easy DKIM question, at least i think it is...


easy DKIM question, at least i think it is...

Fazzina, Angelo
Hi, I have a small DKIM question. Config files are at the bottom of the email.
I got it working but don't understand why?

The one change I made to get it to work was adding
137.99.0.0/16 to the TrustedHosts file.

So tests with a From of [hidden email] and [hidden email] are getting signed, and I see it in the Postfix logs.


My question:
My prod servers (3 of them), smtp.uconn.edu, allow authenticated users to send over 465 and 587.
So they could come from any IP address in the world.
I assume all users are using a from address of [hidden email] or  [hidden email].
Is it possible to get emails signed with DKIM?



These are the 3 files I configured:
SigningTable =
        *@appmail.uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
        *@uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
        *@uits.uconn.edu dkim1._domainkey.mta4.uits.uconn.edu

KeyTable =
        dkim1._domainkey.mta4.uits.uconn.edu mta4.uits.uconn.edu:dkim1:/etc/opendkim/keys/uconn/dkim1.private

TrustedHosts =
        127.0.0.1
        137.99.0.0/16
        ::1

This is the opendkim.conf file =

PidFile /var/run/opendkim/opendkim.pid
Mode    sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  inet:8891@localhost
Umask   002
SendReports     yes
ReportAddress   "UITS-SSG OpenDKIM" <[hidden email]>
SoftwareHeader  yes
Canonicalization        relaxed/simple
Selector        dkim1
MinimumKeyBits  1024
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075



Re: easy DKIM question, at least i think it is...

Dominic Raferd


On 20 October 2017 at 18:28, Fazzina, Angelo <[hidden email]> wrote:
> [...]

Referring to man opendkim.conf, under 'Mode' I see you are using mode (b) in which case I think 'Selector' should not be defined. (I use mode (a), which is rather simpler.) Try removing 'Selector' from opendkim.conf and see what happens.

Presuming that your setup already blocks unauthenticated senders purporting to be from @your_domain, I don't think you should need or have to rely on InternalHosts or ExternalIgnoreList. Emails that need signing, and do not need testing for an existing valid signature, should be identified solely from SigningTable. There shouldn't be any that don't need signing *and* don't need testing for a valid signature (i.e. that need to be specified in ExternalIgnoreList) except perhaps for an intranet mail system - emails must either be from the outside world and require testing for DKIM, or be from a recognised sender using one of your domains, and require a signature to be added. Similarly there shouldn't be any, even from the local system, that are not from one of your domains and do need a signature adding (i.e. that need to be specified in InternalHosts).

If rewriting any (local) sender addresses, be sure to use Postfix's canonical_maps and not smtp_generic_maps, so that the change precedes the adding of the signature by opendkim.
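Added example, not configuration from either poster. The point both messages turn on is that OpenDKIM decides whether to sign or to verify from where a message came from, not from its From: address. A message is treated as originating, and is then signed if its From: domain matches SigningTable, when the connecting client is listed in InternalHosts (which is why adding 137.99.0.0/16 made campus test mail sign) or when the value of the {daemon_name} milter macro appears in OpenDKIM's MTA list. Authenticated submission clients can connect from any address, so the second mechanism fits them: run the 587 and 465 listeners as their own master.cf services, give them a distinct milter_macro_daemon_name, and list that name under MTA. The fragments below assume OpenDKIM is the milter on the same Postfix instance that accepts the submissions; ORIGINATING is an arbitrary label chosen here, and the milter socket matches the Socket inet:8891@localhost line in the posted opendkim.conf.

```conf
# /etc/postfix/main.cf (Postfix main.cf does not allow trailing comments,
# so every comment here sits on its own line)
# Every smtpd listener, including port 25 for inbound mail, talks to OpenDKIM,
# so inbound mail is verified and submission mail is signed.
smtpd_milters = inet:127.0.0.1:8891
# Mail injected locally via sendmail(1)/pickup goes through the same milter.
non_smtpd_milters = $smtpd_milters
# If OpenDKIM is down, mail still flows (unsigned) rather than being deferred.
milter_default_action = accept
milter_protocol = 6

# /etc/postfix/master.cf
# Port 25 keeps the default daemon name, so OpenDKIM verifies instead of signs.
smtp       inet  n       -       n       -       -       smtpd
# Port 587: STARTTLS required, SASL required, and the daemon name that
# OpenDKIM's MTA option keys on. Lines starting with whitespace continue
# the service entry.
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# Port 465: implicit TLS, otherwise the same policy.
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

# /etc/opendkim.conf (additions to the posted file)
# Any connection whose {daemon_name} macro is ORIGINATING is signed, whatever
# its source address, provided the From: domain matches SigningTable.
MTA                     ORIGINATING
# The host lists can now shrink back to hosts that are genuinely trusted.
InternalHosts           refile:/etc/opendkim/TrustedHosts
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

# /etc/opendkim/TrustedHosts
# Loopback only. Add the three smtp.uconn.edu addresses only if they relay
# through this host instead of running the milter themselves.
127.0.0.1
::1
```

With SyslogSuccess on, a signed submission shows up in the mail log as a line of the form "DKIM-Signature field added (s=dkim1, d=mta4.uits.uconn.edu)", which is the quick check that the daemon-name route is working; a client connecting on port 25 with a uconn.edu From: should produce no such line. Keeping InternalHosts narrow matters: a whole /16 makes OpenDKIM sign, and skip verifying, anything that connects from that range, including mail with a forged uconn.edu From: from any host in it. One more check on the posted KeyTable: all three SigningTable entries resolve to a key whose signing domain is mta4.uits.uconn.edu, so mail From: user@uconn.edu is signed with d=mta4.uits.uconn.edu. That is a subdomain of uconn.edu, which satisfies DMARC's default relaxed DKIM alignment but would fail if uconn.edu ever published adkim=s; a separate KeyTable entry (and DNS record) signing with d=uconn.edu removes that dependency.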