|
|
| Line 1: |
Line 1: |
| Source: [https://manuel.mausz.at/coding/qmail-dkim/ Manuel Mausz'] Perl script
| | <u>'''notlshosts/FQDN'''</u> |
|
| |
|
| 1. DKIM sign all email with global key
| |
|
| |
|
| Install & create necessary files
| | man '''qmail-remote''' excerpt: |
| # yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
| |
| # qmailctl stop
| |
| # mv /var/qmail/bin/qmail-remote /var/qmail/bin/qmail-remote.orig
| |
| # wget -P /var/qmail/bin https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote
| |
| # chmod 777 /var/qmail/bin/qmail-remote && chown root:qmail /var/qmail/bin/qmail-remote
| |
| # mkdir /var/qmail/control/dkim
| |
| # chown -R qmailr:qmail /var/qmail/control/dkim
| |
| # cd /var/qmail/control/dkim
| |
| # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
| |
| # openssl genrsa -out global.key 2048
| |
| # chmod 644 global.key
| |
| # openssl rsa -in global.key -pubout -out temp.txt
| |
| # cat temp.txt | grep -v - | tr -d '\n' | sed '1s/^/dkim1 IN TXT "k=rsa; p=/' &> public.txt
| |
| # echo "\"" >> public.txt && rm temp.txt
| |
| # qmailctl start
| |
| # cat signconf.xml
| |
| <span style="color:red">
| |
| <dkimsign>
| |
| <!-- per default sign all mails using dkim -->
| |
| <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
| |
| <types id="dkim" />
| |
| </global>
| |
| </dkimsign>
| |
| </span>
| |
| # cat public.txt
| |
| <span style="color:red">
| |
| dkim1._domainkey IN TXT "k=rsa; p=******************************"</span>
| |
| Create DNS TXT record from the above file 'public.txt'
| |
| Host Text
| |
| dkim1._domainkey v=DKIM1; k=rsa; p=*************************
| |
| Your DKIM global key setup is done. Send email to Yahoo or GMail, inspect header.
| |
|
| |
|
| 2. DKIM sign domain with specific key
| | '''qmail-remote''' will not try TLS on servers for which this file exists ('''FQDN''' is the fully-qualified domain name of the server). ([[tlshosts/FQDN.pem takes precedence over this file however). |
| <pre>
| |
| # cd /var/qmail/control/dkim
| |
| # openssl genrsa -out otherdomain.com.key 2048 && openssl rsa -in otherdomain.com.key -pubout -out temp.txt
| |
| # chmod 644 otherdomain.com.key
| |
| # cat temp.txt | grep -v - | tr -d '\n' | sed '1s/^/dkim1 IN TXT "k=rsa; p=/' &> otherdomain.com.txt
| |
| # echo "\"" >> otherdomain.com.txt && rm temp.txt
| |
| # cat otherdomain.com.txt
| |
|
| |
|
| dkim1._domainkey IN TXT "k=rsa; p=******************************"
| |
|
| |
|
| Create DNS TXT record from the above file 'otherdomain.com.txt'
| | Stop TLS encryption for a particular domain: |
| | | 1) # nslookup -type=mx 'domain.tld' |
| Host Text | | domain.tld mail exchanger = 0 mx.domain.tld. |
| dkim1._domainkey v=DKIM1; k=rsa; p=*************************
| | 2) # mkdir /var/qmail/control/notlshosts/ |
| | | 3) # touch /var/qmail/control/notlshosts/mx.domain.tld |
| # cat signconf.xml
| |
| | |
| <dkimsign>
| |
| <!-- per default sign all mails using dkim -->
| |
| <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
| |
| <types id="dkim" />
| |
| </global>
| |
| <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
| |
| <types id="dkim" />
| |
| <types id="domainkey" method="nofws" />
| |
| </otherdomain.com>
| |
| </dkimsign>
| |
| </pre>
| |
| 3. DKIM no signing for domain
| |
| <pre>
| |
| # cd /var/qmail/control/dkim
| |
| # cat signconf.xml
| |
| | |
| <dkimsign>
| |
| <!-- per default sign all mails using dkim -->
| |
| <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
| |
| <types id="dkim" /> | |
| </global>
| |
| <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
| |
| <types id="dkim" />
| |
| <types id="domainkey" method="nofws" />
| |
| </otherdomain.com>
| |
| <nonsigneddomain.com />
| |
| </dkimsign>
| |
| </pre>
| |
| 4. DKIM verification (Spamassassin preferred):
| |
| <pre>
| |
| Assumes:
| |
| a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp
| |
| b. /var/qmail/bin/qmail-queue is a link.
| |
| Note: Spamassassin has DKIM verification making this unnecessary.
| |
| # qmailctl stop
| |
| Add 'export DKVERIFY=1' to /var/qmail/supervise/smtp/run
| |
| Increase softlimit to 128000000 in /var/qmail/supervise/smtp/run
| |
| # cd /var/qmail/bin
| |
| # wget http://www.qmailtoaster.org/dkimverify.pl
| |
| # wget http://www.qmailtoaster.org/qmail-queue.pl.sh
| |
| # chown root:root dkimverify.pl
| |
| # chown qmailq:qmail qmail-queue.pl.sh
| |
| # chmod 755 dkimverify.pl
| |
| # chmod 4777 qmail-queue.pl.sh
| |
| # unlink qmail-queue
| |
| # ln -s qmail-queue.pl.sh qmail-queue
| |
| # qmailctl start
| |
| Send email to user on the host
| |
| Check email header dkim verification
| |
| </pre>
| |
| <pre>
| |
| Notes: | |
| 1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com
| |
| with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required
| |
| to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo
| |
| email account sending to either or both accounts DKIM signatures could be verified.
| |
| Click to test
| |
| 2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility:
| |
| a) # yum install epel-release opendkim*
| |
| b) # opendkim-testkey -vvvv -d otherdomain.com -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1
| |
| | |
| opendkim-testkey: using default configfile /etc/opendkim.conf
| |
| opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions
| |
| opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key
| |
| opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com'
| |
| opendkim-testkey: key OK
| |
| | |
| 3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending
| |
| to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified
| |
| and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It
| |
| seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening
| |
| in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list
| |
| for this issue. Hopefully, this issue is merely a configuration setting, if not, that it is resolved soon.
| |
| </pre>
| |