DKIM signing for wildcard sub domains


DKIM signing for wildcard sub domains

Kent
Hi All,

I'm trying to get DKIM signing working on our postfix mail server.

We have a wildcard domain *.school.kiwi. We are providing a mail service for our clients, who each have their own sub-domain, e.g. abc.school.kiwi or cde.school.kiwi.


I have two servers, both identical setups running CentOS and Postfix 2. One is named mx01.school.kiwi and the other is named mx02.school.kiwi.
Note: When I created the 'default.private' I did so on mx01 and copied it to mx02 so they are the same. I assume this is the correct approach?


I've followed the instructions per this page:  https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
> opendkim: OpenDKIM Filter v2.11.0



I've set up my KeyTable:
> default._dkim.school.kiwi school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private



And my SigningTable:
> *school.kiwi default._dkim.school.kiwi
> .school.kiwi default._dkim.school.kiwi

This is the current setup. I've tried different variations including *@school.kiwi, *@*school.kiwi, *@.school.kiwi and *@*.school.kiwi.


My TrustedHosts:
> 127.0.0.1
> ::1
> school.kiwi
> .school.kiwi



And finally  opendkim.conf itself with:
> # KeyFile       /etc/opendkim/keys/default.private
> KeyTable        /etc/opendkim/KeyTable
> SigningTable    refile:/etc/opendkim/SigningTable
> ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
> InternalHosts   refile:/etc/opendkim/TrustedHosts



This is what I see in /var/log/maillog when I send an e-mail to my gmail account.

> Dec 13 14:53:07 mx02 postfix/pickup[19928]: 280D82084426: uid=0 from=<[hidden email]>
> Dec 13 14:53:07 mx02 postfix/cleanup[20008]: 280D82084426: message-id=<[hidden email]>
> Dec 13 14:53:07 mx02 postfix/qmgr[18077]: 280D82084426: from=<[hidden email]>, size=4645, nrcpt=1 (queue active)
> Dec 13 14:53:08 mx02 postfix/smtp[20036]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Dec 13 14:53:09 mx02 postfix/smtp[20036]: 280D82084426: to=<[hidden email]>, relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.4, delays=0.01/0/1.6/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK 1513130134 33si417943ply.308 - gsmtp)
> Dec 13 14:53:09 mx02 postfix/cleanup[20008]: 8A3D22084427: message-id=<[hidden email]>
> Dec 13 14:53:09 mx02 postfix/bounce[20012]: 280D82084426: sender delivery status notification: 8A3D22084427
> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: from=<>, size=2632, nrcpt=1 (queue active)
> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 280D82084426: removed
> Dec 13 14:53:09 mx02 postfix/pipe[20013]: 8A3D22084427: to=<[hidden email]>, relay=schoolkiwi, delay=0.06, delays=0/0/0/0.06, dsn=2.0.0, status=sent (delivered via schoolkiwi service)
> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: removed
>



When I view a received e-mail, I can see the following line in the message headers.

> DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426



But not the DKIM signature itself. I've obviously missed something, but I'm not sure what to look at next.


Any assistance appreciated to get this working with emails from [hidden email]


thanks

Kent.


Re: DKIM signing for wildcard sub domains

Maarten

Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters =  $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters


On 2017-12-13 03:10, Kent wrote:


Re: DKIM signing for wildcard sub domains

anvartay
Yes, and it is also recommended to set up a different selector for each server and a different key per server.

You can test DKIM signature using this website:
http://dkimvalidator.com/

Anvar Kuchkartaev 
[hidden email]
Original Message
From: Maarten
Sent: Wednesday, 13 December 2017 08:14
To: Postfix users; [hidden email]
Subject: Re: DKIM signing for wildcard sub domains




Re: DKIM signing for wildcard sub domains

Maarten
In reply to this post by Maarten
dkim runs on 8891:

tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      969/opendkim

This way it will sign the mails; you should then see something like this:

Dec 13 08:14:43 localhost postfix/smtpd[21935]: connect from supernova.feedmebits.nl[46.105.136.80]
Dec 13 08:14:43 localhost postfix/smtpd[21935]: Anonymous TLS connection established from supernova.feedmebits.nl[46.105.136.80]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 13 08:14:43 localhost postfix/smtpd[21935]: A1346749: client=supernova.feedmebits.nl[46.105.136.80], sasl_method=CRAM-MD5, sasl_username=maarten
Dec 13 08:14:43 localhost postfix/cleanup[21938]: A1346749: hold: header Received: from a.mx.feedmebits.nl (supernova.feedmebits.nl [46.105.136.80])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(Client did not present a certificate)??by supernov from supernova.feedmebits.nl[46.105.136.80]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<a.mx.feedmebits.nl>
Dec 13 08:14:43 localhost postfix/cleanup[21938]: A1346749: message-id=<[hidden email]>
Dec 13 08:14:43 localhost opendkim[969]: A1346749: DKIM-Signature field added (s=default, d=feedmebits.nl)


On 2017-12-13 08:14, Maarten wrote:


Re: DKIM signing for wildcard sub domains

Kent
In reply to this post by Maarten
Hi Maarten,

Apologies - I missed this when I was copying my setup.

I already have these lines in my /etc/postfix/main.cf file.


When an e-mail comes in, I'm seeing these lines in the maillog:
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: mail-lf0-f51.google.com [209.85.215.51] not internal
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: not authenticated
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: DKIM verification successful

So I believe postfix is passing both incoming and outgoing mail via opendkim.

It's just my setup isn't adding the 'DKIM' into the outgoing mail.

Kent.



> On 13/12/2017, at 8:14 PM, Maarten <[hidden email]> wrote:

Re: DKIM signing for wildcard sub domains

Maarten
Check /etc/opendkim.conf, and the line that says Mode.

You probably have it set like this:
Mode v

Change it to:
Mode sv

s = sign
v = verify

On 2017-12-13 08:32, Kent wrote:


Re: DKIM signing for wildcard sub domains

Maarten
So right now, since it's set to only verify incoming mail signatures, you are seeing the line "DKIM verification successful".

You should see the signing happening in the logs:

Dec 13 08:36:32 localhost opendkim[969]: ED6EDFB7: DKIM-Signature field added (s=default, d=feedmebits.nl)




On 2017-12-13 08:36, Maarten wrote:

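To check what Maarten describes (Mode deciding whether opendkim signs at all, and the "DKIM-Signature field added" line as the evidence) against a real maillog, here is an added diagnostic; it is not from the thread or from OpenDKIM. It uses the log lines Kent and Maarten quoted as sample input, plus a constructed opendkim.conf carrying the Mode v line Maarten suspected, and looks up Kent's queue id 280D82084426, which has no opendkim line at all.

```python
"""Is OpenDKIM actually signing outbound mail? Decide it from config and log.

Added example, not part of the thread: it reads the Mode directive of
opendkim.conf and pairs each Postfix queue id with the opendkim log lines
that settle the question, using the log formats quoted in the thread.
Assumption: a missing Mode line is reported as unknown, not given a default.
"""
import re

# Log formats as they appear in the thread (the syslog prefix is ignored).
SIGNED = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-Fa-f]+): DKIM-Signature field added "
                    r"\(s=(?P<s>[^,]+), d=(?P<d>[^)]+)\)")
VERIFIED = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-Fa-f]+): DKIM verification (?P<result>\w+)")
NOT_INTERNAL = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-Fa-f]+): (?P<host>\S+) \[[^\]]+\] not internal")


def signing_mode(conf_text: str):
    """Return (signs, verifies) from the Mode line, or None if there is none."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("mode"):
            parts = line.split(None, 1)
            value = parts[1].lower() if len(parts) > 1 else ""
            return ("s" in value, "v" in value)
    return None


def triage(maillog: str) -> dict:
    """Per queue id: what opendkim did with the message."""
    msgs = {}
    for line in maillog.splitlines():
        for regex in (SIGNED, VERIFIED, NOT_INTERNAL):
            m = regex.search(line)
            if not m:
                continue
            entry = msgs.setdefault(m["qid"], {"signed": None, "verify": None, "internal": True})
            if regex is SIGNED:
                entry["signed"] = (m["s"], m["d"])
            elif regex is VERIFIED:
                entry["verify"] = m["result"]
            else:
                entry["internal"] = False   # external peer: only verification applies
                entry["peer"] = m["host"]
    return msgs


def diagnose(conf_text: str, maillog: str, qid: str) -> str:
    """One-line verdict for a queue id, most conclusive evidence first."""
    mode = signing_mode(conf_text)
    entry = triage(maillog).get(qid)
    if entry and entry["signed"]:
        s, d = entry["signed"]
        return f"{qid}: signed with s={s} d={d}; verifiers fetch {s}._domainkey.{d}"
    if mode is not None and not mode[0]:
        return f"{qid}: Mode has no 's', so opendkim will never sign, whatever the tables say"
    if entry is None:
        return f"{qid}: no opendkim log line at all; check the milter wiring in main.cf"
    if not entry["internal"]:
        return f"{qid}: inbound from {entry['peer']}, verification only ({entry['verify']})"
    return f"{qid}: internal sender but no signature added; check SigningTable/KeyTable match"


# Sample input: Kent's and Maarten's log lines from the thread, and a
# constructed opendkim.conf with the Mode line Maarten suspected.
KENT_CONF = "Mode v\nKeyTable /etc/opendkim/KeyTable\nSigningTable refile:/etc/opendkim/SigningTable\n"
MAILLOG = """\
Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: mail-lf0-f51.google.com [209.85.215.51] not internal
Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: not authenticated
Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: DKIM verification successful
Dec 13 08:36:32 localhost opendkim[969]: ED6EDFB7: DKIM-Signature field added (s=default, d=feedmebits.nl)
"""

if __name__ == "__main__":
    for qid in ("81942208493E", "ED6EDFB7", "280D82084426"):
        print(diagnose(KENT_CONF, MAILLOG, qid))
```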

Re: DKIM signing for wildcard sub domains

Kent
In reply to this post by anvartay
Hi Anvar,

> Yes and also it is recommended to setup different selector for each server and different key per server.

I'm not sure I fully understand what you are saying.

So I should have created a separate 'default.private' for each server? How would this work on my DNS server - would they have to have unique identifiers so that the TXT record on the mail server could be added for both servers as well?


I don't want to create a separate DKIM for each sub domain - there are potentially hundreds for all our clients. I want a DKIM for the top level 'school.kiwi' domain which is then used for each of the sub domains.

Is this possible?


Kent.




> On 13/12/2017, at 8:23 PM, Anvar Kuchkartaev <[hidden email]> wrote:

Re: DKIM signing for wildcard sub domains

anvartay
In your case you are using a selector with the name default. If you use opendkim-genkey -s mx0 then it will generate a key for the mx0 selector (you must update DNS records accordingly: instead of default._domainkey.school.kiwi, mx0._domainkey.school.kiwi; and for mx1 generate with selector mx1 and DNS record mx1._domainkey.school.kiwi).

If you want to create one key which will be copied across servers and applied to subdomains, use the --subdomains option to generate the key for subdomains and in the DNS record also use s=*

DNS record in my case:

Question section:
----------------------------
mx1._domainkey.aegisnet.eu TXT

Answer section:
----------------------------
mx1._domainkey.aegisnet.eu. 21599 IN TXT "v=DKIM1; k=rsa; s=*; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAspG5C7Cb9NipLjFCOdlPWqMybUqqAqnbbts4txUgFJ6XyyDQ58FKNKQmgKP7+/UHaYdPEEyrVJ34SUhg5gx+UWljm/ERROmPA7yDjzX2XZQDhaX1Rl+yZpLc9t1VrAhNHvvmdwiD0KZ3pJXVDYrYZp5NerINpq460Ra4GxUcmIeun" "Vy2eAlfVk2LA7keNlf4UU+Sw3z66A0Yr+JgAf3/YRTDgPFM5vHYL3IHmiz9+ZH+GnGG+xTjm24k0SOr1mqtjkwORNtYg1aub5JmTtc7GaqH6w6cyBVmUylFx3TWL8MlqlxBKkrlQnPG/O7Z1kgUzoS8zx447p0/N1JyyS24rwIDAQAB"


Authority section:
----------------------------


Additional section:
----------------------------


Anvar Kuchkartaev 
[hidden email]
Original Message
From: Kent
Sent: Wednesday, 13 December 2017 08:40
To: Postfix users
Cc: Anvar Kuchkartaev
Subject: Re: DKIM signing for wildcard sub domains


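Anvar's dig answer above is the record a verifier fetches, and his follow-up corrects what s=* means. The checker below is an added example (not from the thread and not OpenDKIM code) that re-joins dig's quoted chunks, parses the tags as RFC 6376 section 3.6.1 defines them, and reports what each flag controls: s= is the service type, while the t=s flag is what forbids a subdomain in the signature's i= identity. The records it parses are constructed here, with a dummy p= value in place of a real key.

```python
"""Sanity-check a published DKIM key record (<selector>._domainkey.<domain> TXT).

Added example, not from the thread or OpenDKIM: re-joins the quoted chunks
dig prints, parses the tag=value list per RFC 6376 section 3.6.1 and reports
what the flags really control. s= is the service type (s=* means any service,
s=email means mail only); whether a subdomain may appear in the signature's
i= identity is governed by the t=s flag, not by s=.
"""
import base64
import re


def join_txt_chunks(rdata: str) -> str:
    """'"abc" "def"' as shown by dig -> 'abcdef'; a verifier concatenates chunks."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata


def parse_key_record(rdata: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for field in join_txt_chunks(rdata).split(";"):
        field = field.strip()
        if not field:
            continue
        name, _, value = field.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags


def allows_subdomain_identity(tags: dict) -> bool:
    """True unless t=s is set (then the i= domain must equal d= exactly)."""
    return "s" not in set(tags.get("t", "").split(":"))


def check_key_record(rdata: str) -> list:
    """Return (level, message) findings; an empty list means the record is usable."""
    tags = parse_key_record(rdata)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(("error", "v= must be DKIM1 when present"))
    if "p" not in tags:
        findings.append(("error", "no p= tag: record is unusable"))
    elif tags["p"] == "":
        findings.append(("error", "empty p=: this key has been revoked"))
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            findings.append(("error", "p= is not valid base64"))
    services = set(tags.get("s", "*").split(":"))   # RFC default is '*'
    if "*" not in services and "email" not in services:
        findings.append(("error", f"s={tags['s']}: record does not permit email"))
    flags = set(tags.get("t", "").split(":"))
    if "y" in flags:
        findings.append(("warn", "t=y: testing mode, verifiers treat mail as unsigned"))
    if not allows_subdomain_identity(tags):
        findings.append(("info", "t=s: i= must be exactly d=, subdomain identities refused"))
    return findings


# Constructed records in the shape of the dig answer quoted in the thread
# (two quoted chunks, s=*, h=sha256); the key bytes are a dummy placeholder.
_DUMMY_P = base64.b64encode(b"placeholder-not-a-real-rsa-key").decode()
SAMPLE_RDATA = f'"v=DKIM1; k=rsa; s=*; h=sha256; p={_DUMMY_P[:12]}" "{_DUMMY_P[12:]}"'
STRICT_RDATA = f"v=DKIM1; k=rsa; t=s; p={_DUMMY_P}"

if __name__ == "__main__":
    for rdata in (SAMPLE_RDATA, STRICT_RDATA):
        print(rdata[:40], "->", check_key_record(rdata) or "ok",
              "| subdomain i= allowed:", allows_subdomain_identity(parse_key_record(rdata)))
```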

Re: DKIM signing for wildcard sub domains

anvartay
Just a quick fix, I wrote wrong instructions: s=* means for all services.
You have to edit
/etc/opendkim.conf
Subdomains Yes

And 

/etc/opendkim/SigningTable

example.com default._domainkey.example.com
.example.com default._domainkey.example.com

Anvar Kuchkartaev 
[hidden email]
Original Message
From: Anvar Kuchkartaev
Sent: Wednesday, 13 December 2017 09:02
To: Kent; Postfix users
Subject: Re: DKIM signing for wildcard sub domains


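The lookup Kent's SigningTable and KeyTable perform, and the plain-file form Anvar gives in his fix, as an added model; this is not OpenDKIM's code and not from the thread. It assumes refile patterns are anchored to the whole From: address with first match winning; the tighter refile table and the school.kiwi plain-file table are constructed here. It makes two things visible: `*school.kiwi` does match a subdomain address, consistent with Maarten's diagnosis that Mode rather than the tables was the blocker, but it also matches any From: domain that merely ends in school.kiwi, which the `*@*.school.kiwi` form does not.

```python
"""Model of how an OpenDKIM SigningTable plus KeyTable pick the signing key.

Added example, not OpenDKIM's own code. It approximates the documented lookup:
with refile: the keys are '*'-wildcard patterns matched against the whole From:
address; with a plain file: the key is the full address, the bare domain, or
'.domain' for any subdomain. Whole-pattern anchoring and first-match-wins
ordering are assumptions of this model.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningKey:
    name: str      # KeyTable label referenced by SigningTable values
    domain: str    # becomes the d= tag of the signature
    selector: str  # becomes the s= tag
    keyfile: str   # private key path

    @property
    def dns_name(self) -> str:
        # Verifiers query <selector>._domainkey.<d=>. The label
        # default._dkim.school.kiwi is only a name and is never resolved.
        return f"{self.selector}._domainkey.{self.domain}"


def parse_keytable(text: str) -> dict:
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, spec = line.split(None, 1)
            domain, selector, keyfile = spec.strip().split(":", 2)
            keys[name] = SigningKey(name, domain, selector, keyfile)
    return keys


def parse_signingtable(text: str) -> list:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, keyname = line.split(None, 1)
            entries.append((pattern.lower(), keyname.strip()))
    return entries


def refile_match(pattern: str, address: str) -> bool:
    # '*' matches any run of characters, everything else is literal, and the
    # pattern must cover the whole address (a leading '.' is not a wildcard).
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, address.lower()) is not None


def file_match(pattern: str, address: str) -> bool:
    # plain file: exact address, exact domain, or '.domain' for any subdomain.
    domain = address.lower().rpartition("@")[2]
    if pattern in (address.lower(), domain):
        return True
    return pattern.startswith(".") and domain.endswith(pattern)


def select_key(from_addr: str, signingtable: list, keytable: dict,
               refile: bool = True):
    """Return the SigningKey for from_addr, or None when nothing matches."""
    match = refile_match if refile else file_match
    for pattern, keyname in signingtable:
        if match(pattern, from_addr):
            if keyname not in keytable:
                raise KeyError(f"SigningTable names unknown KeyTable entry {keyname}")
            return keytable[keyname]
    return None


# Kent's tables as posted, a tighter refile variant, and a plain-file table in
# the shape of Anvar's fix; the last two are constructed here for school.kiwi.
KENT_KEYTABLE = ("default._dkim.school.kiwi "
                 "school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private\n")
KENT_SIGNINGTABLE = ("*school.kiwi default._dkim.school.kiwi\n"
                     ".school.kiwi default._dkim.school.kiwi\n")
TIGHT_SIGNINGTABLE = ("*@school.kiwi default._dkim.school.kiwi\n"
                      "*@*.school.kiwi default._dkim.school.kiwi\n")
PLAIN_SIGNINGTABLE = ("school.kiwi default._dkim.school.kiwi\n"
                      ".school.kiwi default._dkim.school.kiwi\n")

if __name__ == "__main__":
    kt = parse_keytable(KENT_KEYTABLE)
    for addr in ("teacher@abc.school.kiwi", "x@notschool.kiwi"):
        loose = select_key(addr, parse_signingtable(KENT_SIGNINGTABLE), kt)
        tight = select_key(addr, parse_signingtable(TIGHT_SIGNINGTABLE), kt)
        print(addr, "| *school.kiwi:", loose and loose.dns_name,
              "| *@*.school.kiwi:", tight and tight.dns_name)
```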

Re: DKIM signing for wildcard sub domains

Benny Pedersen-2
In reply to this post by Kent
Kent wrote on 2017-12-13 08:40:

> Is this possible?

no

http://www.opendkim.org/opendkim-atpszone.8.html

unless it's ATPS signed

IMHO your server hostname must be DKIM signed

then you can reuse keys for subdomain signing

it's a complex setup, so join the opendkim mailing list and ask specifically about this