'''Nextcloud installation'''

Assumes Apache, MySQL, & PHP installed

Assumes firewall ports are opened

Necessary PHP packages
<pre>
dnf install php-mbstring php-gd php-pecl-zip php-xml php-json unzip
</pre>

Nextcloud package
<pre>
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip -d /var/www/html
mkdir /var/www/html/nextcloud/data
chown -R apache:apache /var/www/html/nextcloud   # no trailing /* so dotfiles such as .htaccess are included
chcon -h system_u:object_r:httpd_sys_content_t /var/www/html/nextcloud/ -R
</pre>

Database setup
<pre>
MYSQLPW=$password
credfile=~/sql.cnf
echo -e "[client]\nuser=root\npassword=$MYSQLPW\nhost=localhost" > $credfile
chmod 600 $credfile   # the file holds the MySQL root password
mysql --defaults-extra-file=$credfile -e "CREATE USER nextcloud@localhost IDENTIFIED BY 'p@ssw0rd'"
mysql --defaults-extra-file=$credfile -e "GRANT ALL ON nextcloud.* TO nextcloud@localhost"
mysql --defaults-extra-file=$credfile -e "CREATE DATABASE nextcloud;"
mysql --defaults-extra-file=$credfile -e "FLUSH PRIVILEGES;"
</pre>

Admin configuration

Browse to http://nextcloud.host.tld.or.ip/nextcloud

Add users

Add Groupware (Mail, Contacts, Calendar, Desktop, TOTP two-factor authentication)

Users create their own account


'''qmail DKIM signing'''

Source: [https://manuel.mausz.at/coding/qmail-dkim/ Manuel Mausz'] Perl script

1. DKIM sign all email with global key

'''Set up signing framework'''
<pre>
# yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
# qmailctl stop
# cd /var/qmail/bin
# mv qmail-remote qmail-remote.orig
# wget https://manuel.mausz.at/coding/qmail-dkim/qmail-dkim-0.3.pl
# chmod 777 qmail-dkim-0.3.pl && chown root:qmail qmail-dkim-0.3.pl
# ln -s qmail-dkim-0.3.pl qmail-remote
# mkdir /var/qmail/control/dkim
# chown -R qmailr:qmail /var/qmail/control/dkim
# cd /var/qmail/control/dkim
# wget https://raw.githubusercontent.com/qmtoaster/dkim/master/signconf.xml
# openssl genrsa -out global.key 2048 && chmod 644 global.key
# openssl rsa -in global.key -pubout -out global.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' global.txt
# qmailctl start
</pre>
<!--# wget -P /var/qmail/bin https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote-->

The signconf.xml as downloaded signs all mail with the global key:
<pre>
# cat signconf.xml
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
<types id="dkim" />
</global>
</dkimsign>
</pre>

<pre>
# cat global.txt
dkim1._domainkey IN TXT "k=rsa; p=******************************"
</pre>

'''Create DNS TXT record from the above file 'global.txt''''

{|
! Host !! Text
|-
| dkim1._domainkey || v=DKIM1; k=rsa; p=*************************
|}

'''Your DKIM global key setup is done. Send email to Yahoo or Gmail and inspect the header.'''


2. DKIM sign domain with specific key
<pre>
# cd /var/qmail/control/dkim
# openssl genrsa -out dom.com.key 2048 && chmod 644 dom.com.key
# openssl rsa -in dom.com.key -pubout -out dom.com.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' dom.com.txt
# cat dom.com.txt
dkim1._domainkey IN TXT "k=rsa; p=******************************"
</pre>

'''Create DNS TXT record from the above file 'dom.com.txt''''

{|
! Host !! Text
|-
| dkim1._domainkey || v=DKIM1; k=rsa; p=*************************
|}

Add a dom.com block after the global block in signconf.xml (the four lines from the dom.com opening tag to its closing tag are the addition):
<pre>
# cat signconf.xml
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
<types id="dkim" />
</global>
<dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</dom.com>
</dkimsign>
</pre>


3. DKIM no signing for domain

Add an empty element named after the domain (the nonsigneddomain.com line is the addition):
<pre>
# cd /var/qmail/control/dkim
# cat signconf.xml
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
<types id="dkim" />
</global>
<dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</dom.com>
<nonsigneddomain.com />
</dkimsign>
</pre>
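To check a signconf.xml like the ones in sections 1 to 3 without sending mail, the following added example (not from the page or from Manuel Mausz' qmail-dkim script) lists which key signs which domain and builds the DNS TXT record a public key needs, splitting long p= values the way DNS requires. It assumes, from the configs above, that a domain="/path" attribute names a file holding the hostname (qmail's control/me) and that an attribute-less element such as the nonsigneddomain.com one means no signing.

```python
"""Read a qmail-dkim signconf.xml and derive, per domain, the key that signs
it and the DNS TXT record that key needs.  Added example, not from the page
or from the qmail-dkim script.  Assumed from the configs on the page:
domain="/path" names a file holding the hostname (qmail's control/me), and an
attribute-less element such as <nonsigneddomain.com /> means 'do not sign'."""
import xml.etree.ElementTree as ET

# Constructed copy of the section-3 signconf.xml from the page.
SIGNCONF = """<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
<types id="dkim" />
</global>
<dom.com domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</dom.com>
<nonsigneddomain.com />
</dkimsign>"""

def parse_signconf(xml_text, read_file):
    """Return {domain: None | dict}; None means the domain is left unsigned.
    read_file(path) supplies file contents so the parser can run offline."""
    out = {}
    for el in ET.fromstring(xml_text):
        if not el.attrib:                       # e.g. <nonsigneddomain.com />
            out[el.tag] = None
            continue
        dom = el.get("domain", el.tag)
        if dom.startswith("/"):                 # /var/qmail/control/me
            dom = read_file(dom).strip()
        alg = el.get("algorithm")
        warnings = []
        if alg == "rsa-sha1":                   # RFC 8301: verifiers reject it
            warnings.append("rsa-sha1 is obsolete; sign with rsa-sha256")
        out[dom] = {"selector": el.get("selector"), "keyfile": el.get("keyfile"),
                    "algorithm": alg, "method": el.get("method"),
                    "types": [t.get("id") for t in el.findall("types")],
                    "warnings": warnings}
    return out

def dkim_txt_record(selector, domain, pem_pubkey):
    """DNS TXT record for the PEM output of 'openssl rsa -pubout'.  One TXT
    character-string holds at most 255 bytes, so the p= value of a 2048-bit
    key (392 base64 characters) is split across several quoted strings."""
    b64 = "".join(l.strip() for l in pem_pubkey.splitlines()
                  if l.strip() and not l.startswith("-----"))
    value = f"v=DKIM1; k=rsa; p={b64}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}", " ".join(f'"{c}"' for c in chunks)
```

Run `parse_signconf(SIGNCONF, lambda p: open(p).read())` on a real host to use the actual control/me file, and feed `dkim_txt_record` the contents of global.txt or dom.com.txt before the perl one-liner rewrites them.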

4. DKIM verification (SpamAssassin preferred):

Assumes:

a. 'QMAILQUEUE="/var/qmail/bin/simscan"' defined in /etc/tcprules.d/tcp.smtp

b. /var/qmail/bin/qmail-queue is a link.

<pre>
# qmailctl stop
</pre>

Add 'export DKVERIFY=1' to /var/qmail/supervise/smtp/run

Increase softlimit to 128000000 in /var/qmail/supervise/smtp/run

<pre>
# cd /var/qmail/bin
# wget http://www.qmailtoaster.org/dkimverify.pl
# wget http://www.qmailtoaster.org/qmail-queue.pl.sh
# chown root:root dkimverify.pl
# chown qmailq:qmail qmail-queue.pl.sh
# chmod 755 dkimverify.pl
# chmod 4777 qmail-queue.pl.sh
# unlink qmail-queue
# ln -s qmail-queue.pl.sh qmail-queue
# qmailctl start
</pre>

Send email to a user on the host and check the email header for the DKIM verification result.

Notes:

1) To test your settings, simply send an email to check-auth@verifier.port25.com and/or check-auth2@verifier.port25.com with the subject "test" (without the quotes) and "Just testing" in the body (also without quotes). A subject and body are best but not required, because this service will also show you how SpamAssassin rated your email. If you have a Gmail/Yahoo email account, sending to either or both accounts also lets the DKIM signatures be verified.

2) To test your DKIM signature with OpenDKIM's 'opendkim-testkey' utility, install opendkim and run the utility:

a) # yum install epel-release opendkim*

b) # opendkim-testkey -vvvv -d otherdomain.com -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1
<pre>
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: /var/qmail/control/dkim/otherdomain.com.key: WARNING: unsafe permissions
opendkim-testkey: key loaded from /var/qmail/control/dkim/otherdomain.com.key
opendkim-testkey: checking key 'dkim1._domainkey.otherdomain.com'
opendkim-testkey: key OK
</pre>

3) Testing DKIM signatures sending from Roundcube webmail, I found that plain text formatted email caused DKIM failure sending to port25.com and Gmail recipients, but when sending the same email in Roundcube's HTML format the DKIM signature was verified and passed. The same email's DKIM signature passed with SquirrelMail, Thunderbird, and OpenDKIM's 'opendkim-testkey' program. It seems that certain email clients will add or subtract characters in the email header, causing DKIM to fail. This may be happening in Roundcube while other clients do not affect the email header adversely. I have a help request in the Roundcube users' list for this issue. Hopefully this issue is merely a configuration setting; if not, that it is resolved soon.
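Note 3 reports a signature that verifies from some clients and fails from another. How much header rewriting a DKIM signature survives is fixed by the canonicalization it was made with (method="simple" in the signconf.xml above). The added example below, which is not from the page, implements the two RFC 6376 header canonicalizations and shows that a Subject header refolded in transit canonicalizes to the same bytes under relaxed but not under simple; the header values are constructed.

```python
"""RFC 6376 section 3.4 header canonicalization, 'simple' and 'relaxed'.
Added example, not from the page; it shows how whitespace rewriting of a
signed header affects a signature made with method="simple"."""
import re

def canon_header_simple(name, value):
    """'simple': the header field is used exactly as it appears."""
    return f"{name}:{value}\r\n"

def canon_header_relaxed(name, value):
    """'relaxed': lowercase the name, unfold continuation lines, collapse
    WSP runs to one SP, drop WSP at the end and around the colon."""
    value = re.sub(r"\r?\n", "", value)          # unfold
    value = re.sub(r"[ \t]+", " ", value)        # collapse WSP sequences
    return f"{name.lower()}:{value.strip()}\r\n"

def canonicalized_equal(method, a, b):
    """True if two forms (name, value) of a header canonicalize identically,
    i.e. a signature over one would still cover the other."""
    fn = canon_header_simple if method == "simple" else canon_header_relaxed
    return fn(*a) == fn(*b)

# Constructed: the Subject as signed, and the same Subject after a client or
# MTA refolded it over two lines, changed a tab to spaces and added trailing WSP.
SIGNED = ("Subject", " Just testing\tthe DKIM setup")
REFOLDED = ("subject", "  Just testing\r\n  the DKIM setup  ")
```

Body canonicalization has the same two modes; a change in body whitespace breaks a simple-canonicalized signature in the same way.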