How to Setup DKIM with Qmail Toaster: Difference between revisions

From QmailToaster
Jump to navigation Jump to search
No edit summary
No edit summary
 
(96 intermediate revisions by the same user not shown)
Line 1: Line 1:
Source: [https://manuel.mausz.at/coding/qmail-dkim/ Manuel Mausz'] Perl script


1. Global key (default for all domains) [[ https://manuel.mausz.at/coding/qmail-dkim/ Here ]]
1. DKIM sign all email with global key
        # yum install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
        # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote
        # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
        # mkdir /var/qmail/control/dkim
        # mv signconf.xml /var/qmail/control/dkim/
        # chown -R qmailr:qmail /var/qmail/control/dkim/
        CentOS 7
        # dknewkey /var/qmail/control/dkim/global.key 1024 > /var/qmail/control/dkim/public.txt
        # perl -pi -e 's/global.key._domainkey/dkim1/' /var/qmail/control/dkim/public.txt
        CentOS 8/9
        # openssl genrsa -out /var/qmail/control/dkim/global.key 2048
        # chmod 644 /var/qmail/control/dkim/global.key
        # openssl rsa -in /var/qmail/control/dkim/global.key -pubout -out ./temp.txt
        # cat ./temp.txt | grep -v - | tr -d '\n' | sed '1s/^/dkim1 IN TXT "k=rsa; p=/' &> /var/qmail/control/dkim/public.txt
        # echo "\"" >> /var/qmail/control/dkim/public.txt && rm ./temp.txt
        # qmailctl stop
        # mv /var/qmail/bin/qmail-remote /var/qmail/bin/qmail-remote.orig
        # mv qmail-remote /var/qmail/bin
        # chmod 777 /var/qmail/bin/qmail-remote
        # chown root:qmail /var/qmail/bin/qmail-remote
        # qmailctl start
        # cat /var/qmail/control/dkim/public.txt


          dkim1._domainkey      IN      TXT    "k=rsa; p=******************************"
'''Set up signing framework'''
# yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
# qmailctl stop
# cd /var/qmail/bin
# mv qmail-remote qmail-remote.orig
<!--# wget -P /var/qmail/bin  https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote-->
<!--# wget https://manuel.mausz.at/coding/qmail-dkim/qmail-dkim-0.3.pl-->
# wget https://raw.githubusercontent.com/qmtoaster/dkim/master/mail-dkim-0.3.pl
# chmod 755 mail-dkim-0.3.pl && chown root:qmail mail-dkim-0.3.pl
# ln -s mail-dkim-0.3.pl qmail-remote
# mkdir /var/qmail/control/dkim
# chown -R qmailr:qmail /var/qmail/control/dkim
# cd dkim
# wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
# openssl genrsa -out global.key 2048 && chmod 644 global.key
# openssl rsa -in global.key -pubout -out global.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' global.txt
# qmailctl start
# cat signconf.xml<span style="color:tomato">
<dkimsign>
  &lt;!-- per default sign all mails using dkim --&gt;
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    <types id="dkim" />
    <types id="domainkey" method="nofws" />
  </global>
</dkimsign></span>
# cat global.txt<span style="color:tomato">
  dkim1._domainkey      IN      TXT    "k=rsa; p=******************************"</span><br>
'''Create DNS TXT record from the above file 'public.txt''''
  Host                                Text
  dkim1._domainkey      v=DKIM1; k=rsa; p=*************************<br>
'''Your DKIM global key setup is done. Send email to Yahoo or GMail, inspect header.'''


        Create DNS TXT record for your domain using the output from public.txt above
2. DKIM sign domain with specific key
# cd /var/qmail/control/dkim
# openssl genrsa -out dom.com.key 2048 && chmod 644 dom.com.key
# openssl rsa -in dom.com.key -pubout -out dom.com.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' dom.com.txt
# cat dom.com.txt<span style="color:tomato">
  dkim1._domainkey      IN      TXT    "k=rsa; p=******************************"</span><br>
'''Create DNS TXT record from the above file 'dom.com.txt''''
Host                                Text
  dkim1._domainkey      v=DKIM1; k=rsa; p=*************************<br>
# cat signconf.xml<span style="color:tomato">
<dkimsign>
  &lt;!-- per default sign all mails using dkim --&gt;
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
  </global><span style="color:red"><strong><br>
  &lt;!-- dkim sign dom.com --&gt;
  <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
  </dom.com></span></strong><br>
</dkimsign></span>
3. DKIM no signing for domain


          Host                                Text
# cd /var/qmail/control/dkim
          dkim1._domainkey      v=DKIM1; k=rsa; p=*************************
# cat signconf.xml<span style="color:tomato">
<dkimsign>
  &lt;!-- per default sign all mails using dkim --&gt;
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
  </global><br>
  &lt;!-- dkim sign dom.com --&gt;
  <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
  </dom.com><br><span style="color:red"><strong><strong>
  &lt;!-- no dkim signing nosigndom.com --&gt;
  <nosigndom.com /></span></strong><br>
</dkimsign></span>


        Your DKIM setup is done.
4. DKIM verification (Spamassassin preferred):
        To test send mail to any yahoo email id and check headers. If errors show in headers then wait for changes to reflect in DNS.
2. DKIM key (other than default)
        Centos 7
        # dknewkey /var/qmail/control/dkim/otherdomain.com.key 1024 > /var/qmail/control/dkim/otherdomain.com.txt
        # perl -pi -e 's/^.*\.key/dkim1/' /var/qmail/control/dkim/otherdomain.com.txt
        CentOS 8/9
        # cd /var/qmail/control/dkim
        # openssl genrsa -out ./otherdomain.com.key 2048 && openssl rsa -in ./otherdomain.com.key -pubout -out ./temp.txt
        # chmod 644 ./otherdomain.com.key
        # cat ./temp.txt | grep -v - | tr -d '\n' | sed '1s/^/dkim1 IN TXT "k=rsa; p=/' &> ./otherdomain.com.txt
        # echo "\"" >> ./otherdomain.com.txt && rm ./temp.txt


        # cat /var/qmail/control/dkim/otherdomain.com.txt
Assumes: 
  a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp
  b. /var/qmail/bin/qmail-queue is a link.
  c. 'export DKVERIFY=1' and '/usr/bin/softlimit -m 128000000' in /var/qmail/supervise/smtp/run
# qmailctl stop
# cd /var/qmail/bin
# wget http://www.qmailtoaster.org/dkimverify.pl
# wget http://www.qmailtoaster.org/qmail-queue.pl.sh
# chown root:root dkimverify.pl
# chown qmailq:qmail qmail-queue.pl.sh
# chmod 755 dkimverify.pl
# chmod 4777 qmail-queue.pl.sh
# unlink qmail-queue
# ln -s qmail-queue.pl.sh qmail-queue
# qmailctl start
Send email to user on the host
Check email header dkim verification


          dkim1._domainkey      IN      TXT    "k=rsa; p=******************************"


        Create DNS TXT record for otherdomain.com using the output from the text file 'otherdomain.com.txt'
Notes:  
 
1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com
          Host                                Text
    with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required
          dkim1._domainkey      v=DKIM1; k=rsa; p=*************************
    to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo
 
    email account sending to either or both accounts DKIM signatures could be verified.
        # vi /var/qmail/control/dkim/signconf.xml (Add)
    Click to test
 
2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility:
          <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
    a) # yum install epel-release opendkim*
            <types id="dkim" />
    b) # opendkim-testkey -vvvv -d otherdomain.com  -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1<br>
            <types id="domainkey" method="nofws" />
        opendkim-testkey: using default configfile /etc/opendkim.conf
          </otherdomain.com>
        opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions
 
        opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key
        So file looks like this:
        opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com'
 
        opendkim-testkey: key OK<br>
        <dkimsign>
3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending
          <!-- per default sign all mails using dkim -->
    to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified
          <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It  
            <types id="dkim" />
    seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening  
          </global>
    in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list
          <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
    for this issue. Hopefully, this issue is  merely a configuration setting, if not, that it is resolved soon.
            <types id="dkim" />
            <types id="domainkey" method="nofws" />
          </otherdomain.com>
        </dkimsign>
 
3. Prevent DKIM signing for a domain
        # vi /var/qmail/control/dkim/signconf.xml (Add)
 
          <nonsigneddomain.com />
 
        So file looks like this:
 
        <dkimsign>
          <!-- per default sign all mails using dkim -->
          <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
            <types id="dkim" />
          </global>
          <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
            <types id="dkim" />
            <types id="domainkey" method="nofws" />
          </otherdomain.com>
          <nonsigneddomain.com />
        </dkimsign>
 
4. DKIM verification (no patch):
        Assumes 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp
        && /var/qmail/bin/qmail-queue is a link.
        Note: Spamassassin has DKIM verification making this unnecessary.
            # qmailctl stop
            Add 'export DKVERIFY=1' to /var/qmail/supervise/smtp/run
            Increase softlimit to 128000000 in /var/qmail/supervise/smtp/run
            # cd /var/qmail/bin
            # wget http://www.qmailtoaster.org/dkimverify.pl
            # wget http://www.qmailtoaster.org/qmail-queue.pl.sh
            # chown root:root dkimverify.pl
            # chown qmailq:qmail qmail-queue.pl.sh
            # chmod 755 dkimverify.pl
            # chmod 4777 qmail-queue.pl.sh
            # unlink qmail-queue
            # ln -s qmail-queue.pl.sh qmail-queue
            # qmailctl start
            Send email to user on the host
            Check email header dkim verification
 
  Notes:  
          1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com
            with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required
            to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL or Yahoo
            email account sending to either or both accounts DKIM signatures could be verified.
            Click to test
          2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility:
            a) # yum install epel-release opendkim*
            b) # opendkim-testkey -vvvv -d otherdomain.com  -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1
 
                  opendkim-testkey: using default configfile /etc/opendkim.conf
                  opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions
                  opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key
                  opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com'
                  opendkim-testkey: key OK
 
          3) dknewkey creates by default a 384 bit key. For a larger key use the following syntax :
            # dknewkey domain.tld.key 1024 > domain.tld.txt
          4) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending
            to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified
            and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It  
            seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening  
            in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list
            for this issue. Hopefully, this issue is  merely a configuration setting, if not, that it is resolved soon.

Latest revision as of 21:18, 24 April 2024

Source: Manuel Mausz' Perl script

1. DKIM sign all email with global key 

Set up signing framework
# yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
# qmailctl stop
# cd /var/qmail/bin
# mv qmail-remote qmail-remote.orig
# wget https://raw.githubusercontent.com/qmtoaster/dkim/master/mail-dkim-0.3.pl
# chmod 755 mail-dkim-0.3.pl && chown root:qmail mail-dkim-0.3.pl
# ln -s mail-dkim-0.3.pl qmail-remote
# mkdir /var/qmail/control/dkim
# chown -R qmailr:qmail /var/qmail/control/dkim
# cd dkim
# wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
# openssl genrsa -out global.key 2048 && chmod 644 global.key
# openssl rsa -in global.key -pubout -out global.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' global.txt
# qmailctl start
# cat signconf.xml
<dkimsign>
 <!-- per default sign all mails using dkim -->
 <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
   <types id="dkim" />
   <types id="domainkey" method="nofws" />
 </global>
</dkimsign>
# cat global.txt
 dkim1._domainkey      IN      TXT     "k=rsa; p=******************************"

Create DNS TXT record from the above file 'public.txt'
 Host                                Text
 dkim1._domainkey       	v=DKIM1; k=rsa; p=*************************

Your DKIM global key setup is done. Send email to Yahoo or GMail, inspect header.

2. DKIM sign domain with specific key 

# cd /var/qmail/control/dkim
# openssl genrsa -out dom.com.key 2048 && chmod 644 dom.com.key
# openssl rsa -in dom.com.key -pubout -out dom.com.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' dom.com.txt
# cat dom.com.txt
 dkim1._domainkey       IN      TXT     "k=rsa; p=******************************"

Create DNS TXT record from the above file 'dom.com.txt'
Host                                Text
 dkim1._domainkey       	v=DKIM1; k=rsa; p=*************************

# cat signconf.xml
<dkimsign>
 <!-- per default sign all mails using dkim -->
 <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
 </global>

 <!-- dkim sign dom.com -->
 <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
 </dom.com>

</dkimsign>

3. DKIM no signing for domain 

# cd /var/qmail/control/dkim
# cat signconf.xml
<dkimsign>
 <!-- per default sign all mails using dkim -->
 <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
 </global>

 <!-- dkim sign dom.com -->
 <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
 </dom.com>

 <!-- no dkim signing nosigndom.com -->
 <nosigndom.com />

</dkimsign>

4. DKIM verification (Spamassassin preferred): 

Assumes:  
  a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp 
  b. /var/qmail/bin/qmail-queue is a link.
  c. 'export DKVERIFY=1' and '/usr/bin/softlimit -m 128000000' in /var/qmail/supervise/smtp/run
# qmailctl stop
# cd /var/qmail/bin
# wget http://www.qmailtoaster.org/dkimverify.pl
# wget http://www.qmailtoaster.org/qmail-queue.pl.sh
# chown root:root dkimverify.pl
# chown qmailq:qmail qmail-queue.pl.sh
# chmod 755 dkimverify.pl
# chmod 4777 qmail-queue.pl.sh
# unlink qmail-queue
# ln -s qmail-queue.pl.sh qmail-queue
# qmailctl start
Send email to user on the host
Check email header dkim verification



Notes: 
1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com
   with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required
   to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo
   email account sending to either or both accounts DKIM signatures could be verified.
   Click to test
2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility:
   a) # yum install epel-release opendkim*
   b) # opendkim-testkey -vvvv -d otherdomain.com  -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1

        opendkim-testkey: using default configfile /etc/opendkim.conf
        opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions
        opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key
        opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com'
        opendkim-testkey: key OK

3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending
   to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified
   and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It 
   seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening 
   in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list
   for this issue. Hopefully, this issue is  merely a configuration setting, if not, that it is resolved soon.
Retrieved from "http://wiki.qmailtoaster.org:80/index.php?title=How_to_Setup_DKIM_with_Qmail_Toaster&oldid=1087"