Cannot sign with DKIM on same-server web and mail

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Cannot sign with DKIM on same-server web and mail

linkcheck
I've looked online for solutions to this problem (including postfix and
sendmail documentation) but with no luck so far.

I've  been running a Postfix mail server for several years (currently Linux
Mint 18.1 (Ubuntu 16.4) with postfix 3.1.0) and implemented SPF, DKIM and
DMARC a few years ago. All works well for about two dozen domains.

I also have a Windows web server which sends out mail from web forms via the
mail server (using a local mail sender client) to the domains hosted on the
mail server through port 25. This has also worked well for many years and
achieves passes for SPF, DKIM and DMARC.

I have a second, recentlly set up web server - Apache 2.4.18 - on the same
VPS as the mail server. It's form mail is sent using php's mail() which
sends via "/usr/sbin/sendmail -t -i". This does not, by default, DKIM sign,
although remote recipients pass SPF and DMARC. In order to get DKIM
authentication I have removed the no_milters option from master.cf's
receive_override_options. This, of course, adds a second DKIM signature to
each email from Windows forms and general mail.

What changes to main/master do I need to make in order to DKIM sign all mail
once only, preferably before spamassassin?

master.cf extract...
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
  -o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks
#  ,no_milters

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamfilter

main.cf extract...
inet_interfaces = all
milter_default_action = accept
milter_protocol = 6
# list of: clamav, dkim, dmarc
smtpd_milters =
unix:/var/run/clamav/clamav-milter.ctl,local:/var/run/opendkim/opendkim.sock,inet:localhost:8893
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,inet:localhost:8893





--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Reply | Threaded
Open this post in threaded view
|

Re: Cannot sign with DKIM on same-server web and mail

Jaroslaw Rafa
Dnia 31.10.2019 o godz. 12:16:56 linkcheck pisze:
>
> What changes to main/master do I need to make in order to DKIM sign all mail
> once only, preferably before spamassassin?

Not long ago I asked a similar question here.

The best answer is to use spamassassin as a milter, not as a post-queue
content filter as you have (and as I had).
After I changed configuration to run spamassassin as milter, everything is
signed only once.

This is the relevant part of my config:

main.cf:

smtpd_milters = inet:localhost:10025, unix:spamass/spamass.sock
non_smtpd_milters = inet:localhost:10025

(DKIM is running on localhost:10025)

master.cf:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=inet:localhost:10025

As you can see, I don't run spamassassin on outgoing mail (either submitted
via /usr/sbin/sendmail or via submission port - in both cases there is only
DKIM specified in milters, and spamassassin is run only for smtpd. If you
want to run spamassassin for outgoing mail too, you should add
unix:spamass/spamass.sock to non_smtpd_milters as well and remove the "-o
smtpd_milters=..." line from aobove master.cf entry.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
Reply | Threaded
Open this post in threaded view
|

Re: Cannot sign with DKIM on same-server web and mail

linkcheck
Jaroslaw Rafa wrote
> Dnia 31.10.2019 o godz. 12:16:56 linkcheck pisze:
> The best answer is to use spamassassin as a milter, not as a post-queue
> content filter as you have (and as I had).
> After I changed configuration to run spamassassin as milter, everything is
> signed only once.

Thanks, but not sure that's the answer.

I tried running spamassassin as a milter when I first set up postfix and
eventually had to resort to the setup I gave.

Also, note that the problem I'm trying to solve is apache posting through
pickup, which does not DKIM sign due to DKIM being applied before pickup, as
I understand it.




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Reply | Threaded
Open this post in threaded view
|

Re: Cannot sign with DKIM on same-server web and mail

Jaroslaw Rafa
In reply to this post by linkcheck
> Also, note that the problem I'm trying to solve is apache posting through
> pickup, which does not DKIM sign due to DKIM being applied before pickup, as
> I understand it.

To have DKIM applied to messages posted via pickup, you have to include DKIM milter in non_smtpd_milters= . This parameter applies to messages posted via pickup, while smtpd_milters= applies to messages posted via SMTP client.

But if you do that and run spamassassin as content filter, every message will be signed twice. That's why you have to run spamassassin as milter as well.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Reply | Threaded
Open this post in threaded view
|

Re: Cannot sign with DKIM on same-server web and mail

@lbutlr
In reply to this post by linkcheck
On 01 Nov 2019, at 10:03, linkcheck <[hidden email]> wrote:
> Jaroslaw Rafa wrote
>> Dnia 31.10.2019 o godz. 12:16:56 linkcheck pisze:
>> The best answer is to use spamassassin as a milter, not as a post-queue
>> content filter as you have (and as I had).
>> After I changed configuration to run spamassassin as milter, everything is
>> signed only once.
>
> Thanks, but not sure that's the answer.

It definitely is.

> I tried running spamassassin as a milter when I first set up postfix and
> eventually had to resort to the setup I gave.

Had to why?

> Also, note that the problem I'm trying to solve is apache posting through
> pickup, which does not DKIM sign due to DKIM being applied before pickup, as
> I understand it.

Apache should not be posting mail via pickup. Use an SMTP plugin that authenticates just like anyone else.



--
Oh, he's just like any other man, only more so.

Reply | Threaded
Open this post in threaded view
|

Re: Cannot sign with DKIM on same-server web and mail

linkcheck
In reply to this post by Jaroslaw Rafa
Sorry for the delay in replying. I've been looking at this and trying to make
it work in my head, but keep coming up with DKIM running twice. Please bear
with me. Your setup of...

smtpd_milters = inet:localhost:10025, unix:spamass/spamass.sock
non_smtpd_milters = inet:localhost:10025

...suggests to me that the sequence of operation is DKIM followed by SPAMASS
(both from smtpd_milters, assuming they run in sequence) followed by DKIM
via pickup... And I see the flaw in that now!

Pickup only gets run from sendmail which is called by content_filter OR by
apache. So that now makes sense. Taken me hours to see that. :(

So what I need is, as you said, to remove content_filter in master.cf and in
main.cf to put in a new sequence...

smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
unix:spamass/spamass.sock, unix:/var/run/clamav/clamav-milter.ctl,
unix:/var/run/opendmarc/opendmarc.sock

non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

I assume I do not need to include dmarc in the non_smtpd_milters since it's
outgoing only. Should I move dmarc between dkim and spamass in
smtpd_milters?

If the above is correct my remaining problem would be to determine which of
the various spamassassin / spamass-milter / spamd file groups I have to set
up and where to put the sock.

Thanks for your input. Sorry I doubted you first posting. :(




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Reply | Threaded
Open this post in threaded view
|

Re: Cannot sign with DKIM on same-server web and mail

Jaroslaw Rafa
Dnia  4.11.2019 o godz. 04:31:51 linkcheck pisze:
>
> Pickup only gets run from sendmail which is called by content_filter OR by
> apache. So that now makes sense. Taken me hours to see that. :(
>
> So what I need is, as you said, to remove content_filter in master.cf and in
> main.cf to put in a new sequence...

Exactly :) That's the whole point of this setup - to avoid running pickup a
second time.

> I assume I do not need to include dmarc in the non_smtpd_milters since it's
> outgoing only. Should I move dmarc between dkim and spamass in
> smtpd_milters?

I don't know as I don't use DMARC. I only DKIM sign outgoing mail, I don't
verify DKIM nor DMARC on incoming mail. Just try what order works best.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
Reply | Threaded
Open this post in threaded view
|

Re: Cannot sign with DKIM on same-server web and mail

linkcheck
In reply to this post by @lbutlr
@lbutlr wrote
> On 01 Nov 2019, at 10:03, linkcheck &lt;

> postfix@.co

> &gt; wrote:
>> Jaroslaw Rafa wrote
> Apache should not be posting mail via pickup. Use an SMTP plugin that
> authenticates just like anyone else.

If the mail and web servers were separate I would agree but there is a lot
of overhead in adding (eg) phpmail when all that is required is a simple
non-authenticated posting into postfix's sendmail




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Reply | Threaded
Open this post in threaded view
|

Re: Cannot sign with DKIM on same-server web and mail

linkcheck
In reply to this post by Jaroslaw Rafa
Jaroslaw Rafa wrote
> Dnia  4.11.2019 o godz. 04:31:51 linkcheck pisze:
> I don't know as I don't use DMARC. I only DKIM sign outgoing mail, I don't
> verify DKIM nor DMARC on incoming mail. Just try what order works best.

Ok. Thanks for all the help. :)




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html