
need little help with DKIM, if possible.

need little help with DKIM, if possible.

Fazzina, Angelo

Hi,

I ran this.

opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM

which created the private key and selector name

 

 

I created an entry in DNS and it shows up when I run this.

dig any mta4.uits.uconn.edu

 

My issue is how do I get this command to work ?

dig 2017_uconn_DKIM._domainkey.mta4.uits.uconn.edu TXT

 

 

I am learning by reverse engineering the fact that I saw this worked.

dig google._domainkey.protodave.com TXT

got it from here. https://protodave.com/security/checking-your-dkim-dns-record/

 

Anyone with time to help, thanks; if you're too busy, no problem.

-ALF

 

P.S. this is all POC stuff not in production.

 

 

 

-Angelo Fazzina

Operating Systems Programmer / Analyst

University of Connecticut,  UITS, SSG, Server Systems

860-486-9075

 


Re: need little help with DKIM, if possible.

Wietse Venema
Fazzina, Angelo:

> Hi,
> I ran this.
> opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM
> which created the private key and selector name
>
>
> I created an entry in DNS and it shows up when I run this.
> dig any mta4.uits.uconn.edu
>
> My issue is how do I get this command to work ?
> dig 2017_uconn_DKIM._domainkey.mta4.uits.uconn.edu TXT

Works for me, and I tried all three hosts with the NS record for
uconn.edu.
>
> I am learning by reverse engineering the fact that I saw this
> worked.  dig google._domainkey.protodave.com TXT got it from here.
> https://protodave.com/security/checking-your-dkim-dns-record

Reverse engineering is not needed. All internet protocol specs are
on-line, available at no cost other than your Internet connection.

        Wietse

Re: need little help with DKIM, if possible.

Doug Barton
In reply to this post by Fazzina, Angelo

--------------------------------------------
On Thu, 3/16/17, Fazzina, Angelo <[hidden email]> wrote:

 Subject: need little help with DKIM, if possible.
 To: "[hidden email]" <[hidden email]>
 Date: Thursday, March 16, 2017, 12:19 PM

 Hi,  I ran this.
 opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM
 which created the private key and selector name

[] That selector name is inappropriate. If you want to use something that long, use dashes instead of underscores. But there is no reason to use something that complicated. I just use 'dkim' for mine.  

 I am learning by reverse engineering

[] Don't do that. :)  Different sites have different needs, and you really don't need anything as complex as Google's.
   
This is a pretty good tutorial for a single domain:
https://help.ubuntu.com/community/Postfix/DKIM

Obviously you can ignore the Ubuntu-specific parts if you're not using Ubuntu. Also, I would not use autorestart, see the man page for why. If you are setting up multiple domains the configuration is slightly more complex, but still not that difficult.

In regards to your DNS question, assuming you pick 'dkim' for your selector, and your domain is 'uconn.edu' you would want to put the following record in the uconn.edu zone file:

dkim._domainkey TXT     ( "v=DKIM1; k=rsa; t=y;"
"p=<key stuff goes here>;" )

When you're done testing you can remove t=y; from the above example.

hope this helps,

Doug
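
Added example, not part of the thread: a Python sketch of the name a verifier queries for a given selector and domain, and of reading the tags in a key record like the template above. The selector check follows the RFC 6376 grammar (labels of letters, digits and hyphens); the record contents and the p= value are constructed placeholders, and the function names are hypothetical.

```python
import re

# RFC 5321 sub-domain label: letters, digits, hyphens; alphanumeric at both ends.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def dkim_query_name(selector, domain):
    """Return the DNS name a verifier queries for s=<selector>, d=<domain>."""
    for label in selector.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"selector label {label!r} is not letters/digits/hyphens")
    return f"{selector}._domainkey.{domain.rstrip('.')}"

def parse_key_record(strings):
    """Parse a DKIM key TXT record given as its list of quoted strings."""
    txt = "".join(strings)          # TXT strings are joined with no separator
    tags, order = {}, []
    for part in txt.split(";"):
        if not part.strip():
            continue                # tolerate the optional trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        # Whitespace is not significant in the tag values read below.
        tags[name] = "".join(value.split())
        order.append(name)
    if "v" in tags and (order[0] != "v" or tags["v"] != "DKIM1"):
        raise ValueError("v= must be the first tag and equal DKIM1")
    if "p" not in tags:
        raise ValueError("p= (public key) is required")
    flags = tags["t"].split(":") if tags.get("t") else []
    return {
        "key_type": tags.get("k", "rsa"),   # k= defaults to rsa
        "revoked": tags["p"] == "",         # empty p= means the key is revoked
        "testing": "y" in flags,            # t=y: domain is testing DKIM
        "public_key_b64": tags["p"],
    }

# Constructed record in the shape of the zone-file template (placeholder key).
SAMPLE_RECORD = ["v=DKIM1; k=rsa; t=y;", "p=Q09OU1RSVUNURUQ=;"]

if __name__ == "__main__":
    print(dkim_query_name("dkim", "uconn.edu"))
    print(parse_key_record(SAMPLE_RECORD))
```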

RE: need little help with DKIM, if possible.

Fazzina, Angelo

Thank you Doug,

I fixed the name so the unsupported character "_" is not used.

Please review my latest test, as I have a question.

 

Is there anything in the DKIM config files I can change to get rid of this message ?

 

Authentication-Results: verifier.port25.com; dkim=pass (signature verifies; identity doesn't match any headers) header.d=mta4.uits.uconn.edu

 

Am I supposed to get the headers to match ?

 

 

RAW DATA BELOW:

 

Thank you for using the verifier,

 

The Port25 Solutions, Inc. team

 

==========================================================

Summary of Results

==========================================================

SPF check:          neutral

DomainKeys check:   neutral

DKIM check:         pass

SpamAssassin check: ham

 

 

----------------------------------------------------------

DKIM check details:

----------------------------------------------------------

Result:         pass (signature verifies; identity doesn't match any headers)

ID(s) verified: header.d=mta4.uits.uconn.edu

Canonicalized Headers:

    to:[hidden email]'0D''0A'

    from:"Fazzina,'20'Angelo"'20'<[hidden email]>'0D''0A'

    date:Wed,'20'29'20'Mar'20'2017'20'15:29:26'20'-0400'0D''0A'

    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=mta4.uits.uconn.edu;'20's=dkim1;'20't=1490815766;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=To:From:Date:From;'20'b=

 

Canonicalized Body:

    '0D''0A'

   

 

DNS record(s):

    dkim1._domainkey.mta4.uits.uconn.edu. 60 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/YIuJIABa9M7Ox5AXs6CP6z26d/i9JDrHW58YU/OzfsEr6yADboIOydCaiiVaNuwtkbxcatzd6/iutxWbAiY51rRAvVdBs2YIoGO6Glzeev66ft8I fMnHgxND438KIsdOjUmJZuglFJUWGzCYDSC1eq/zqDVncFwTxWkKW/qtxQIDAQAB"

 

Public key used for verification: dkim1._domainkey.mta4.uits.uconn.edu (1024 bits)

 

NOTE: DKIM checking has been performed based on the latest DKIM specs

(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for

older versions.  If you are using Port25's PowerMTA, you need to use

version 3.2r11 or later to get a compatible version of DKIM.

 

 

 

==========================================================

Original Email

==========================================================

 

Return-Path: <[hidden email]>

Received: from mta4.uits.uconn.edu (137.99.25.243) by verifier.port25.com id hrg5hc20i3g1 for <[hidden email]>; Wed, 29 Mar 2017 15:29:26 -0400 (envelope-from <[hidden email]>)

Authentication-Results: verifier.port25.com; spf=neutral (SPF-Result: None) smtp.mailfrom=[hidden email]

Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=[hidden email]

Authentication-Results: verifier.port25.com; dkim=pass (signature verifies; identity doesn't match any headers) header.d=mta4.uits.uconn.edu

Received: from [137.99.80.129] (angelo.uits.uconn.edu [137.99.80.129])

                by mta4.uits.uconn.edu (Postfix) with ESMTPSA id 3583C16F

                for <[hidden email]>; Wed, 29 Mar 2017 15:29:26 -0400 (EDT)

DKIM-Filter: OpenDKIM Filter v2.11.0 mta4.uits.uconn.edu 3583C16F

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta4.uits.uconn.edu;

                s=dkim1; t=1490815766;

                bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;

                h=To:From:Date:From;

                b=t9zhBtRbQBNOIsdN1oa5DS51oRGWuczFcpqP+DjgZ8/ezzZk+8VvbHwITT5sGVVHj

                CqbJSALLhbkUszq7XjYzV9Ro9A3EzudgNImg5PWL74sbPYdUg4BNiCce8UCqAb2xsh

                nRXMvBq1QINwxp+oCOyi6Y4jE7E91NzYdk5v5SiI=

To: [hidden email]

From: "Fazzina, Angelo" <[hidden email]>

Message-ID: <[hidden email]>

Date: Wed, 29 Mar 2017 15:29:26 -0400

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101

Thunderbird/45.4.0

MIME-Version: 1.0

Content-Type: text/plain; charset=utf-8; format=flowed

Content-Transfer-Encoding: 7bit

 

-Angelo Fazzina

Operating Systems Programmer / Analyst

University of Connecticut,  UITS, SSG, Server Systems

860-486-9075

 

-----Original Message-----
From: Doug [mailto:[hidden email]]
Sent: Friday, March 17, 2017 1:52 AM
To: [hidden email]; Fazzina, Angelo <[hidden email]>
Subject: Re: need little help with DKIM, if possible.

 

 

--------------------------------------------

On Thu, 3/16/17, Fazzina, Angelo <[hidden email]> wrote:

 

Subject: need little help with DKIM, if possible.

To: "[hidden email]" <[hidden email]>

Date: Thursday, March 16, 2017, 12:19 PM

 

Hi,  I ran this.

 opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM

 which created the private key and selector name

 

[] That selector name is inappropriate. If you want to use something that long, use dashes instead of underscores. But there is no reason to use something that complicated. I just use 'dkim' for mine. 

 

I am learning by reverse engineering

 

[] Don't do that. :)  Different sites have different needs, and you really don't need anything as complex as Google's.

   

This is a pretty good tutorial for a single domain:

https://help.ubuntu.com/community/Postfix/DKIM

 

Obviously you can ignore the Ubuntu-specific parts if you're not using Ubuntu. Also, I would not use autorestart, see the man page for why. If you are setting up multiple domains the configuration is slightly more complex, but still not that difficult.

 

In regards to your DNS question, assuming you pick 'dkim' for your selector, and your domain is 'uconn.edu' you would want to put the following record in the uconn.edu zone file:

 

dkim._domainkey TXT     ( "v=DKIM1; k=rsa; t=y;"

"p=<key stuff goes here>;" )

 

When you're done testing you can remove t=y; from the above example.

 

hope this helps,

 

Doug


Re: need little help with DKIM, if possible.

Dominic Raferd


On 29 March 2017 at 20:36, Fazzina, Angelo <[hidden email]> wrote:

Thank you Doug,

I fixed the name so the unsupported character "_" is not used.

Please review my latest test, as I have a question.

 

Is there anything in the DKIM config files I can change to get rid of this message ?

 

Authentication-Results: verifier.port25.com; dkim=pass (signature verifies; identity doesn't match any headers) header.d=mta4.uits.uconn.edu

 

Am I supposed to get the headers to match ?

DKIM check details:

Result:         pass (signature verifies; identity doesn't match any headers)

ID(s) verified: header.d=mta4.uits.uconn.edu

Canonicalized Headers:

    to:[hidden email]'0D''0A'

    from:"Fazzina,'20'Angelo"'20'<[hidden email]>'0D''0A'

    date:Wed,'20'29'20'Mar'20'2017'20'15:29:26'20'-0400'0D''0A'

    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=mta4.uits.uconn.edu;'20's=dkim1;'20't=1490815766;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=To:From:Date:From;'20'b=

The problem I think is that you have set up a dkim record for emails from domain mta4.uits.uconn.edu but you are sending an email from [hidden email] (i.e. the internal 'From:' header is set to [hidden email]). Hence the report that the dkim identity ('d=') doesn't match any headers.
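
Added example, not part of the thread: a Python sketch that reads a message's From: domain and each DKIM-Signature's d=, and reports how the two relate, which is the mismatch described above. The message, its addresses and domains are constructed, the function names are hypothetical, and the suffix comparison is a simplification rather than a DMARC organizational-domain lookup.

```python
from email import message_from_string
from email.utils import parseaddr

def signature_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def relation(signing, author):
    """Classify how the signing domain (d=) relates to the From: domain."""
    s, a = signing.lower().rstrip("."), author.lower().rstrip(".")
    if s == a:
        return "identical"
    if s.endswith("." + a):
        return "d= is a subdomain of From domain"
    if a.endswith("." + s):
        return "From domain is a subdomain of d="
    return "unrelated"

def check_alignment(raw_message):
    """Return (From domain, [(selector, d=, relation, From header signed?)])."""
    msg = message_from_string(raw_message)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = signature_tags(value)
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        results.append((tags.get("s"), tags.get("d"),
                        relation(tags.get("d", ""), author), "from" in signed))
    return author, results

# Constructed message: signed by a host name, sent with a parent-domain From:.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta4.mail.example.edu;\n"
    "\ts=dkim1; h=To:From:Date:From; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=\n"
    "To: check@verifier.example\n"
    'From: "Sender, Sample" <sender@example.edu>\n'
    "Date: Wed, 29 Mar 2017 15:29:26 -0400\n"
    "\n"
    "test\n"
)

if __name__ == "__main__":
    print(check_alignment(SAMPLE))
```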