doc:appunti:linux:sa:postfix_opendkim [2022/05/23 10:16] – [Add the domain to be signed] niccolo
doc:appunti:linux:sa:postfix_opendkim [2023/10/31 10:39] – [OpenDKIM on Postfix with virtual domains] niccolo
Line 6: Line 6:
 apt install opendkim opendkim-tools apt install opendkim opendkim-tools
 </code> </code>
 +
 +In Debian 11 Bullseye the service is controlled (enable, start, stop, etc.) by Systemd:
 +
 +<code>
 +systemctl status opendkim.service
 +</code>
 +
 +The daemon is listening on port **127.0.0.1:8891/TCP**.
 +
 +The same daemon is used both for signing and verifying. Signing is performed when the **From:** address matches the domains to be signed (see the command line option **%%-d%%** or the **SigningTable** option of the ''/etc/opendkim.conf'' configuration file), verifying is performed in other cases.
 +
  
 ===== Create the keys in /etc/dkimkeys/ ===== ===== Create the keys in /etc/dkimkeys/ =====
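Review bot: in the added paragraph on signing versus verifying, the ''-d'' command-line option is the equivalent of the ''Domain'' setting in ''/etc/opendkim.conf'', not of ''SigningTable''; the two are separate mechanisms, and since this page relies on ''SigningTable''/''KeyTable'' later, point the reader at those and drop the reference to ''-d''. The From: match is also only half of the decision: OpenDKIM signs a message when the connecting host is an internal one (''InternalHosts'', which by default covers only localhost) and the From: address matches the signing table, and verifies in every other case; that is what makes the ''smtpd_milters'' setup in the later hunk safe for mail arriving from the outside, so it is worth one sentence here. Finally, "The daemon is listening on port 127.0.0.1:8891/TCP" describes the value chosen in the Configure OpenDKIM section below, not a packaging default; phrase it as "we configure it to listen on ..." so a reader who skips ahead does not expect that port out of the box.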
Line 45: Line 56:
 </file> </file>
  
-===== Add the domain to be signed =====+===== Add the domain (or single sender) to be signed =====
  
 Into the file **/etc/dkimkeys/signingtable** we declare that mails originating from that domain must be signed: Into the file **/etc/dkimkeys/signingtable** we declare that mails originating from that domain must be signed:
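Review bot: the heading now promises single-sender entries, but the sentence under it still only covers the per-domain case ("mails originating from that domain must be signed"); add a sentence stating that a signingtable key can be a full sender address as well as a domain, and show one such entry next to the domain one, otherwise the reader cannot act on the new heading. It also helps to say here what the key is matched against (the From: header address, as the earlier hunk states), since that is what decides which senders get a signature.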
Line 63: Line 74:
 ===== Configure OpenDKIM ===== ===== Configure OpenDKIM =====
  
-Into the **/etc/opendkim.conf** file we infor OpenDKIM to look into a **KeyTable** to find keys and into a **SigningTable** to know which domains require signing. The service will listen on port **8891/TCP** (should use //Unix domain socket// instead? Better performances? More painfull because Postfix runs in chroot).+Into the **/etc/opendkim.conf** file we inform OpenDKIM to look into a **KeyTable** to find keys and into a **SigningTable** to know which domains require signing. The service will listen on port **8891/TCP** (should use //Unix domain socket// instead? Better performances? More painfull because Postfix runs in chroot).
  
 <file> <file>
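Review bot: the only change in this hunk is the "infor" to "inform" typo, while the same sentence still carries an unanswered question in parentheses ("should use Unix domain socket instead? Better performances? ...") and a second misspelling ("painfull", should be "painful"). Either answer the question or move it out of the page text; the point worth keeping is that an ''inet'' listener on 8891 must be bound to 127.0.0.1 only (as the earlier hunk already states), because any local process that can reach the port can have a message signed, and the same address has to be used consistently in every Postfix milter setting that follows.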
Line 102: Line 113:
 ===== Configure Postfix ===== ===== Configure Postfix =====
  
-To tell Postfix to use the mail filter provided by OpenDKIM, we use the **non_smtpd_milters** option into the file **/etc/postfix/main.cf**. //Non smtpd// means that messages filtered are the ones **not received by the SMTP daemon**, i.e. local submissions via sendmail command line, submissions to the **qmqpd**, ([[wp>Quick Mail Queuing Protocol]] daemomn), re-injected mails.+Message signing with OpenDKIM is performed as a **milter** (mail filter) in Postfix; milters are declared into the **/etc/postfix/main.cf** configuration file. 
 + 
 +Using the **non_smtpd_milters** directive we may add DKIM for locally generated mails, i.e. local submissions via sendmail command line, submissions to the **qmqpd**, ([[wp>Quick Mail Queuing Protocol]] daemomn), re-injected mails. More generally we may apply DKIM signature for all the messages received by the SMTP daemon, using the **smtpd_milters** directive. 
 + 
 +Using custom settings in **/etc/postfix/master.cf**, you can declare specific milters for messages received from your users over the **submission** protocol only (port **587/TCP**). In this snippet of ''master.cf'' we use a custom **mua_milters** directive:
  
 <file> <file>
-# Locally generated mails are filtered with OpenDKIM.+submission inet n           smtpd 
 +  -o syslog_name=postfix/submission 
 +  -o smtpd_tls_security_level=encrypt 
 +  -o smtpd_sasl_auth_enable=yes 
 +  -o smtpd_tls_auth_only=yes 
 +  -o smtpd_client_restrictions=permit_sasl_authenticated,reject 
 +  -o smtpd_milters=$mua_milters 
 +  -o smtpd_sender_restrictions=$mua_sender_restrictions 
 +  -o smtpd_relay_restrictions=$mua_relay_restrictions 
 +</file> 
 + 
 +Having done this, we define the custom **mua_milters** directive in ''main.cf'' to apply SpamAssassin and DKIM filtering on sumbitted messages: 
 + 
 +<file> 
 +# Locally generated mails (e.g. from command line Mutt) are filtered with OpenDKIM.
 non_smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
-# Mails received via SMTP protocol are filtered with OpenDKIM. + 
-This does not include messages received by "postfix/submission/smtpd", +# Mails received via SMTP protocol are filtered with OpenDKIM
-# for that use mua_milters instead? +# messages created using SoGO webmail go through this milter. 
-#smtpd_milters = inet:localhost:8891+smtpd_milters = inet:localhost:8891 
 + 
 +Filters applied (as smtpd_milters) to messages received via SUMBISSION/587; 
 +mua_milters = 
 +    unix:spamass/spamass.sock, 
 +    inet:localhost:8891
 </file> </file>
  
-FIXME This configuration does not sign messages sent to the Postfix service via the **smtp** or **submission** port!+Another important Postfix setting is **milter_default_action**, the default is **tempfail** which means that if the milter does not respond, the message will be held into the queue and retried later. Other settings can be **accept** or **reject**
 + 
 +<file> 
 +milter_default_action = tempfail 
 +</file> 
 + 
 +===== Logging ===== 
 + 
 +When a message passes through the OpenDKIM filter, you get the following line into **mail.log**: 
 + 
 +<code> 
 +opendkim[983999]: 37FDD7D659: DKIM-Signature field added (s=2022, d=rigacci.org) 
 +</code> 
 + 
 +If a message does not match any entry in **/etc/dkimkeys/signingtable**, it will not be signed; the log is: 
 + 
 +<code> 
 +opendkim[983999]: 4778D7D610: no signing table match for 'testmail@rigacci.org' 
 +opendkim[983999]: 4778D7D610: no signature data 
 +</code>
  
 ===== Web References ===== ===== Web References =====
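Review bot: in the second file block of this hunk the line "Filters applied (as smtpd_milters) to messages received via SUMBISSION/587;" is missing its leading ''#'', so as pasted it is not a comment but a malformed main.cf entry with no ''='' that ''postconf'' will warn about; prefix it with ''#'' and fix "SUMBISSION" to "SUBMISSION" (and "sumbitted" in the paragraph introducing the block). The ''submission'' service line of the master.cf snippet has lost its column fields (the ''-'' placeholders for private, unpriv, chroot, wakeup and maxproc between ''n'' and ''smtpd''), so it does not parse as shown; check the wiki source. The security gap: ''$mua_sender_restrictions'' and ''$mua_relay_restrictions'' are referenced from master.cf but never defined on the page, and with ''mua_milters'' signing everything that arrives on port 587, any SASL-authenticated user can obtain a valid DKIM signature for any address in the signing table unless the sender restrictions tie the envelope sender (and ideally the From: header) to the login, for instance ''reject_sender_login_mismatch'' together with ''smtpd_sender_login_maps''; define them and say why they matter. Lastly, the description of ''milter_default_action = tempfail'' is wrong for ''smtpd_milters'': Postfix answers the SMTP client with a temporary (4xx) error and the remote side retries, so nothing is held in the local queue; only for ''non_smtpd_milters'' (cleanup) is a locally submitted message deferred and retried from the queue. ''quarantine'' is the fourth possible value alongside ''accept'' and ''reject''.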
doc/appunti/linux/sa/postfix_opendkim.txt · Last modified: 2023/10/31 11:06 by niccolo