
14th March 2008, 07:05
Junior Member
Help on setting up DKIM on CentOS 5
I followed this guide, but I'm having trouble getting all outbound email signed. Incoming mail appears to be verified OK.
Incoming email message header, sent from gmail.com:
Code:
X-DKIM: Sendmail DKIM Filter v2.2.1 mail.tesna.net 326414DF962B
Authentication-Results: mail.tesna.net; dkim=pass (1024-bit key) header.i=@gmail.com
I followed every step in the guide, but I'm not able to make it work.
Here's the log from /var/log/maillog (XXX is my ID/IP address):
Code:
Mar 13 22:32:34 server1 dkim-filter[5335]: Sendmail DKIM Filter v2.2.1 starting (args: -u dkim-milt -p local:/var/run/dkim-milter/dkim.sock -d tesna.net -k /etc/dkim-milter/tesna.net_default.key.pem -s default -b sv -c simple -S rsa-sha1 -C bad=r,dns=t,int=t,no=a,miss=r -h -l -D -P /var/run/dkim-filter0.pid)
Mar 13 22:32:44 server1 postfix/postfix-script: stopping the Postfix mail system
Mar 13 22:32:44 server1 postfix/master[22423]: terminating on signal 15
Mar 13 22:32:48 server1 sendmail[5787]: alias database /etc/aliases rebuilt by root
Mar 13 22:32:48 server1 sendmail[5787]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
Mar 13 22:32:54 server1 postfix/postfix-script: starting the Postfix mail system
Mar 13 22:32:54 server1 postfix/master[7270]: daemon started -- version 2.3.3, configuration /etc/postfix
Mar 13 22:35:38 server1 postfix/smtpd[19815]: warning: XXX.XXX.XXX.XXX: hostname rsvd-XXX-XXX.XXX.XXX.XXX.in-addr.arpa verification failed: Name or service not known
Mar 13 22:35:38 server1 postfix/smtpd[19815]: connect from unknown[203.169.59.126]
Mar 13 22:35:43 server1 postfix/smtpd[19815]: 638EE4DF962B: client=unknown[203.169.59.126]
Mar 13 22:35:45 server1 postfix/cleanup[20274]: 638EE4DF962B: message-id=<47DA0D69.1020600@tesna.net>
Mar 13 22:35:45 server1 dkim-filter[5335]: (unknown-jobid) external host rsvd-jgc-126.59.169.203.in-addr.arpa attempted to send as tesna.net
Mar 13 22:35:45 server1 postfix/qmgr[7276]: 638EE4DF962B: from=<tesna@tesna.net>, size=592, nrcpt=1 (queue active)
Mar 13 22:35:46 server1 postfix/smtpd[19815]: disconnect from unknown[203.169.59.126]
Mar 13 22:35:46 server1 postfix/smtp[21510]: 638EE4DF962B: to=<XXXXXXXX@gmail.com>, relay=gmail-smtp-in.l.google.com[72.14.247.27]:25, delay=5.5, delays=4.2/0.01/0.39/0.89, dsn=2.0.0, status=sent (250 2.0.0 OK 1205472946 32si21938537aga.20)
Mar 13 22:35:46 server1 postfix/qmgr[7276]: 638EE4DF962B: removed
And this is the log when receiving email from Gmail:
Code:
Mar 13 21:52:39 server1 postfix/smtpd[24512]: connect from fg-out-1718.google.com[72.14.220.158]
Mar 13 21:52:43 server1 postfix/smtpd[24512]: 326414DF962B: client=fg-out-1718.google.com[72.14.220.158]
Mar 13 21:52:43 server1 postfix/cleanup[25654]: 326414DF962B: message-id=<8084d9860803132152q22b843e6j8c061ffaae806f6c@mail.gmail.com>
Mar 13 21:52:43 server1 dkim-filter[14012]: 326414DF962B SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short
Mar 13 21:52:43 server1 postfix/qmgr[22444]: 326414DF962B: from=<XXXXXX@gmail.com>, size=1801, nrcpt=1 (queue active)
Mar 13 21:52:43 server1 postfix/local[25717]: 326414DF962B: to=<XXXXXXX@tesna.net>, relay=local, delay=3.3, delays=3.2/0.1/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 13 21:52:43 server1 postfix/qmgr[22444]: 326414DF962B: removed
Mar 13 21:53:14 server1 postfix/smtpd[24512]: disconnect from fg-out-1718.google.com[72.14.220.158]

14th March 2008, 11:14
Senior Member
Please post your config; I am sure it's just a small thing, as Postfix is able to talk to the milter. Are you trying to sign multiple domains?

15th March 2008, 00:16
Junior Member
No, I'm not trying to sign multiple domains; maybe I'll try that once this works. Here's my /etc/sysconfig/dkim-milter:
Code:
USER="dkim-milt"
PORT=local:/var/run/dkim-milter/dkim.sock
SIGNING_DOMAIN="tesna.net"
SELECTOR_NAME="default"
KEYFILE="/etc/dkim-milter/${SIGNING_DOMAIN}_${SELECTOR_NAME}.key.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
SIGALG=rsa-sha1
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
And I added this to the Postfix main.cf config file:
Code:
smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
non_smtpd_milters = unix:/var/run/dkim-milter/dkim.sock

15th March 2008, 17:24
Senior Member
Code:
ls -l /etc/dkim-milter/

15th March 2008, 23:51
Junior Member
Code:
[root@server1 ~]# ls -l /etc/dkim-milter/
total 4
-rwx------ 1 dkim-milt dkim-milt 891 Mar 12 20:29 tesna.net_default.key.pem
Btw, yesterday I also tried adding dk-milter to Postfix with a different selector name (default for DKIM, dk for DomainKeys), but it behaves the same way as dkim-milter: it only verifies incoming mail.
Code:
X-DKIM: Sendmail DKIM Filter v2.2.1 mail.tesna.net 47E4B4DF95AC
Authentication-Results: mail.tesna.net; dkim=pass (1024-bit key) header.i=@gmail.com
X-DomainKeys: Sendmail DomainKeys Filter v0.6.0 mail.tesna.net 47E4B4DF95AC
Authentication-Results: mail.tesna.net from=XXXXXX@gmail.com; domainkeys=pass (testing)
Code:
smtpd_milters = unix:/var/run/dk-milter/dk.sock unix:/var/run/dkim-milter/dkim.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock unix:/var/run/dkim-milter/dkim.sock
Code:
[root@server1 domainkeys]# ls -l /etc/mail/domainkeys/
total 4
-rw------- 1 dk-milt dk-milt 493 Mar 15 01:02 dk_tesna.net.pem
dk-milter config:
Code:
USER="dk-milt"
PORT="local:/var/run/dk-milter/dk.sock"
SIGNING_DOMAIN="tesna.net"
SELECTOR_NAME="dk"
KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
MILTER_GROUP="mail"
Last edited by tesna; 15th March 2008 at 23:56.

16th March 2008, 04:51
Junior Member
Update: after I reconfigured smtpd to use TLS, somehow the outgoing emails are signed using both DK and DKIM. Thanks for your support!

16th March 2008, 12:22
Senior Member
Are you sure it was not working before TLS, as your config is correct? What replies were you getting from the test autoresponder?

17th March 2008, 07:37
Junior Member
Yes, I'm sure it wasn't working. Besides enabling TLS, I'm also enabling smtp-auth.
Code:
Note: The authentication results are not available as there was no signature header or the signature could not be verified
Btw, a bit off topic: I tried to add a virus/spam scanner using amavisd, but the emails are bounced back when I enable the DK+DKIM milters together with the amavisd content_checker. However, if I enable only the amavisd content filter (with the DK+DKIM milters disabled) or vice versa, my Postfix is able to receive emails. What spam filtering/virus checking engine did you use on your mail server configured with DKIM milters?
Code:
Mar 16 21:16:13 server1 postfix/smtpd[24391]: connect from fg-out-1718.google.com[72.14.220.155]
Mar 16 21:16:13 server1 postfix/smtpd[24391]: E265B4E11B6C: client=fg-out-1718.google.com[72.14.220.155]
Mar 16 21:16:14 server1 postfix/cleanup[24418]: E265B4E11B6C: message-id=<8084d9860803162116j6cbfb4e7iffd9ceed65786942@mail.gmail.com>
Mar 16 21:16:14 server1 dkim-filter[15403]: E265B4E11B6C SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short
Mar 16 21:16:14 server1 postfix/qmgr[21902]: E265B4E11B6C: from=<XXXXX@gmail.com>, size=1800, nrcpt=1 (queue active)
Mar 16 21:16:15 server1 postfix/smtpd[24433]: connect from unknown[127.0.0.1]
Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: CONNECT from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: EHLO from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: MAIL from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=ESMTP helo=<localhost>
Mar 16 21:16:15 server1 amavis[28352]: (28352-02) Negative SMTP resp to DATA: 503 5.5.1 Error: need MAIL command
Mar 17 04:16:15 server1 postfix/smtpd[24433]: disconnect from unknown[127.0.0.1]
Mar 16 21:16:15 server1 amavis[28352]: (28352-02) Negative SMTP resp. to QUIT: 503 5.5.1 Error: need RCPT command
Mar 16 21:16:15 server1 amavis[28352]: (28352-02) (!)FWD via SMTP: <XXXXXX@gmail.com> -> <tesna@tesna.net>,BODY=7BIT 451 4.6.0 Failed, id=28352-02, from MTA([127.0.0.1]:10025): 451 4.7.1 Service unavailable - try again later
Mar 16 21:16:15 server1 amavis[28352]: (28352-02) Blocked MTA-BLOCKED, [72.14.220.155] [72.14.220.155] <XXXXXX@gmail.com> -> <XXXXXX@tesna.net>, Message-ID: <8084d9860803162116j6cbfb4e7iffd9ceed65786942@mail.gmail.com>, mail_id: cZWcsLfuyozB, Hits: 0, size: 2088, 901 ms
Mar 16 21:16:15 server1 postfix/smtp[24423]: E265B4E11B6C: to=<XXXXX@tesna.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=0.78/0.01/0/0.9, dsn=4.7.1, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.7.1 Service unavailable - try again later (in reply to end of DATA command))
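The two log excerpts in this thread each carry one tell-tale line: dkim-filter's "external host ... attempted to send as tesna.net" beside an outbound message, and Postfix's "milter-reject ... from unknown[127.0.0.1]" while amavisd forwards mail back to the MTA. As an added example (not code from the thread or from either project), this Python function pulls both conditions out of a maillog excerpt; the name `triage` and the same-second correlation, needed because dkim-filter logs `(unknown-jobid)`, are assumptions made here.

```python
import re
from collections import defaultdict

# Log lines copied from the posts above (addresses already masked by the poster).
SAMPLE_LOG = """\
Mar 13 22:35:45 server1 dkim-filter[5335]: (unknown-jobid) external host rsvd-jgc-126.59.169.203.in-addr.arpa attempted to send as tesna.net
Mar 13 22:35:45 server1 postfix/qmgr[7276]: 638EE4DF962B: from=<tesna@tesna.net>, size=592, nrcpt=1 (queue active)
Mar 13 22:35:46 server1 postfix/smtp[21510]: 638EE4DF962B: to=<XXXXXXXX@gmail.com>, relay=gmail-smtp-in.l.google.com[72.14.247.27]:25, delay=5.5, delays=4.2/0.01/0.39/0.89, dsn=2.0.0, status=sent (250 2.0.0 OK 1205472946 32si21938537aga.20)
Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: CONNECT from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: MAIL from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=ESMTP helo=<localhost>
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w/-]+)\[\d+\]: (.*)$")
EXTERNAL = re.compile(r"external host (\S+) attempted to send as (\S+)")
QMGR_FROM = re.compile(r"^([0-9A-F]+): from=<[^>]*@([^>]+)>")
SENT_OUT = re.compile(r"^([0-9A-F]+): to=<[^>]*>, relay=(\S+?)\[.*status=sent")
MILTER_REJ = re.compile(r"milter-reject: (\w+) from \S+\[(127\.0\.0\.1|::1)\]: (\d{3})")

def triage(log, signing_domain):
    """Return (unsigned_outbound, loopback_rejects) found in a maillog excerpt."""
    refused_at = set()            # seconds in which dkim-filter saw an "external host"
    sender_domain, stamp = {}, {}
    unsigned, rejects = [], defaultdict(list)
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, prog, msg = m.groups()
        if prog == "dkim-filter" and (e := EXTERNAL.search(msg)):
            if e.group(2) == signing_domain:
                refused_at.add(ts)
        elif prog == "postfix/qmgr" and (q := QMGR_FROM.match(msg)):
            sender_domain[q.group(1)], stamp[q.group(1)] = q.group(2), ts
        elif prog == "postfix/smtp" and (s := SENT_OUT.match(msg)):
            qid = s.group(1)
            # Heuristic: mail from our own domain, queued in the same second the
            # filter classed the client as external, was relayed out unsigned.
            if sender_domain.get(qid) == signing_domain and stamp[qid] in refused_at:
                unsigned.append((qid, s.group(2)))
        elif prog == "postfix/smtpd" and (r := MILTER_REJ.search(msg)):
            # SMTP stages at which a milter turned away a loopback client.
            rejects[r.group(3)].append(r.group(1))
    return unsigned, dict(rejects)
```

On the excerpt it reports queue ID 638EE4DF962B as relayed to Gmail unsigned, and 451 rejections at the CONNECT and MAIL stages of the loopback session.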

21st March 2008, 09:52
Senior Member
Amavis for me is too resource intensive; I have everything hooked into my Postfix:
virus/image/pdf spam -> clamav via clamav-milter
spam -> spamassassin via spamass-milter
domain keys -> dk-milter
dkim -> dkim-milter
rbls -> spamhaus and spamcop
rogue clients -> postfix checks
And all works well, highly effective.

24th March 2008, 08:48
Junior Member
Thanks for your suggestion, I really appreciate it.
Btw, I've configured spamass-milter and clamav-milter according to one of your guides (http://howtoforge.com/virtual-hostin...-on-centos5.1), except I didn't add the fuzzy OCR thing. Both seem fine, but spam is not tagged or the results/scores are not added to the email headers. I got headers from dkim, dk, clamav and spf indicating the auth/scanning results, but not from spamassassin.
Here's the log of a sample email sent from Yahoo to my email account:
Code:
Mar 24 14:36:13 server1 postfix/virtual[11916]: 6C86B48503E4: to=<XXXX@XXXX.net>, relay=virtual, delay=0.35, delays=0.01/0.33/0/0, dsn=2.0.0, status=deliverable (delivers to maildir)
Mar 24 14:36:13 server1 postfix/qmgr[17787]: 6C86B48503E4: removed
Mar 24 14:36:47 server1 postfix/policy-spf[12116]: handler sender_policy_framework: is decisive.
Mar 24 14:36:47 server1 postfix/policy-spf[12116]: : Policy action=PREPEND Received-SPF: none (yahoo.com: No applicable sender policy available) receiver=server1.tesna.net; identity=mfrom; envelope-from="tesna_rh@yahoo.com"; helo=web58413.mail.re3.yahoo.com; client-ip=68.142.236.181
Mar 24 14:36:47 server1 postfix/smtpd[11872]: 9AF5E48503E4: client=web58413.mail.re3.yahoo.com[68.142.236.181]
Mar 24 14:36:47 server1 postfix/cleanup[11912]: 9AF5E48503E4: message-id=<915104.36333.qm@web58413.mail.re3.yahoo.com>
Mar 24 14:36:48 server1 spamd[30667]: spamd: connection from xxx.xxxx.net [127.0.0.1] at port 45600
Mar 24 14:36:48 server1 spamd[30667]: spamd: setuid to root succeeded
Mar 24 14:36:48 server1 spamd[30667]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
Mar 24 14:36:48 server1 spamd[30667]: spamd: processing message <915104.36333.qm@web58413.mail.re3.yahoo.com> for root:99
Mar 24 14:36:48 server1 spamd[30667]: spamd: clean message (0.0/5.0) for root:99 in 0.3 seconds, 3956 bytes.
Mar 24 14:36:48 server1 spamd[30667]: spamd: result: . 0 - scantime=0.3,size=3956,user=root,uid=99,required_score=5.0,rhost=xxxx.xxxx.net,raddr=127.0.0.1,rport=45600,mid=<915104.36333.qm@web58413.mail.re3.yahoo.com>,autolearn=ham
Mar 24 14:36:48 server1 spamass-milter[30032]: Could not extract score from <>
Mar 24 14:36:48 server1 spamd[26346]: prefork: child states: II
Mar 24 14:36:48 server1 postfix/qmgr[17787]: 9AF5E48503E4: from=<xxxxxx@yahoo.com>, size=3766, nrcpt=1 (queue active)
Mar 24 14:36:49 server1 postfix/smtpd[11872]: disconnect from web58413.mail.re3.yahoo.com[68.142.236.181]
Mar 24 14:36:52 server1 postfix/virtual[11916]: 9AF5E48503E4: to=<xxxx@xxxx.net>, relay=virtual, delay=40, delays=36/0/0/3.8, dsn=2.0.0, status=sent (delivered to maildir)
And this is the header from my email:
Code:
Received-SPF: none (yahoo.com: No applicable sender policy available) receiver=xxxx.xxxx.net; identity=mfrom; envelope-from="xxxxxx@yahoo.com"; helo=web58413.mail.re3.yahoo.com; client-ip=68.142.236.181
X-DomainKeys: Sendmail DomainKeys Filter v0.6.0 mail.tesna.net 9AF5E48503E4
Authentication-Results: XXXX from=XXXXX@yahoo.com; domainkeys=pass (testing)
X-DKIM: Sendmail DKIM Filter v2.2.1 xxx.xxx.net 9AF5E48503E4
Received: from web58413.mail.re3.yahoo.com (web58413.mail.re3.yahoo.com [68.142.236.181])
by xxxx.xxxx.net (Postfix) with SMTP id 9AF5E48503E4
for <xxx@xxxx.net>; Mon, 24 Mar 2008 14:36:12 +0900 (JST)
Received: (qmail 39910 invoked by uid 60001); 24 Mar 2008 05:36:11 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
b=1gliDB/3G8RjcILSGAVwyIsz482AvKg2cYQsH2JR/um3n7Gp0jIEJYhOv1iR6t/P8p4s7zdxU3IJcDEu4SdNd6oxNjTWzHnvfK+8zHW0f8gCFQL7a4SFH8dADRVjpzT1lOeaQNx9ioSXAT5pLahLgJLOC6HvMSfoeN68EmjM2Pc=;
X-YMail-OSG: PGLq8qAVM1nPWn3Mmlhwo2_bASw0evNEDJx2UFlUA77yWksib01x_XqBWcWEsEsNqbgbHd3ptXu0JnbgE6.bKWkBWv1QNEmBarfVQqgiGGBcjKE-
Received: from [203.169.59.126] by web58413.mail.re3.yahoo.com via HTTP; Sun, 23 Mar 2008 22:36:11 PDT
Date: Sun, 23 Mar 2008 22:36:11 -0700 (PDT)
From: XXXXXX
Subject: testing
To: XXXXXX
In-Reply-To: <20080324135701.20932@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <915104.36333.qm@web58413.mail.re3.yahoo.com>
X-Virus-Scanned: ClamAV version 0.92.1, clamav-milter version 0.92.1 on xxxx.xxxx.net
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on xxxx.xxxx.net
Or is that behavior normal? I saw the score in the logs above, but then after that it says couldn't extract score from <>?
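The log and header dump in the post above can be cross-checked mechanically: spamd records a result for the message, yet the delivered headers carry `X-Spam-Checker-Version` without the `X-Spam-Status` line that normally holds the score. As an added example (not code from the thread or from SpamAssassin), this Python function matches spamd `result:` lines to a message by Message-ID and reports which filter stages left a result header; the function names and report keys are assumptions made here.

```python
import re
from email import message_from_string

# Copied from the log and header dump in the post above, shortened.
SAMPLE_LOG = """\
Mar 24 14:36:48 server1 spamd[30667]: spamd: result: . 0 - scantime=0.3,size=3956,user=root,uid=99,required_score=5.0,rhost=xxxx.xxxx.net,raddr=127.0.0.1,rport=45600,mid=<915104.36333.qm@web58413.mail.re3.yahoo.com>,autolearn=ham
Mar 24 14:36:48 server1 spamass-milter[30032]: Could not extract score from <>
"""
SAMPLE_HEADERS = """\
Authentication-Results: XXXX from=XXXXX@yahoo.com; domainkeys=pass (testing)
Message-ID: <915104.36333.qm@web58413.mail.re3.yahoo.com>
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on xxxx.xxxx.net

"""

RESULT = re.compile(
    r"spamd: result: (\S)\s+(-?\d+)\s+- .*?required_score=([\d.]+).*?mid=(<[^>]+>)")
AUTH_METHOD = re.compile(r"\b(dkim|domainkeys)=(\w+)")

def spamd_results(log):
    """Map Message-ID -> (score, required_score) from spamd 'result:' lines."""
    return {m.group(4): (int(m.group(2)), float(m.group(3)))
            for m in RESULT.finditer(log)}

def audit(log, raw_headers):
    """Compare what the filters logged with what reached the delivered headers."""
    msg = message_from_string(raw_headers)
    mid = msg.get("Message-ID", "").strip()
    auth_lines = " ".join(msg.get_all("Authentication-Results", []))
    return {
        "message_id": mid,
        "spamd_score": spamd_results(log).get(mid),   # None if spamd never saw it
        "has_spam_status": "X-Spam-Status" in msg,    # header lookup ignores case
        "virus_status": msg.get("X-Virus-Status"),
        "auth": dict(AUTH_METHOD.findall(auth_lines)),
        "milter_extract_errors": log.count("Could not extract score"),
    }
```

A report with a `spamd_score` but `has_spam_status` false means spamd did score the message and the result was lost before the headers were written, which narrows the search to the hand-off between spamd and spamass-milter.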