need little help with DKIM, if possible.


Fazzina, Angelo

Hi,

I ran this.

opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM

which created the private key and selector name.

I created an entry in DNS and it shows up when I run this.

dig any mta4.uits.uconn.edu

My issue is how do I get this command to work ?

dig 2017_uconn_DKIM._domainkey.mta4.uits.uconn.edu TXT

I am learning by reverse engineering the fact that I saw this worked.

dig google._domainkey.protodave.com TXT

got it from here. https://protodave.com/security/checking-your-dkim-dns-record/

Anyone with time to help, thanks; if you're too busy, no problem.

-ALF

P.S. this is all POC stuff not in production.
-Angelo Fazzina

Operating Systems Programmer / Analyst

University of Connecticut,  UITS, SSG, Server Systems

860-486-9075

Re: need little help with DKIM, if possible.

Wietse Venema
Fazzina, Angelo:

> Hi,
> I ran this.
> opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM
> which created the private key and selector name
>
>
> I created an entry in DNS and it shows up when I run this.
> dig any mta4.uits.uconn.edu
>
> My issue is how do I get this command to work ?
> dig 2017_uconn_DKIM._domainkey.mta4.uits.uconn.edu TXT

Works for me, and I tried all three hosts with the NS record for
uconn.edu.
>
> I am learning by reverse engineering the fact that I saw this
> worked.  dig google._domainkey.protodave.com TXT got it from here.
> https://protodave.com/security/checking-your-dkim-dns-record

Reverse engineering is not needed. All internet protocol specs are
on-line, available at no cost other than your Internet connection.

        Wietse
Re: need little help with DKIM, if possible.

Doug Barton
In reply to this post by Fazzina, Angelo

--------------------------------------------
On Thu, 3/16/17, Fazzina, Angelo <[hidden email]> wrote:

 Subject: need little help with DKIM, if possible.
 To: "[hidden email]" <[hidden email]>
 Date: Thursday, March 16, 2017, 12:19 PM

 Hi,  I ran this.
 opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM
 which created the private key and selector name

[] That selector name is inappropriate. If you want to use something that long, use dashes instead of underscores. But there is no reason to use something that complicated. I just use 'dkim' for mine.  

 I am learning by reverse engineering

[] Don't do that. :)  Different sites have different needs, and you really don't need anything as complex as Google's.
   
This is a pretty good tutorial for a single domain:
https://help.ubuntu.com/community/Postfix/DKIM

Obviously you can ignore the Ubuntu-specific parts if you're not using Ubuntu. Also, I would not use autorestart, see the man page for why. If you are setting up multiple domains the configuration is slightly more complex, but still not that difficult.

In regards to your DNS question, assuming you pick 'dkim' for your selector, and your domain is 'uconn.edu' you would want to put the following record in the uconn.edu zone file:

dkim._domainkey TXT     ( "v=DKIM1; k=rsa; t=y;"
"p=<key stuff goes here>;" )

When you're done testing you can remove t=y; from the above example.

hope this helps,

Doug
RE: need little help with DKIM, if possible.

Fazzina, Angelo

Thank you Doug,

I fixed the name so the unsupported character "_" is not used.

Please review my latest test, as I have a question.

Is there anything in the DKIM config files I can change to get rid of this message ?

Authentication-Results: verifier.port25.com; dkim=pass (signature verifies; identity doesn't match any headers) header.d=mta4.uits.uconn.edu

Am I supposed to get the headers to match ?

RAW DATA BELOW:

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          neutral
DomainKeys check:   neutral
DKIM check:         pass
SpamAssassin check: ham

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (signature verifies; identity doesn't match any headers)
ID(s) verified: header.d=mta4.uits.uconn.edu
Canonicalized Headers:
    to:[hidden email]'0D''0A'
    from:"Fazzina,'20'Angelo"'20'<[hidden email]>'0D''0A'
    date:Wed,'20'29'20'Mar'20'2017'20'15:29:26'20'-0400'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=mta4.uits.uconn.edu;'20's=dkim1;'20't=1490815766;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=To:From:Date:From;'20'b=

Canonicalized Body:
    '0D''0A'

DNS record(s):
    dkim1._domainkey.mta4.uits.uconn.edu. 60 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/YIuJIABa9M7Ox5AXs6CP6z26d/i9JDrHW58YU/OzfsEr6yADboIOydCaiiVaNuwtkbxcatzd6/iutxWbAiY51rRAvVdBs2YIoGO6Glzeev66ft8I fMnHgxND438KIsdOjUmJZuglFJUWGzCYDSC1eq/zqDVncFwTxWkKW/qtxQIDAQAB"

Public key used for verification: dkim1._domainkey.mta4.uits.uconn.edu (1024 bits)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

==========================================================
Original Email
==========================================================

Return-Path: <[hidden email]>
Received: from mta4.uits.uconn.edu (137.99.25.243) by verifier.port25.com id hrg5hc20i3g1 for <[hidden email]>; Wed, 29 Mar 2017 15:29:26 -0400 (envelope-from <[hidden email]>)
Authentication-Results: verifier.port25.com; spf=neutral (SPF-Result: None) smtp.mailfrom=[hidden email]
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=[hidden email]
Authentication-Results: verifier.port25.com; dkim=pass (signature verifies; identity doesn't match any headers) header.d=mta4.uits.uconn.edu
Received: from [137.99.80.129] (angelo.uits.uconn.edu [137.99.80.129])
        by mta4.uits.uconn.edu (Postfix) with ESMTPSA id 3583C16F
        for <[hidden email]>; Wed, 29 Mar 2017 15:29:26 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mta4.uits.uconn.edu 3583C16F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta4.uits.uconn.edu;
        s=dkim1; t=1490815766;
        bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
        h=To:From:Date:From;
        b=t9zhBtRbQBNOIsdN1oa5DS51oRGWuczFcpqP+DjgZ8/ezzZk+8VvbHwITT5sGVVHj
        CqbJSALLhbkUszq7XjYzV9Ro9A3EzudgNImg5PWL74sbPYdUg4BNiCce8UCqAb2xsh
        nRXMvBq1QINwxp+oCOyi6Y4jE7E91NzYdk5v5SiI=
To: [hidden email]
From: "Fazzina, Angelo" <[hidden email]>
Message-ID: <[hidden email]>
Date: Wed, 29 Mar 2017 15:29:26 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Thunderbird/45.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit


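The dig lookup asked about at the top of the thread, Doug's zone-file template and the "DNS record(s)" line in the Port25 report are all the same object: a TXT record at <selector>._domainkey.<domain> carrying a tag=value list. Below is an added example (mine, not OpenDKIM's code and not anything a poster wrote) that builds the query name, checks the selector against the RFC 6376 section 3.1 grammar, and parses such a record: it joins the TXT strings the way a verifier does, strips the whitespace that the Port25 output shows inside p=, decodes the RSA public key far enough to report its size, and flags t=y, an empty (revoked) p=, and keys shorter than 2048 bits. The record constant is copied from the Port25 report above; every function name is my own.

```python
"""Look up and sanity-check a DKIM public-key record (RFC 6376 section 3.6.1).

Added example for this thread, not code from OpenDKIM or from any poster.
Stdlib only: the small DER walker reads the modulus size out of an RSA
SubjectPublicKeyInfo, so no third-party crypto package is needed.
"""
import base64
import re

# RFC 6376 3.1: selector = sub-domain *("." sub-domain), sub-domain per RFC 5321
# (letters, digits, interior hyphens). An underscore is outside that grammar
# even though DNS itself will serve the name, as Wietse's dig test showed.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def is_valid_selector(selector: str) -> bool:
    return all(_LABEL.match(label) for label in selector.split("."))


def dkim_query_name(selector: str, domain: str) -> str:
    """The name a verifier queries for TXT: <selector>._domainkey.<d= domain>."""
    if not is_valid_selector(selector):
        raise ValueError(f"selector {selector!r} is not valid per RFC 6376 3.1")
    return f"{selector}._domainkey.{domain.rstrip('.')}"


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos -> (tag, value, next_pos); short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: 0x8N then N bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(spki: bytes):
    """(modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo."""
    tag, body, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _der_read(body, 0)             # AlgorithmIdentifier
    oid_tag, oid, _ = _der_read(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der_read(body, pos)            # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsakey, _ = _der_read(bits, 1)              # RSAPublicKey ::= SEQUENCE {n, e}
    tag_n, n, pos = _der_read(rsakey, 0)
    tag_e, e, _ = _der_read(rsakey, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def parse_dkim_record(txt_strings) -> dict:
    """txt_strings: the quoted strings of one TXT RDATA, as dig prints them.
    RFC 6376 3.6.2.2: a verifier concatenates them with no separator."""
    tags = {}
    for spec in "".join(txt_strings).split(";"):
        if "=" in spec:
            name, value = spec.split("=", 1)
            tags[name.strip()] = value.strip()
    if "p" not in tags:
        raise ValueError("p= is required in a DKIM key record")
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unknown record version " + tags["v"])
    result = {"tags": tags, "revoked": False, "warnings": [],
              "testing": "y" in tags.get("t", "").split(":")}
    # Whitespace inside a base64 value is ignored (RFC 6376 3.2); a wrapped zone
    # file or a split TXT string commonly leaves a space in the middle of p=.
    p = re.sub(r"\s+", "", tags["p"])
    if p == "":
        result["revoked"] = True                   # empty p= means "key revoked"
        return result
    if tags.get("k", "rsa") != "rsa":
        result["warnings"].append("non-RSA key type " + tags["k"])
        return result
    bits, e = rsa_key_params(base64.b64decode(p, validate=True))
    result.update(key_bits=bits, exponent=e)
    if bits < 2048:
        result["warnings"].append(f"{bits}-bit RSA key; RFC 8301 recommends 2048")
    if result["testing"]:
        result["warnings"].append("t=y: record is flagged as testing")
    return result


# The record exactly as the Port25 report earlier in this thread printed it,
# including the stray space inside p= that the zone file wrapping left behind.
PORT25_RECORD = [
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/YIuJIABa9M7Ox5AXs6CP6z26"
    "d/i9JDrHW58YU/OzfsEr6yADboIOydCaiiVaNuwtkbxcatzd6/iutxWbAiY51rRAvVdBs2YIoGO6Glzeev66ft8I"
    " fMnHgxND438KIsdOjUmJZuglFJUWGzCYDSC1eq/zqDVncFwTxWkKW/qtxQIDAQAB"
]

if __name__ == "__main__":
    print(dkim_query_name("dkim1", "mta4.uits.uconn.edu"))
    print(is_valid_selector("2017_uconn_DKIM"))   # the selector from the first post
    print(parse_dkim_record(PORT25_RECORD))
```

To run it against live DNS, pass the quoted strings that `dig +short TXT dkim1._domainkey.mta4.uits.uconn.edu` prints (one list element per quoted string) to parse_dkim_record; for the record above it reports a 1024-bit key with exponent 65537 and a warning about the key size.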

Re: need little help with DKIM, if possible.

Dominic Raferd


On 29 March 2017 at 20:36, Fazzina, Angelo <[hidden email]> wrote:

> Is there anything in the DKIM config files I can change to get rid of this message ?
>
> Authentication-Results: verifier.port25.com; dkim=pass (signature verifies; identity doesn't match any headers) header.d=mta4.uits.uconn.edu
>
> Am I supposed to get the headers to match ?

The problem I think is that you have set up a dkim record for emails from domain mta4.uits.uconn.edu but you are sending an email from [hidden email] (i.e. the internal 'From:' header is set to [hidden email]). Hence the report that the dkim identity ('d=') doesn't match any headers.
RE: need little help with DKIM, if possible.

Fazzina, Angelo

Thank you Dominic,

I think I am starting to confuse the 2 sides of the coin and wanted clarification.

If I setup DKIM, it is to be used by whom ?
Is it for anyone including my own domain, when an @uconn.edu email is received, it is to be checked ?

A. Does my DKIM entry in DNS help with sending from [hidden email] to [hidden email] ?
B. Does my DKIM entry in DNS help with sending from [hidden email] to [hidden email] ?
C. Does my DKIM entry in DNS help with sending from [hidden email] to [hidden email] ?

In “C” I am thinking emails from staff to student and vice versa. Staff on O365 and students on Google Apps.
Both cloud solutions.
Student to staff would go google -> to my MX record which is spam appliance -> postfix box -> O365 servers
Staff to Student would go O365 -> to my MX record which is spam appliance -> postfix box -> Google servers

Thanks to anyone willing to go down the rabbit hole here….

-ALF



Re: need little help with DKIM, if possible.

P.V.Anthony
On 30/03/2017 23:19, Fazzina, Angelo wrote:

> If I setup DKIM, it is to be used by whom ?
>
> Is it for anyone including my own domain, when an @uconn.edu email is
> received, it is to be checked ?
>
>
>
> A.      Does my DKIM entry in DNS help with sending from
> [hidden email]<mailto:[hidden email]> to
> [hidden email]<mailto:[hidden email]>?
>
> B.      Does my DKIM entry in DNS help with sending from
> [hidden email]<mailto:[hidden email]>to
> [hidden email]<mailto:[hidden email]>?
>
> C.      Does my DKIM entry in DNS help with sending from
> [hidden email]<mailto:[hidden email]>to [hidden email]<mailto:[hidden email]>?
>
>
>
> In “C” I am thinking emails from staff to student and vice versa. Staff
> on O365 and students on Google Apps.
>
> Both cloud solutions.
>
> *Student to staff*would go  google ->  to my MX record which is spam
> appliance -> postfix box -> O365 servers
>
> *Staff to Student* would go O365 -> to my MX record which is spam
> appliance -> postfix box  -> Google servers
Not sure about your case. I will share my case.

my domain mindmedia.com.sg has a dns entry like so.

;; QUESTION SECTION:
;default._domainkey.mindmedia.com.sg. IN TXT

;; ANSWER SECTION:
default._domainkey.mindmedia.com.sg. 3600 IN TXT "v=DKIM1; t=s;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/XW/fnNOu4RjJhtQGT2OfSyw5VtjqMPco1Sf9XlYMVi9dFBrPIJR6+Hmu93SOLQQvUdVIqG8PZuAG177Ke2+ZKxwEFZycuC6xey5MxLGKaVD9GuQPAeHpzRg9NQmz9qjnRkd315CgKUxqMx7pg6dcDsE2tqnU+FGxx65EAsczUQIDAQAB"

My email server that hosts emails for mindmedia.com.sg has a DKIM
private key.

Every time I send email using SMTP through my server that is hosting my
emails, an application linked with Postfix will sign every email
using mindmedia.com.sg's DKIM private key.

The receiving party's SMTP server will check the DKIM signature header
in the email with the one in the TXT DNS entry of
default._domainkey.mindmedia.com.sg.

If it verifies, then DKIM has passed.

This is my understanding.

I hope this helps.

P.V.Anthony



Re: need little help with DKIM, if possible.

Dominic Raferd
In reply to this post by Fazzina, Angelo
​​

As I understand it, DKIM requires a separate DNS record for each subdomain to which it will apply (unlike DMARC). So if you want to send emails with header 'From: alf02013@appmail.uconn.edu' and you want these to have a useful DKIM header, then there must be a DNS TXT entry at mykey._domainkey.appmail.uconn.edu, and the private key to which this relates must have been used by your mailserver to generate the DKIM header (with s=mykey) that appears in your email. With a separate but similar DNS TXT entry at mykey._domainkey.uconn.edu, the same private key could be used by your mailserver to generate a valid DKIM header for an email from [hidden email].

Any MUA can check your DKIM header to see whether the email is unmodified since the DKIM header was created by the private keyholder; but a valid DKIM header means very little unless it matches (is 'aligned with') the domain in the 'From' header, since a malefactor can still create an email faking your 'From' address and insert their own valid DKIM header based on their own domain (which will verify against their DNS TXT record). DMARC takes DKIM and adds in the concept of alignment, but of course it first requires that you are using DKIM.

Unfortunately in the real world DKIM is often used badly, including by large organisations that should know better, so an unaligned DKIM header (or one that is faulty in some other way) is only an indication that there just might be a problem and nothing more. Similarly the presence of a DKIM TXT entry in DNS does not guarantee that all valid emails from this domain will have a DKIM header. This is another advantage of DMARC with p=reject, because no organisation can afford to have such a policy unless it is confident that its emails will all be correctly signed and aligned.

If any of the above is wrong, I hope someone will explain better.

Dominic
Re: need little help with DKIM, if possible.

Viktor Dukhovni

> On Mar 30, 2017, at 12:35 PM, Dominic Raferd <[hidden email]> wrote:
>
> As I understand it, ​DKIM requires a separate DNS record for each subdomain

No, DKIM has no such requirement.  The DKIM signing domain "d=" in the
DKIM signature header is not constrained to match the domain in the
rfc2822 "From:" header.  All that DKIM conveys is the identity of the
domain responsible for the content.  DKIM authenticates the origin
domain, not the author.

--
        Viktor.

Re: need little help with DKIM, if possible.

Dominic Raferd


On 30 March 2017 at 17:42, Viktor Dukhovni <[hidden email]> wrote:

> On Mar 30, 2017, at 12:35 PM, Dominic Raferd <[hidden email]> wrote:
>
> As I understand it, ​DKIM requires a separate DNS record for each subdomain

No, DKIM has no such requirement.  The DKIM signing domain "d=" in the
DKIM signature header is not constrained to match the domain in the
rfc2822 "From:" header.  All that DKIM conveys is the identity of the
domain responsible for the content.  DKIM authenticates the origin
domain, not the author.

Thanks Viktor, on reflection that is clearly right. What I should have said is that valid DKIM only proves that the content of the email came from the domain in the From header if this domain matches the one in the DKIM header.

BTW I recently discovered a neat Thunderbird Add-On 'DKIM Verifier' which can colour(color) the background to the sender name (i.e. From header) green if the domain matches the DKIM domain (example: P.V. Anthony's email in this thread, mine too I hope), orange if they mismatch (example: Angelo's emails in this thread), no colour if there is no DKIM (example: your emails in this thread), red if the DKIM signature is bad.
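Dominic's first reply, Viktor's correction and Dominic's follow-up are about two different checks. DKIM by itself only binds the message to the d= domain (Viktor's point); whether that domain lines up with the From: header is the separate question DMARC calls identifier alignment. As an added example (mine, not code from any poster or from OpenDKIM), the script below parses the folded DKIM-Signature from Angelo's Port25 report, extracts the From: domain, and reports an exact identity match alongside DMARC strict and relaxed alignment. With a From: address at appmail.uconn.edu, the domain Dominic names, the exact check fails as the report said, strict alignment fails, and relaxed alignment passes because both sides share uconn.edu. The From: addresses and the third-party "spoof" signature are constructed for the example, Port25's own matching rule is not stated in the thread, and organizational_domain is a two-label simplification of what a real verifier does with the Public Suffix List.

```python
"""Does a DKIM signature's identity line up with the From: header?

Added example for this thread, not code from any poster or from OpenDKIM.
It separates an exact-match check of the signing identity against From:
from DMARC identifier alignment (RFC 7489 section 3.1.1), strict and relaxed.
"""
import re


def unfold(value: str) -> str:
    """RFC 5322 unfolding: remove a line break that is followed by whitespace."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)


def parse_signature(header_value: str) -> dict:
    """DKIM-Signature tag=value list. b= and bh= are base64, so all whitespace
    inside them is dropped; other values only lose surrounding whitespace."""
    tags = {}
    for spec in unfold(header_value).split(";"):
        if "=" in spec:
            name, val = spec.split("=", 1)
            name = name.strip()
            tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    return tags


def from_domain(from_header: str) -> str:
    """Domain of the addr-spec in a From: header (angle-addr or bare), lower-cased."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[1].lower()


def organizational_domain(domain: str) -> str:
    """Simplified on purpose: the last two labels. A real verifier consults the
    Public Suffix List so that names like example.co.uk come out right."""
    return ".".join(domain.lower().split(".")[-2:])


def check_alignment(dkim_signature: str, from_header: str) -> dict:
    sig = parse_signature(dkim_signature)
    sdid = sig["d"].lower()                         # signing domain (SDID)
    auid = sig.get("i", "@" + sdid).lower()         # agent/user id, default "@"+d
    fdom = from_domain(from_header)
    return {
        "sdid": sdid,
        "from_domain": fdom,
        # exact check: does the identity's domain equal the From: domain?
        "identity_matches_from": auid.rsplit("@", 1)[1] == fdom,
        # DMARC adkim=s: d= must equal the From: domain
        "dmarc_strict": sdid == fdom,
        # DMARC adkim=r (the default): same organizational domain is enough
        "dmarc_relaxed": organizational_domain(sdid) == organizational_domain(fdom),
    }


# The DKIM-Signature header from the Port25 report in this thread, still folded.
SIG_FROM_THREAD = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=mta4.uits.uconn.edu;\r\n"
    "\ts=dkim1; t=1490815766;\r\n"
    "\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n"
    "\th=To:From:Date:From;\r\n"
    "\tb=t9zhBtRbQBNOIsdN1oa5DS51oRGWuczFcpqP+DjgZ8/ezzZk+8VvbHwITT5sGVVHj\r\n"
    "\tCqbJSALLhbkUszq7XjYzV9Ro9A3EzudgNImg5PWL74sbPYdUg4BNiCce8UCqAb2xsh\r\n"
    "\tnRXMvBq1QINwxp+oCOyi6Y4jE7E91NzYdk5v5SiI="
)
# Constructed From: headers; the local part "user" is a placeholder, not a mailbox.
FROM_APPMAIL = '"Fazzina, Angelo" <user@appmail.uconn.edu>'
FROM_MTA4 = "<user@mta4.uits.uconn.edu>"
# Constructed signature a third party could add under its own domain; bh= and b=
# are placeholders because only the identity tags matter for alignment.
SPOOF_SIGNATURE = "v=1; a=rsa-sha256; d=attacker.example; s=sel; h=From; bh=AAAA; b=AAAA"

if __name__ == "__main__":
    for label, sig, frm in (("thread", SIG_FROM_THREAD, FROM_APPMAIL),
                            ("same host", SIG_FROM_THREAD, FROM_MTA4),
                            ("spoof", SPOOF_SIGNATURE, "<user@uconn.edu>")):
        print(label, check_alignment(sig, frm))
```

The "spoof" case is Dominic's malefactor: the signature verifies perfectly against attacker.example, and only alignment against the From: domain tells a verifier that it says nothing about uconn.edu.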