#1 - tesna - 14th March 2008, 07:05
help on setting up dkim on centos 5

I followed this guide, but I'm having trouble getting all outbound email signed. For incoming mail, it appears to be verified OK.

Incoming email message header sent from gmail.com:
Code:
X-DKIM: Sendmail DKIM Filter v2.2.1 mail.tesna.net 326414DF962B
Authentication-Results: mail.tesna.net; dkim=pass (1024-bit key) header.i=@gmail.com

I followed every step in the guide, but I'm not able to make it work.

Here's the log from /var/log/maillog (XXX is my ID/IP address):
Code:
Mar 13 22:32:34 server1 dkim-filter[5335]: Sendmail DKIM Filter v2.2.1 starting (args: -u dkim-milt -p local:/var/run/dkim-milter/dkim.sock -d tesna.net -k /etc/dkim-milter/tesna.net_default.key.pem -s default -b sv -c simple -S rsa-sha1 -C bad=r,dns=t,int=t,no=a,miss=r -h -l -D -P /var/run/dkim-filter0.pid)
Mar 13 22:32:44 server1 postfix/postfix-script: stopping the Postfix mail system
Mar 13 22:32:44 server1 postfix/master[22423]: terminating on signal 15
Mar 13 22:32:48 server1 sendmail[5787]: alias database /etc/aliases rebuilt by root
Mar 13 22:32:48 server1 sendmail[5787]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
Mar 13 22:32:54 server1 postfix/postfix-script: starting the Postfix mail system
Mar 13 22:32:54 server1 postfix/master[7270]: daemon started -- version 2.3.3, configuration /etc/postfix
Mar 13 22:35:38 server1 postfix/smtpd[19815]: warning: XXX.XXX.XXX.XXX: hostname rsvd-XXX-XXX.XXX.XXX.XXX.in-addr.arpa verification failed: Name or service not known
Mar 13 22:35:38 server1 postfix/smtpd[19815]: connect from unknown[203.169.59.126]
Mar 13 22:35:43 server1 postfix/smtpd[19815]: 638EE4DF962B: client=unknown[203.169.59.126]
Mar 13 22:35:45 server1 postfix/cleanup[20274]: 638EE4DF962B: message-id=<47DA0D69.1020600@tesna.net>
Mar 13 22:35:45 server1 dkim-filter[5335]: (unknown-jobid) external host rsvd-jgc-126.59.169.203.in-addr.arpa attempted to send as tesna.net
Mar 13 22:35:45 server1 postfix/qmgr[7276]: 638EE4DF962B: from=<tesna@tesna.net>, size=592, nrcpt=1 (queue active)
Mar 13 22:35:46 server1 postfix/smtpd[19815]: disconnect from unknown[203.169.59.126]
Mar 13 22:35:46 server1 postfix/smtp[21510]: 638EE4DF962B: to=<XXXXXXXX@gmail.com>, relay=gmail-smtp-in.l.google.com[72.14.247.27]:25, delay=5.5, delays=4.2/0.01/0.39/0.89, dsn=2.0.0, status=sent (250 2.0.0 OK 1205472946 32si21938537aga.20)
Mar 13 22:35:46 server1 postfix/qmgr[7276]: 638EE4DF962B: removed

And this is the log when receiving email from gmail:

Code:
Mar 13 21:52:39 server1 postfix/smtpd[24512]: connect from fg-out-1718.google.com[72.14.220.158]
Mar 13 21:52:43 server1 postfix/smtpd[24512]: 326414DF962B: client=fg-out-1718.google.com[72.14.220.158]
Mar 13 21:52:43 server1 postfix/cleanup[25654]: 326414DF962B: message-id=<8084d9860803132152q22b843e6j8c061ffaae806f6c@mail.gmail.com>
Mar 13 21:52:43 server1 dkim-filter[14012]: 326414DF962B SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short
Mar 13 21:52:43 server1 postfix/qmgr[22444]: 326414DF962B: from=<XXXXXX@gmail.com>, size=1801, nrcpt=1 (queue active)
Mar 13 21:52:43 server1 postfix/local[25717]: 326414DF962B: to=<XXXXXXX@tesna.net>, relay=local, delay=3.3, delays=3.2/0.1/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 13 21:52:43 server1 postfix/qmgr[22444]: 326414DF962B: removed
Mar 13 21:53:14 server1 postfix/smtpd[24512]: disconnect from fg-out-1718.google.com[72.14.220.158]
#2 - topdog - 14th March 2008, 11:14

Please post your config, I am sure it's just a small thing as postfix is able to talk to the milter. Are you trying to sign multiple domains?
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#3 - tesna - 15th March 2008, 00:16

No, I'm not trying to sign multiple domains; maybe I'll try that once this works. Here's my /etc/sysconfig/dkim-milter:

Code:
USER="dkim-milt"
PORT=local:/var/run/dkim-milter/dkim.sock
SIGNING_DOMAIN="tesna.net"
SELECTOR_NAME="default"
KEYFILE="/etc/dkim-milter/${SIGNING_DOMAIN}_${SELECTOR_NAME}.key.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
SIGALG=rsa-sha1
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"

And I added this to the main.cf postfix config file:
Code:
smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
non_smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
#4 - topdog - 15th March 2008, 17:24

Code:
ls -l /etc/dkim-milter/
#5 - tesna - 15th March 2008, 23:51

Code:
[root@server1 ~]# ls -l /etc/dkim-milter/
total 4
-rwx------ 1 dkim-milt dkim-milt 891 Mar 12 20:29 tesna.net_default.key.pem

Btw, yesterday I also tried to add dk-milter into postfix with a different selector name (default for dkim, dk for domainkeys). But it behaves the same way as dkim-milter: it only verifies incoming mails.

Code:
X-DKIM: Sendmail DKIM Filter v2.2.1 mail.tesna.net 47E4B4DF95AC
Authentication-Results: mail.tesna.net; dkim=pass (1024-bit key) header.i=@gmail.com
X-DomainKeys: Sendmail DomainKeys Filter v0.6.0 mail.tesna.net 47E4B4DF95AC
Authentication-Results: mail.tesna.net from=XXXXXX@gmail.com; domainkeys=pass (testing)
Code:
smtpd_milters = unix:/var/run/dk-milter/dk.sock unix:/var/run/dkim-milter/dkim.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock unix:/var/run/dkim-milter/dkim.sock
Code:
[root@server1 domainkeys]# ls -l /etc/mail/domainkeys/
total 4
-rw------- 1 dk-milt dk-milt 493 Mar 15 01:02 dk_tesna.net.pem

dk-milter config:
Code:
USER="dk-milt"
PORT="local:/var/run/dk-milter/dk.sock"
SIGNING_DOMAIN="tesna.net"
SELECTOR_NAME="dk"
KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
MILTER_GROUP="mail"

Last edited by tesna; 15th March 2008 at 23:56.
#6 - tesna - 16th March 2008, 04:51

Update: after I reconfigured smtpd to use TLS, somehow the outgoing emails are signed using both DK and DKIM. Thanks for your support!
#7 - topdog - 16th March 2008, 12:22

Are you sure it was not working before TLS? As your config is correct, what replies were you getting from the test autoresponder?
#8 - tesna - 17th March 2008, 07:37

Yes, I'm sure it wasn't working. Other than enabling TLS, I'm also enabling smtp-auth.

Code:
Note: The authentication results are not available as there was no signature header or the signature could not be verified

Btw, a bit off topic. I tried to add a virus/spam scanner using amavisd, but the emails are bounced back when I enable the DK+DKIM milters + amavisd content_checker. However, if I enable only the amavisd content filter (disable the DK+DKIM milters) or vice versa, my postfix is able to receive emails. What spam filtering/virus checking engine did you use on your mail server configured with dkim milters?

Code:
Mar 16 21:16:13 server1 postfix/smtpd[24391]: connect from fg-out-1718.google.com[72.14.220.155]
Mar 16 21:16:13 server1 postfix/smtpd[24391]: E265B4E11B6C: client=fg-out-1718.google.com[72.14.220.155]
Mar 16 21:16:14 server1 postfix/cleanup[24418]: E265B4E11B6C: message-id=<8084d9860803162116j6cbfb4e7iffd9ceed65786942@mail.gmail.com>
Mar 16 21:16:14 server1 dkim-filter[15403]: E265B4E11B6C SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short
Mar 16 21:16:14 server1 postfix/qmgr[21902]: E265B4E11B6C: from=<XXXXX@gmail.com>, size=1800, nrcpt=1 (queue active)
Mar 16 21:16:15 server1 postfix/smtpd[24433]: connect from unknown[127.0.0.1]

Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: CONNECT from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: EHLO from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: MAIL from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=ESMTP helo=<localhost>
Mar 16 21:16:15 server1 amavis[28352]: (28352-02) Negative SMTP resp to DATA: 503 5.5.1 Error: need MAIL command
Mar 17 04:16:15 server1 postfix/smtpd[24433]: disconnect from unknown[127.0.0.1]
Mar 16 21:16:15 server1 amavis[28352]: (28352-02) Negative SMTP resp. to QUIT: 503 5.5.1 Error: need RCPT command
Mar 16 21:16:15 server1 amavis[28352]: (28352-02) (!)FWD via SMTP: <XXXXXX@gmail.com> -> <tesna@tesna.net>,BODY=7BIT 451 4.6.0 Failed, id=28352-02, from MTA([127.0.0.1]:10025): 451 4.7.1 Service unavailable - try again later
Mar 16 21:16:15 server1 amavis[28352]: (28352-02) Blocked MTA-BLOCKED, [72.14.220.155] [72.14.220.155] <XXXXXX@gmail.com> -> <XXXXXX@tesna.net>, Message-ID: <8084d9860803162116j6cbfb4e7iffd9ceed65786942@mail.gmail.com>, mail_id: cZWcsLfuyozB, Hits: 0, size: 2088, 901 ms
Mar 16 21:16:15 server1 postfix/smtp[24423]: E265B4E11B6C: to=<XXXXX@tesna.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=0.78/0.01/0/0.9, dsn=4.7.1, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.7.1 Service unavailable - try again later (in reply to end of DATA command))
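
Added example (not part of the thread, and not code from dkim-milter, Postfix or amavisd): a Python triage pass over maillog lines copied from posts #1 and #8. It flags the `external host ... attempted to send as` message, where dkim-filter classed the submitting client as external, and the `milter-reject` on the loopback connection behind the amavisd deferral. Pairing the dkim-filter line with the preceding `client=` queue ID is a heuristic assumed here, because the filter logs `(unknown-jobid)`.

```python
import re

# Lines copied (trimmed selection) from the maillog excerpts in posts #1 and #8.
SAMPLE_LOG = """\
Mar 13 22:35:43 server1 postfix/smtpd[19815]: 638EE4DF962B: client=unknown[203.169.59.126]
Mar 13 22:35:45 server1 dkim-filter[5335]: (unknown-jobid) external host rsvd-jgc-126.59.169.203.in-addr.arpa attempted to send as tesna.net
Mar 13 22:35:45 server1 postfix/qmgr[7276]: 638EE4DF962B: from=<tesna@tesna.net>, size=592, nrcpt=1 (queue active)
Mar 17 04:16:15 server1 postfix/smtpd[24433]: NOQUEUE: milter-reject: CONNECT from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Mar 16 21:16:15 server1 postfix/smtp[24423]: E265B4E11B6C: to=<XXXXX@tesna.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=0.78/0.01/0/0.9, dsn=4.7.1, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.7.1 Service unavailable - try again later (in reply to end of DATA command))
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[\w./-]+)\[\d+\]: (?P<msg>.*)$")
CLIENT = re.compile(r"^(?P<qid>[0-9A-F]{6,}): client=\S+\[(?P<ip>[^\]]+)\]")
EXTERNAL = re.compile(r"external host (?P<host>\S+) attempted to send as (?P<domain>\S+)")
LOOPBACK_REJECT = re.compile(r"milter-reject: (?P<stage>\w+) from \S*\[(?:127\.0\.0\.1|::1)\]")
DEFERRED = re.compile(r"^(?P<qid>[0-9A-F]{6,}): .*relay=127\.0\.0\.1\[[^\]]+\]:(?P<port>\d+),.*status=deferred")


def triage(log_text):
    """Return (kind, detail) findings for the two failure patterns in the thread."""
    findings = []
    last_client = None  # most recent smtpd (queue id, client ip); heuristic correlation
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        if prog == "postfix/smtpd" and (c := CLIENT.match(msg)):
            last_client = (c["qid"], c["ip"])
        elif prog == "dkim-filter" and (e := EXTERNAL.search(msg)):
            # dkim-filter classed the client as external for a domain it signs for.
            qid, ip = last_client or (None, None)
            findings.append(("not-signed-external-client",
                             {"domain": e["domain"], "host": e["host"], "qid": qid, "client_ip": ip}))
        elif prog == "postfix/smtpd" and (r := LOOPBACK_REJECT.search(msg)):
            # A milter rejected a loopback connection (content-filter re-injection path).
            findings.append(("milter-reject-on-loopback", {"stage": r["stage"]}))
        elif prog == "postfix/smtp" and (d := DEFERRED.match(msg)):
            findings.append(("content-filter-deferred", {"qid": d["qid"], "port": d["port"]}))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
```

dkim-filter signs for clients it considers internal or that have authenticated, which is consistent with the report in post #8 that signing started once smtp-auth was enabled.
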
#9 - topdog - 21st March 2008, 09:52

Amavis for me is too resource intensive; I have everything hooked into my postfix.

virus/image/pdf spam -> clamav via clamav-milter
spam -> spamassassin via spamass-milter
domain keys -> dk-milter
dkim -> dkim-milter
rbls -> spamhaus and spamcop
rogue clients -> postfix checks

And all works well, highly effective.
#10 - tesna - 24th March 2008, 08:48

Thanks for your suggestion, I really appreciate it.

Btw, I've configured spamass-milter and clamav-milter according to one of your guides (http://howtoforge.com/virtual-hostin...-on-centos5.1), except I didn't add the fuzzy ocr thing. Both seem fine, but spams are not tagged or the results/scores are not added to email headers. I got the headers from dkim, dk, clamav, spf indicating the auth/scanning results, but not spamassassin.

Here's the log of a sample email sent from yahoo to my email account:

Code:
Mar 24 14:36:13 server1 postfix/virtual[11916]: 6C86B48503E4: to=<XXXX@XXXX.net>, relay=virtual, delay=0.35, delays=0.01/0.33/0/0, dsn=2.0.0, status=deliverable (delivers to maildir)
Mar 24 14:36:13 server1 postfix/qmgr[17787]: 6C86B48503E4: removed
Mar 24 14:36:47 server1 postfix/policy-spf[12116]: handler sender_policy_framework: is decisive.
Mar 24 14:36:47 server1 postfix/policy-spf[12116]: : Policy action=PREPEND Received-SPF: none (yahoo.com: No applicable sender policy available) receiver=server1.tesna.net; identity=mfrom; envelope-from="tesna_rh@yahoo.com"; helo=web58413.mail.re3.yahoo.com; client-ip=68.142.236.181
Mar 24 14:36:47 server1 postfix/smtpd[11872]: 9AF5E48503E4: client=web58413.mail.re3.yahoo.com[68.142.236.181]
Mar 24 14:36:47 server1 postfix/cleanup[11912]: 9AF5E48503E4: message-id=<915104.36333.qm@web58413.mail.re3.yahoo.com>
Mar 24 14:36:48 server1 spamd[30667]: spamd: connection from xxx.xxxx.net [127.0.0.1] at port 45600
Mar 24 14:36:48 server1 spamd[30667]: spamd: setuid to root succeeded
Mar 24 14:36:48 server1 spamd[30667]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
Mar 24 14:36:48 server1 spamd[30667]: spamd: processing message <915104.36333.qm@web58413.mail.re3.yahoo.com> for root:99
Mar 24 14:36:48 server1 spamd[30667]: spamd: clean message (0.0/5.0) for root:99 in 0.3 seconds, 3956 bytes.
Mar 24 14:36:48 server1 spamd[30667]: spamd: result: . 0 - scantime=0.3,size=3956,user=root,uid=99,required_score=5.0,rhost=xxxx.xxxx.net,raddr=127.0.0.1,rport=45600,mid=<915104.36333.qm@web58413.mail.re3.yahoo.com>,autolearn=ham
Mar 24 14:36:48 server1 spamass-milter[30032]: Could not extract score from <>
Mar 24 14:36:48 server1 spamd[26346]: prefork: child states: II
Mar 24 14:36:48 server1 postfix/qmgr[17787]: 9AF5E48503E4: from=<xxxxxx@yahoo.com>, size=3766, nrcpt=1 (queue active)
Mar 24 14:36:49 server1 postfix/smtpd[11872]: disconnect from web58413.mail.re3.yahoo.com[68.142.236.181]
Mar 24 14:36:52 server1 postfix/virtual[11916]: 9AF5E48503E4: to=<xxxx@xxxx.net>, relay=virtual, delay=40, delays=36/0/0/3.8, dsn=2.0.0, status=sent (delivered to maildir)

And this is the header from my email:
Code:
Received-SPF: none (yahoo.com: No applicable sender policy available) receiver=xxxx.xxxx.net; identity=mfrom; envelope-from="xxxxxx@yahoo.com"; helo=web58413.mail.re3.yahoo.com; client-ip=68.142.236.181
X-DomainKeys: Sendmail DomainKeys Filter v0.6.0 mail.tesna.net 9AF5E48503E4
Authentication-Results: XXXX from=XXXXX@yahoo.com; domainkeys=pass (testing)
X-DKIM: Sendmail DKIM Filter v2.2.1 xxx.xxx.net 9AF5E48503E4
Received: from web58413.mail.re3.yahoo.com (web58413.mail.re3.yahoo.com [68.142.236.181])
	by xxxx.xxxx.net (Postfix) with SMTP id 9AF5E48503E4
	for <xxx@xxxx.net>; Mon, 24 Mar 2008 14:36:12 +0900 (JST)
Received: (qmail 39910 invoked by uid 60001); 24 Mar 2008 05:36:11 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=1gliDB/3G8RjcILSGAVwyIsz482AvKg2cYQsH2JR/um3n7Gp0jIEJYhOv1iR6t/P8p4s7zdxU3IJcDEu4SdNd6oxNjTWzHnvfK+8zHW0f8gCFQL7a4SFH8dADRVjpzT1lOeaQNx9ioSXAT5pLahLgJLOC6HvMSfoeN68EmjM2Pc=;
X-YMail-OSG: PGLq8qAVM1nPWn3Mmlhwo2_bASw0evNEDJx2UFlUA77yWksib01x_XqBWcWEsEsNqbgbHd3ptXu0JnbgE6.bKWkBWv1QNEmBarfVQqgiGGBcjKE-
Received: from [203.169.59.126] by web58413.mail.re3.yahoo.com via HTTP; Sun, 23 Mar 2008 22:36:11 PDT
Date: Sun, 23 Mar 2008 22:36:11 -0700 (PDT)
From: XXXXXX
Subject: testing
To: XXXXXX
In-Reply-To: <20080324135701.20932@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <915104.36333.qm@web58413.mail.re3.yahoo.com>
X-Virus-Scanned: ClamAV version 0.92.1, clamav-milter version 0.92.1 on xxxx.xxxx.net
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on xxxx.xxxx.net

Or is that behavior normal? I saw the score in the logs above, but then after that it says couldn't extract score from <>?