DKIM With dkim-milter & Domainkeys In Postfix Using dk-milter

Discussion in 'Server Operation' started by pg001, Jul 29, 2008.

  1. pg001

    pg001 New Member

    I am running CentOS 5.2 perfect server with ISPConfig, with Domainkeys In Postfix Using dk-milter. Everything is running well and perfect, the emails are being signed, thanks for the howto's. I'm just wondering though, can I also implement Postfix DKIM With dkim-milter?

    I want to know if it is possible to implement them both and what adjustments I would need to do. Thanks in advance.
     
  2. topdog

    topdog HowtoForge Supporter

    You can do both, there are tutorials on doing both here on howtoforge
     
  3. pg001

    pg001 New Member

    Wow! That's cool, thanks. Can you please point me to a link where I could find it?
     
  4. topdog

    topdog HowtoForge Supporter

  5. pg001

    pg001 New Member

    I followed the how to and I got no errors until on the "Configure Postfix " section I got stuck, here are my concerns:

    1. "Append to the existing milters if you have other milters already configured. " -how do I exactly do this?

    2. Since I did not know what to do, I added this code:
    Code:
    smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
    non_smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
    to the bottom of /etc/postfix/main.cf file. Is this the right way to do it?

    3. When I did #2 and started dkim-milter I got this error:
    Code:
    Starting DKIM milter (dkim-filter #0): dkim-filter: smfi_opensocket() failed
                                                               [FAILED]
    thanks in advance... sorry for the bugging, I'm just a linux newbie trying to learn how to setup good email delivery. :)
     
  6. topdog

    topdog HowtoForge Supporter

    1. Append means add to what is already there.
    3. Check the permissions on the socket file.
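
What "append" means for this parameter, as an added example that is not part of the original thread: Postfix keeps only the last definition of a parameter in main.cf, so a second `smtpd_milters` line pasted at the bottom replaces an earlier one instead of adding to it. The sample main.cf is constructed (the earlier dk-milter lines are an assumption) and the helper names are hypothetical.

```python
import re

# Constructed main.cf fragment: dk-milter lines assumed to exist from the
# earlier DomainKeys setup, plus the dkim-milter lines pasted at the bottom.
SAMPLE_MAIN_CF = """\
smtpd_milters = unix:/var/run/dk-milter/dk.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock
mydestination = localhost
smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
non_smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
"""

def parse_params(text):
    """Return {name: [value, ...]} in file order, honouring continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:      # continuation of the previous parameter
            params[name][-1] += " " + line.strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            name = m.group(1)
            params.setdefault(name, []).append(m.group(2).strip())
    return params

def shadowed_milters(text, keys=("smtpd_milters", "non_smtpd_milters")):
    """Milters named in an earlier definition but absent from the effective (last) one."""
    params, lost = parse_params(text), {}
    for key in keys:
        defs = [re.split(r"[,\s]+", v) for v in params.get(key, [])]
        if len(defs) > 1:
            effective = set(defs[-1])
            dropped = [m for d in defs[:-1] for m in d if m and m not in effective]
            if dropped:
                lost[key] = dropped
    return lost

def merged_value(text, key):
    """Every milter from every definition of key, first-seen order, as one value."""
    seen = []
    for value in parse_params(text).get(key, []):
        for milter in re.split(r"[,\s]+", value):
            if milter and milter not in seen:
                seen.append(milter)
    return " ".join(seen)
```

The value returned by `merged_value` is what belongs on a single `smtpd_milters` line; the duplicate definitions should then be deleted.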
     
  7. pg001

    pg001 New Member

    this is what I get:

    Code:
    [root@server1 /]# ls -la /var/run/dkim-milter/dkim.sock
    srwxrwx--- 1 dkim-milt mail 0 Jul 30 17:20 /var/run/dkim-milter/dkim.sock
    is it correct?
     
  8. topdog

    topdog HowtoForge Supporter

    Try restarting the dkim-milter and see if you get the error again. Are you running with SELinux enabled?
     
  9. pg001

    pg001 New Member

    the restart did the trick! No I did not have selinux enabled, it was disabled from the start. Here's the restart result:
    Code:
    [root@server1 /]# service dkim-milter restart
    Shutting down all DKIM milter (dkim-filter):               [  OK  ]
    Cleanup for DKIM milter (dkim-filter #0):
    Starting DKIM milter (dkim-filter #0):                     [  OK  ]
    I tried sending email to my gmail account but I don't see "Signed by: ..." on the headers, here's how my headers look,

    [​IMG]

    it does not look the same with what's on the howto.

    plus when I send email to yahoo I get this error on my mail queue
    Code:
    postqueue -p
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    E7DFB78C4BB      812 Wed Jul 30 18:34:42  web1_user@oneXXXXXs.us
    (host b.mx.mail.yahoo.com[66.196.97.250] refused to talk to me: 421 Message from (xxx.92.28.183) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html)
                                             xxxxxx@yahoo.com
     
    Last edited: Jul 30, 2008
  10. topdog

    topdog HowtoForge Supporter

    Maybe the signing is not taking place. Look at the original message in Gmail and see the headers.

    To do that, click the arrow on the reply button.
     
  11. pg001

    pg001 New Member

    ok this is how it looks:

    Code:
    Delivered-To: XXXXXX@gmail.com
    Received: by 10.151.9.19 with SMTP id m19cs339643ybi;
            Wed, 30 Jul 2008 03:32:15 -0700 (PDT)
    Received: by 10.114.133.1 with SMTP id g1mr8165581wad.123.1217413934294;
            Wed, 30 Jul 2008 03:32:14 -0700 (PDT)
    Return-Path: <web1_user@onexxxxxxs.us>
    Received: from server1.onexxxxxxs.us ([xxx.92.28.183])
            by mx.google.com with ESMTP id m28si1759939poh.10.2008.07.30.03.32.11;
            Wed, 30 Jul 2008 03:32:14 -0700 (PDT)
    Received-SPF: pass (google.com: domain of web1_user@onexxxxxs.us designates xxx.92.28.183 as permitted sender) client-ip=xxx.92.28.183;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of web1_user@onexxxxxxxs.us designates xxx.92.28.183 as permitted sender) smtp.mail=web1_user@onexxxxxs.us; dkim=neutral header.i=@onexxxxs.us
    Received: from 192.168.1.100 (localhost.localdomain [127.0.0.1])
    	by server1.onexxxxxxs.us (Postfix) with ESMTP id 0085578C4BB
    	for <xxxxxx@gmail.com>; Wed, 30 Jul 2008 18:32:08 +0800 (PHT)
    X-DKIM: Sendmail DKIM Filter v2.2.1 server1.onexxxxxxs.us 0085578C4BB
    DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=onexxxxxs.us;
    	s=default; t=1217413929; bh=Zpsxuy+yXsq4w+8ENBqBCjnNTiU=;
    	h=Message-ID:Date:Subject:From:To:Reply-To:User-Agent:MIME-Version:
    	 Content-Type:Content-Transfer-Encoding; b=hdewiGxyUcF7RXF1ZY6PLx+r
    	ubFf3uLYWrLr0QsrDVQztXpESFVOkTGb1mIeASSM/u0G7ejTyI79NaM8XxCI9Buv4Iv
    	C7i6O2k3MlsxLLmEZw6W5wz7fLi/2eYi92o1dM6yvLnveo0Si+eMdl1b+4Zav5elKzR
    	ij/YwY1CKIhuI=
    Received: from 192.168.1.110
            (SquirrelMail authenticated user web1_user)
            by server1.onexxxxxxxxs.us with HTTP;
            Wed, 30 Jul 2008 18:32:09 +0800 (PHT)
    Message-ID: <1777.192.168.1.110.1217413929.squirrel@server1.onexxxxxxs.us>
    Date: Wed, 30 Jul 2008 18:32:09 +0800 (PHT)
    Subject: Testing
    From: "XXulxxxxx" <web1_user@onexxxxxxs.us>
    To: xxxxxxx@gmail.com
    Reply-To: web1_user@onexxxxxxs.us
    User-Agent: SquirrelMail/1.5.1
    MIME-Version: 1.0
    Content-Type: text/plain;charset=iso-8859-1
    Content-Transfer-Encoding: 8bit
    
    go!
     
  12. topdog

    topdog HowtoForge Supporter

    It's coming up neutral, meaning maybe it could not pick up your key from DNS.
     
  13. pg001

    pg001 New Member

    but it has been signed right? here's how my pri.mydomain.us looks like:

    Code:
    $TTL        86400
    @       IN      SOA     ns1.xxxxxxxxxx.us. paul.xxxxxxxxxx.us. (
                            2008072812       ; serial, todays date + todays serial #
                            28800              ; refresh, seconds
                            7200              ; retry, seconds
                            604800              ; expire, seconds
                            86400 )            ; minimum, seconds
    ;
                    NS      ns1.xxxxxxxxxx.us.              ; Inet Address of name server 1
                    NS      ns9.zoneedit.com.              ; Inet Address of name server 2
    ;
    
      MX      10 mail.xxxxxxxxxx.us.
    
    xxxxxxxxxx.us.      A        119.92.28.183
    www       A       119.92.28.183
    ns1       A       119.92.28.183
    mail       A       119.92.28.183
    
    ftp       CNAME  www.xxxxxxxxxx.us.
    webmail       CNAME  www.xxxxxxxxxx.us.
    smtp       CNAME  mail.xxxxxxxxxx.us.
    pop3       CNAME  mail.xxxxxxxxxx.us.
    
    
    xxxxxxxxxx.us.       TXT  "v=spf1 a mx ptr ~all"
    
    ;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;
    default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALJP4zvQAvfVTR8R4o9Y8jqaDalFOUYvBfAzRkawEtv4TA1ij8Ku0EfAyoBMQAqW6UgtxTvWQVwWOP7an2QIaCECAwEAAQ==" ; ----- DomainKey default for xxxxxxxxxx.us
    _domainkey IN TXT "t=y; o=~"
    default2._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDekPn/K81GiNXz7ncHNl5Xdl8IDdqJFoeG4ZJg4iKYxyHbb5tUN++jYdftTTC+mAZg/3Wf5DkKaIzb7l1Ug2e2qNppv9kDib088y1flLj9ItnT+wvs6EZG2A3EXao2LFK4iv896fSoXYewzxjYQRstytS8ebLWFUpuWnmKqp2acwIDAQAB" ; ----- DKIM default for xxxxxxxxxx.us
     
  14. topdog

    topdog HowtoForge Supporter

    Okay, I think you are signing using default, which is a DomainKeys key, instead of signing using default2.
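
The selector mismatch described above, as an added example that is not part of the original thread: it derives the DNS name a verifier queries from the signature's `s=` and `d=` tags and applies RFC 4871's key-record rules to the record found there. Under those rules a missing `v=` is acceptable, but an empty `g=` (valid in a DomainKeys record) matches no signing address. The inputs are constructed from the thread's headers and zone file, with `example.us` and placeholder key material substituted; function names are hypothetical.

```python
import re

# Constructed inputs modelled on the thread (domain and key data are placeholders).
SIGNATURE = ("v=1; a=rsa-sha1; c=simple/simple; d=example.us;\n"
             "\ts=default; t=1217413929; bh=PLACEHOLDER=; h=From:To; b=PLACEHOLDER=")
ZONE_TXT = {
    "default._domainkey.example.us": "g=; k=rsa; t=y; p=PLACEHOLDERKEY",
    "default2._domainkey.example.us": "v=DKIM1; g=*; k=rsa; p=PLACEHOLDERKEY",
}

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")   # base64 padding '=' stays in val
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(signature):
    """DNS name of the key record: <selector>._domainkey.<domain>."""
    sig = parse_tags(signature)
    return f"{sig['s']}._domainkey.{sig['d']}"

def key_record_problems(record, local_part=""):
    """Reasons an RFC 4871 verifier would refuse to use this key record."""
    tags, problems = parse_tags(record), []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= present but not DKIM1")
    g = tags.get("g", "*")                       # g= defaults to '*' when absent
    if g == "":
        problems.append("empty g= matches no signing address")
    elif not re.fullmatch(re.escape(g).replace(r"\*", ".*"), local_part):
        problems.append("g= does not match signing local-part")
    if not tags.get("p"):
        problems.append("p= empty or missing")
    return problems

def check(signature, zone):
    """Return (query name, list of problems) for the key this signature points at."""
    name = key_query_name(signature)
    record = zone.get(name)
    if record is None:
        return name, ["no TXT record at this name"]
    # i= defaults to '@' + d=, i.e. an empty local-part
    local = parse_tags(signature).get("i", "@").rpartition("@")[0]
    return name, key_record_problems(record, local)
```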
     
  15. pg001

    pg001 New Member

    I did change that already, here's my /etc/sysconfig/dkim-milter

    Code:
    # Default values
    #
    USER="dkim-milt"
    PORT=local:/var/run/dkim-milter/dkim.sock
    SIGNING_DOMAIN="XXXXXXX.us"
    SELECTOR_NAME="default2"
    KEYFILE="/etc/dkim-milter/${SIGNING_DOMAIN}_${SELECTOR_NAME}.key.pem"
    SIGNER=yes
    VERIFIER=yes
    CANON=simple
    SIGALG=rsa-sha1
    REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
    EXTRA_ARGS="-h -l -D"
    I also did a restart for named, dkim, and postfix already.

    here's the gmail full headers (wow we finally did IT!!!):


    Code:
    Delivered-To: xxxxxx@gmail.com
    Received: by 10.141.142.4 with SMTP id u4cs139139rvn;
            Wed, 30 Jul 2008 05:09:56 -0700 (PDT)
    Received: by 10.114.182.1 with SMTP id e1mr8323931waf.143.1217419796347;
            Wed, 30 Jul 2008 05:09:56 -0700 (PDT)
    Return-Path: <web1_user@xxxxxxxxxx.us>
    Received: from server1.xxxxxxxxxx.us ([xxx.92.28.183])
            by mx.google.com with ESMTP id m29si1953233poh.4.2008.07.30.05.09.53;
            Wed, 30 Jul 2008 05:09:56 -0700 (PDT)
    Received-SPF: pass (google.com: domain of web1_user@xxxxxxxxxx.us designates xxx.92.28.183 as permitted sender) client-ip=xxx.92.28.183;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of web1_user@xxxxxxxxxx.us designates xxx.92.28.183 as permitted sender) smtp.mail=web1_user@xxxxxxxxxx.us; dkim=pass header.i=@xxxxxxxxxx.us
    Received: from 192.168.1.100 (localhost.localdomain [127.0.0.1])
    	by server1.xxxxxxxxxx.us (Postfix) with ESMTP id 410E978C4BB
    	for <xxxxxx@gmail.com>; Wed, 30 Jul 2008 20:09:51 +0800 (PHT)
    X-DKIM: Sendmail DKIM Filter v2.2.1 server1.xxxxxxxxxx.us 410E978C4BB
    DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=xxxxxxxxxx.us;
    	s=default2; t=1217419791; bh=+eogg8h8qzD7CUn3p8Fe6Rvj7p4=;
    	h=Message-ID:Date:Subject:From:To:Reply-To:User-Agent:MIME-Version:
    	 Content-Type:Content-Transfer-Encoding; b=YK5GpXoxqhtIjOvpV+d6k95D
    	PMbwGNUbCI3GU2SjycHYeXwdj6UHVfKeg9NbM94t32OXX4bBC3+0nkWbgy5zbhWz08l
    	HSvN86xLsV1PVSe8Z9Nzdeo/bBr+QeOJLMCl2jIxZiZRZUxEVEX+fk2e72sAfDJixU9
    	SQQcRiX20tyzQ=
    Received: from 192.168.1.110
            (SquirrelMail authenticated user web1_user)
            by server1.xxxxxxxxxx.us with HTTP;
            Wed, 30 Jul 2008 20:09:51 +0800 (PHT)
    Message-ID: <3714.192.168.1.110.1217419791.squirrel@server1.xxxxxxxxxx.us>
    Date: Wed, 30 Jul 2008 20:09:51 +0800 (PHT)
    Subject: Testing DKIM
    From: "Paul Gabuya" <web1_user@xxxxxxxxxx.us>
    To: xxxxxx@gmail.com
    Reply-To: web1_user@xxxxxxxxxx.us
    User-Agent: SquirrelMail/1.5.1
    MIME-Version: 1.0
    Content-Type: text/plain;charset=iso-8859-1
    Content-Transfer-Encoding: 8bit
    
    Thanks for assisting me TOPDOG
    Kudos to you topdog, you're the man!!!! Thank you very much. I hope this thread could also help other newbies like me.
     
  16. pg001

    pg001 New Member

    after dkim-milter worked, dk-milter failed again, I don't know what went wrong:

    when I start or restart domainkeys I get this error:

    Code:
    [root@server1 /]#  service dk-milter start
    Starting DomainKeys milter (dk-filter #0): dk-filter: smfi_opensocket() failed
                                                               [FAILED]
    Code:
    [root@server1 /]#  service dk-milter restart
    Shutting down all DomainKeys milter (dk-filter):           [FAILED]
    Cleanup for DomainKeys milter (dk-filter #0):
    Starting DomainKeys milter (dk-filter #0): dk-filter: smfi_opensocket() failed
                                                               [FAILED]
    looking at the dk socket permissions I get this:
    Code:
    [root@server1 /]# ls -la /var/run/dk-milter/dk.sock
    srwxrwx--- 1 dk-milt mail 0 Jul 30 07:08 /var/run/dk-milter/dk.sock
    here's my /etc/sysconfig/dk-milter:
    Code:
    # Default values
    #
    USER="dk-milt"
    PORT="local:/var/run/dk-milter/dk.sock"
    #PORT="inet:10034@localhost"
    SIGNING_DOMAIN="xxxxxxxxxx.us"
    SELECTOR_NAME="default"
    KEYFILE="/etc/mail/domainkeys/dk_new.pem"
    SIGNER=yes
    VERIFIER=yes
    CANON=simple
    REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
    EXTRA_ARGS="-h -l -D"
    MILTER_GROUP="mail"
    bottom of my /etc/postfix/main.cf looks like this:

    on my maillog I get this error:
    Code:
    Jul 31 12:53:28 server1 dk-filter[16309]: Sendmail DomainKeys Filter: Unable to bind to port local:/var/run/dk-milter/dk.sock: Address already in use
    Jul 31 12:53:28 server1 dk-filter[16309]: Sendmail DomainKeys Filter: Unable to create listening socket on conn local:/var/run/dk-milter/dk.sock
    Jul 31 12:53:28 server1 dk-filter[16309]: smfi_opensocket() failed
     
  17. topdog

    topdog HowtoForge Supporter

    Your postfix should look like this
    Code:
    smtpd_milters = unix:/var/run/dk-milter/dk.sock unix:/var/run/dkim-milter/dkim.sock
    non_smtpd_milters = unix:/var/run/dk-milter/dk.sock unix:/var/run/dkim-milter/dkim.sock
    Stop dk-milter, remove the socket file and then start it and see if that helps.
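
Why removing the socket file helps, as an added example that is not part of the original thread: a Unix socket file left behind by a stopped daemon makes the next bind() fail with "Address already in use", and a connect attempt tells a leftover file apart from one that a running process is still serving. The demo uses a temporary directory rather than /var/run/dk-milter, and the function names are hypothetical.

```python
import errno
import os
import socket
import stat
import tempfile

def socket_state(path):
    """Classify a milter socket path: 'missing', 'not-a-socket', 'live' or 'stale'."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as probe:
        try:
            probe.connect(path)
            return "live"        # a process is accepting on it: do not delete
        except ConnectionRefusedError:
            return "stale"       # leftover file: a new bind() gets EADDRINUSE

def remove_if_stale(path):
    """Unlink the socket file only when nothing is listening on it."""
    if socket_state(path) == "stale":
        os.unlink(path)
        return True
    return False

def demo():
    """Reproduce the logged failure and the fix on a constructed temporary path."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dk.sock")
        results.append(socket_state(path))                  # nothing there yet
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        listener.listen(1)
        results.append(socket_state(path))                  # daemon running
        listener.close()     # daemon gone, socket file not unlinked
        results.append(socket_state(path))
        second = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            second.bind(path)
        except OSError as exc:
            results.append(exc.errno == errno.EADDRINUSE)   # the error in the maillog
        results.append(remove_if_stale(path))
        second.bind(path)    # succeeds once the stale file is gone
        second.close()
    return results
```

Run the check as a user allowed to connect to the socket (the thread's sockets are mode `srwxrwx---`), otherwise the probe raises a permission error instead of classifying the file.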
     
  18. pg001

    pg001 New Member

    that worked but my dkim for gmail is showing up neutral again :D

    EDIT

    it's both working now after I restarted postfix, dkim-milter, and dk-milter. thanks again....
     
    Last edited: Jul 31, 2008