doc:appunti:linux:sa:postfix_opendkim

doc:appunti:linux:sa:postfix_opendkim [2022/05/12 13:04] – [Configure Postfix] niccolo
doc:appunti:linux:sa:postfix_opendkim [2023/10/31 11:06] (current) – [OpenDKIM on Postfix with virtual domains] niccolo
Line 1: Line 1:
 ====== OpenDKIM on Postfix with virtual domains ====== ====== OpenDKIM on Postfix with virtual domains ======
  
-In this article we will install **[[http://www.opendkim.org/|OpenDKIM]]** on a GNU/Linux mail server based on **Debian 11 Buster**. The mail service is provided by **Postfix** configured for virtual domains using **virtual_alias_domains**.+In this tutorial we will install **[[http://www.opendkim.org/|OpenDKIM]]** on a GNU/Linux mail server based on **Debian 11 Buster**. The mail service is provided by **Postfix** configured for virtual domains using **virtual_alias_domains**.
  
 <code> <code>
 apt install opendkim opendkim-tools apt install opendkim opendkim-tools
 </code> </code>
 +
 +In Debian 11 Bullseye the service is controlled (enable, start, stop, etc.) by Systemd:
 +
 +<code>
 +systemctl status opendkim.service
 +</code>
 +
 +Because Postfix is running into a chroot, it cannot access the ''/run/opendkim/opendkim.sock'' Unix socket to communicate with opendkim, so we change the ''Socket'' option into **/etc/opendkim.conf** and make the daemon to be listening on port **127.0.0.1:8891/TCP**:
 +
 +<file>
 +Socket  inet:8891@localhost
 +</file>
 +
 +The same daemon is used both for signing and verifying. Signing is performed when the client connecting to the MUA is authenticated and the **From:** address matches the domains to be signed (see the command line option **%%-d%%** or the **SigningTable** option of the ''/etc/opendkim.conf'' configuration file), verifying is performed in other cases.
  
 ===== Create the keys in /etc/dkimkeys/ ===== ===== Create the keys in /etc/dkimkeys/ =====
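Review bot: the introduction names the release "Debian 11 Buster" in both revisions, while the added paragraph a few lines below says "Debian 11 Bullseye"; Debian 11's codename is Bullseye (Buster is Debian 10), so the introduction should be corrected to "Debian 11 Bullseye". In the added signing/verifying paragraph, "when the client connecting to the MUA is authenticated" has the roles reversed: the MUA is the client, so it should read "when the MUA connecting to the submission service is authenticated". Minor wording in the chroot paragraph: "running into a chroot" should be "running in a chroot" and "make the daemon to be listening" should be "make the daemon listen".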
Line 45: Line 59:
 </file> </file>
  
-===== Add the domain to be signed =====+===== Add the domain (or single sender) to be signed =====
  
 Into the file **/etc/dkimkeys/signingtable** we declare that mails originating from that domain must be signed: Into the file **/etc/dkimkeys/signingtable** we declare that mails originating from that domain must be signed:
Line 53: Line 67:
 </file> </file>
  
-**NOTICE**: The use of the wildcard to indicate all the mails from a domain, the //signingtable// must be declared with **refile** (regular expression file) into the configuration file. Otherwise you have to specify every mail sender to be signed.+**NOTICE**: The use of the wildcard (to indicate all the senders from a domain) is possibile if //signingtable// is declared with **refile** (regular expression file) into the configuration file. Otherwise you have to specify every single sender address where signing is to be applied.
  
 Remember to reload OpenDKIM after changing the **signingtable**: Remember to reload OpenDKIM after changing the **signingtable**:
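Review bot: typo in the NOTICE, "possibile" should be "possible". The notice would be clearer if it showed the line it refers to: the SigningTable entry in /etc/opendkim.conf must carry the refile: prefix, i.e. `SigningTable refile:/etc/dkimkeys/signingtable`, for the wildcard form of the signingtable to be accepted.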
Line 63: Line 77:
 ===== Configure OpenDKIM ===== ===== Configure OpenDKIM =====
  
-Into the **/etc/opendkim.conf** file we infor OpenDKIM to look into a **KeyTable** to find keys and into a **SigningTable** to know which domains require signing. The service will listen on port **8891/TCP** (should use //Unix domain socket// instead? Better performances? More painfull because Postfix runs in chroot).+Into the **/etc/opendkim.conf** file we inform OpenDKIM to look into a **KeyTable** to find keys and into a **SigningTable** to know which domains require signing. The service will listen on port **8891/TCP** (should use //Unix domain socket// instead? Better performances? More painfull because Postfix runs in chroot).
  
 <file> <file>
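Review bot: "painfull" should be "painful" (the "infor" → "inform" fix in the same line is good). The parenthetical still leaves the Unix-socket question open, although the earlier hunk already settles it with `Socket inet:8891@localhost` because Postfix runs chrooted; replacing the question with a plain statement of that decision would avoid confusing the reader.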
Line 102: Line 116:
 ===== Configure Postfix ===== ===== Configure Postfix =====
  
-To tell Postfix to use the mail filter provided by OpenDKIM, we use the **non_smtpd_milters** option into the file **/etc/postfix/main.cf**. //Non smtpd// means that messages filtered are the ones **not received by the SMTP daemon**, i.e. local submissions via sendmail command line, submissions to the **qmqpd**, ([[wp>Quick Mail Queuing Protocol]] daemomn), re-injected mails.+Message signing with OpenDKIM is performed as a **milter** (mail filter) in Postfix; milters are declared into the **/etc/postfix/main.cf** configuration file. 
 + 
 +Using the **non_smtpd_milters** directive we may add DKIM for locally generated mails, i.e. local submissions via sendmail command line, submissions to the **qmqpd**, ([[wp>Quick Mail Queuing Protocol]] daemomn), re-injected mails. More generally we may apply DKIM signature for all the messages received by the SMTP daemon, using the **smtpd_milters** directive. 
 + 
 +Using custom settings in **/etc/postfix/master.cf**, you can declare specific milters for messages received from your users over the **submission** protocol only (port **587/TCP**). In this snippet of ''master.cf'' we use a custom **mua_milters** directive:
  
 <file> <file>
-# Locally generated mails are filtered with OpenDKIM.+submission inet n           smtpd 
 +  -o syslog_name=postfix/submission 
 +  -o smtpd_tls_security_level=encrypt 
 +  -o smtpd_sasl_auth_enable=yes 
 +  -o smtpd_tls_auth_only=yes 
 +  -o smtpd_client_restrictions=permit_sasl_authenticated,reject 
 +  -o smtpd_milters=$mua_milters 
 +  -o smtpd_sender_restrictions=$mua_sender_restrictions 
 +  -o smtpd_relay_restrictions=$mua_relay_restrictions 
 +</file> 
 + 
 +Having done this, we define the custom **mua_milters** directive in ''main.cf'' to apply SpamAssassin and DKIM filtering on sumbitted messages: 
 + 
 +<file> 
 +# Locally generated mails (e.g. from command line Mutt) are filtered with OpenDKIM.
 non_smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
-# Mails received via SMTP protocol are filtered with OpenDKIM. + 
-This does not include messages received by "postfix/submission/smtpd", +# Mails received via SMTP protocol are filtered with OpenDKIM
-# for that use mua_milters instead? +# messages created using SoGO webmail go through this milter. 
-#smtpd_milters = inet:localhost:8891+smtpd_milters = inet:localhost:8891 
 + 
 +Filters applied (as smtpd_milters) to messages received via SUMBISSION/587; 
 +mua_milters = 
 +    unix:spamass/spamass.sock, 
 +    inet:localhost:8891
 </file> </file>
  
-FIXME This configuration does not sign messages sent to the Postfix service via the **smtp** or **submission** port!+Another important Postfix setting is **milter_default_action**, the default is **tempfail** which means that if the milter does not respond, the message will be held into the queue and retried later. Other settings can be **accept** or **reject**
 + 
 +<file> 
 +milter_default_action = tempfail 
 +</file> 
 + 
 +===== Logging ===== 
 + 
 +When a message passes through the OpenDKIM filter, you get the following line into **mail.log**: 
 + 
 +<code> 
 +opendkim[983999]: 37FDD7D659: DKIM-Signature field added (s=2022, d=rigacci.org) 
 +</code> 
 + 
 +If a message does not match any entry in **/etc/dkimkeys/signingtable**, it will not be signed; the log is: 
 + 
 +<code> 
 +opendkim[983999]: 4778D7D610: no signing table match for 'testmail@rigacci.org' 
 +opendkim[983999]: 4778D7D610: no signature data 
 +</code>
  
 ===== Web References ===== ===== Web References =====
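Review bot: in the main.cf block, the line `Filters applied (as smtpd_milters) to messages received via SUMBISSION/587;` is a comment missing its leading `#`, so Postfix will try to parse it as a parameter and reject the configuration; it should read `# Filters applied (as smtpd_milters) to messages received via SUBMISSION/587.` The master.cf snippet shows `submission inet n           smtpd` with the intermediate columns missing: master.cf needs all eight fields (service type private unpriv chroot wakeup maxproc command), e.g. `submission inet n - y - - smtpd` for the chrooted setup this page describes. Typos: "daemomn" should be "daemon" (present in both revisions), "sumbitted" should be "submitted", and both the "# Mails received via SMTP protocol are filtered with OpenDKIM" comment and the milter_default_action sentence ("Other settings can be accept or reject") are missing their terminal periods.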
doc/appunti/linux/sa/postfix_opendkim.1652353456.txt.gz · Last modified: 2022/05/12 13:04 by niccolo