How to Setup DKIM with Qmail Toaster: Difference between revisions

From QmailToaster
Jump to navigation Jump to search
No edit summary
No edit summary
(59 intermediate revisions by the same user not shown)
Line 2: Line 2:


1. DKIM sign all email with global key
1. DKIM sign all email with global key
<pre>
 
  # yum install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
'''Set up signing framework'''
  # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote
  # yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
  # qmailctl stop
# cd /var/qmail/bin
# mv qmail-remote qmail-remote.orig
<!--# wget -P /var/qmail/bin  https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote-->
# wget https://manuel.mausz.at/coding/qmail-dkim/qmail-dkim-0.3.pl
# chmod 777 qmail-dkim-0.3.pl && chown root:qmail qmail-dkim-0.3.pl
# ln -s qmail-dkim-0.3.pl qmail-remote
# mkdir /var/qmail/control/dkim
# chown -R qmailr:qmail /var/qmail/control/dkim
# cd /var/qmail/control/dkim
  # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
  # wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
# mkdir /var/qmail/control/dkim
  # openssl genrsa -out global.key 2048 && chmod 644 global.key
# mv signconf.xml /var/qmail/control/dkim/
  # openssl rsa -in global.key -pubout -out global.txt
# chown -R qmailr:qmail /var/qmail/control/dkim/
  # perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p="/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' global.txt
  # openssl genrsa -out /var/qmail/control/dkim/global.key 2048
# chmod 644 /var/qmail/control/dkim/global.key
  # openssl rsa -in /var/qmail/control/dkim/global.key -pubout -out ./temp.txt
  # cat ./temp.txt | grep -v - | tr -d '\n' | sed '1s/^/dkim1 IN TXT "k=rsa; p=/' &> /var/qmail/control/dkim/public.txt
# echo "\"" >> /var/qmail/control/dkim/public.txt && rm ./temp.txt
# qmailctl stop
# mv /var/qmail/bin/qmail-remote /var/qmail/bin/qmail-remote.orig
# mv qmail-remote /var/qmail/bin
# chmod 777 /var/qmail/bin/qmail-remote
# chown root:qmail /var/qmail/bin/qmail-remote
  # qmailctl start
  # qmailctl start
 
  # cat signconf.xml<span style="color:tomato">
  # cat /var/qmail/control/dkim/signconf.xml
 
  <dkimsign>
  <dkimsign>
   <!-- per default sign all mails using dkim -->
   <!-- per default sign all mails using dkim -->
Line 28: Line 26:
     <types id="dkim" />
     <types id="dkim" />
   </global>
   </global>
  </dkimsign>
  </dkimsign></span>
 
  # cat global.txt<span style="color:tomato">
  # cat /var/qmail/control/dkim/public.txt
   dkim1._domainkey      IN      TXT    "k=rsa; p=******************************"</span><br>
 
'''Create DNS TXT record from the above file 'public.txt''''
   dkim1._domainkey      IN      TXT    "k=rsa; p=******************************"
 
  Create DNS TXT record for your domain using the output from public.txt above
 
   Host                                Text
   Host                                Text
   dkim1._domainkey      v=DKIM1; k=rsa; p=*************************  
   dkim1._domainkey      v=DKIM1; k=rsa; p=*************************<br>
'''Your DKIM global key setup is done. Send email to Yahoo or GMail, inspect header.'''


  Your DKIM setup is done.
  To test send mail to any yahoo email id and check headers. If errors show in headers then wait for changes to reflect in DNS.
</pre>
2. DKIM sign domain with specific key
2. DKIM sign domain with specific key
<pre>
  # cd /var/qmail/control/dkim
  # cd /var/qmail/control/dkim
  # openssl genrsa -out ./otherdomain.com.key 2048 && openssl rsa -in ./otherdomain.com.key -pubout -out ./temp.txt
  # openssl genrsa -out dom.com.key 2048 && chmod 644 dom.com.key
  # chmod 644 ./otherdomain.com.key
# openssl rsa -in dom.com.key -pubout -out dom.com.txt
# cat ./temp.txt | grep -v - | tr -d '\n' | sed '1s/^/dkim1 IN TXT "k=rsa; p=/' &> ./otherdomain.com.txt
  # perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p="/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' dom.com.txt
# echo "\"" >> ./otherdomain.com.txt && rm ./temp.txt
  # cat dom.com.txt<span style="color:tomato">
  # cat /var/qmail/control/dkim/otherdomain.com.txt
   dkim1._domainkey      IN      TXT    "k=rsa; p=******************************"</span><br>
 
  '''Create DNS TXT record from the above file 'dom.com.txt''''
   dkim1._domainkey      IN      TXT    "k=rsa; p=******************************"
 
  Create DNS TXT record for otherdomain.com using the output from the text file 'otherdomain.com.txt'
 
  Host                                Text
  Host                                Text
   dkim1._domainkey      v=DKIM1; k=rsa; p=*************************
   dkim1._domainkey      v=DKIM1; k=rsa; p=*************************<br>
 
  # cat signconf.xml<span style="color:tomato">
  # cat /var/qmail/control/dkim/signconf.xml
 
  <dkimsign>
  <dkimsign>
   <!-- per default sign all mails using dkim -->
   <!-- per default sign all mails using dkim -->
   <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
   <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
   <types id="dkim" />
   <types id="dkim" />
   </global>
   </global><span style="color:red"><strong>
   <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
   <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
   <types id="dkim" />
   <types id="dkim" />
   <types id="domainkey" method="nofws" />
   <types id="domainkey" method="nofws" />
   </otherdomain.com>
   </dom.com></span></strong>
  </dkimsign>
  </dkimsign></span>
</pre>
3. DKIM no signing for domain
3. DKIM no signing for domain
<pre>
# cat /var/qmail/control/dkim/signconf.xml


# cd /var/qmail/control/dkim
# cat signconf.xml<span style="color:tomato">
  <dkimsign>
  <dkimsign>
   <!-- per default sign all mails using dkim -->
   <!-- per default sign all mails using dkim -->
Line 80: Line 64:
   <types id="dkim" />
   <types id="dkim" />
   </global>
   </global>
   <otherdomain.com domain="otherdomain.com" keyfile="/var/qmail/control/dkim/otherdomain.com.key" selector="dkim1">
   <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
   <types id="dkim" />
   <types id="dkim" />
   <types id="domainkey" method="nofws" />
   <types id="domainkey" method="nofws" />
   </otherdomain.com>
   </dom.com>
   <nonsigneddomain.com />
   <span style="color:red"><strong><strong><nonsigneddomain.com /></span></strong>
  </dkimsign>
  </dkimsign></span>
</pre>
 
4. DKIM verification (Spamassassin preferred):
4. DKIM verification (Spamassassin preferred):
<pre>
 
  Assumes:   
  Assumes:   
   a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp  
   a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp  
   b. /var/qmail/bin/qmail-queue is a link.
   b. /var/qmail/bin/qmail-queue is a link.
Note: Spamassassin has DKIM verification making this unnecessary.
  # qmailctl stop
  # qmailctl stop
     Add 'export DKVERIFY=1' to /var/qmail/supervise/smtp/run
     Add 'export DKVERIFY=1' to /var/qmail/supervise/smtp/run
Line 108: Line 91:
  Send email to user on the host
  Send email to user on the host
  Check email header dkim verification
  Check email header dkim verification
</pre>
<pre>
  Notes:
    1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com
      with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required
      to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo
      email account sending to either or both accounts DKIM signatures could be verified.
      Click to test
    2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility:
      a) # yum install epel-release opendkim*
      b) # opendkim-testkey -vvvv -d otherdomain.com  -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1
            opendkim-testkey: using default configfile /etc/opendkim.conf
            opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions
            opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key
            opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com'
            opendkim-testkey: key OK


     3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending
 
      to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified
Notes:
      and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It  
1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com
      seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening  
    with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required
      in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list
    to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo
      for this issue. Hopefully, this issue is  merely a configuration setting, if not, that it is resolved soon.
    email account sending to either or both accounts DKIM signatures could be verified.
</pre>
    Click to test
2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility:
    a) # yum install epel-release opendkim*
     b) # opendkim-testkey -vvvv -d otherdomain.com  -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1<br>
        opendkim-testkey: using default configfile /etc/opendkim.conf
        opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions
        opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key
        opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com'
        opendkim-testkey: key OK<br>
3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending
    to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified
    and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It  
    seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening  
    in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list
    for this issue. Hopefully, this issue is  merely a configuration setting, if not, that it is resolved soon.

Revision as of 17:12, 24 March 2024

Source: Manuel Mausz' Perl script

1. DKIM sign all email with global key

Set up signing framework
# yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
# qmailctl stop
# cd /var/qmail/bin
# mv qmail-remote qmail-remote.orig
# wget https://manuel.mausz.at/coding/qmail-dkim/qmail-dkim-0.3.pl
# chmod 777 qmail-dkim-0.3.pl && chown root:qmail qmail-dkim-0.3.pl
# ln -s qmail-dkim-0.3.pl qmail-remote
# mkdir /var/qmail/control/dkim
# chown -R qmailr:qmail /var/qmail/control/dkim
# cd /var/qmail/control/dkim
# wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
# openssl genrsa -out global.key 2048 && chmod 644 global.key
# openssl rsa -in global.key -pubout -out global.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p="/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' global.txt
# qmailctl start
# cat signconf.xml
<dkimsign>
 <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
   <types id="dkim" />
 </global>
</dkimsign>
# cat global.txt
 dkim1._domainkey      IN      TXT     "k=rsa; p=******************************"
Create DNS TXT record from the above file 'public.txt' Host Text dkim1._domainkey v=DKIM1; k=rsa; p=*************************
Your DKIM global key setup is done. Send email to Yahoo or GMail, inspect header.

2. DKIM sign domain with specific key

# cd /var/qmail/control/dkim
# openssl genrsa -out dom.com.key 2048 && chmod 644 dom.com.key
# openssl rsa -in dom.com.key -pubout -out dom.com.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p="/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' dom.com.txt
# cat dom.com.txt
 dkim1._domainkey       IN      TXT     "k=rsa; p=******************************"
Create DNS TXT record from the above file 'dom.com.txt' Host Text dkim1._domainkey v=DKIM1; k=rsa; p=*************************
# cat signconf.xml <dkimsign> <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1"> <types id="dkim" /> </global> <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1"> <types id="dkim" /> <types id="domainkey" method="nofws" /> </dom.com> </dkimsign>

3. DKIM no signing for domain

# cd /var/qmail/control/dkim
# cat signconf.xml
<dkimsign>
 <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
  <types id="dkim" />
 </global>
 <dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
 </dom.com>
 <nonsigneddomain.com />
</dkimsign>

4. DKIM verification (Spamassassin preferred):

Assumes:  
  a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp 
  b. /var/qmail/bin/qmail-queue is a link.
# qmailctl stop
    Add 'export DKVERIFY=1' to /var/qmail/supervise/smtp/run
    Increase softlimit to 128000000 in /var/qmail/supervise/smtp/run
# cd /var/qmail/bin
# wget http://www.qmailtoaster.org/dkimverify.pl
# wget http://www.qmailtoaster.org/qmail-queue.pl.sh
# chown root:root dkimverify.pl
# chown qmailq:qmail qmail-queue.pl.sh
# chmod 755 dkimverify.pl
# chmod 4777 qmail-queue.pl.sh
# unlink qmail-queue
# ln -s qmail-queue.pl.sh qmail-queue
# qmailctl start
Send email to user on the host
Check email header dkim verification


Notes: 
1) In order to test your settings, simply send an email to: check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com
   with the suject of "test" (without the quotes) and "Just testing" in the body (also without quotes). It is best but not required
   to have a subject and body because this service will also show you how spamassassin rated your email. If you have a GMAIL/Yahoo
   email account sending to either or both accounts DKIM signatures could be verified.
   Click to test
2) To test your DKIM signature wiith OpenDKIM's 'opendkim-testkey' utility install opendkim and run the utility:
   a) # yum install epel-release opendkim*
   b) # opendkim-testkey -vvvv -d otherdomain.com  -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1
opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com' opendkim-testkey: key OK
3) Testing DKIM signatures sending from Roundcube webmail I found that plain text formatted email caused DKIM failure sending to port25.com and GMAIL recipients, but when sending the same email in Roundcube's html format the DKIM signature was verified and passed. The same email DKIM signature passed with Squirrelmail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It seems that certain email clients will add or subtract characters in the email header causing DKIM to fail. This may be happening in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube user's list for this issue. Hopefully, this issue is merely a configuration setting, if not, that it is resolved soon.