How to Setup DKIM with Qmail Toaster: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (65 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
1. DKIM sign all email with global key | 1. DKIM sign all email with global key | ||
'''Set up signing framework''' | |||
# yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser | # yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser | ||
# qmailctl stop | # qmailctl stop | ||
# | # cd /var/qmail/bin | ||
# wget -P /var/qmail/bin https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote | # mv qmail-remote qmail-remote.orig | ||
# | <!--# wget -P /var/qmail/bin https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote--> | ||
<!--# wget https://manuel.mausz.at/coding/qmail-dkim/qmail-dkim-0.3.pl--> | |||
# wget https://raw.githubusercontent.com/qmtoaster/dkim/master/mail-dkim-0.3.pl | |||
# chmod 755 mail-dkim-0.3.pl && chown root:qmail mail-dkim-0.3.pl | |||
# ln -s mail-dkim-0.3.pl qmail-remote | |||
# mkdir /var/qmail/control/dkim | # mkdir /var/qmail/control/dkim | ||
# chown -R qmailr:qmail /var/qmail/control/dkim | # chown -R qmailr:qmail /var/qmail/control/dkim | ||
# | # cd dkim | ||
# openssl genrsa -out | # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml | ||
# openssl genrsa -out global.key 2048 && chmod 644 global.key | |||
# openssl rsa -in | # openssl rsa -in global.key -pubout -out global.txt | ||
# | # perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' global.txt | ||
# qmailctl start | # qmailctl start | ||
# cat signconf.xml<span style="color:tomato"> | |||
# cat | |||
<dkimsign> | <dkimsign> | ||
<!-- per default sign all mails using dkim --> | |||
<global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> | <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> | ||
<types id="dkim" /> | <types id="dkim" /> | ||
<types id="domainkey" method="nofws" /> | |||
</global> | </global> | ||
</dkimsign> | </dkimsign></span> | ||
# cat global.txt<span style="color:tomato"> | |||
# cat | dkim1._domainkey IN TXT "k=rsa; p=******************************"</span><br> | ||
'''Create DNS TXT record from the above file 'public.txt'''' | |||
dkim1._domainkey IN TXT "k=rsa; p=******************************" | |||
Create DNS TXT record | |||
Host Text | Host Text | ||
dkim1._domainkey v=DKIM1; k=rsa; p=************************* | dkim1._domainkey v=DKIM1; k=rsa; p=*************************<br> | ||
'''Your DKIM global key setup is done. Send email to Yahoo or GMail, inspect header.''' | |||
2. DKIM sign domain with specific key | 2. DKIM sign domain with specific key | ||
# cd /var/qmail/control/dkim | # cd /var/qmail/control/dkim | ||
# openssl genrsa -out | # openssl genrsa -out dom.com.key 2048 && chmod 644 dom.com.key | ||
# | # openssl rsa -in dom.com.key -pubout -out dom.com.txt | ||
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' dom.com.txt | |||
# cat dom.com.txt<span style="color:tomato"> | |||
# cat | dkim1._domainkey IN TXT "k=rsa; p=******************************"</span><br> | ||
'''Create DNS TXT record from the above file 'dom.com.txt'''' | |||
dkim1._domainkey IN TXT "k=rsa; p=******************************" | |||
Create DNS TXT record | |||
Host Text | Host Text | ||
dkim1._domainkey v=DKIM1; k=rsa; p=************************* | dkim1._domainkey v=DKIM1; k=rsa; p=*************************<br> | ||
# cat signconf.xml<span style="color:tomato"> | |||
# cat | |||
<dkimsign> | <dkimsign> | ||
<!-- per default sign all mails using dkim --> | |||
<global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> | <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> | ||
<types id="dkim" /> | <types id="dkim" /> | ||
<types id="domainkey" method="nofws" /> | <types id="domainkey" method="nofws" /> | ||
</ | </global><span style="color:red"><strong><br> | ||
</dkimsign> | <!-- dkim sign dom.com --> | ||
</ | <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1"> | ||
<types id="dkim" /> | |||
<types id="domainkey" method="nofws" /> | |||
</dom.com></span></strong><br> | |||
</dkimsign></span> | |||
3. DKIM no signing for domain | 3. DKIM no signing for domain | ||
# cd /var/qmail/control/dkim | |||
# cat signconf.xml<span style="color:tomato"> | |||
<dkimsign> | <dkimsign> | ||
<!-- per default sign all mails using dkim --> | |||
<global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> | <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> | ||
<types id="dkim" /> | <types id="dkim" /> | ||
</global> | <types id="domainkey" method="nofws" /> | ||
< | </global><br> | ||
<!-- dkim sign dom.com --> | |||
<dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1"> | |||
<types id="dkim" /> | <types id="dkim" /> | ||
<types id="domainkey" method="nofws" /> | <types id="domainkey" method="nofws" /> | ||
</ | </dom.com><br><span style="color:red"><strong><strong> | ||
< | <!-- no dkim signing nosigndom.com --> | ||
</dkimsign> | <nosigndom.com /></span></strong><br> | ||
</ | </dkimsign></span> | ||
4. DKIM verification (Spamassassin preferred): | 4. DKIM verification (Spamassassin preferred): | ||
Assumes: | Assumes: | ||
a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp | a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp | ||
b. /var/qmail/bin/qmail-queue is a link. | b. /var/qmail/bin/qmail-queue is a link. | ||
c. 'export DKVERIFY=1' and '/usr/bin/softlimit -m 128000000' in /var/qmail/supervise/smtp/run | |||
# qmailctl stop | # qmailctl stop | ||
# cd /var/qmail/bin | # cd /var/qmail/bin | ||
# wget http://www.qmailtoaster.org/dkimverify.pl | # wget http://www.qmailtoaster.org/dkimverify.pl | ||
| Line 106: | Line 97: | ||
Send email to user on the host | Send email to user on the host | ||
Check email header dkim verification | Check email header dkim verification | ||
3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending | Notes: | ||
1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com | |||
with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required | |||
to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo | |||
email account sending to either or both accounts DKIM signatures could be verified. | |||
Click to test | |||
2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility: | |||
a) # yum install epel-release opendkim* | |||
b) # opendkim-testkey -vvvv -d otherdomain.com -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1<br> | |||
opendkim-testkey: using default configfile /etc/opendkim.conf | |||
opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions | |||
opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key | |||
opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com' | |||
opendkim-testkey: key OK<br> | |||
3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending | |||
to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified | |||
and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It | |||
seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening | |||
in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list | |||
for this issue. Hopefully, this issue is merely a configuration setting, if not, that it is resolved soon. | |||
Latest revision as of 21:18, 24 April 2024
Source: Manuel Mausz' Perl script
1. DKIM sign all email with global key
Set up signing framework # yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser # qmailctl stop # cd /var/qmail/bin # mv qmail-remote qmail-remote.orig # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/mail-dkim-0.3.pl # chmod 755 mail-dkim-0.3.pl && chown root:qmail mail-dkim-0.3.pl # ln -s mail-dkim-0.3.pl qmail-remote # mkdir /var/qmail/control/dkim # chown -R qmailr:qmail /var/qmail/control/dkim # cd dkim # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml # openssl genrsa -out global.key 2048 && chmod 644 global.key # openssl rsa -in global.key -pubout -out global.txt # perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' global.txt # qmailctl start # cat signconf.xml <dkimsign> <!-- per default sign all mails using dkim --> <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> <types id="dkim" /> <types id="domainkey" method="nofws" /> </global> </dkimsign> # cat global.txt dkim1._domainkey IN TXT "k=rsa; p=******************************"
Create DNS TXT record from the above file 'public.txt' Host Text dkim1._domainkey v=DKIM1; k=rsa; p=*************************
Your DKIM global key setup is done. Send email to Yahoo or GMail, inspect header.
2. DKIM sign domain with specific key
# cd /var/qmail/control/dkim # openssl genrsa -out dom.com.key 2048 && chmod 644 dom.com.key # openssl rsa -in dom.com.key -pubout -out dom.com.txt # perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' dom.com.txt # cat dom.com.txt dkim1._domainkey IN TXT "k=rsa; p=******************************"
Create DNS TXT record from the above file 'dom.com.txt' Host Text dkim1._domainkey v=DKIM1; k=rsa; p=*************************
# cat signconf.xml <dkimsign> <!-- per default sign all mails using dkim --> <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> <types id="dkim" /> <types id="domainkey" method="nofws" /> </global>
<!-- dkim sign dom.com --> <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1"> <types id="dkim" /> <types id="domainkey" method="nofws" /> </dom.com>
</dkimsign>
3. DKIM no signing for domain
# cd /var/qmail/control/dkim
# cat signconf.xml
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</global>
<!-- dkim sign dom.com -->
<dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</dom.com>
<!-- no dkim signing nosigndom.com -->
<nosigndom.com />
</dkimsign>
4. DKIM verification (Spamassassin preferred):
Assumes: a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp b. /var/qmail/bin/qmail-queue is a link. c. 'export DKVERIFY=1' and '/usr/bin/softlimit -m 128000000' in /var/qmail/supervise/smtp/run # qmailctl stop # cd /var/qmail/bin # wget http://www.qmailtoaster.org/dkimverify.pl # wget http://www.qmailtoaster.org/qmail-queue.pl.sh # chown root:root dkimverify.pl # chown qmailq:qmail qmail-queue.pl.sh # chmod 755 dkimverify.pl # chmod 4777 qmail-queue.pl.sh # unlink qmail-queue # ln -s qmail-queue.pl.sh qmail-queue # qmailctl start Send email to user on the host Check email header dkim verification
Notes: 1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo email account sending to either or both accounts DKIM signatures could be verified. Click to test 2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility: a) # yum install epel-release opendkim* b) # opendkim-testkey -vvvv -d otherdomain.com -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1
opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com' opendkim-testkey: key OK
3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list for this issue. Hopefully, this issue is merely a configuration setting, if not, that it is resolved soon.