How to Setup DKIM with Qmail Toaster: Difference between revisions

Source: Manuel Mausz' Perl script

1. DKIM sign all email with global key

Install & create necessary files
# yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
# qmailctl stop
# mv /var/qmail/bin/qmail-remote /var/qmail/bin/qmail-remote.orig
# wget -P /var/qmail/bin  https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote
# chmod 777 /var/qmail/bin/qmail-remote && chown root:qmail /var/qmail/bin/qmail-remote
# mkdir /var/qmail/control/dkim
# chown -R qmailr:qmail /var/qmail/control/dkim
# cd /var/qmail/control/dkim
# wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
# openssl genrsa -out global.key 2048
# chmod 644 global.key
# openssl rsa -in global.key -pubout -out temp.txt
# cat temp.txt | grep -v - | tr -d '\n' | sed '1s/^/dkim1 IN TXT "k=rsa; p=/' &> public.txt
# echo "\"" >> public.txt && rm temp.txt
# qmailctl start
# cat signconf.xml

<dkimsign>
 <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
   <types id="dkim" />
 </global>
</dkimsign>

# cat public.txt

 dkim1._domainkey      IN      TXT     "k=rsa; p=******************************"

Create DNS TXT record from the above file 'public.txt'
 Host                                Text
 dkim1._domainkey       	v=DKIM1; k=rsa; p=*************************

Your DKIM global key setup is done. Send email to Yahoo or GMail, inspect header.

2. DKIM sign domain with specific key

 # cd /var/qmail/control/dkim
 # openssl genrsa -out otherdomain.com.key 2048 && openssl rsa -in otherdomain.com.key -pubout -out temp.txt
 # chmod 644 otherdomain.com.key
 # cat temp.txt | grep -v - | tr -d '\n' | sed '1s/^/dkim1 IN TXT "k=rsa; p=/' &> otherdomain.com.txt
 # echo "\"" >> otherdomain.com.txt && rm temp.txt
 # cat otherdomain.com.txt

  dkim1._domainkey       IN      TXT     "k=rsa; p=******************************"

Create DNS TXT record from the above file 'otherdomain.com.txt'

 Host                                Text
  dkim1._domainkey       	v=DKIM1; k=rsa; p=*************************

 # cat signconf.xml

 <dkimsign>
  <!-- per default sign all mails using dkim -->
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
  <types id="dkim" />
  </global>
  <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
   <types id="dkim" />
   <types id="domainkey" method="nofws" />
  </otherdomain.com>
 </dkimsign>

3. DKIM no signing for domain

 # cd /var/qmail/control/dkim
 # cat signconf.xml

 <dkimsign>
  <!-- per default sign all mails using dkim -->
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
   <types id="dkim" />
  </global>
  <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
   <types id="dkim" />
   <types id="domainkey" method="nofws" />
  </otherdomain.com>
  <nonsigneddomain.com />
 </dkimsign>

4. DKIM verification (Spamassassin preferred):

 Assumes:  
   a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp 
   b. /var/qmail/bin/qmail-queue is a link.
 Note: Spamassassin has DKIM verification making this unnecessary.
 # qmailctl stop
     Add 'export DKVERIFY=1' to /var/qmail/supervise/smtp/run
     Increase softlimit to 128000000 in /var/qmail/supervise/smtp/run
 # cd /var/qmail/bin
 # wget http://www.qmailtoaster.org/dkimverify.pl
 # wget http://www.qmailtoaster.org/qmail-queue.pl.sh
 # chown root:root dkimverify.pl
 # chown qmailq:qmail qmail-queue.pl.sh
 # chmod 755 dkimverify.pl
 # chmod 4777 qmail-queue.pl.sh
 # unlink qmail-queue
 # ln -s qmail-queue.pl.sh qmail-queue
 # qmailctl start
 Send email to user on the host
 Check email header dkim verification

   Notes: 
    1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com
       with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required
       to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo
       email account sending to either or both accounts DKIM signatures could be verified.
       Click to test
    2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility:
       a) # yum install epel-release opendkim*
       b) # opendkim-testkey -vvvv -d otherdomain.com  -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1

            opendkim-testkey: using default configfile /etc/opendkim.conf
            opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions
            opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key
            opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com'
            opendkim-testkey: key OK

    3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending
       to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified
       and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It 
       seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening 
       in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list
       for this issue. Hopefully, this issue is  merely a configuration setting, if not, that it is resolved soon.