagate on the internet.
I think 24 hours will be enough.

Here is how the 50-user amavisd conf file looks:

#$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 192.168.1.0/24 x.x.x.x/32);
dkim_key('mail.domain1.com', 'mail', '/var/db/dkim/domain1.com.key.pem');
dkim_key('mail.domain2.com', 'mail', '/var/db/dkim/domain3.com.key.pem');
dkim_key('mail.domain3.com', 'mail', '/var/db/dkim/domain3.com.key.pem');

Now let's cut this into pieces:

$enable_dkim_verification = 1;

I commented this out because I really don't need amavisd to check the incoming mail for signatures, because some useful mails might get flagged as spam. If you really think that you will need this, you can uncomment this line.

$enable_dkim_signing = 1;

This line enables DKIM signing for outgoing mail.

@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

This one sets some DKIM signature properties like the hashing algorithm and the key's TTL. I recommend leaving this as it is unless you really know what you are doing.

Now the fun part is here:

@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 192.168.1.0/24 1.2.3.4/32);

Here is a list of hosts that are allowed to send mail through your mail server, in other words the trusted networks for which amavisd will sign the emails. You have to add here the IP classes/addresses from which you will send your emails. In my case all the emails are sent by the webmail interface (which uses the loopback address 127.0.0.1/8) and a public IP address which belongs to my network's NAT gateway (1.2.3.4/32; notice the /32 mask, which indicates that this is only one IP address and not the whole /24 class). If you are using your gateway/router as mail server too, you will only have to add the private IP class which your router is serving on (i.e. 192.168.1.0/24).

In my case the problem was that I have separate machines for the mail server and gateway, and I didn't have a record for my gateway's IP address, so amavisd refused to sign my emails.

Anyway, now all is working like it should. The funny part is that the stupid Yahoo still marks my messages as spam, but this is just a matter of time until their spam filters gather enough information and put my hosts on the whitelist.

Hope this will help!
Cheers!


Later edit: As I was saying some time ago... Yahoo was still marking my messages as spam. A few days ago I did another check, and... surprise... all of my messages went straight into Yahoo's Inbox. That's good news... so for those who are disappointed after setting up DKIM signatures and the messages end up in the spam folder: don't worry, it's just a matter of time... so all you have to do is wait.

Last edited by ciprianflorea; 3rd March 2010 at 13:58.

#9
18th January 2010, 02:35
esmiz
It helps mate, thanks a lot

I've been struggling for 3 days trying to figure out why amavis refused to sign my e-mails.
Your explanation about mynetworks has solved the problem.

Thanks again

#10
17th March 2010, 21:02
Antennipasi (ISPConfig Developer)
Quote:
Originally posted by ciprianflorea:
Now the fun part is here:

@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 192.168.1.0/24 1.2.3.4/32);

Finally got time to implement DKIM myself...
but anyway, if one wants to sign messages for authenticated SMTP users, replacing the @mynetworks line with:
Code:
$interface_policy{'10024'} = 'DKIM_ALWAYS';
$policy_bank{'DKIM_ALWAYS'} = { originating => 1, };
does the trick.
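To make the "originating" rule explained in post #8 and the policy-bank alternative in post #10 concrete, here is an added Python model of amavisd's signing decision. It is example code written for this page, not amavisd's own logic, and it simplifies: it assumes a dkim_key is chosen when the sender's domain equals, or lies below, the key's domain (longest match wins). The CIDR list, key map, interface policy and policy bank are the ones posted in the thread; the client addresses fed to it (such as 10.9.8.7 for the gateway) are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Settings as posted in the thread (@mynetworks, dkim_key lines, post #10's
# interface_policy / policy_bank). Port numbers are ints in this model.
MYNETWORKS = ["0.0.0.0/8", "127.0.0.0/8", "192.168.1.0/24", "1.2.3.4/32"]
DKIM_KEYS = {                       # dkim_key(domain, selector, keyfile)
    "mail.domain1.com": ("mail", "/var/db/dkim/domain1.com.key.pem"),
    "mail.domain2.com": ("mail", "/var/db/dkim/domain3.com.key.pem"),  # as posted
    "mail.domain3.com": ("mail", "/var/db/dkim/domain3.com.key.pem"),
}
INTERFACE_POLICY = {10024: "DKIM_ALWAYS"}
POLICY_BANKS = {"DKIM_ALWAYS": {"originating": True}}


def in_mynetworks(client_ip: str, networks) -> bool:
    """True if the SMTP client address falls inside any listed CIDR block."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def is_originating(client_ip, port, networks, interface_policy, policy_banks) -> bool:
    """Mail counts as 'originating' (eligible for signing) if the client is in
    @mynetworks, or if the policy bank bound to the listening port says so."""
    if in_mynetworks(client_ip, networks):
        return True
    bank = policy_banks.get(interface_policy.get(port, ""), {})
    return bool(bank.get("originating", False))


def select_signing_key(sender: str, keys) -> Optional[Tuple[str, str, str]]:
    """Assumption for this example: pick the key whose domain equals, or is a
    parent of, the sender's domain; the most specific domain wins."""
    domain = sender.rpartition("@")[2].lower()
    best = None
    for key_domain, (selector, path) in keys.items():
        kd = key_domain.lower()
        if domain == kd or domain.endswith("." + kd):
            if best is None or len(kd) > len(best[0]):
                best = (kd, selector, path)
    return best


def signing_decision(client_ip, port, sender, networks=MYNETWORKS, keys=DKIM_KEYS,
                     interface_policy=None, policy_banks=None) -> dict:
    """Combine both rules: sign only originating mail for which a key exists."""
    interface_policy = interface_policy or {}
    policy_banks = policy_banks or {}
    originating = is_originating(client_ip, port, networks, interface_policy, policy_banks)
    key = select_signing_key(sender, keys) if originating else None
    return {"originating": originating, "signed": key is not None,
            "d": key[0] if key else None, "selector": key[1] if key else None}


if __name__ == "__main__":
    cases = [("1.2.3.4", {}, {}), ("1.2.3.5", {}, {}), ("10.9.8.7", {}, {}),
             ("10.9.8.7", INTERFACE_POLICY, POLICY_BANKS)]
    for ip, ipol, banks in cases:
        print(ip, "policy bank" if ipol else "mynetworks only",
              signing_decision(ip, 10024, "user@mail.domain1.com",
                               interface_policy=ipol, policy_banks=banks))
```

The cases worth noting: the gateway at the constructed address 10.9.8.7 is not signed under the @mynetworks list alone (the failure described in post #8), but is signed once the port-10024 policy bank marks all traffic on that port as originating (post #10); 1.2.3.5 falls outside the /32 and stays unsigned; and originating mail from a domain with no dkim_key passes through unsigned. Because a DKIM signature asserts responsibility for the message, keep whichever rule you use narrow: list exactly the submission hosts, or bind the DKIM_ALWAYS bank to a port that only authenticated submission traffic reaches.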