ISPConfig & DKIM

Discussion in 'General' started by sistematico, Jun 20, 2014.

  1. sistematico

    sistematico New Member

  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    I would use post #1 - but better use my original-post located here. ;)

    If you are using ISPConfig >= 3.0.5.4 you can skip some steps from the install - or better use INSTALL.TXT from the archive.
     
  3. sistematico

    sistematico New Member

    Thank you

    Thank you! It's working!! :D
     
  4. sistematico

    sistematico New Member

    Almost :(
    Code:
    This message is an automatic response from Port25's authentication verifier
    service at verifier.port25.com.  The service allows email senders to perform
    a simple check of various sender authentication mechanisms.  It is provided
    free of charge, in the hope that it is useful to the email community.  While
    it is not officially supported, we welcome any feedback you may have at
    <[email protected]>.
    
    Thank you for using the verifier,
    
    The Port25 Solutions, Inc. team
    
    ==========================================================
    Summary of Results
    ==========================================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         fail
    Sender-ID check:    pass
    SpamAssassin check: ham
    
    ==========================================================
    Details:
    ==========================================================
    
    HELO hostname:  second_domain_removed
    Source IP:      ip_removed
    mail-from:      [email protected]_removed.com
    
    ----------------------------------------------------------
    SPF check details:
    ----------------------------------------------------------
    Result:         pass 
    ID(s) verified: [email protected]_removed.com
    DNS record(s):
        domain_removed.com. SPF (no records)
        domain_removed.com. 1800 IN TXT "v=spf1 ip4:ip_removed ~all"
    
    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result:         neutral (message not signed)
    ID(s) verified: [email protected]_removed.com
    DNS record(s):
    
    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    Result:         fail (signature doesn't verify)
    ID(s) verified: 
    Canonicalized Headers:
        Message-ID:'20'<[email protected]_removed.com>'0D''0A'
        Date:'20'Mon,'20'23'20'Jun'20'2014'20'13:48:54'20'-0400'0D''0A'
        From:'20'=?ISO-8859-1?Q?R=E1dio_Som_do_Mato?='20'<[email protected]_removed.com>'0D''0A'
        MIME-Version:'20'1.0'0D''0A'
        To:[email protected]'0D''0A'
        Content-Type:'20'multipart/alternative;'0D''0A'
        '20'boundary="------------020908050307040403040206"'0D''0A'
        DKIM-Signature:'20'v=1;'20'a=rsa-sha1;'20'c=simple/simple;'20'd=domain_removed.com;'0D''0A'
        '09's=default;'20't=1403545787;'20'bh=RLN5lQBId/f7IHZNWWOL/UMStsw=;'0D''0A'
        '09'h=Message-ID:Date:From:MIME-Version:To:Content-Type;'0D''0A'
        '09'b=
    
    Canonicalized Body:
        This'20'is'20'a'20'multi-part'20'message'20'in'20'MIME'20'format.'0D''0A'
        --------------020908050307040403040206'0D''0A'
        Content-Type:'20'text/plain;'20'charset=us-ascii;'20'format=flowed'0D''0A'
        Content-Transfer-Encoding:'20'7bit'0D''0A'
        '0D''0A'
        '0D''0A'
        '0D''0A'
        --------------020908050307040403040206'0D''0A'
        Content-Type:'20'text/html;'20'charset=us-ascii'0D''0A'
        Content-Transfer-Encoding:'20'7bit'0D''0A'
        '0D''0A'
        <html><head>'0D''0A'
        <meta'20'http-equiv="content-type"'20'content="text/html;'20'charset=ISO-8859-1"></head><body'0D''0A'
        '20'style="font-family:'20'Calibri;"'20'bgcolor=""'20'text="">'0D''0A'
        <div'20'style="font-family:'20'Calibri;"><br></div>'0D''0A'
        </body>'0D''0A'
        </html>'0D''0A'
        '0D''0A'
        --------------020908050307040403040206--'0D''0A'
        
    
    DNS record(s):
        default._domainkey.domain_removed.com. 1800 IN TXT "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlihiLpdxWARX5/H/09si7Ocsn8bm1pGl18MsvpfulAGMWd2CSr0o+yF5xOEo17sOhdypWntHJzbCOHhdV9jqfGLwk+Ybz3DXeX2MaNHt9hq16X4cp4ZeGcXUvjUY3YUESYFbFit5KYAoIDEbWyT/ZnyC5TfA4hLc/G5H4UONOawIDAQAB"
    
    Public key used for verification: default._domainkey.domain_removed.com (1024 bits)
    
    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions.  If you are using Port25's PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.
    
    ----------------------------------------------------------
    Sender-ID check details:
    ----------------------------------------------------------
    Result:         pass 
    ID(s) verified: [email protected]_removed.com
    DNS record(s):
        domain_removed.com. SPF (no records)
        domain_removed.com. 1800 IN TXT "v=spf1 ip4:ip_removed ~all"
    
    ----------------------------------------------------------
    SpamAssassin check details:
    ----------------------------------------------------------
    SpamAssassin v3.3.1 (2010-03-16)
    
    Result:         ham  (2.7 points, 5.0 required)
    
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                 for more information.
                                [URIs: domain_removed.com]
    -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                [score: 0.0000]
     0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
     1.8 MISSING_SUBJECT        Missing Subject: header
     2.3 EMPTY_MESSAGE          Message appears to have no textual parts and no
                                Subject: text
    
    ==========================================================
    Explanation of the possible results (from RFC 5451)
    ==========================================================
    
    SPF and Sender-ID Results
    =========================
    
    "none"
          No policy records were published at the sender's DNS domain.
    
    "neutral"
          The sender's ADMD has asserted that it cannot or does not
          want to assert whether or not the sending IP address is authorized
          to send mail using the sender's DNS domain.
    
    "pass"
          The client is authorized by the sender's ADMD to inject or
          relay mail on behalf of the sender's DNS domain.
    
    "policy"
         The client is authorized to inject or relay mail on behalf
          of the sender's DNS domain according to the authentication
          method's algorithm, but local policy dictates that the result is
          unacceptable.
    
    "fail"
          This client is explicitly not authorized to inject or
          relay mail using the sender's DNS domain.
    
    "softfail"
          The sender's ADMD believes the client was not authorized
          to inject or relay mail using the sender's DNS domain, but is
          unwilling to make a strong assertion to that effect.
    
    "temperror"
          The message could not be verified due to some error that
          is likely transient in nature, such as a temporary inability to
          retrieve a policy record from DNS.  A later attempt may produce a
          final result.
    
    "permerror"
          The message could not be verified due to some error that
          is unrecoverable, such as a required header field being absent or
          a syntax error in a retrieved DNS TXT record.  A later attempt is
          unlikely to produce a final result.
    
    
    DKIM and DomainKeys Results
    ===========================
    
    "none"
          The message was not signed.
    
    "pass"
          The message was signed, the signature or signatures were
          acceptable to the verifier, and the signature(s) passed
          verification tests.
    
    "fail"
          The message was signed and the signature or signatures were
          acceptable to the verifier, but they failed the verification
          test(s).
    
    "policy"
          The message was signed but the signature or signatures were
          not acceptable to the verifier.
    
    "neutral"
          The message was signed but the signature or signatures
          contained syntax errors or were not otherwise able to be
          processed.  This result SHOULD also be used for other
          failures not covered elsewhere in this list.
    
    "temperror"
          The message could not be verified due to some error that
          is likely transient in nature, such as a temporary inability
          to retrieve a public key.  A later attempt may produce a
          final result.
    
    "permerror"
          The message could not be verified due to some error that
          is unrecoverable, such as a required header field being
          absent. A later attempt is unlikely to produce a final result.
    
    
    ==========================================================
    Original Email
    ==========================================================
    
    Return-Path: <[email protected]_removed.com>
    Received: from second_domain_removed (ip_removed) by verifier.port25.com id hl1kbu11u9cv for <[email protected]>; Mon, 23 Jun 2014 13:49:51 -0400 (envelope-from <[email protected]_removed.com>)
    Authentication-Results: verifier.port25.com; spf=pass [email protected]_removed.com
    Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) [email protected]_removed.com
    Authentication-Results: verifier.port25.com; dkim=fail (signature doesn't verify) 
    Authentication-Results: verifier.port25.com; sender-id=pass [email protected]_removed.com
    Received: from localhost (localhost [127.0.0.1])
    	by second_domain_removed (Postfix) with ESMTP id C8BC925651
    	for <[email protected]>; Mon, 23 Jun 2014 13:49:47 -0400 (EDT)
    X-DKIM: Sendmail DKIM Filter v2.8.3 second_domain_removed C8BC925651
    DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=domain_removed.com;
    	s=default; t=1403545787; bh=RLN5lQBId/f7IHZNWWOL/UMStsw=;
    	h=Message-ID:Date:From:MIME-Version:To:Content-Type;
    	b=TteP7KzB4C27yr4QZyiDxGZRRauANIlWogpRPUv18X5q6ixBTr12i2uOrEDHk8RX0
    	 QmO+n6WDxQ266Kabyu1tu3gkTihnrSj3JVrW8ShFYTEEweEZRLR4LNC8jpsXpn9Hsd
    	 oxSzP8N7//tnMe8HwaApNRI6EcmvNuUJOzZF9buA=
    X-Virus-Scanned: amavisd-new at second_domain_removed
    Received: from second_domain_removed ([127.0.0.1])
    	by localhost (second_domain_removed [127.0.0.1]) (amavisd-new, port 10026) with ESMTP
    	id Lv5Zjk6Mpsq8 for <[email protected]>;
    	Mon, 23 Jun 2014 13:49:19 -0400 (EDT)
    Received: from [192.168.1.1] (179.177.9.130.dynamic.adsl.gvt.net.br [179.177.9.130])
    	(Authenticated sender: [email protected]_removed.com)
    	by second_domain_removed (Postfix) with ESMTPSA id 161512321E
    	for <[email protected]>; Mon, 23 Jun 2014 13:49:18 -0400 (EDT)
    X-DKIM: Sendmail DKIM Filter v2.8.3 second_domain_removed 161512321E
    Message-ID: <[email protected]_removed.com>
    Date: Mon, 23 Jun 2014 13:48:54 -0400
    From: =?ISO-8859-1?Q?R=E1dio_Som_do_Mato?= <[email protected]_removed.com>
    User-Agent: Postbox 3.0.11 (Windows/20140602)
    MIME-Version: 1.0
    To: [email protected]
    Content-Type: multipart/alternative;
     boundary="------------020908050307040403040206"
    
    This is a multi-part message in MIME format.
    --------------020908050307040403040206
    Content-Type: text/plain; charset=us-ascii; format=flowed
    Content-Transfer-Encoding: 7bit
    
    
    
    --------------020908050307040403040206
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    
    <html><head>
    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"></head><body
     style="font-family: Calibri;" bgcolor="" text="">
    <div style="font-family: Calibri;"><br></div>
    </body>
    </html>
    
    --------------020908050307040403040206--
    
    Code:
    [[email protected] ~]# ls -l /etc/postfix/dkim
    total 24
    -rw-r--r-- 1 root root 902 Jun 21 05:41 brum.ms.private
    -rw-r--r-- 1 root root 272 Jun 21 05:41 brum.ms.public
    -rw-r--r-- 1 root root 906 Jun 21 05:42 sdm.fm.private
    -rw-r--r-- 1 root root 272 Jun 21 05:42 sdm.fm.public
    -rw-r--r-- 1 root root 902 Jun 21 04:36 somdomato.com.private
    -rw-r--r-- 1 root root 272 Jun 21 04:36 somdomato.com.public
    
     
    Last edited: Jun 23, 2014
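A small checker for the kind of report posted above, added here as an example; it is not code from the thread, from ISPConfig or from amavis. It parses the DKIM-Signature tag list, applies the simple or relaxed body canonicalization of RFC 6376 and recomputes bh=. Whether the body hash matches is the first thing to establish when a verifier reports "signature doesn't verify": a matching bh= means the body reached the verifier unchanged and the problem lies in the signed headers or the published key, while a mismatch means something altered the body after signing (a later filter or footer, for instance). The DKIM-Signature header and the domain_removed.com names in THREAD_MESSAGE are the redacted values from the post above; the From address, example.test, the selector sel and the sample bodies are constructed.

```python
"""Added example (not code from the thread, ISPConfig or amavis): parse a
DKIM-Signature header and recompute its bh= body hash (RFC 6376)."""
import base64
import hashlib
import re


def parse_dkim_tags(value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature (RFC 6376 section 3.2).
    Whitespace inside b=, bh= and h= is folding whitespace and is discarded."""
    tags = {}
    for item in value.split(";"):
        name, _, val = item.partition("=")
        name = name.strip()
        if name:
            tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh", "h") else val.strip()
    return tags


def canonicalize_body(body: bytes, method: str) -> bytes:
    """Body canonicalization: 'simple' (RFC 6376 3.4.3) or 'relaxed' (3.4.4).
    The optional l= body-length limit is not applied here."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # collapse runs of WSP to a single SP and drop trailing WSP on each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:  # empty body: a single CRLF under simple, nothing under relaxed
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, algorithm: str, canon: str) -> str:
    """bh= value: base64 of the hash named by a= over the canonicalized body."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, canon)).digest()).decode()


def check_body_hash(raw_message: bytes) -> dict:
    """Locate the DKIM-Signature of a CRLF-terminated message and compare bh=."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)  # unfold header continuation lines
    sig = next((ln for ln in unfolded.split(b"\r\n")
                if ln.lower().startswith(b"dkim-signature:")), None)
    if sig is None:
        return {"signed": False}
    tags = parse_dkim_tags(sig.split(b":", 1)[1].decode())
    header_canon, _, body_canon = tags.get("c", "simple/simple").partition("/")
    body_canon = body_canon or "simple"  # "c=relaxed" alone means relaxed/simple
    computed = body_hash(body, tags.get("a", "rsa-sha256"), body_canon)
    return {"signed": True, "domain": tags.get("d"), "selector": tags.get("s"),
            "canonicalization": (header_canon, body_canon),
            "expected_bh": tags.get("bh"), "computed_bh": computed,
            "bh_matches": computed == tags.get("bh")}


# Constructed excerpt: the redacted DKIM-Signature from the thread over a shortened body.
THREAD_MESSAGE = (
    b"From: user@domain_removed.com\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=domain_removed.com;\r\n"
    b"\ts=default; t=1403545787; bh=RLN5lQBId/f7IHZNWWOL/UMStsw=;\r\n"
    b"\th=Message-ID:Date:From:MIME-Version:To:Content-Type;\r\n"
    b"\tb=TteP7KzB4C27yr4QZyiDxGZRRauANIlWogpRPUv18X5q6ixBTr12i2uOrEDHk8RX0\r\n"
    b"\t QmO+n6WDxQ266Kabyu1tu3gkTihnrSj3JVrW8ShFYTEEweEZRLR4LNC8jpsXpn9Hsd\r\n"
    b"\t oxSzP8N7//tnMe8HwaApNRI6EcmvNuUJOzZF9buA=\r\n"
    b"\r\n"
    b"This is a multi-part message in MIME format.\r\n"
)


def signed_sample(tampered: bool = False) -> bytes:
    """Constructed message whose bh= was computed for its own body (relaxed, sha256);
    with tampered=True the body is altered after the hash was taken."""
    body = b"Hello  world\t\r\n\r\n"
    bh = body_hash(body, "rsa-sha256", "relaxed")
    if tampered:
        body = b"Hello  world!\r\n"
    return (b"From: user@example.test\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=sel;\r\n"
            b"\th=From; bh=" + bh.encode() + b"; b=;\r\n\r\n" + body)


if __name__ == "__main__":
    print(check_body_hash(THREAD_MESSAGE))
    print(check_body_hash(signed_sample()))
    print(check_body_hash(signed_sample(tampered=True)))
```

Run it on the complete original message (headers and body exactly as the verifier received them, CRLF line endings) rather than on the excerpt; the excerpt only demonstrates the parsing. The checker does not validate b=, which needs the selector's public key and the header canonicalization as well.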
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Could you provide some more information? Are amavisd-new testkeys and amavisd-new showkeys working? Did you add everything to postfix master.cf and main.cf? Is amavis really running?
     
  6. sistematico

    sistematico New Member

    Code:
    [[email protected] ~]# amavisd testkeys
    TESTING#1: default._domainkey.somdomato.com  => pass
    TESTING#2: default._domainkey.brum.ms        => pass
    TESTING#3: default._domainkey.sdm.fm         => pass
    
    Code:
    [[email protected] ~]# LANG=C /etc/init.d/amavisd status
    amavisd (pid 17967 17966 17956) is running...
    
    /etc/postfix/master.cf: http://ix.io/d7S
    /etc/postfix/main.cf: http://ix.io/d7T

    Code:
    [[email protected] ~]# uname -a
    Linux sdm.fm 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
    
    Code:
    [[email protected] ~]# cat /etc/centos-release
    CentOS release 6.5 (Final)
    
    Thanks.
     
  7. florian030

    florian030 ISPConfig Developer ISPConfig Developer

  8. Clouseau

    Clouseau Member

    If I have one web hosting server with mail on it and I allow only my clients to send and receive mail through smtp installed on it and I have no internal network just 127.0.0.1 and ip of the server, what would be the best practice to configure dkim with amavis?

    I see http://blog.schaal-24.de/ispconfig/dkim-patch-1-0/?lang=en in INSTALL.TXT

    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re

    Why would I need this /etc/postfix/tag_as_originating.re and this /etc/postfix/tag_as_foreign.re? Those match two paths for amavis-new services, one for originating from inside(right?) and the other from originating from outside? How would I configure that with mynetworks only 127.0.0.0/8?
     
  9. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Each mail is delivered to postfix and scanned by amavis, if you send a mail from postfix to amavis. You try to remove tag_as_originating.

    In general I don't know why you use a web-server to let only send mail. I would relay all mails from the web-server to the mail-server (so you can remove amavis and dovecot from the web-server).
     
  10. Clouseau

    Clouseau Member

    I probably wasn't too precise. There is only one server with ispconfig on it. I do receive and send mail, it's a classic ispconfig install. My question is do I need this:

    regexp:/etc/postfix/tag_as_originating.re and
    regexp: /etc/postfix/tag_as_foreign.re

    if I only have this in $mynetworks: 127.0.0.1 and ip of server. Could I just enable amavis to sign with dkim all mails that are sent and check dkim signing of all incoming emails? Why the two services/paths of amavis? I tried to find information regarding what is originating and what is foreign but don't understand. I suppose originating is the mail that is coming from internal users (defined in $mynetworks variable) and users that are authenticated all over the web.
    What is foreign there for? I would only allow using smtp to my clients with account in ispconfig panel. Is foreign for a client that has another email account, i.e. [email protected] and is using my smtp for sending mail with that gmail account? He is authenticated to my SMTP with an account that he has in ispconfig but the field from is From:[email protected] Is that for foreign? If yes, then I understand because amavis must not sign with dkim those mails...
     
  11. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    You need the tag_as-files to integrate amavis in the mailflow. Please read the amavis-documentation about dkim.
     
  12. Clouseau

    Clouseau Member

    Ok, got it. Originating is for signing mail that users in the internal network and authenticated ones are sending. Foreign is for not signing mail that is coming from around the world to my users :)
    Also verifying dkim doesn't need any configuration regarding postfix and paths, it is only configured in amavis.

    So, does the DKIM plugin use signing with amavis only or does it use also a milter? I presume it uses only amavis. If that is true, which I think is a way to go regarding information in your link, I read this: "Configuring multiple mail paths in Postfix"

    "In master.cf set up two listening smtpd services for receiving filtered mail from amavisd (as per README.postfix), one on tcp port 10025 (for inbound mail) and the other on port 10027 (for originating mail). If a signing milter is in use it will be attached to a smtpd service on 10027 only. If no milters are in use and signing is done by amavisd, both smtpd services can have exactly the same settings, and in fact only one suffices, in which case redirecting $forward_method and $notify_method to 'smtp:[127.0.0.1]:10027' in later example can be disregarded."

    So if amavis is the one that is doing the signing we need only one service on port 10025 in postfix to receive the signed or not signed mail from amavis. The other one on 10027 is not needed :)
     
    Last edited: Dec 1, 2014
  13. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    I will think about what you posted. But I'm not sure if this may affect the mail-flow and dkim-validating.

    The dkim-patch itself controls only the keys stored in the amavis-config. There is no milter for this in the default-setup.
     
  14. Clouseau

    Clouseau Member

    Great. The milter is not needed as amavis is doing the signing and validating of dkim and that is ok.

    I looked at the files in the patch and I think this would be enough to be done in master.cf, basically it's all the same without the 127.0.0.1:10027 service:

    127.0.0.1:10025 inet n - n - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=127.0.0.0/8
      -o strict_rfc821_envelopes=yes
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o smtp_send_xforward_command=yes
      # The next two options are not needed as there is no milter that does the signing
      # -o milter_default_action=accept
      # -o milter_macro_daemon_name=ORIGINATING


    And amavis.conf.dkim
    $inet_socket_port = [10024,10026];
    $forward_method = 'smtp:[127.0.0.1]:10025';
    $interface_policy{'10026'} = 'ORIGINATING';
    $policy_bank{'ORIGINATING'} = {
      originating => 1,
      smtpd_discard_ehlo_keywords => ['8BITMIME'],
    };
    @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);
    $signed_header_fields{'received'} = 0;
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1;
    @dkim_signature_options_bysender_maps = ({ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

    Please test it before on some testing server and sorry if this is the wrong place to post this.
     
    Last edited: Jan 3, 2015
  15. Clouseau

    Clouseau Member

    florian, I can confirm this works. Because there is no milter and amavis is signing the mails, the above config is sufficient. I have changed that from your patch to above, there is no need for a second postfix service listening on port 10027 :)
     
  16. Orlox

    Orlox New Member

    Edit: I found the problem. For a weird reason amavis was using /etc/amavisd/amavisd.conf as its conf file while the patch was making changes to /etc/amavisd.conf
    What makes it more strange is that /usr/sbin/amavisd declares /etc/amavisd.conf as conf file
    What I did to fix it was
    mv /etc/amavisd/amavisd.conf /backup/amavisd.conf.amavisdir
    ln -s /etc/amavisd.conf /etc/amavisd/amavisd.conf
    and all works ok :)
    Hello
    I have a problem with getting amavisd to sign my emails
    I think I have tried everything by now.
    I am on a centos 7
    The server was built with this guide: The Perfect Server – CentOS 7.1
    I am using the DKIM patch
    My amavisd.conf
    Code:
    removed
    My main.cf
    Code:
    removed
    My master.cf
    Code:
    removed
    My maillog
    Code:
    removed
    The error, for others to find:
    dkim: not signing mail which is not originating from our site

    Every idea is welcomed
    Thank you in advance
     
    Last edited: Jan 21, 2016
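The question in posts #8 and #10 (why both tag_as_originating.re and tag_as_foreign.re are needed) and the "not signing mail which is not originating from our site" log line in post #16 come down to the same mechanism, modelled here in an added example that is not code from the thread, ISPConfig or amavis. It walks the smtpd_sender_restrictions line quoted from INSTALL.TXT with Postfix's restriction semantics (OK/PERMIT stops with a permit, REJECT stops with a reject, DUNNO continues, FILTER continues but overrides the content filter, and the last FILTER to fire wins) and then applies the $interface_policy from the amavis snippet above to see whether amavis considers the mail originating. Assumptions: the contents of the two regexp tables (not shown in the thread) are the usual one-line `/^/ FILTER amavis:[127.0.0.1]:1002x` form, main.cf's default content_filter is amavis:[127.0.0.1]:10024, the mysql sender table is stood in for by a dict, and the client addresses and sender names are constructed; 179.177.9.130 is the authenticated dynamic client from the Received header posted earlier.

```python
"""Added example (not from the thread, ISPConfig or amavis): how the quoted
smtpd_sender_restrictions pick the amavis port and what that means for DKIM signing."""
from dataclasses import dataclass
import ipaddress
import re

# Assumed contents of the two regexp tables (the thread names the files but does
# not show them): every sender matches '^', so each table fires one FILTER action.
TAG_AS_ORIGINATING = [(r"^", "FILTER amavis:[127.0.0.1]:10026")]
TAG_AS_FOREIGN = [(r"^", "FILTER amavis:[127.0.0.1]:10024")]

# amavis side, as in the amavis.conf.dkim snippet posted above.
INTERFACE_POLICY = {"10026": "ORIGINATING"}
POLICY_BANK = {"ORIGINATING": {"originating": 1}}


@dataclass
class Session:
    client_ip: str            # connecting client as Postfix sees it
    sasl_authenticated: bool  # what permit_sasl_authenticated tests
    sender: str               # MAIL FROM address, what check_sender_access looks up


def lookup_regexp(table, key):
    """First matching pattern wins, as in a Postfix regexp: table."""
    return next((action for pattern, action in table if re.search(pattern, key)), None)


def evaluate(session, use_originating_tag=True, sender_table=None,
             mynetworks=("127.0.0.0/8",), default_content_filter="amavis:[127.0.0.1]:10024"):
    """Walk smtpd_sender_restrictions with Postfix semantics. Returns (decision,
    content_filter); 'dunno' means the end of the list was reached and Postfix
    moves on to the next restriction stage with the filter chosen so far."""
    sender_table = sender_table or {}  # stand-in for mysql:/etc/postfix/mysql-virtual_sender.cf
    restrictions = [
        ("check_sender_access", lambda s: lookup_regexp(TAG_AS_ORIGINATING, s)),
        ("permit_mynetworks", None),
        ("permit_sasl_authenticated", None),
        ("check_sender_access", sender_table.get),
        ("check_sender_access", lambda s: lookup_regexp(TAG_AS_FOREIGN, s)),
    ]
    if not use_originating_tag:  # the variant asked about in post #8/#10
        restrictions.pop(0)
    client = ipaddress.ip_address(session.client_ip)
    content_filter = default_content_filter  # main.cf content_filter (assumed value)
    for name, table in restrictions:
        if name == "permit_mynetworks":
            if any(client in ipaddress.ip_network(n) for n in mynetworks):
                return "permit", content_filter
        elif name == "permit_sasl_authenticated":
            if session.sasl_authenticated:
                return "permit", content_filter
        else:
            action = table(session.sender)
            if not action:  # no entry / DUNNO: continue with the next restriction
                continue
            verb, _, arg = action.partition(" ")
            if verb in ("OK", "PERMIT"):
                return "permit", content_filter
            if verb.startswith("REJECT"):
                return "reject", None
            if verb == "FILTER":  # evaluation continues; the last FILTER to fire wins
                content_filter = arg
    return "dunno", content_filter


def amavis_decision(content_filter):
    """Policy bank amavis loads for the port the mail arrives on. Without
    'originating' set, amavis logs 'not signing mail which is not originating
    from our site' instead of signing."""
    port = content_filter.rsplit(":", 1)[1]
    bank = INTERFACE_POLICY.get(port)
    originating = bool(POLICY_BANK.get(bank, {}).get("originating"))
    return {"port": port, "policy_bank": bank, "originating": originating,
            "dkim_signing_possible": originating}


def route(session, **options):
    """Postfix restriction outcome plus the resulting amavis view of the message."""
    decision, content_filter = evaluate(session, **options)
    result = {"restriction_result": decision, "content_filter": content_filter}
    if content_filter:
        result.update(amavis_decision(content_filter))
    return result


if __name__ == "__main__":
    cases = {  # constructed sessions
        "authenticated client": Session("179.177.9.130", True, "user@domain_removed.com"),
        "remote MTA, inbound": Session("203.0.113.9", False, "someone@example.net"),
        "local web application": Session("127.0.0.1", False, "www-data@localhost"),
    }
    for label, s in cases.items():
        print(f"{label:22} -> {route(s)}")
    print("authenticated, without tag_as_originating ->",
          route(cases["authenticated client"], use_originating_tag=False))
```

The model shows why removing tag_as_originating.re breaks signing for authenticated users: permit_sasl_authenticated ends the list before any FILTER has fired, so the mail goes to the default port 10024 and amavis never loads the ORIGINATING bank. It also shows the security reason for tag_as_foreign.re: unauthenticated mail from outside is pushed back to 10024, where it is verified rather than signed, so the server cannot be made to sign other people's mail. Not modelled here: amavis also treats mail from addresses in its own @mynetworks as originating through its MYNETS policy bank, which is why the amavis @mynetworks list in the snippet above should not be wider than the hosts you actually control.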