DKIMproxy Information.


DKIMproxy Information.

Linux Addict
Hi, Please excuse me if it is not relevant on this forum.

I am planning to use domain keys and dkim for our domain just to send mails outside.

Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new DKIM?

Thank you.

~LA

Re: DKIMproxy Information.

Noel Jones-2
Linux Addict wrote:

> Hi, Please excuse me if it is not relevant on this forum.
>
> I am planning to use domain keys and dkim for our domain just to send
> mails outside.
>
> Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new DKIM?
>
> Thank you.
>
> ~LA

dkimproxy supports both DKIM and DomainKeys.
http://dkimproxy.sourceforge.net/

--
Noel Jones

Re: DKIMproxy Information.

Linux Addict


On Mon, Nov 10, 2008 at 5:19 PM, Noel Jones <[hidden email]> wrote:
> Linux Addict wrote:
>> Hi, Please excuse me if it is not relevant on this forum.
>>
>> I am planning to use domain keys and dkim for our domain just to send mails outside.
>>
>> Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new DKIM?
>>
>> Thank you.
>>
>> ~LA
>
> dkimproxy supports both DKIM and DomainKeys.
> http://dkimproxy.sourceforge.net/
>
> --
> Noel Jones

While I read through this, I understand that to use domain keys, the client has to send mails through submission port 587. Does that sound right? Just to use domainkeys, do all clients have to send mails to port 587 instead of port 25? Please clarify. Thank you.

~LA

Re: DKIMproxy Information.

Brian Evans - Postfix List
Linux Addict wrote:
>
> While I read through this, I understand that to use domain keys, the
> client has to send mails through submission port 587. Does that sound
> right? Just to use domainkeys, do all clients have to send mails to
> port 587 instead of port 25? Please clarify. Thank you.
The submission port is required for signing due to the nature of trust.

Common administrative practices include submission on 587 for trusted
clients only and should not be permitted on the internet.
This port should be firewalled outside of your network.

It is difficult to sign on port 25 because the only way to do so is by a
FILTER statement which would override any other FILTER or content_filter
statements.

Using other methods, such as amavisd-new 2.6+, may allow this on port 25
with built in policies.
That topic is better suited to their list though.

Brian

Re: DKIMproxy Information.

Charles Marcus
On 11/11/2008 4:35 PM, Brian Evans - Postfix List wrote:

> Linux Addict wrote:
>> While I read through this, I understand that to use domain keys, the
>> client has to send mails through submission port 587. Does that sound
>> right? Just to use domainkeys, do all clients have to send mails to
>> port 587 instead of port 25? Please clarify. Thank you.
> The submission port is required for signing due to the nature of trust.
>
> Common administrative practices include submission on 587 for trusted
> clients only and should not be permitted on the internet.
> This port should be firewalled outside of your network.

Excuse me?!?!? That's ridiculous... in fact, just the OPPOSITE is true.

--

Best regards,

Charles

Re: DKIMproxy Information.

Charles Marcus
On 11/11/2008 4:49 PM, Charles Marcus wrote:
>> Common administrative practices include submission on 587 for
>> trusted clients only and should not be permitted on the internet.
>> This port should be firewalled outside of your network.

> Excuse me?!?!? That's ridiculous... in fact, just the OPPOSITE is
> true.

Well... correction...

Port 587 is designed to provide smtp_auth services to trusted clients
VIA an UNtrusted network (like the internet)...

So, no WAY should it be firewalled - just limit it to sasl_auth based
sessions - and hopefully you enforce strong password policies too...

--

Best regards,

Charles

using ip alias

Octavio-3
Hi

My server has some public IPs and I want to use one that is not the primary (eth0:0), but when I send email it always uses the one on eth0, despite Postfix having as its interfaces just the one on eth0:0 and lo.

Thanks

Octavio


Re: using ip alias

Wietse Venema
Octavio:
[ Charset UTF-8 unsupported, converting... ]
> Hi
>
> My server has some public IPs and I want to use one that is not
> the primary (eth0:0), but when I send email it always uses the one
> on eth0, despite Postfix having as its interfaces just the one on
> eth0:0 and lo.

See:
http://www.postfix.org/postconf.5.html#smtp_bind_address
http://www.postfix.org/postconf.5.html#inet_interfaces

        Wietse

Re: DKIMproxy Information.

Linux Addict


On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus <[hidden email]> wrote:
> On 11/11/2008 4:49 PM, Charles Marcus wrote:
>>> Common administrative practices include submission on 587 for
>>> trusted clients only and should not be permitted on the internet.
>>> This port should be firewalled outside of your network.
>
>> Excuse me?!?!? That's ridiculous... in fact, just the OPPOSITE is
>> true.
>
> Well... correction...
>
> Port 587 is designed to provide smtp_auth services to trusted clients
> VIA an UNtrusted network (like the internet)...
>
> So, no WAY should it be firewalled - just limit it to sasl_auth based
> sessions - and hopefully you enforce strong password policies too...
>
> --
>
> Best regards,
>
> Charles


My reason for configuring domain keys is Yahoo not filtering my mails as spam. I don't want to go back and change more than 1000 clients' port from 25 to 587.


So is there any way we can achieve domainkeys authentication on port 25?

Thanks,
LA

Re: DKIMproxy Information.

mouss-2
Linux Addict wrote:

> On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus
> <[hidden email]> wrote:
>
>> On 11/11/2008 4:49 PM, Charles Marcus wrote:
>>>> Common administrative practices include submission on 587 for
>>>> trusted clients only and should not be permitted on the internet.
>>>> This port should be firewalled outside of your network.
>>> Excuse me?!?!? That's ridiculous... in fact, just the OPPOSITE is
>>> true.
>> Well... correction...
>>
>> Port 587 is designed to provide smtp_auth services to trusted clients
>> VIA an UNtrusted network (like the internet)...
>>
>> So, no WAY should it be firewalled - just limit it to sasl_auth based
>> sessions - and hopefully you enforce strong password policies too...
>>
>> --
>>
>> Best regards,
>>
>> Charles
>>
>
>
> My reason for configuring domain keys is Yahoo not filtering my mails as
> spam.

because you think once you sign your mail they will deliver it to Inbox?

> I don't want to go back and change more than 1000 clients' port from 25
> to 587.
>
if they come from specific networks, you can use a NAT implementation to
redirect them to port 587. otherwise, see below.

>
> So is there any way we can achieve domainkeys authentication on port 25?
>

smtpd_client_restrictions =
        check_client_access pcre:/etc/postfix/filter_outbound
        permit_mynetworks
        permit_sasl_authenticated
        check_client_access pcre:/etc/postfix/filter_inbound

== filter_outbound
# pass to "outbound" filter
/./ FILTER scan:[127.0.0.1]:10586

== filter_inbound
# pass to "inbound" filter
/./ FILTER scan:[127.0.0.1]:10024

if you wonder what that does:
- if mail comes from mynetworks or is sasl authenticated, then it is
passed to port 10586
- otherwise, it is passed to port 10024
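The following is an added example, not code from this thread and not Postfix's own code: a small Python model of how Postfix walks mouss's restriction list, which makes visible why the trick works (a FILTER action is recorded but does not stop evaluation, permit_mynetworks and permit_sasl_authenticated do stop it, and the last FILTER seen wins) and why, as Brian noted earlier in the thread, an access-table FILTER overrides any main.cf content_filter. The networks, client addresses and table contents are constructed; the table lookup is simplified to the client IP address only.

```python
"""
Model of how Postfix walks the smtpd_client_restrictions list from the
thread and which content filter a message ends up with. Added example,
not Postfix code and not mouss's tables; networks, client addresses and
table contents are constructed. It models the documented behaviour:
check_client_access returns the first matching table entry, FILTER
records a destination and evaluation continues (it is not a terminating
result, and a later FILTER overrides an earlier one), permit_* results
stop evaluation, and an access-table FILTER overrides a main.cf
content_filter setting.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed stand-ins for mouss's two pcre tables; "/./" matches any client.
FILTER_OUTBOUND = [(re.compile(r"."), "FILTER scan:[127.0.0.1]:10586")]
FILTER_INBOUND = [(re.compile(r"."), "FILTER scan:[127.0.0.1]:10024")]

# The restriction list in the order mouss gave it.
SMTPD_CLIENT_RESTRICTIONS = [
    ("check_client_access", FILTER_OUTBOUND),
    ("permit_mynetworks", None),
    ("permit_sasl_authenticated", None),
    ("check_client_access", FILTER_INBOUND),
]

# Constructed $mynetworks value.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]


def check_client_access(table, client_ip):
    """First matching entry wins, as in a Postfix access table.

    Simplification: real check_client_access also tries the client hostname
    and its parent domains; this model looks up the IP address only.
    """
    for pattern, action in table:
        if pattern.search(client_ip):
            return action
    return None


def evaluate(client_ip, sasl_authenticated, restrictions=SMTPD_CLIENT_RESTRICTIONS,
             mynetworks=MYNETWORKS, content_filter=None):
    """Return (result, filter_destination) for one SMTP client.

    result is PERMIT, REJECT, or DUNNO (list exhausted, the next restriction
    stage decides). filter_destination is the last FILTER seen, falling back
    to the main.cf content_filter only when no FILTER was recorded.
    """
    addr = ip_address(client_ip)
    filter_dest = None
    result = "DUNNO"
    for name, table in restrictions:
        if name == "check_client_access":
            action = check_client_access(table, client_ip)
            if action is None:
                continue  # no match: DUNNO, keep walking the list
            if action.startswith("FILTER "):
                filter_dest = action[len("FILTER "):]  # remembered, not terminating
                continue
            if action in ("PERMIT", "OK"):
                result = "PERMIT"
                break
            if action.startswith("REJECT"):
                result = "REJECT"
                break
        elif name == "permit_mynetworks" and any(addr in net for net in mynetworks):
            result = "PERMIT"
            break
        elif name == "permit_sasl_authenticated" and sasl_authenticated:
            result = "PERMIT"
            break
    return result, (filter_dest if filter_dest is not None else content_filter)


if __name__ == "__main__":
    # Constructed clients: a LAN host, an authenticated roaming user, a stranger.
    for ip, sasl in (("192.168.1.10", False), ("203.0.113.5", True), ("203.0.113.5", False)):
        print(ip, "sasl" if sasl else "anon", evaluate(ip, sasl))
```

Running it hands the LAN host and the authenticated user to port 10586 (the signing instance) and the unauthenticated client to port 10024. Calling evaluate() with restrictions=[] and a content_filter shows the fallback; as soon as any table entry matches with FILTER, that destination replaces the content_filter value, which is the override Brian warns about.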




Re: DKIMproxy Information.

Linux Addict


On Wed, Nov 12, 2008 at 12:44 PM, mouss <[hidden email]> wrote:
> Linux Addict wrote:
>> On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus
>> <[hidden email]> wrote:
>>
>>> On 11/11/2008 4:49 PM, Charles Marcus wrote:
>>>>> Common administrative practices include submission on 587 for
>>>>> trusted clients only and should not be permitted on the internet.
>>>>> This port should be firewalled outside of your network.
>>>> Excuse me?!?!? That's ridiculous... in fact, just the OPPOSITE is
>>>> true.
>>> Well... correction...
>>>
>>> Port 587 is designed to provide smtp_auth services to trusted clients
>>> VIA an UNtrusted network (like the internet)...
>>>
>>> So, no WAY should it be firewalled - just limit it to sasl_auth based
>>> sessions - and hopefully you enforce strong password policies too...
>>>
>>> --
>>>
>>> Best regards,
>>>
>>> Charles
>>
>> My reason for configuring domain keys is Yahoo not filtering my mails as
>> spam.
>
> because you think once you sign your mail they will deliver it to Inbox?

:-)  I know they may or may not. As an admin, we are trying our best.

>> I don't want to go back and change more than 1000 clients' port from 25
>> to 587.
>
> if they come from specific networks, you can use a NAT implementation to redirect them to port 587. otherwise, see below.
>
>> So is there any way we can achieve domainkeys authentication on port 25?
>
> smtpd_client_restrictions =
>        check_client_access pcre:/etc/postfix/filter_outbound
>        permit_mynetworks
>        permit_sasl_authenticated
>        check_client_access pcre:/etc/postfix/filter_inbound
>
> == filter_outbound
> # pass to "outbound" filter
> /./     FILTER scan:[127.0.0.1]:10586
>
> == filter_inbound
> # pass to "inbound" filter
> /./     FILTER scan:[127.0.0.1]:10024
>
> if you wonder what that does:
> - if mail comes from mynetworks or is sasl authenticated, then it is passed to port 10586
> - otherwise, it is passed to port 10024





Re: DKIMproxy Information.

Mark Martinec-5
mouss wrote:

> > So is there any way we can achieve domainkeys authentication on port 25?
>
> smtpd_client_restrictions =
> check_client_access pcre:/etc/postfix/filter_outbound
> permit_mynetworks
> permit_sasl_authenticated
> check_client_access pcre:/etc/postfix/filter_inbound
>
> == filter_outbound
> # pass to "outbound" filter
> /./ FILTER scan:[127.0.0.1]:10586
>
> == filter_inbound
> # pass to "inbound" filter
> /./ FILTER scan:[127.0.0.1]:10024
>
> if you wonder what that does:
> - if mail comes from mynetworks or is sasl authenticated, then it is
> passed to port 10586
> - otherwise, it is passed to port 10024


Right. Then on the amavisd-new side (amavisd.conf):

$inet_socket_port = [10024,10586];
$interface_policy{'10586'} = 'ORIGINATING';

$enable_dkim_signing = 1;
$enable_dkim_verification = 1;
dkim_key('example.org', 'myselector', '/var/db/dkim/mykey1.pem');
dkim_key('example.net', 'mysel2',     '/var/db/dkim/mykey2.pem');

$policy_bank{'ORIGINATING'} = {  # mail originates from our users
  originating => 1,  # permits DKIM signing (among other things)
    # force MTA conversion to 7-bit before DKIM signing
    # to avoid later conversions, destroying signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};


If you haven't already made DKIM signing keys, amavisd can
do it for you:

# amavisd genrsa /var/db/dkim/mykey1.pem
# amavisd genrsa /var/db/dkim/mykey2.pem

and after adding dkim_key() lines to amavisd.conf, show them in
a format directly suitable for inclusion into a DNS zone file:

# amavisd showkeys

and after updating DNS zone file and reloading zone:

# amavisd testkeys

Reload amavisd, all done. More in RELEASE_NOTES.


  Mark
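As an added example, not amavisd code and not from this thread: a Python check of the selector TXT record that `amavisd showkeys` prints for the zone file, approximating what `amavisd testkeys` verifies once the record is published. It joins the quoted zone-file strings (long p= values are split across several quoted strings, and resolvers concatenate them), parses the RFC 6376 tag list, and flags the problems that most often break signing in practice: a missing or empty p=, base64 that does not decode to a DER public key, and the t=y testing flag. The record, selector and key bytes are constructed; the p= value is only the DER AlgorithmIdentifier prefix of an RSA public key, not a key.

```python
"""
Parse and sanity-check a DKIM selector TXT record as it appears in a zone
file (the format `amavisd showkeys` emits). Added example for this thread;
it is not amavisd code. The sample record is constructed and its p= value is
the DER prefix of an RSA SubjectPublicKeyInfo, not a real key.
"""
import base64
import binascii
import re

# A zone-file TXT record is usually split into several quoted strings because
# one string may not exceed 255 octets; resolvers concatenate them in order.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: RSA AlgorithmIdentifier DER prefix, base64-encoded.
SAMPLE_P = base64.b64encode(bytes.fromhex("300d06092a864886f70d0101010500")).decode()
SAMPLE_RECORD = (
    'myselector._domainkey.example.org. IN TXT ( "v=DKIM1; k=rsa; " '
    f'"p={SAMPLE_P}" )'
)


def join_txt_strings(zone_rdata):
    """Concatenate the quoted strings of a TXT RDATA into one record value."""
    parts = _QUOTED.findall(zone_rdata)
    if not parts:
        return zone_rdata.strip()  # already a bare value, no quoting
    return "".join(p.replace('\\"', '"') for p in parts)


def parse_dkim_tags(record):
    """Split an RFC 6376 tag-list ('tag=value; tag=value') into a dict."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Whitespace inside the base64 of p= is permitted and ignored.
        tags[name] = re.sub(r"\s+", "", value) if name == "p" else value.strip()
    return tags


def check_dkim_record(zone_rdata):
    """Return a list of problems; an empty list means the record looks usable."""
    problems = []
    try:
        tags = parse_dkim_tags(join_txt_strings(zone_rdata))
    except ValueError as exc:
        return [str(exc)]
    # v= is optional, but when present it must be DKIM1.
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"key type k={tags['k']} is not rsa")
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"] == "":
        problems.append("empty p= means the key is revoked; signatures will not verify")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64")
        else:
            # DER SubjectPublicKeyInfo (what openssl/amavisd publish) starts
            # with a SEQUENCE tag, 0x30.
            if not key or key[0] != 0x30:
                problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: domain is in testing mode; verifiers treat failures as unsigned")
    return problems


if __name__ == "__main__":
    for rec in (SAMPLE_RECORD, '"v=DKIM1; k=rsa; p="', f'"v=DKIM1; t=y; p={SAMPLE_P}"'):
        print(rec, "->", check_dkim_record(rec) or "ok")
```

The t=y check is worth keeping in a real deployment test: amavisd will sign happily with the flag set, but receivers treat a failing signature from a testing-mode domain as if the mail were unsigned, so the deliverability benefit the thread is after does not materialise until the flag is removed.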