https://wiki.hobby.nl/api.php?action=feedcontributions&feedformat=atom&user=2A05%3AF080%3A0%3A300%3AB848%3A81C0%3A7F18%3AAA86Hobbynet Admin Wiki - User contributions [en]2026-05-14T14:21:14ZUser contributionsMediaWiki 1.40.1https://wiki.hobby.nl/index.php?title=DKIM&diff=78342DKIM2020-04-05T11:07:30Z<p>2A05:F080:0:300:B848:81C0:7F18:AA86: /* Key maken */</p>
<hr />
<div>===Inleiding===<br />
Om minder snel als spammer te worden aangemerkt kan de mail "ge-signed" worden. Hiervoor moet OpenDKIM geinstalleerd worden en een kleine aanpassing aan de postfix configuratie gemaakt worden.<br />
===Installatie===<br />
Gebruik zoals altijd apt-get of aptitude om een package te instaleren.<br />
<pre><br />
apt-get install opendkim opendkim-tools<br />
</pre><br />
===Configuratie===<br />
De configuratie van OpenDKIM staat in /etc/opendkim.conf en dient er als volgt ui te zien:<br />
<pre><br />
# This is a basic configuration that can easily be adapted to suit a standard<br />
# installation. For more advanced options, see opendkim.conf(5) and/or<br />
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.<br />
#<br />
#Domain example.com<br />
#KeyFile /etc/opendkim/201205.private<br />
#Selector 201205<br />
#<br />
# Commonly-used options<br />
Canonicalization relaxed/simple<br />
Mode sv<br />
SubDomains yes<br />
# Log to syslog<br />
Syslog yes<br />
LogWhy yes<br />
# Required to use local socket with MTAs that access the socket as a non-<br />
# privileged user (e.g. Postfix)<br />
UMask 022<br />
UserID opendkim:opendkim<br />
#<br />
KeyTable /etc/opendkim/KeyTable<br />
SigningTable /etc/opendkim/SigningTable<br />
ExternalIgnoreList /etc/opendkim/TrustedHosts<br />
InternalHosts /etc/opendkim/TrustedHosts<br />
#<br />
Socket inet:8891@localhost<br />
#EOF<br />
</pre><br />
Voor uitleg over de diverse parameters, kijk bijvoorbeeld op [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy deze site].<br />
<br />
===Directory structuur===<br />
Er moet een directory structuur gemaakt worden om trusted hosts, key tables, signing tables en crypto keys op te slaan. Maak daartoe /etc/opendkim aan met daarin de volgende files en directory: <br />
<pre><br />
root@mail-lb1:/etc/opendkim# ls -l<br />
total 16<br />
-rw-r--r-- 1 root root 90 May 25 14:23 KeyTable<br />
-rw-r--r-- 1 root root 38 May 25 14:24 SigningTable<br />
-rw-r--r-- 1 root root 151 May 28 22:42 TrustedHosts<br />
drwxr-xr-x 3 root root 4096 May 25 14:26 keys<br />
</pre><br />
In de directory komen de keys van de domeinen te staan. <br />
===Key maken===<br />
Er is een script die maakt de keys aan en voegt de key toe aan de juiste tabellen<br />
/usr/local/hobbynet/bin/maakopendkim.sh '''domeinnaam'''<br />
<br />
Als je dit script uitvoerd zet de keys op beide servers update de tabellen en herstart dkim na afloop verteld hij ook wat je in dns moet zetten<br />
<pre><br />
root@mail-lb1:/etc/opendkim# /usr/local/hobbynet/bin/maakopendkim.sh joomla-dev.hobby.nl<br />
<br />
Zet dit in de DNS zone voor: joomla-dev.hobby.nl<br />
<br />
default._domainkey.joomla-dev.hobby.nl. IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "<br />
"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw2jWysEKHJVxB+Mz2/94YREk2CZ4iqUwsLtGwRQPraMnOQNsZaC0Ze4YtSJgtmaIdqqnrgkvmWQoG4lcHcJ9a4lyTh//BO1eNGVtTWfAl6L1s4Y647crTnDobqDJKl6oAW8G9pA0clnwLoWxhIEVkd1KHPcp4YGzKR4VywYVpc8bU+Qim2yLwlf7AtB67lOT43H53vBjtAntm4"<br />
"8aDZr3oN9K/LmYUw66n4BjcJQ8E9jdF2/HIVLPu2tOCP7I8LPAUjrW/v9b9v4P2aC6olxK93IcldGjrFd/S79nRvWBrOkPPj65EsQNLx6hWO97z6VqQD9pP4MinGpSOQ3nC3minRxR4qu9o45T8MditxO8ojjbF1sHxadRZPqa140E7Zxo5qEhhsb+e3rQgGYvina/LGxmef7C94e5/HFcgepN6WySMrFWJh1HXeBydScboX/j3gL7yNty"<br />
"FMg4bwthQB1TwCEsVpviQjDBo02nd3QtBupUWzcWuR61d6oBgoOCqUnS8uLTyDdo5lXUrjl6Kduja6tolEbJt5JWCviKNPobINqfKr4R4HVpBo+koLMqyzRxswomzYXort/YWSZJmkXKVeMKGW89GZhz5qRr9rOJUFQc/IdTy8C4bdaDV/8hOX0wtrPPEzT4FU5mb9oNLntHy1wm7PKZR0SNdoUylSS+vYcCAwEAAQ==" ) ; ----- DKIM key default for joomla-dev.hobby.nl<br />
</pre><br />
<br />
===De Postfix kant===<br />
Tevens moet in /etc/default/opendkim alles uitgecommentarieerd worden en deze regel toegevoegd worden:<br />
<pre><br />
SOCKET="inet:8891@localhost"<br />
</pre><br />
Dit socket dient aan Postfix bekend te worden gemaakt. Voeg de volgende regels aan /etc/postfix/main.cf toe:<br />
<pre><br />
# DKIM<br />
milter_default_action = accept<br />
milter_protocol = 2<br />
smtpd_milters = inet:localhost:8891<br />
non_smtpd_milters = inet:localhost:8891<br />
</pre><br />
Hierdoor controleert en zet Postfix nu ook dkim handtekeningen. Vergeet niet Postfix te herstarten.<br />
<br />
===Testen===<br />
De configuratie kan worden getest door een lege mail te sturen naar '''check-auth@verifier.port25.com'''. Als alles werkt zal in de reply '''DKIM check: pass''' staan onder '''Summary of Results'''. Voor de geïnteresseerde is het hele bericht opgenomen. <br />
<pre><br />
==========================================================<br />
Summary of Results<br />
==========================================================<br />
SPF check: pass<br />
"iprev" check: pass<br />
DKIM check: pass<br />
SpamAssassin check: ham<br />
<br />
==========================================================<br />
Details:<br />
==========================================================<br />
<br />
HELO hostname: mail-lb1.hobby.nl<br />
Source IP: 212.72.224.72<br />
mail-from: rootmail@hobby.nl<br />
<br />
----------------------------------------------------------<br />
SPF check details:<br />
----------------------------------------------------------<br />
Result: pass<br />
ID(s) verified: smtp.mailfrom=rootmail@hobby.nl<br />
<br />
DNS record(s):<br />
hobby.nl. 60 IN TXT "v=spf1 ip4:212.72.224.0/21 ip4:95.97.35.96/29 ip4:80.253.112.0/24 ip4:94.232.160.0/24 ip6:2a02:968::/32 -all"<br />
<br />
<br />
----------------------------------------------------------<br />
"iprev" check details:<br />
----------------------------------------------------------<br />
Result: pass (matches mail-lb1.hobby.nl)<br />
ID(s) verified: policy.iprev=212.72.224.72<br />
<br />
DNS record(s):<br />
72.224.72.212.in-addr.arpa. 60 IN PTR mail-lb1.hobby.nl.<br />
mail-lb1.hobby.nl. 60 IN A 212.72.224.72<br />
<br />
<br />
----------------------------------------------------------<br />
DKIM check details:<br />
----------------------------------------------------------<br />
Result: pass (matches From: rootmail@hobby.nl)<br />
ID(s) verified: header.d=hobby.nl<br />
<br />
Canonicalized Headers:<br />
reply-to:rootmail@hobby.nl'0D''0A'<br />
to:check-auth@verifier.port25.com'0D''0A'<br />
from:Hobbynet'20'rootmaill'20'<rootmail@hobby.nl>'0D''0A'<br />
subject:test'0D''0A'<br />
date:Thu,'20'31'20'May'20'2018'20'21:48:24'20'+0200'0D''0A'<br />
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=hobby.nl;'20's=default;'20't=1527796105;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Reply-To:To:From:Subject:Date;'20'b=<br />
<br />
Canonicalized Body:<br />
'0D''0A'<br />
<br />
<br />
DNS record(s):<br />
default._domainkey.hobby.nl. 60 IN TXT "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyHQygiGyUV+o4WTsNIbxfYPyADNedPojfVfn2YrCZJ6WFhBi6RNKKJndqE+VGgtScSI1fkLRCyquVPTGICUAnUbUQL2NbGQNyo0T8wBJy5QTarir10IMue/2QtjaPnDkwa4m35Bl9YKm4SgeaTd7A/OWXsO2BAgCYfiAHsFvK6e6u4zwcD1ZlGH9bSrgm5x6ucHkROq9aV0R0Pr/+SGkT+9Zs1L/TqbX0OvoKmG+raffHVghG8USo1EVWzFSi7gURqP6C8f9HW4HfLnR203C8uJMHSzBvPv5PbM+kc/QTu1AE478a6aZyaUsEhHQQx7OV08crT6UsdyUHQlQpgl8aR+MwAyrEH54AAPzYjfN5KNsZ35flf2/Yj6X5KtGeG0ZVMR2cew1z3SKTFXg+rq+TWF3EqhiD3fzTypSYk5nhKpKpMYtoU7JytF4Xw02fyJpbiVdAGsLqibM+rY+4qp+C/t1HKHVavGePdg5iBE/Y+lOqG6dJvXpWe7JjEz7HfZOz69XN0ryL5/JUzfCpf7lvyJ3LKET4OuBbSwypzNeDX+DaAHb4qdwNFJGq8H0DjFFFagmPQSeHZdX7qTtIiOSbogFXab2Yz9Yw38GedKk9UQPSdCLqdzeFEZWuTXDn/NdRA7PqWuAUxoe68O57Esz4dnyLqB1Xrs74IzTRpLhiSECAwEAAQ=="<br />
<br />
Public key used for verification: default._domainkey.hobby.nl (4096 bits)<br />
<br />
NOTE: DKIM checking has been performed based on the latest DKIM specs<br />
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for<br />
older versions. If you are using Port25's PowerMTA, you need to use<br />
version 3.2r11 or later to get a compatible version of DKIM.<br />
<br />
----------------------------------------------------------<br />
SpamAssassin check details:<br />
----------------------------------------------------------<br />
SpamAssassin v3.4.0 (2014-02-07)<br />
<br />
Result: ham (-2.0 points, 5.0 required)<br />
<br />
pts rule name description<br />
---- ---------------------- --------------------------------------------------<br />
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no<br />
trust<br />
[212.72.224.72 listed in list.dnswl.org]<br />
-0.0 SPF_PASS SPF: sender matches SPF record<br />
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%<br />
[score: 0.0000]<br />
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's<br />
domain<br />
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid<br />
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature<br />
<br />
<br />
<br />
==============================================================<br />
Explanation of the possible results (based on RFCs 7601, 7208)<br />
==============================================================<br />
<br />
<br />
DKIM Results<br />
============<br />
<br />
none: The message was not signed.<br />
<br />
pass: The message was signed, the signature or signatures were<br />
acceptable to the ADMD, and the signature(s) passed verification<br />
tests.<br />
<br />
fail: The message was signed and the signature or signatures were<br />
acceptable to the ADMD, but they failed the verification test(s).<br />
<br />
policy: The message was signed, but some aspect of the signature or<br />
signatures was not acceptable to the ADMD.<br />
<br />
neutral: The message was signed, but the signature or signatures<br />
contained syntax errors or were not otherwise able to be<br />
processed. This result is also used for other failures not<br />
covered elsewhere in this list.<br />
<br />
temperror: The message could not be verified due to some error that<br />
is likely transient in nature, such as a temporary inability to<br />
retrieve a public key. A later attempt may produce a final<br />
result.<br />
<br />
permerror: The message could not be verified due to some error that<br />
is unrecoverable, such as a required header field being absent. A<br />
later attempt is unlikely to produce a final result.<br />
<br />
<br />
SPF Results<br />
===========<br />
<br />
none: Either (a) no syntactically valid DNS domain name was extracted from<br />
the SMTP session that could be used as the one to be authorized, or<br />
(b) no SPF records were retrieved from the DNS.<br />
<br />
neutral: The ADMD has explicitly stated that it is not asserting whether<br />
the IP address is authorized.<br />
<br />
pass: An explicit statement that the client is authorized to inject mail<br />
with the given identity.<br />
<br />
fail: An explicit statement that the client is not authorized to use the<br />
domain in the given identity.<br />
<br />
softfail: A weak statement by the publishing ADMD that the host is probably<br />
not authorized. It has not published a stronger, more definitive policy<br />
that results in a "fail".<br />
<br />
temperror: The SPF verifier encountered a transient (generally DNS) error<br />
while performing the check. A later retry may succeed without further<br />
DNS operator action.<br />
<br />
permerror: The domain's published records could not be correctly interpreted.<br />
This signals an error condition that definitely requires DNS operator<br />
intervention to be resolved.<br />
<br />
<br />
"iprev" Results<br />
===============<br />
<br />
pass: The DNS evaluation succeeded, i.e., the "reverse" and<br />
"forward" lookup results were returned and were in agreement.<br />
<br />
fail: The DNS evaluation failed. In particular, the "reverse" and<br />
"forward" lookups each produced results, but they were not in<br />
agreement, or the "forward" query completed but produced no<br />
result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an<br />
RCODE of 0 (NOERROR) in a reply containing no answers, was<br />
returned.<br />
<br />
temperror: The DNS evaluation could not be completed due to some<br />
error that is likely transient in nature, such as a temporary DNS<br />
error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or<br />
other error condition resulted. A later attempt may produce a<br />
final result.<br />
<br />
permerror: The DNS evaluation could not be completed because no PTR<br />
data are published for the connecting IP address, e.g., a DNS<br />
RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)<br />
in a reply containing no answers, was returned. This prevented<br />
completion of the evaluation. A later attempt is unlikely to<br />
produce a final result.<br />
<br />
<br />
<br />
<br />
==========================================================<br />
Original Email<br />
==========================================================<br />
<br />
Return-Path: <rootmail@hobby.nl><br />
Received: from mail-lb1.hobby.nl (212.72.224.72) by verifier.port25.com id h218om2e8s48 for <check-auth@verifier.port25.com>; Thu, 31 May 2018 19:48:27 +0000 (envelope-from <rootmail@hobby.nl>)<br />
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=rootmail@hobby.nl;<br />
iprev=pass (matches mail-lb1.hobby.nl) policy.iprev=212.72.224.72;<br />
dkim=pass (matches From: rootmail@hobby.nl) header.d=hobby.nl<br />
Received: from localhost (localhost [127.0.0.1])<br />
by mail-lb1.hobby.nl (Postfix) with ESMTP id 8396E5FDEA<br />
for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
X-Virus-Scanned: Debian amavisd-new at mail-lb1.hobby.nl<br />
Received: from mail-lb1.hobby.nl ([127.0.0.1])<br />
by localhost (mail-lb1.hobby.nl [127.0.0.1]) (amavisd-new, port 10024)<br />
with ESMTP id bnAxJuumS9FK for <check-auth@verifier.port25.com>;<br />
Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
Received: from [192.168.10.12] (vandenbussche.xs4all.nl [83.163.218.172])<br />
(using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))<br />
(No client certificate requested)<br />
(Authenticated sender: egbert@vandenbussche.nl)<br />
by mail-lb1.hobby.nl (Postfix) with ESMTPSA id 51FE55FDE6<br />
for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hobby.nl; s=default;<br />
t=1527796105; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;<br />
h=Reply-To:To:From:Subject:Date;<br />
b=allKIIWMLMVr0ufrCeIkA8T7VF6xZ9PpPDEG80vqoQraDkwa8FAal+ZXhK/Y/nwtO<br />
XYzhEZmOHSYtvTplFppuvXCsbK2q/ZYf881CounLX/w+Ko0ZNIgJwsOz7WX7MJLDXS<br />
cp13/hRVzNYv0LBsI1sz6cXKkNhVxWEShaIjsSW84bQgAAznR0zG9ZYLuVEXm614T0<br />
cz56At+ONbF/8wqBy3rYRBjJ+66xvajO5DfKX94zJErCpvyoiTYCtO5uf0H3sIsiDs<br />
l7a7IUV3Ituzw0+VNpnRP1J3cNxI7j51EGaoUI1w501cCV6f0wC/qbXd9UVHBAl78g<br />
84j+gS4ImtTe9hR3llRnW+2TfuWradddBjUSkX1UiZDORvMkZM+J2pCgFYxU1GXoR+<br />
GHnDPYqW9KDfuVAHUYU6iZ4eDrijS/Y5OBhix1mAX4/XkYaagpbXD9tr/43nNGV3YU<br />
O8S91tFCgik86DfD5b98lxrr61KHb0X/brYF9l8oBvG9L9nuK0g9r90NeLwhmn88dm<br />
Ll4wN0yIHI3yxEQtli6CdZ4H6gJczv6CRp74U/oNyO8PWIm7Nu4grCtWNPXuOzcHjr<br />
FsGPJun8WFVjwVPeKoEOgUTI27g4nfbHkXQEBb9ykQVvVpe44RXbruS81rfKoPThAw<br />
AU/un1L18tPKxUU+jtT2m2hI=<br />
Reply-To: rootmail@hobby.nl<br />
To: check-auth@verifier.port25.com<br />
From: Hobbynet rootmaill <rootmail@hobby.nl><br />
Subject: test<br />
Openpgp: preference=signencrypt<br />
Autocrypt: addr=rootmail@hobby.nl; prefer-encrypt=mutual; keydata=<br />
xsFNBFZ2htYBEADt6zlAySAIrmfb6mRkAPuekeaAM6jIw6n4vdcpGdYi1fL63uZypoh61Ra7<br />
lF8SGs3uNhR6EyfJt/54Wsfami+KE4x5nd0dwPAWEwMaruxwKHBmGU1X/895EoRa3aa6PsEc<br />
SGyfJplaCscyTneEdsrhtdqKdJi/be8YunhAuYfu1rEaT8FU+hz1itWJJ/YZycscSA8Cb91d<br />
w8dUkJamdK0KtaHXOq0pZcJPICtzd0zQIYuouJM1nAjPqQ6GYWu+TebJorWlrHKIzX9WCE1D<br />
4wxktMXC+CCwRrV7YLV48ouMuqFejEYvBPjdiIqfxI+vw3bYmtRg0aQ0i3cvadnq6rYS1P6Y<br />
nAKk3U1v1Pr83FPUCgTFTpQqHbNJiRDa3tFkVFrY7YtnW4+iHJ8gT2HLOkzpxq/jkhf6gwSQ<br />
GgzAf7hepWBUWpKsd501ezVSoza3WQ4laIqvUaYcMGpdeY2vkHASuBulF/QyOk25PBQGVMjL<br />
IKovZKIkCp3ghXmYeNjMvtIih3Zh3edH4eekVpP4tgFkdddwguA/yEYYyvFv8KGBvBrQCMzF<br />
ghhDRJ6cZL1ewEwuVkGH9qXlM/Gfw4NUo/APuGbbU2PXSxzdxOxbJX2XuRripIsVTVwWKAeb<br />
SAitSSFP8B5talGvV3pKooYxAMNa27LRkoZbMjSOVFJ2yeIUHQARAQABzSBFZ2JlcnQgPGVn<br />
YmVydEB2YW5kZW5idXNzY2hlLm5sPsLBggQTAQgALAIbIwUJCWYBgAcLCQgHAwIBBhUIAgkK<br />
CwQWAgMBAh4BAheABQJWdoj5AhkBAAoJEElE8PvYS2x3wFYP/jy1Ym+6oQDPuHNauYnujpe5<br />
DyZOUrPTHdDqg+HjSXzoozeQGeKpIeAZj7ZXSpfGr4mPaPn8gaWxr6ibQAkVYvTZ4MttoqFo<br />
cT3ePbUGHnagNcwAZJlcoNJQ6S92YYVWryFn0F8JMUcnQzUaJyUOIaf5pcdJcbA6bPBcMa8X<br />
oHSEyD48Dauir7QpsDTurfTooRBZrlLXMkQCeO+FR2R+2WXt7JxQEv1tDZ6xCS/CTMdibszn<br />
fQqlEMj6qNdLh7ymM8umqFlfPx8xRTom8ClkhJryDpV3yYiz380aOt3SCzee68GOwXyM98+P<br />
GD9QSzlhxjh6GF5bhW4jEH5uLByjIUQNDIBDvuqSIWWnBE39zoGqvlAlO9ZOtYaHprCREBkF<br />
IQHiHqOLMkzBHkHJOrqmROkDXpUSeso1rQZEo/13axZyu4JCgHEGONhCDrzZWjK2ASPQZzjL<br />
dAKkuvfIJlwS0yctYWcaK6ttPLyteujWjHbfvJRT6BRLlr0YnmSZs86xWpYnXMrG9xa886Us<br />
kswQd7c2QZuBpLgHW3KzrFvCd/LKp3UvPiVUigK6Xgoi7xwwxfv8O4EeZYO2U35w5SPlg+Mz<br />
FEJVH2whxboMrHZRhLtyPKY0+qqkLP2LxphUAeNRWNOJIXiazTq1/4Y5dVK1zIq6gg2dBMmH<br />
PHx8fQAnhphZzsFNBFZ2htYBEAC7NDbfwBKMD8VRlVUxIds4+0SGsRUhwHQJrU0Tn8vzFiRS<br />
GBtDuOdAPyt8GDrjh2c2PKno9piQnbojqKGJ0HvGoHzfm9axb0S4CPgGfcIrSjyQIu4+kpCj<br />
tatSaxtuvqqpxNBx9ylfubJgTKW96m8K8twbXc6QczMsd6zSt4U5ER8EWrlT1JB+mW+hNuQW<br />
4VQ1A6f0JRQqXOA1b23yNW621CfT9r9t4OpDug9vWyGXyQjjLoiMRsGVH5B/37UXn2BS14wh<br />
2xLj+eh9V1pN4S1IZVv/k0EdRwn9VC/bSGgTbk6P6oOM7LrV+BM7yQHoFOO5HPb2jJB+ynVu<br />
K4/n0Xe/Zcfp2OPAm9qn5Z0lkTSHRxvCMWxxNoAgirzj/KdNnuDVU7SdRulynIcczqj68adV<br />
uEyPeu1mwhOTku7eQnlFmGhkD5oJfg/IPdb7OmnpWsFPfyowG/nR7oPAFVkoNfRRqtUpHIM4<br />
k+2Xm/lWxYHzlzVF9SzbLWKs3/J9tyVb7xNAlr8gcbwgO8bOwWUiAG6hSMD1yLdox92seRPY<br />
mnhOC6PCG3KKqCH7wBZ84Ez0BDqYDqSzq4/PlCnJrMk3ewb/fuGiMF7kgYHThvdZUeyRgUoY<br />
yG7i3R3XRFDUiN5m7SyuRUUdgHwznb2e8Pf/IMYtTZh737bgM+mWc/YlJq+cmQARAQABwsFl<br />
BBgBCAAPBQJWdobWAhsMBQkJZgGAAAoJEElE8PvYS2x3Ad0QAN/WS9Mc0MdhJi7fqhq5dU4X<br />
QfviUMA5CkWboNiOG57OR1C0a4XJcFCDcgmsYRhMYDj4qw7M+z3fcjFJnEwqHHoIhzsvGbDs<br />
Dra8QkP188tx+Uzf4wMnEVCVzOuL5ji36OlxegF5wjj5CTtso237hhcI82+xAnqXteA5pJMw<br />
DunRmhEkjpJjxkUtr4vyOSzGBmMP3sWGbq0uVbWacxggb1r56+uKrQULVEnCa4P64d8RPKn7<br />
Dsn/Pqf7n+nLevBertj5roQNceXeGIpu0k45wVFUtCA9Rc1Y6myNs0aq8Cw5LKTLemI+uT4y<br />
Okky89vroZqG/XetHAXxjZGm+kyMbu3ThvIzOSb5+hTfWcTa8zybUvujkfiejfhRDZ9GWjXS<br />
iK20nZ8d2WwTqPDOMySozXFUJoT6TqTJ/I7m9vJj2mz+xPRLHaAVVKF7rMP8Gw+6g9uWbHs1<br />
SXAZH/CgQTAJwQ+FxWC657Q+bjg11lmjCHpDMxxFnIdqYiIaKjocQzI2SP67Yr94W0trumOR<br />
fZm3nietLoSVVkak0z+SBJZ4/S+XbkDmLnUDG3GJq/QCXFAFVv02VS76gvVYaxFuVWOUIuXf<br />
SkWKoa6vs12Cx30Hp/BfdftCHH6IuhzXspKK+br9CqDrRZcHzMB42/QPYcDa/BZBzudBXsZd<br />
M+CrfDxPMyd7<br />
Organization: HCC!Hobbynet<br />
Message-ID: <bc4cc04a-de4c-54f7-37c4-ffb6f589fb4b@hobby.nl><br />
Date: Thu, 31 May 2018 21:48:24 +0200<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101<br />
Thunderbird/52.8.0<br />
MIME-Version: 1.0<br />
Content-Type: text/plain; charset=utf-8<br />
Content-Language: nl<br />
Content-Transfer-Encoding: 7bit<br />
</pre></div>2A05:F080:0:300:B848:81C0:7F18:AA86https://wiki.hobby.nl/index.php?title=DKIM&diff=78340DKIM2020-04-05T11:03:39Z<p>2A05:F080:0:300:B848:81C0:7F18:AA86: /* De Postfix kant */</p>
<hr />
<div>===Inleiding===<br />
Om minder snel als spammer te worden aangemerkt kan de mail "ge-signed" worden. Hiervoor moet OpenDKIM geinstalleerd worden en een kleine aanpassing aan de postfix configuratie gemaakt worden.<br />
===Installatie===<br />
Gebruik zoals altijd apt-get of aptitude om een package te instaleren.<br />
<pre><br />
apt-get install opendkim opendkim-tools<br />
</pre><br />
===Configuratie===<br />
De configuratie van OpenDKIM staat in /etc/opendkim.conf en dient er als volgt ui te zien:<br />
<pre><br />
# This is a basic configuration that can easily be adapted to suit a standard<br />
# installation. For more advanced options, see opendkim.conf(5) and/or<br />
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.<br />
#<br />
#Domain example.com<br />
#KeyFile /etc/opendkim/201205.private<br />
#Selector 201205<br />
#<br />
# Commonly-used options<br />
Canonicalization relaxed/simple<br />
Mode sv<br />
SubDomains yes<br />
# Log to syslog<br />
Syslog yes<br />
LogWhy yes<br />
# Required to use local socket with MTAs that access the socket as a non-<br />
# privileged user (e.g. Postfix)<br />
UMask 022<br />
UserID opendkim:opendkim<br />
#<br />
KeyTable /etc/opendkim/KeyTable<br />
SigningTable /etc/opendkim/SigningTable<br />
ExternalIgnoreList /etc/opendkim/TrustedHosts<br />
InternalHosts /etc/opendkim/TrustedHosts<br />
#<br />
Socket inet:8891@localhost<br />
#EOF<br />
</pre><br />
Voor uitleg over de diverse parameters, kijk bijvoorbeeld op [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy deze site].<br />
<br />
===Directory structuur===<br />
Er moet een directory structuur gemaakt worden om trusted hosts, key tables, signing tables en crypto keys op te slaan. Maak daartoe /etc/opendkim aan met daarin de volgende files en directory: <br />
<pre><br />
root@mail-lb1:/etc/opendkim# ls -l<br />
total 16<br />
-rw-r--r-- 1 root root 90 May 25 14:23 KeyTable<br />
-rw-r--r-- 1 root root 38 May 25 14:24 SigningTable<br />
-rw-r--r-- 1 root root 151 May 28 22:42 TrustedHosts<br />
drwxr-xr-x 3 root root 4096 May 25 14:26 keys<br />
</pre><br />
In de directory komen de keys van de domeinen te staan. <br />
===Key maken===<br />
Er is een script die maakt de keys aan en voegt de key toe aan de juiste tabellen<br />
/usr/local/hobbynet/bin/maakopendkim.sh '''domeinnaam'''<br />
<br />
===De Postfix kant===<br />
Tevens moet in /etc/default/opendkim alles uitgecommentarieerd worden en deze regel toegevoegd worden:<br />
<pre><br />
SOCKET="inet:8891@localhost"<br />
</pre><br />
Dit socket dient aan Postfix bekend te worden gemaakt. Voeg de volgende regels aan /etc/postfix/main.cf toe:<br />
<pre><br />
# DKIM<br />
milter_default_action = accept<br />
milter_protocol = 2<br />
smtpd_milters = inet:localhost:8891<br />
non_smtpd_milters = inet:localhost:8891<br />
</pre><br />
Hierdoor controleert en zet Postfix nu ook dkim handtekeningen. Vergeet niet Postfix te herstarten.<br />
<br />
===Testen===<br />
De configuratie kan worden getest door een lege mail te sturen naar '''check-auth@verifier.port25.com'''. Als alles werkt zal in de reply '''DKIM check: pass''' staan onder '''Summary of Results'''. Voor de geïnteresseerde is het hele bericht opgenomen. <br />
<pre><br />
==========================================================<br />
Summary of Results<br />
==========================================================<br />
SPF check: pass<br />
"iprev" check: pass<br />
DKIM check: pass<br />
SpamAssassin check: ham<br />
<br />
==========================================================<br />
Details:<br />
==========================================================<br />
<br />
HELO hostname: mail-lb1.hobby.nl<br />
Source IP: 212.72.224.72<br />
mail-from: rootmail@hobby.nl<br />
<br />
----------------------------------------------------------<br />
SPF check details:<br />
----------------------------------------------------------<br />
Result: pass<br />
ID(s) verified: smtp.mailfrom=rootmail@hobby.nl<br />
<br />
DNS record(s):<br />
hobby.nl. 60 IN TXT "v=spf1 ip4:212.72.224.0/21 ip4:95.97.35.96/29 ip4:80.253.112.0/24 ip4:94.232.160.0/24 ip6:2a02:968::/32 -all"<br />
<br />
<br />
----------------------------------------------------------<br />
"iprev" check details:<br />
----------------------------------------------------------<br />
Result: pass (matches mail-lb1.hobby.nl)<br />
ID(s) verified: policy.iprev=212.72.224.72<br />
<br />
DNS record(s):<br />
72.224.72.212.in-addr.arpa. 60 IN PTR mail-lb1.hobby.nl.<br />
mail-lb1.hobby.nl. 60 IN A 212.72.224.72<br />
<br />
<br />
----------------------------------------------------------<br />
DKIM check details:<br />
----------------------------------------------------------<br />
Result: pass (matches From: rootmail@hobby.nl)<br />
ID(s) verified: header.d=hobby.nl<br />
<br />
Canonicalized Headers:<br />
reply-to:rootmail@hobby.nl'0D''0A'<br />
to:check-auth@verifier.port25.com'0D''0A'<br />
from:Hobbynet'20'rootmaill'20'<rootmail@hobby.nl>'0D''0A'<br />
subject:test'0D''0A'<br />
date:Thu,'20'31'20'May'20'2018'20'21:48:24'20'+0200'0D''0A'<br />
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=hobby.nl;'20's=default;'20't=1527796105;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Reply-To:To:From:Subject:Date;'20'b=<br />
<br />
Canonicalized Body:<br />
'0D''0A'<br />
<br />
<br />
DNS record(s):<br />
default._domainkey.hobby.nl. 60 IN TXT "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyHQygiGyUV+o4WTsNIbxfYPyADNedPojfVfn2YrCZJ6WFhBi6RNKKJndqE+VGgtScSI1fkLRCyquVPTGICUAnUbUQL2NbGQNyo0T8wBJy5QTarir10IMue/2QtjaPnDkwa4m35Bl9YKm4SgeaTd7A/OWXsO2BAgCYfiAHsFvK6e6u4zwcD1ZlGH9bSrgm5x6ucHkROq9aV0R0Pr/+SGkT+9Zs1L/TqbX0OvoKmG+raffHVghG8USo1EVWzFSi7gURqP6C8f9HW4HfLnR203C8uJMHSzBvPv5PbM+kc/QTu1AE478a6aZyaUsEhHQQx7OV08crT6UsdyUHQlQpgl8aR+MwAyrEH54AAPzYjfN5KNsZ35flf2/Yj6X5KtGeG0ZVMR2cew1z3SKTFXg+rq+TWF3EqhiD3fzTypSYk5nhKpKpMYtoU7JytF4Xw02fyJpbiVdAGsLqibM+rY+4qp+C/t1HKHVavGePdg5iBE/Y+lOqG6dJvXpWe7JjEz7HfZOz69XN0ryL5/JUzfCpf7lvyJ3LKET4OuBbSwypzNeDX+DaAHb4qdwNFJGq8H0DjFFFagmPQSeHZdX7qTtIiOSbogFXab2Yz9Yw38GedKk9UQPSdCLqdzeFEZWuTXDn/NdRA7PqWuAUxoe68O57Esz4dnyLqB1Xrs74IzTRpLhiSECAwEAAQ=="<br />
<br />
Public key used for verification: default._domainkey.hobby.nl (4096 bits)<br />
<br />
NOTE: DKIM checking has been performed based on the latest DKIM specs<br />
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for<br />
older versions. If you are using Port25's PowerMTA, you need to use<br />
version 3.2r11 or later to get a compatible version of DKIM.<br />
<br />
----------------------------------------------------------<br />
SpamAssassin check details:<br />
----------------------------------------------------------<br />
SpamAssassin v3.4.0 (2014-02-07)<br />
<br />
Result: ham (-2.0 points, 5.0 required)<br />
<br />
pts rule name description<br />
---- ---------------------- --------------------------------------------------<br />
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no<br />
trust<br />
[212.72.224.72 listed in list.dnswl.org]<br />
-0.0 SPF_PASS SPF: sender matches SPF record<br />
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%<br />
[score: 0.0000]<br />
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's<br />
domain<br />
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid<br />
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature<br />
<br />
<br />
<br />
==============================================================<br />
Explanation of the possible results (based on RFCs 7601, 7208)<br />
==============================================================<br />
<br />
<br />
DKIM Results<br />
============<br />
<br />
none: The message was not signed.<br />
<br />
pass: The message was signed, the signature or signatures were<br />
acceptable to the ADMD, and the signature(s) passed verification<br />
tests.<br />
<br />
fail: The message was signed and the signature or signatures were<br />
acceptable to the ADMD, but they failed the verification test(s).<br />
<br />
policy: The message was signed, but some aspect of the signature or<br />
signatures was not acceptable to the ADMD.<br />
<br />
neutral: The message was signed, but the signature or signatures<br />
contained syntax errors or were not otherwise able to be<br />
processed. This result is also used for other failures not<br />
covered elsewhere in this list.<br />
<br />
temperror: The message could not be verified due to some error that<br />
is likely transient in nature, such as a temporary inability to<br />
retrieve a public key. A later attempt may produce a final<br />
result.<br />
<br />
permerror: The message could not be verified due to some error that<br />
is unrecoverable, such as a required header field being absent. A<br />
later attempt is unlikely to produce a final result.<br />
<br />
<br />
SPF Results<br />
===========<br />
<br />
none: Either (a) no syntactically valid DNS domain name was extracted from<br />
the SMTP session that could be used as the one to be authorized, or<br />
(b) no SPF records were retrieved from the DNS.<br />
<br />
neutral: The ADMD has explicitly stated that it is not asserting whether<br />
the IP address is authorized.<br />
<br />
pass: An explicit statement that the client is authorized to inject mail<br />
with the given identity.<br />
<br />
fail: An explicit statement that the client is not authorized to use the<br />
domain in the given identity.<br />
<br />
softfail: A weak statement by the publishing ADMD that the host is probably<br />
not authorized. It has not published a stronger, more definitive policy<br />
that results in a "fail".<br />
<br />
temperror: The SPF verifier encountered a transient (generally DNS) error<br />
while performing the check. A later retry may succeed without further<br />
DNS operator action.<br />
<br />
permerror: The domain's published records could not be correctly interpreted.<br />
This signals an error condition that definitely requires DNS operator<br />
intervention to be resolved.<br />
<br />
<br />
"iprev" Results<br />
===============<br />
<br />
pass: The DNS evaluation succeeded, i.e., the "reverse" and<br />
"forward" lookup results were returned and were in agreement.<br />
<br />
fail: The DNS evaluation failed. In particular, the "reverse" and<br />
"forward" lookups each produced results, but they were not in<br />
agreement, or the "forward" query completed but produced no<br />
result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an<br />
RCODE of 0 (NOERROR) in a reply containing no answers, was<br />
returned.<br />
<br />
temperror: The DNS evaluation could not be completed due to some<br />
error that is likely transient in nature, such as a temporary DNS<br />
error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or<br />
other error condition resulted. A later attempt may produce a<br />
final result.<br />
<br />
permerror: The DNS evaluation could not be completed because no PTR<br />
data are published for the connecting IP address, e.g., a DNS<br />
RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)<br />
in a reply containing no answers, was returned. This prevented<br />
completion of the evaluation. A later attempt is unlikely to<br />
produce a final result.<br />
<br />
<br />
<br />
<br />
==========================================================<br />
Original Email<br />
==========================================================<br />
<br />
Return-Path: <rootmail@hobby.nl><br />
Received: from mail-lb1.hobby.nl (212.72.224.72) by verifier.port25.com id h218om2e8s48 for <check-auth@verifier.port25.com>; Thu, 31 May 2018 19:48:27 +0000 (envelope-from <rootmail@hobby.nl>)<br />
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=rootmail@hobby.nl;<br />
iprev=pass (matches mail-lb1.hobby.nl) policy.iprev=212.72.224.72;<br />
dkim=pass (matches From: rootmail@hobby.nl) header.d=hobby.nl<br />
Received: from localhost (localhost [127.0.0.1])<br />
by mail-lb1.hobby.nl (Postfix) with ESMTP id 8396E5FDEA<br />
for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
X-Virus-Scanned: Debian amavisd-new at mail-lb1.hobby.nl<br />
Received: from mail-lb1.hobby.nl ([127.0.0.1])<br />
by localhost (mail-lb1.hobby.nl [127.0.0.1]) (amavisd-new, port 10024)<br />
with ESMTP id bnAxJuumS9FK for <check-auth@verifier.port25.com>;<br />
Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
Received: from [192.168.10.12] (vandenbussche.xs4all.nl [83.163.218.172])<br />
(using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))<br />
(No client certificate requested)<br />
(Authenticated sender: egbert@vandenbussche.nl)<br />
by mail-lb1.hobby.nl (Postfix) with ESMTPSA id 51FE55FDE6<br />
for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hobby.nl; s=default;<br />
t=1527796105; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;<br />
h=Reply-To:To:From:Subject:Date;<br />
b=allKIIWMLMVr0ufrCeIkA8T7VF6xZ9PpPDEG80vqoQraDkwa8FAal+ZXhK/Y/nwtO<br />
XYzhEZmOHSYtvTplFppuvXCsbK2q/ZYf881CounLX/w+Ko0ZNIgJwsOz7WX7MJLDXS<br />
cp13/hRVzNYv0LBsI1sz6cXKkNhVxWEShaIjsSW84bQgAAznR0zG9ZYLuVEXm614T0<br />
cz56At+ONbF/8wqBy3rYRBjJ+66xvajO5DfKX94zJErCpvyoiTYCtO5uf0H3sIsiDs<br />
l7a7IUV3Ituzw0+VNpnRP1J3cNxI7j51EGaoUI1w501cCV6f0wC/qbXd9UVHBAl78g<br />
84j+gS4ImtTe9hR3llRnW+2TfuWradddBjUSkX1UiZDORvMkZM+J2pCgFYxU1GXoR+<br />
GHnDPYqW9KDfuVAHUYU6iZ4eDrijS/Y5OBhix1mAX4/XkYaagpbXD9tr/43nNGV3YU<br />
O8S91tFCgik86DfD5b98lxrr61KHb0X/brYF9l8oBvG9L9nuK0g9r90NeLwhmn88dm<br />
Ll4wN0yIHI3yxEQtli6CdZ4H6gJczv6CRp74U/oNyO8PWIm7Nu4grCtWNPXuOzcHjr<br />
FsGPJun8WFVjwVPeKoEOgUTI27g4nfbHkXQEBb9ykQVvVpe44RXbruS81rfKoPThAw<br />
AU/un1L18tPKxUU+jtT2m2hI=<br />
Reply-To: rootmail@hobby.nl<br />
To: check-auth@verifier.port25.com<br />
From: Hobbynet rootmaill <rootmail@hobby.nl><br />
Subject: test<br />
Openpgp: preference=signencrypt<br />
Autocrypt: addr=rootmail@hobby.nl; prefer-encrypt=mutual; keydata=<br />
xsFNBFZ2htYBEADt6zlAySAIrmfb6mRkAPuekeaAM6jIw6n4vdcpGdYi1fL63uZypoh61Ra7<br />
lF8SGs3uNhR6EyfJt/54Wsfami+KE4x5nd0dwPAWEwMaruxwKHBmGU1X/895EoRa3aa6PsEc<br />
SGyfJplaCscyTneEdsrhtdqKdJi/be8YunhAuYfu1rEaT8FU+hz1itWJJ/YZycscSA8Cb91d<br />
w8dUkJamdK0KtaHXOq0pZcJPICtzd0zQIYuouJM1nAjPqQ6GYWu+TebJorWlrHKIzX9WCE1D<br />
4wxktMXC+CCwRrV7YLV48ouMuqFejEYvBPjdiIqfxI+vw3bYmtRg0aQ0i3cvadnq6rYS1P6Y<br />
nAKk3U1v1Pr83FPUCgTFTpQqHbNJiRDa3tFkVFrY7YtnW4+iHJ8gT2HLOkzpxq/jkhf6gwSQ<br />
GgzAf7hepWBUWpKsd501ezVSoza3WQ4laIqvUaYcMGpdeY2vkHASuBulF/QyOk25PBQGVMjL<br />
IKovZKIkCp3ghXmYeNjMvtIih3Zh3edH4eekVpP4tgFkdddwguA/yEYYyvFv8KGBvBrQCMzF<br />
ghhDRJ6cZL1ewEwuVkGH9qXlM/Gfw4NUo/APuGbbU2PXSxzdxOxbJX2XuRripIsVTVwWKAeb<br />
SAitSSFP8B5talGvV3pKooYxAMNa27LRkoZbMjSOVFJ2yeIUHQARAQABzSBFZ2JlcnQgPGVn<br />
YmVydEB2YW5kZW5idXNzY2hlLm5sPsLBggQTAQgALAIbIwUJCWYBgAcLCQgHAwIBBhUIAgkK<br />
CwQWAgMBAh4BAheABQJWdoj5AhkBAAoJEElE8PvYS2x3wFYP/jy1Ym+6oQDPuHNauYnujpe5<br />
DyZOUrPTHdDqg+HjSXzoozeQGeKpIeAZj7ZXSpfGr4mPaPn8gaWxr6ibQAkVYvTZ4MttoqFo<br />
cT3ePbUGHnagNcwAZJlcoNJQ6S92YYVWryFn0F8JMUcnQzUaJyUOIaf5pcdJcbA6bPBcMa8X<br />
oHSEyD48Dauir7QpsDTurfTooRBZrlLXMkQCeO+FR2R+2WXt7JxQEv1tDZ6xCS/CTMdibszn<br />
fQqlEMj6qNdLh7ymM8umqFlfPx8xRTom8ClkhJryDpV3yYiz380aOt3SCzee68GOwXyM98+P<br />
GD9QSzlhxjh6GF5bhW4jEH5uLByjIUQNDIBDvuqSIWWnBE39zoGqvlAlO9ZOtYaHprCREBkF<br />
IQHiHqOLMkzBHkHJOrqmROkDXpUSeso1rQZEo/13axZyu4JCgHEGONhCDrzZWjK2ASPQZzjL<br />
dAKkuvfIJlwS0yctYWcaK6ttPLyteujWjHbfvJRT6BRLlr0YnmSZs86xWpYnXMrG9xa886Us<br />
kswQd7c2QZuBpLgHW3KzrFvCd/LKp3UvPiVUigK6Xgoi7xwwxfv8O4EeZYO2U35w5SPlg+Mz<br />
FEJVH2whxboMrHZRhLtyPKY0+qqkLP2LxphUAeNRWNOJIXiazTq1/4Y5dVK1zIq6gg2dBMmH<br />
PHx8fQAnhphZzsFNBFZ2htYBEAC7NDbfwBKMD8VRlVUxIds4+0SGsRUhwHQJrU0Tn8vzFiRS<br />
GBtDuOdAPyt8GDrjh2c2PKno9piQnbojqKGJ0HvGoHzfm9axb0S4CPgGfcIrSjyQIu4+kpCj<br />
tatSaxtuvqqpxNBx9ylfubJgTKW96m8K8twbXc6QczMsd6zSt4U5ER8EWrlT1JB+mW+hNuQW<br />
4VQ1A6f0JRQqXOA1b23yNW621CfT9r9t4OpDug9vWyGXyQjjLoiMRsGVH5B/37UXn2BS14wh<br />
2xLj+eh9V1pN4S1IZVv/k0EdRwn9VC/bSGgTbk6P6oOM7LrV+BM7yQHoFOO5HPb2jJB+ynVu<br />
K4/n0Xe/Zcfp2OPAm9qn5Z0lkTSHRxvCMWxxNoAgirzj/KdNnuDVU7SdRulynIcczqj68adV<br />
uEyPeu1mwhOTku7eQnlFmGhkD5oJfg/IPdb7OmnpWsFPfyowG/nR7oPAFVkoNfRRqtUpHIM4<br />
k+2Xm/lWxYHzlzVF9SzbLWKs3/J9tyVb7xNAlr8gcbwgO8bOwWUiAG6hSMD1yLdox92seRPY<br />
mnhOC6PCG3KKqCH7wBZ84Ez0BDqYDqSzq4/PlCnJrMk3ewb/fuGiMF7kgYHThvdZUeyRgUoY<br />
yG7i3R3XRFDUiN5m7SyuRUUdgHwznb2e8Pf/IMYtTZh737bgM+mWc/YlJq+cmQARAQABwsFl<br />
BBgBCAAPBQJWdobWAhsMBQkJZgGAAAoJEElE8PvYS2x3Ad0QAN/WS9Mc0MdhJi7fqhq5dU4X<br />
QfviUMA5CkWboNiOG57OR1C0a4XJcFCDcgmsYRhMYDj4qw7M+z3fcjFJnEwqHHoIhzsvGbDs<br />
Dra8QkP188tx+Uzf4wMnEVCVzOuL5ji36OlxegF5wjj5CTtso237hhcI82+xAnqXteA5pJMw<br />
DunRmhEkjpJjxkUtr4vyOSzGBmMP3sWGbq0uVbWacxggb1r56+uKrQULVEnCa4P64d8RPKn7<br />
Dsn/Pqf7n+nLevBertj5roQNceXeGIpu0k45wVFUtCA9Rc1Y6myNs0aq8Cw5LKTLemI+uT4y<br />
Okky89vroZqG/XetHAXxjZGm+kyMbu3ThvIzOSb5+hTfWcTa8zybUvujkfiejfhRDZ9GWjXS<br />
iK20nZ8d2WwTqPDOMySozXFUJoT6TqTJ/I7m9vJj2mz+xPRLHaAVVKF7rMP8Gw+6g9uWbHs1<br />
SXAZH/CgQTAJwQ+FxWC657Q+bjg11lmjCHpDMxxFnIdqYiIaKjocQzI2SP67Yr94W0trumOR<br />
fZm3nietLoSVVkak0z+SBJZ4/S+XbkDmLnUDG3GJq/QCXFAFVv02VS76gvVYaxFuVWOUIuXf<br />
SkWKoa6vs12Cx30Hp/BfdftCHH6IuhzXspKK+br9CqDrRZcHzMB42/QPYcDa/BZBzudBXsZd<br />
M+CrfDxPMyd7<br />
Organization: HCC!Hobbynet<br />
Message-ID: <bc4cc04a-de4c-54f7-37c4-ffb6f589fb4b@hobby.nl><br />
Date: Thu, 31 May 2018 21:48:24 +0200<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101<br />
Thunderbird/52.8.0<br />
MIME-Version: 1.0<br />
Content-Type: text/plain; charset=utf-8<br />
Content-Language: nl<br />
Content-Transfer-Encoding: 7bit<br />
</pre></div>2A05:F080:0:300:B848:81C0:7F18:AA86https://wiki.hobby.nl/index.php?title=DKIM&diff=78338DKIM2020-04-05T11:02:51Z<p>2A05:F080:0:300:B848:81C0:7F18:AA86: /* Directory structuur */</p>
<hr />
<div>===Inleiding===<br />
Om minder snel als spammer te worden aangemerkt kan de mail "ge-signed" worden. Hiervoor moet OpenDKIM geinstalleerd worden en een kleine aanpassing aan de postfix configuratie gemaakt worden.<br />
===Installatie===<br />
Gebruik zoals altijd apt-get of aptitude om een package te instaleren.<br />
<pre><br />
apt-get install opendkim opendkim-tools<br />
</pre><br />
===Configuratie===<br />
De configuratie van OpenDKIM staat in /etc/opendkim.conf en dient er als volgt ui te zien:<br />
<pre><br />
# This is a basic configuration that can easily be adapted to suit a standard<br />
# installation. For more advanced options, see opendkim.conf(5) and/or<br />
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.<br />
#<br />
#Domain example.com<br />
#KeyFile /etc/opendkim/201205.private<br />
#Selector 201205<br />
#<br />
# Commonly-used options<br />
Canonicalization relaxed/simple<br />
Mode sv<br />
SubDomains yes<br />
# Log to syslog<br />
Syslog yes<br />
LogWhy yes<br />
# Required to use local socket with MTAs that access the socket as a non-<br />
# privileged user (e.g. Postfix)<br />
UMask 022<br />
UserID opendkim:opendkim<br />
#<br />
KeyTable /etc/opendkim/KeyTable<br />
SigningTable /etc/opendkim/SigningTable<br />
ExternalIgnoreList /etc/opendkim/TrustedHosts<br />
InternalHosts /etc/opendkim/TrustedHosts<br />
#<br />
Socket inet:8891@localhost<br />
#EOF<br />
</pre><br />
Voor uitleg over de diverse parameters, kijk bijvoorbeeld op [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy deze site].<br />
<br />
===Directory structuur===<br />
Er moet een directory structuur gemaakt worden om trusted hosts, key tables, signing tables en crypto keys op te slaan. Maak daartoe /etc/opendkim aan met daarin de volgende files en directory: <br />
<pre><br />
root@mail-lb1:/etc/opendkim# ls -l<br />
total 16<br />
-rw-r--r-- 1 root root 90 May 25 14:23 KeyTable<br />
-rw-r--r-- 1 root root 38 May 25 14:24 SigningTable<br />
-rw-r--r-- 1 root root 151 May 28 22:42 TrustedHosts<br />
drwxr-xr-x 3 root root 4096 May 25 14:26 keys<br />
</pre><br />
In de directory komen de keys van de domeinen te staan. <br />
===Key maken===<br />
Er is een script die maakt de keys aan en voegt de key toe aan de juiste tabellen<br />
/usr/local/hobbynet/bin/maakopendkim.sh '''domeinnaam'''<br />
<br />
===De Postfix kant===<br />
Tevens moet in /etc/default/opendkim alles uitgecommentarieerd worden en deze regel toegevoegd worden:<br />
<pre><br />
SOCKET="inet:8891@localhost"<br />
</pre><br />
Dit socket dient aan Postfix bekend te worden gemaakt. Voeg de volgende regels aan /etc/postfix/main.cf toe:<br />
<pre><br />
#milter tbv dkim<br />
milter_default_action = accept<br />
milter_protocol = 6<br />
smtpd_milters = inet:localhost:8891<br />
non_smtpd_milters = inet:localhost:8891<br />
</pre><br />
Hierdoor controleert en zet Postfix nu ook dkim handtekeningen. Vergeet niet Postfix te herstarten.<br />
===Testen===<br />
De configuratie kan worden getest door een lege mail te sturen naar '''check-auth@verifier.port25.com'''. Als alles werkt zal in de reply '''DKIM check: pass''' staan onder '''Summary of Results'''. Voor de geïnteresseerde is het hele bericht opgenomen. <br />
<pre><br />
==========================================================<br />
Summary of Results<br />
==========================================================<br />
SPF check: pass<br />
"iprev" check: pass<br />
DKIM check: pass<br />
SpamAssassin check: ham<br />
<br />
==========================================================<br />
Details:<br />
==========================================================<br />
<br />
HELO hostname: mail-lb1.hobby.nl<br />
Source IP: 212.72.224.72<br />
mail-from: rootmail@hobby.nl<br />
<br />
----------------------------------------------------------<br />
SPF check details:<br />
----------------------------------------------------------<br />
Result: pass<br />
ID(s) verified: smtp.mailfrom=rootmail@hobby.nl<br />
<br />
DNS record(s):<br />
hobby.nl. 60 IN TXT "v=spf1 ip4:212.72.224.0/21 ip4:95.97.35.96/29 ip4:80.253.112.0/24 ip4:94.232.160.0/24 ip6:2a02:968::/32 -all"<br />
<br />
<br />
----------------------------------------------------------<br />
"iprev" check details:<br />
----------------------------------------------------------<br />
Result: pass (matches mail-lb1.hobby.nl)<br />
ID(s) verified: policy.iprev=212.72.224.72<br />
<br />
DNS record(s):<br />
72.224.72.212.in-addr.arpa. 60 IN PTR mail-lb1.hobby.nl.<br />
mail-lb1.hobby.nl. 60 IN A 212.72.224.72<br />
<br />
<br />
----------------------------------------------------------<br />
DKIM check details:<br />
----------------------------------------------------------<br />
Result: pass (matches From: rootmail@hobby.nl)<br />
ID(s) verified: header.d=hobby.nl<br />
<br />
Canonicalized Headers:<br />
reply-to:rootmail@hobby.nl'0D''0A'<br />
to:check-auth@verifier.port25.com'0D''0A'<br />
from:Hobbynet'20'rootmaill'20'<rootmail@hobby.nl>'0D''0A'<br />
subject:test'0D''0A'<br />
date:Thu,'20'31'20'May'20'2018'20'21:48:24'20'+0200'0D''0A'<br />
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=hobby.nl;'20's=default;'20't=1527796105;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Reply-To:To:From:Subject:Date;'20'b=<br />
<br />
Canonicalized Body:<br />
'0D''0A'<br />
<br />
<br />
DNS record(s):<br />
default._domainkey.hobby.nl. 60 IN TXT "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyHQygiGyUV+o4WTsNIbxfYPyADNedPojfVfn2YrCZJ6WFhBi6RNKKJndqE+VGgtScSI1fkLRCyquVPTGICUAnUbUQL2NbGQNyo0T8wBJy5QTarir10IMue/2QtjaPnDkwa4m35Bl9YKm4SgeaTd7A/OWXsO2BAgCYfiAHsFvK6e6u4zwcD1ZlGH9bSrgm5x6ucHkROq9aV0R0Pr/+SGkT+9Zs1L/TqbX0OvoKmG+raffHVghG8USo1EVWzFSi7gURqP6C8f9HW4HfLnR203C8uJMHSzBvPv5PbM+kc/QTu1AE478a6aZyaUsEhHQQx7OV08crT6UsdyUHQlQpgl8aR+MwAyrEH54AAPzYjfN5KNsZ35flf2/Yj6X5KtGeG0ZVMR2cew1z3SKTFXg+rq+TWF3EqhiD3fzTypSYk5nhKpKpMYtoU7JytF4Xw02fyJpbiVdAGsLqibM+rY+4qp+C/t1HKHVavGePdg5iBE/Y+lOqG6dJvXpWe7JjEz7HfZOz69XN0ryL5/JUzfCpf7lvyJ3LKET4OuBbSwypzNeDX+DaAHb4qdwNFJGq8H0DjFFFagmPQSeHZdX7qTtIiOSbogFXab2Yz9Yw38GedKk9UQPSdCLqdzeFEZWuTXDn/NdRA7PqWuAUxoe68O57Esz4dnyLqB1Xrs74IzTRpLhiSECAwEAAQ=="<br />
<br />
Public key used for verification: default._domainkey.hobby.nl (4096 bits)<br />
<br />
NOTE: DKIM checking has been performed based on the latest DKIM specs<br />
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for<br />
older versions. If you are using Port25's PowerMTA, you need to use<br />
version 3.2r11 or later to get a compatible version of DKIM.<br />
<br />
----------------------------------------------------------<br />
SpamAssassin check details:<br />
----------------------------------------------------------<br />
SpamAssassin v3.4.0 (2014-02-07)<br />
<br />
Result: ham (-2.0 points, 5.0 required)<br />
<br />
pts rule name description<br />
---- ---------------------- --------------------------------------------------<br />
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no<br />
trust<br />
[212.72.224.72 listed in list.dnswl.org]<br />
-0.0 SPF_PASS SPF: sender matches SPF record<br />
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%<br />
[score: 0.0000]<br />
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's<br />
domain<br />
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid<br />
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature<br />
<br />
<br />
<br />
==============================================================<br />
Explanation of the possible results (based on RFCs 7601, 7208)<br />
==============================================================<br />
<br />
<br />
DKIM Results<br />
============<br />
<br />
none: The message was not signed.<br />
<br />
pass: The message was signed, the signature or signatures were<br />
acceptable to the ADMD, and the signature(s) passed verification<br />
tests.<br />
<br />
fail: The message was signed and the signature or signatures were<br />
acceptable to the ADMD, but they failed the verification test(s).<br />
<br />
policy: The message was signed, but some aspect of the signature or<br />
signatures was not acceptable to the ADMD.<br />
<br />
neutral: The message was signed, but the signature or signatures<br />
contained syntax errors or were not otherwise able to be<br />
processed. This result is also used for other failures not<br />
covered elsewhere in this list.<br />
<br />
temperror: The message could not be verified due to some error that<br />
is likely transient in nature, such as a temporary inability to<br />
retrieve a public key. A later attempt may produce a final<br />
result.<br />
<br />
permerror: The message could not be verified due to some error that<br />
is unrecoverable, such as a required header field being absent. A<br />
later attempt is unlikely to produce a final result.<br />
<br />
<br />
SPF Results<br />
===========<br />
<br />
none: Either (a) no syntactically valid DNS domain name was extracted from<br />
the SMTP session that could be used as the one to be authorized, or<br />
(b) no SPF records were retrieved from the DNS.<br />
<br />
neutral: The ADMD has explicitly stated that it is not asserting whether<br />
the IP address is authorized.<br />
<br />
pass: An explicit statement that the client is authorized to inject mail<br />
with the given identity.<br />
<br />
fail: An explicit statement that the client is not authorized to use the<br />
domain in the given identity.<br />
<br />
softfail: A weak statement by the publishing ADMD that the host is probably<br />
not authorized. It has not published a stronger, more definitive policy<br />
that results in a "fail".<br />
<br />
temperror: The SPF verifier encountered a transient (generally DNS) error<br />
while performing the check. A later retry may succeed without further<br />
DNS operator action.<br />
<br />
permerror: The domain's published records could not be correctly interpreted.<br />
This signals an error condition that definitely requires DNS operator<br />
intervention to be resolved.<br />
<br />
<br />
"iprev" Results<br />
===============<br />
<br />
pass: The DNS evaluation succeeded, i.e., the "reverse" and<br />
"forward" lookup results were returned and were in agreement.<br />
<br />
fail: The DNS evaluation failed. In particular, the "reverse" and<br />
"forward" lookups each produced results, but they were not in<br />
agreement, or the "forward" query completed but produced no<br />
result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an<br />
RCODE of 0 (NOERROR) in a reply containing no answers, was<br />
returned.<br />
<br />
temperror: The DNS evaluation could not be completed due to some<br />
error that is likely transient in nature, such as a temporary DNS<br />
error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or<br />
other error condition resulted. A later attempt may produce a<br />
final result.<br />
<br />
permerror: The DNS evaluation could not be completed because no PTR<br />
data are published for the connecting IP address, e.g., a DNS<br />
RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)<br />
in a reply containing no answers, was returned. This prevented<br />
completion of the evaluation. A later attempt is unlikely to<br />
produce a final result.<br />
<br />
<br />
<br />
<br />
==========================================================<br />
Original Email<br />
==========================================================<br />
<br />
Return-Path: <rootmail@hobby.nl><br />
Received: from mail-lb1.hobby.nl (212.72.224.72) by verifier.port25.com id h218om2e8s48 for <check-auth@verifier.port25.com>; Thu, 31 May 2018 19:48:27 +0000 (envelope-from <rootmail@hobby.nl>)<br />
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=rootmail@hobby.nl;<br />
iprev=pass (matches mail-lb1.hobby.nl) policy.iprev=212.72.224.72;<br />
dkim=pass (matches From: rootmail@hobby.nl) header.d=hobby.nl<br />
Received: from localhost (localhost [127.0.0.1])<br />
by mail-lb1.hobby.nl (Postfix) with ESMTP id 8396E5FDEA<br />
for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
X-Virus-Scanned: Debian amavisd-new at mail-lb1.hobby.nl<br />
Received: from mail-lb1.hobby.nl ([127.0.0.1])<br />
by localhost (mail-lb1.hobby.nl [127.0.0.1]) (amavisd-new, port 10024)<br />
with ESMTP id bnAxJuumS9FK for <check-auth@verifier.port25.com>;<br />
Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
Received: from [192.168.10.12] (vandenbussche.xs4all.nl [83.163.218.172])<br />
(using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))<br />
(No client certificate requested)<br />
(Authenticated sender: egbert@vandenbussche.nl)<br />
by mail-lb1.hobby.nl (Postfix) with ESMTPSA id 51FE55FDE6<br />
for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hobby.nl; s=default;<br />
t=1527796105; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;<br />
h=Reply-To:To:From:Subject:Date;<br />
b=allKIIWMLMVr0ufrCeIkA8T7VF6xZ9PpPDEG80vqoQraDkwa8FAal+ZXhK/Y/nwtO<br />
XYzhEZmOHSYtvTplFppuvXCsbK2q/ZYf881CounLX/w+Ko0ZNIgJwsOz7WX7MJLDXS<br />
cp13/hRVzNYv0LBsI1sz6cXKkNhVxWEShaIjsSW84bQgAAznR0zG9ZYLuVEXm614T0<br />
cz56At+ONbF/8wqBy3rYRBjJ+66xvajO5DfKX94zJErCpvyoiTYCtO5uf0H3sIsiDs<br />
l7a7IUV3Ituzw0+VNpnRP1J3cNxI7j51EGaoUI1w501cCV6f0wC/qbXd9UVHBAl78g<br />
84j+gS4ImtTe9hR3llRnW+2TfuWradddBjUSkX1UiZDORvMkZM+J2pCgFYxU1GXoR+<br />
GHnDPYqW9KDfuVAHUYU6iZ4eDrijS/Y5OBhix1mAX4/XkYaagpbXD9tr/43nNGV3YU<br />
O8S91tFCgik86DfD5b98lxrr61KHb0X/brYF9l8oBvG9L9nuK0g9r90NeLwhmn88dm<br />
Ll4wN0yIHI3yxEQtli6CdZ4H6gJczv6CRp74U/oNyO8PWIm7Nu4grCtWNPXuOzcHjr<br />
FsGPJun8WFVjwVPeKoEOgUTI27g4nfbHkXQEBb9ykQVvVpe44RXbruS81rfKoPThAw<br />
AU/un1L18tPKxUU+jtT2m2hI=<br />
Reply-To: rootmail@hobby.nl<br />
To: check-auth@verifier.port25.com<br />
From: Hobbynet rootmaill <rootmail@hobby.nl><br />
Subject: test<br />
Openpgp: preference=signencrypt<br />
Autocrypt: addr=rootmail@hobby.nl; prefer-encrypt=mutual; keydata=<br />
xsFNBFZ2htYBEADt6zlAySAIrmfb6mRkAPuekeaAM6jIw6n4vdcpGdYi1fL63uZypoh61Ra7<br />
lF8SGs3uNhR6EyfJt/54Wsfami+KE4x5nd0dwPAWEwMaruxwKHBmGU1X/895EoRa3aa6PsEc<br />
SGyfJplaCscyTneEdsrhtdqKdJi/be8YunhAuYfu1rEaT8FU+hz1itWJJ/YZycscSA8Cb91d<br />
w8dUkJamdK0KtaHXOq0pZcJPICtzd0zQIYuouJM1nAjPqQ6GYWu+TebJorWlrHKIzX9WCE1D<br />
4wxktMXC+CCwRrV7YLV48ouMuqFejEYvBPjdiIqfxI+vw3bYmtRg0aQ0i3cvadnq6rYS1P6Y<br />
nAKk3U1v1Pr83FPUCgTFTpQqHbNJiRDa3tFkVFrY7YtnW4+iHJ8gT2HLOkzpxq/jkhf6gwSQ<br />
GgzAf7hepWBUWpKsd501ezVSoza3WQ4laIqvUaYcMGpdeY2vkHASuBulF/QyOk25PBQGVMjL<br />
IKovZKIkCp3ghXmYeNjMvtIih3Zh3edH4eekVpP4tgFkdddwguA/yEYYyvFv8KGBvBrQCMzF<br />
ghhDRJ6cZL1ewEwuVkGH9qXlM/Gfw4NUo/APuGbbU2PXSxzdxOxbJX2XuRripIsVTVwWKAeb<br />
SAitSSFP8B5talGvV3pKooYxAMNa27LRkoZbMjSOVFJ2yeIUHQARAQABzSBFZ2JlcnQgPGVn<br />
YmVydEB2YW5kZW5idXNzY2hlLm5sPsLBggQTAQgALAIbIwUJCWYBgAcLCQgHAwIBBhUIAgkK<br />
CwQWAgMBAh4BAheABQJWdoj5AhkBAAoJEElE8PvYS2x3wFYP/jy1Ym+6oQDPuHNauYnujpe5<br />
DyZOUrPTHdDqg+HjSXzoozeQGeKpIeAZj7ZXSpfGr4mPaPn8gaWxr6ibQAkVYvTZ4MttoqFo<br />
cT3ePbUGHnagNcwAZJlcoNJQ6S92YYVWryFn0F8JMUcnQzUaJyUOIaf5pcdJcbA6bPBcMa8X<br />
oHSEyD48Dauir7QpsDTurfTooRBZrlLXMkQCeO+FR2R+2WXt7JxQEv1tDZ6xCS/CTMdibszn<br />
fQqlEMj6qNdLh7ymM8umqFlfPx8xRTom8ClkhJryDpV3yYiz380aOt3SCzee68GOwXyM98+P<br />
GD9QSzlhxjh6GF5bhW4jEH5uLByjIUQNDIBDvuqSIWWnBE39zoGqvlAlO9ZOtYaHprCREBkF<br />
IQHiHqOLMkzBHkHJOrqmROkDXpUSeso1rQZEo/13axZyu4JCgHEGONhCDrzZWjK2ASPQZzjL<br />
dAKkuvfIJlwS0yctYWcaK6ttPLyteujWjHbfvJRT6BRLlr0YnmSZs86xWpYnXMrG9xa886Us<br />
kswQd7c2QZuBpLgHW3KzrFvCd/LKp3UvPiVUigK6Xgoi7xwwxfv8O4EeZYO2U35w5SPlg+Mz<br />
FEJVH2whxboMrHZRhLtyPKY0+qqkLP2LxphUAeNRWNOJIXiazTq1/4Y5dVK1zIq6gg2dBMmH<br />
PHx8fQAnhphZzsFNBFZ2htYBEAC7NDbfwBKMD8VRlVUxIds4+0SGsRUhwHQJrU0Tn8vzFiRS<br />
GBtDuOdAPyt8GDrjh2c2PKno9piQnbojqKGJ0HvGoHzfm9axb0S4CPgGfcIrSjyQIu4+kpCj<br />
tatSaxtuvqqpxNBx9ylfubJgTKW96m8K8twbXc6QczMsd6zSt4U5ER8EWrlT1JB+mW+hNuQW<br />
4VQ1A6f0JRQqXOA1b23yNW621CfT9r9t4OpDug9vWyGXyQjjLoiMRsGVH5B/37UXn2BS14wh<br />
2xLj+eh9V1pN4S1IZVv/k0EdRwn9VC/bSGgTbk6P6oOM7LrV+BM7yQHoFOO5HPb2jJB+ynVu<br />
K4/n0Xe/Zcfp2OPAm9qn5Z0lkTSHRxvCMWxxNoAgirzj/KdNnuDVU7SdRulynIcczqj68adV<br />
uEyPeu1mwhOTku7eQnlFmGhkD5oJfg/IPdb7OmnpWsFPfyowG/nR7oPAFVkoNfRRqtUpHIM4<br />
k+2Xm/lWxYHzlzVF9SzbLWKs3/J9tyVb7xNAlr8gcbwgO8bOwWUiAG6hSMD1yLdox92seRPY<br />
mnhOC6PCG3KKqCH7wBZ84Ez0BDqYDqSzq4/PlCnJrMk3ewb/fuGiMF7kgYHThvdZUeyRgUoY<br />
yG7i3R3XRFDUiN5m7SyuRUUdgHwznb2e8Pf/IMYtTZh737bgM+mWc/YlJq+cmQARAQABwsFl<br />
BBgBCAAPBQJWdobWAhsMBQkJZgGAAAoJEElE8PvYS2x3Ad0QAN/WS9Mc0MdhJi7fqhq5dU4X<br />
QfviUMA5CkWboNiOG57OR1C0a4XJcFCDcgmsYRhMYDj4qw7M+z3fcjFJnEwqHHoIhzsvGbDs<br />
Dra8QkP188tx+Uzf4wMnEVCVzOuL5ji36OlxegF5wjj5CTtso237hhcI82+xAnqXteA5pJMw<br />
DunRmhEkjpJjxkUtr4vyOSzGBmMP3sWGbq0uVbWacxggb1r56+uKrQULVEnCa4P64d8RPKn7<br />
Dsn/Pqf7n+nLevBertj5roQNceXeGIpu0k45wVFUtCA9Rc1Y6myNs0aq8Cw5LKTLemI+uT4y<br />
Okky89vroZqG/XetHAXxjZGm+kyMbu3ThvIzOSb5+hTfWcTa8zybUvujkfiejfhRDZ9GWjXS<br />
iK20nZ8d2WwTqPDOMySozXFUJoT6TqTJ/I7m9vJj2mz+xPRLHaAVVKF7rMP8Gw+6g9uWbHs1<br />
SXAZH/CgQTAJwQ+FxWC657Q+bjg11lmjCHpDMxxFnIdqYiIaKjocQzI2SP67Yr94W0trumOR<br />
fZm3nietLoSVVkak0z+SBJZ4/S+XbkDmLnUDG3GJq/QCXFAFVv02VS76gvVYaxFuVWOUIuXf<br />
SkWKoa6vs12Cx30Hp/BfdftCHH6IuhzXspKK+br9CqDrRZcHzMB42/QPYcDa/BZBzudBXsZd<br />
M+CrfDxPMyd7<br />
Organization: HCC!Hobbynet<br />
Message-ID: <bc4cc04a-de4c-54f7-37c4-ffb6f589fb4b@hobby.nl><br />
Date: Thu, 31 May 2018 21:48:24 +0200<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101<br />
Thunderbird/52.8.0<br />
MIME-Version: 1.0<br />
Content-Type: text/plain; charset=utf-8<br />
Content-Language: nl<br />
Content-Transfer-Encoding: 7bit<br />
</pre></div>2A05:F080:0:300:B848:81C0:7F18:AA86https://wiki.hobby.nl/index.php?title=DKIM&diff=78336DKIM2020-04-05T11:01:10Z<p>2A05:F080:0:300:B848:81C0:7F18:AA86: /* Directory structuur */</p>
<hr />
<div>===Inleiding===<br />
Om minder snel als spammer te worden aangemerkt kan de mail "ge-signed" worden. Hiervoor moet OpenDKIM geinstalleerd worden en een kleine aanpassing aan de postfix configuratie gemaakt worden.<br />
===Installatie===<br />
Gebruik zoals altijd apt-get of aptitude om een package te instaleren.<br />
<pre><br />
apt-get install opendkim opendkim-tools<br />
</pre><br />
===Configuratie===<br />
De configuratie van OpenDKIM staat in /etc/opendkim.conf en dient er als volgt ui te zien:<br />
<pre><br />
# This is a basic configuration that can easily be adapted to suit a standard<br />
# installation. For more advanced options, see opendkim.conf(5) and/or<br />
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.<br />
#<br />
#Domain example.com<br />
#KeyFile /etc/opendkim/201205.private<br />
#Selector 201205<br />
#<br />
# Commonly-used options<br />
Canonicalization relaxed/simple<br />
Mode sv<br />
SubDomains yes<br />
# Log to syslog<br />
Syslog yes<br />
LogWhy yes<br />
# Required to use local socket with MTAs that access the socket as a non-<br />
# privileged user (e.g. Postfix)<br />
UMask 022<br />
UserID opendkim:opendkim<br />
#<br />
KeyTable /etc/opendkim/KeyTable<br />
SigningTable /etc/opendkim/SigningTable<br />
ExternalIgnoreList /etc/opendkim/TrustedHosts<br />
InternalHosts /etc/opendkim/TrustedHosts<br />
#<br />
Socket inet:8891@localhost<br />
#EOF<br />
</pre><br />
Voor uitleg over de diverse parameters, kijk bijvoorbeeld op [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy deze site].<br />
<br />
===Directory structuur===<br />
Er moet een directory structuur gemaakt worden om trusted hosts, key tables, signing tables en crypto keys op te slaan. Maak daartoe /etc/opendkim aan met daarin de volgende files en directory: <br />
<pre><br />
root@mail-lb1:/etc/opendkim# ls -l<br />
total 16<br />
-rw-r--r-- 1 root root 90 May 25 14:23 KeyTable<br />
-rw-r--r-- 1 root root 38 May 25 14:24 SigningTable<br />
-rw-r--r-- 1 root root 151 May 28 22:42 TrustedHosts<br />
drwxr-xr-x 3 root root 4096 May 25 14:26 keys<br />
</pre><br />
In de directory komen de keys van de domeinen te staan. Een key voor hobby.nl genereer je met dit script zet meteen rechten goed en kopieerd de keys naar mail-lb2:<br />
/usr/local/hobbynet/bin/maakopendkim.sh '''domeinnaam'''<br />
Verander vervolgens de owner en group van default.private naar opendkim. Plaats de inhoud van default in de zone file van het domein en update de zone.<br />
<br />
===De Postfix kant===<br />
Tevens moet in /etc/default/opendkim alles uitgecommentarieerd worden en deze regel toegevoegd worden:<br />
<pre><br />
SOCKET="inet:8891@localhost"<br />
</pre><br />
Dit socket dient aan Postfix bekend te worden gemaakt. Voeg de volgende regels aan /etc/postfix/main.cf toe:<br />
<pre><br />
#milter tbv dkim<br />
milter_default_action = accept<br />
milter_protocol = 6<br />
smtpd_milters = inet:localhost:8891<br />
non_smtpd_milters = inet:localhost:8891<br />
</pre><br />
Hierdoor controleert en zet Postfix nu ook dkim handtekeningen. Vergeet niet Postfix te herstarten.<br />
===Testen===<br />
De configuratie kan worden getest door een lege mail te sturen naar '''check-auth@verifier.port25.com'''. Als alles werkt zal in de reply '''DKIM check: pass''' staan onder '''Summary of Results'''. Voor de geïnteresseerde is het hele bericht opgenomen. <br />
<pre><br />
==========================================================<br />
Summary of Results<br />
==========================================================<br />
SPF check: pass<br />
"iprev" check: pass<br />
DKIM check: pass<br />
SpamAssassin check: ham<br />
<br />
==========================================================<br />
Details:<br />
==========================================================<br />
<br />
HELO hostname: mail-lb1.hobby.nl<br />
Source IP: 212.72.224.72<br />
mail-from: rootmail@hobby.nl<br />
<br />
----------------------------------------------------------<br />
SPF check details:<br />
----------------------------------------------------------<br />
Result: pass<br />
ID(s) verified: smtp.mailfrom=rootmail@hobby.nl<br />
<br />
DNS record(s):<br />
hobby.nl. 60 IN TXT "v=spf1 ip4:212.72.224.0/21 ip4:95.97.35.96/29 ip4:80.253.112.0/24 ip4:94.232.160.0/24 ip6:2a02:968::/32 -all"<br />
<br />
<br />
----------------------------------------------------------<br />
"iprev" check details:<br />
----------------------------------------------------------<br />
Result: pass (matches mail-lb1.hobby.nl)<br />
ID(s) verified: policy.iprev=212.72.224.72<br />
<br />
DNS record(s):<br />
72.224.72.212.in-addr.arpa. 60 IN PTR mail-lb1.hobby.nl.<br />
mail-lb1.hobby.nl. 60 IN A 212.72.224.72<br />
<br />
<br />
----------------------------------------------------------<br />
DKIM check details:<br />
----------------------------------------------------------<br />
Result: pass (matches From: rootmail@hobby.nl)<br />
ID(s) verified: header.d=hobby.nl<br />
<br />
Canonicalized Headers:<br />
reply-to:rootmail@hobby.nl'0D''0A'<br />
to:check-auth@verifier.port25.com'0D''0A'<br />
from:Hobbynet'20'rootmaill'20'<rootmail@hobby.nl>'0D''0A'<br />
subject:test'0D''0A'<br />
date:Thu,'20'31'20'May'20'2018'20'21:48:24'20'+0200'0D''0A'<br />
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=hobby.nl;'20's=default;'20't=1527796105;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Reply-To:To:From:Subject:Date;'20'b=<br />
<br />
Canonicalized Body:<br />
'0D''0A'<br />
<br />
<br />
DNS record(s):<br />
default._domainkey.hobby.nl. 60 IN TXT "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyHQygiGyUV+o4WTsNIbxfYPyADNedPojfVfn2YrCZJ6WFhBi6RNKKJndqE+VGgtScSI1fkLRCyquVPTGICUAnUbUQL2NbGQNyo0T8wBJy5QTarir10IMue/2QtjaPnDkwa4m35Bl9YKm4SgeaTd7A/OWXsO2BAgCYfiAHsFvK6e6u4zwcD1ZlGH9bSrgm5x6ucHkROq9aV0R0Pr/+SGkT+9Zs1L/TqbX0OvoKmG+raffHVghG8USo1EVWzFSi7gURqP6C8f9HW4HfLnR203C8uJMHSzBvPv5PbM+kc/QTu1AE478a6aZyaUsEhHQQx7OV08crT6UsdyUHQlQpgl8aR+MwAyrEH54AAPzYjfN5KNsZ35flf2/Yj6X5KtGeG0ZVMR2cew1z3SKTFXg+rq+TWF3EqhiD3fzTypSYk5nhKpKpMYtoU7JytF4Xw02fyJpbiVdAGsLqibM+rY+4qp+C/t1HKHVavGePdg5iBE/Y+lOqG6dJvXpWe7JjEz7HfZOz69XN0ryL5/JUzfCpf7lvyJ3LKET4OuBbSwypzNeDX+DaAHb4qdwNFJGq8H0DjFFFagmPQSeHZdX7qTtIiOSbogFXab2Yz9Yw38GedKk9UQPSdCLqdzeFEZWuTXDn/NdRA7PqWuAUxoe68O57Esz4dnyLqB1Xrs74IzTRpLhiSECAwEAAQ=="<br />
<br />
Public key used for verification: default._domainkey.hobby.nl (4096 bits)<br />
<br />
NOTE: DKIM checking has been performed based on the latest DKIM specs<br />
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for<br />
older versions. If you are using Port25's PowerMTA, you need to use<br />
version 3.2r11 or later to get a compatible version of DKIM.<br />
<br />
----------------------------------------------------------<br />
SpamAssassin check details:<br />
----------------------------------------------------------<br />
SpamAssassin v3.4.0 (2014-02-07)<br />
<br />
Result: ham (-2.0 points, 5.0 required)<br />
<br />
pts rule name description<br />
---- ---------------------- --------------------------------------------------<br />
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no<br />
trust<br />
[212.72.224.72 listed in list.dnswl.org]<br />
-0.0 SPF_PASS SPF: sender matches SPF record<br />
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%<br />
[score: 0.0000]<br />
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's<br />
domain<br />
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid<br />
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature<br />
<br />
<br />
<br />
==============================================================<br />
Explanation of the possible results (based on RFCs 7601, 7208)<br />
==============================================================<br />
<br />
<br />
DKIM Results<br />
============<br />
<br />
none: The message was not signed.<br />
<br />
pass: The message was signed, the signature or signatures were<br />
acceptable to the ADMD, and the signature(s) passed verification<br />
tests.<br />
<br />
fail: The message was signed and the signature or signatures were<br />
acceptable to the ADMD, but they failed the verification test(s).<br />
<br />
policy: The message was signed, but some aspect of the signature or<br />
signatures was not acceptable to the ADMD.<br />
<br />
neutral: The message was signed, but the signature or signatures<br />
contained syntax errors or were not otherwise able to be<br />
processed. This result is also used for other failures not<br />
covered elsewhere in this list.<br />
<br />
temperror: The message could not be verified due to some error that<br />
is likely transient in nature, such as a temporary inability to<br />
retrieve a public key. A later attempt may produce a final<br />
result.<br />
<br />
permerror: The message could not be verified due to some error that<br />
is unrecoverable, such as a required header field being absent. A<br />
later attempt is unlikely to produce a final result.<br />
<br />
<br />
SPF Results<br />
===========<br />
<br />
none: Either (a) no syntactically valid DNS domain name was extracted from<br />
the SMTP session that could be used as the one to be authorized, or<br />
(b) no SPF records were retrieved from the DNS.<br />
<br />
neutral: The ADMD has explicitly stated that it is not asserting whether<br />
the IP address is authorized.<br />
<br />
pass: An explicit statement that the client is authorized to inject mail<br />
with the given identity.<br />
<br />
fail: An explicit statement that the client is not authorized to use the<br />
domain in the given identity.<br />
<br />
softfail: A weak statement by the publishing ADMD that the host is probably<br />
not authorized. It has not published a stronger, more definitive policy<br />
that results in a "fail".<br />
<br />
temperror: The SPF verifier encountered a transient (generally DNS) error<br />
while performing the check. A later retry may succeed without further<br />
DNS operator action.<br />
<br />
permerror: The domain's published records could not be correctly interpreted.<br />
This signals an error condition that definitely requires DNS operator<br />
intervention to be resolved.<br />
<br />
<br />
"iprev" Results<br />
===============<br />
<br />
pass: The DNS evaluation succeeded, i.e., the "reverse" and<br />
"forward" lookup results were returned and were in agreement.<br />
<br />
fail: The DNS evaluation failed. In particular, the "reverse" and<br />
"forward" lookups each produced results, but they were not in<br />
agreement, or the "forward" query completed but produced no<br />
result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an<br />
RCODE of 0 (NOERROR) in a reply containing no answers, was<br />
returned.<br />
<br />
temperror: The DNS evaluation could not be completed due to some<br />
error that is likely transient in nature, such as a temporary DNS<br />
error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or<br />
other error condition resulted. A later attempt may produce a<br />
final result.<br />
<br />
permerror: The DNS evaluation could not be completed because no PTR<br />
data are published for the connecting IP address, e.g., a DNS<br />
RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)<br />
in a reply containing no answers, was returned. This prevented<br />
completion of the evaluation. A later attempt is unlikely to<br />
produce a final result.<br />
<br />
<br />
<br />
<br />
==========================================================<br />
Original Email<br />
==========================================================<br />
<br />
Return-Path: <rootmail@hobby.nl><br />
Received: from mail-lb1.hobby.nl (212.72.224.72) by verifier.port25.com id h218om2e8s48 for <check-auth@verifier.port25.com>; Thu, 31 May 2018 19:48:27 +0000 (envelope-from <rootmail@hobby.nl>)<br />
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=rootmail@hobby.nl;<br />
iprev=pass (matches mail-lb1.hobby.nl) policy.iprev=212.72.224.72;<br />
dkim=pass (matches From: rootmail@hobby.nl) header.d=hobby.nl<br />
Received: from localhost (localhost [127.0.0.1])<br />
by mail-lb1.hobby.nl (Postfix) with ESMTP id 8396E5FDEA<br />
for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
X-Virus-Scanned: Debian amavisd-new at mail-lb1.hobby.nl<br />
Received: from mail-lb1.hobby.nl ([127.0.0.1])<br />
by localhost (mail-lb1.hobby.nl [127.0.0.1]) (amavisd-new, port 10024)<br />
with ESMTP id bnAxJuumS9FK for <check-auth@verifier.port25.com>;<br />
Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
Received: from [192.168.10.12] (vandenbussche.xs4all.nl [83.163.218.172])<br />
(using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))<br />
(No client certificate requested)<br />
(Authenticated sender: egbert@vandenbussche.nl)<br />
by mail-lb1.hobby.nl (Postfix) with ESMTPSA id 51FE55FDE6<br />
for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)<br />
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hobby.nl; s=default;<br />
t=1527796105; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;<br />
h=Reply-To:To:From:Subject:Date;<br />
b=allKIIWMLMVr0ufrCeIkA8T7VF6xZ9PpPDEG80vqoQraDkwa8FAal+ZXhK/Y/nwtO<br />
XYzhEZmOHSYtvTplFppuvXCsbK2q/ZYf881CounLX/w+Ko0ZNIgJwsOz7WX7MJLDXS<br />
cp13/hRVzNYv0LBsI1sz6cXKkNhVxWEShaIjsSW84bQgAAznR0zG9ZYLuVEXm614T0<br />
cz56At+ONbF/8wqBy3rYRBjJ+66xvajO5DfKX94zJErCpvyoiTYCtO5uf0H3sIsiDs<br />
l7a7IUV3Ituzw0+VNpnRP1J3cNxI7j51EGaoUI1w501cCV6f0wC/qbXd9UVHBAl78g<br />
84j+gS4ImtTe9hR3llRnW+2TfuWradddBjUSkX1UiZDORvMkZM+J2pCgFYxU1GXoR+<br />
GHnDPYqW9KDfuVAHUYU6iZ4eDrijS/Y5OBhix1mAX4/XkYaagpbXD9tr/43nNGV3YU<br />
O8S91tFCgik86DfD5b98lxrr61KHb0X/brYF9l8oBvG9L9nuK0g9r90NeLwhmn88dm<br />
Ll4wN0yIHI3yxEQtli6CdZ4H6gJczv6CRp74U/oNyO8PWIm7Nu4grCtWNPXuOzcHjr<br />
FsGPJun8WFVjwVPeKoEOgUTI27g4nfbHkXQEBb9ykQVvVpe44RXbruS81rfKoPThAw<br />
AU/un1L18tPKxUU+jtT2m2hI=<br />
Reply-To: rootmail@hobby.nl<br />
To: check-auth@verifier.port25.com<br />
From: Hobbynet rootmaill <rootmail@hobby.nl><br />
Subject: test<br />
Openpgp: preference=signencrypt<br />
Autocrypt: addr=rootmail@hobby.nl; prefer-encrypt=mutual; keydata=<br />
xsFNBFZ2htYBEADt6zlAySAIrmfb6mRkAPuekeaAM6jIw6n4vdcpGdYi1fL63uZypoh61Ra7<br />
lF8SGs3uNhR6EyfJt/54Wsfami+KE4x5nd0dwPAWEwMaruxwKHBmGU1X/895EoRa3aa6PsEc<br />
SGyfJplaCscyTneEdsrhtdqKdJi/be8YunhAuYfu1rEaT8FU+hz1itWJJ/YZycscSA8Cb91d<br />
w8dUkJamdK0KtaHXOq0pZcJPICtzd0zQIYuouJM1nAjPqQ6GYWu+TebJorWlrHKIzX9WCE1D<br />
4wxktMXC+CCwRrV7YLV48ouMuqFejEYvBPjdiIqfxI+vw3bYmtRg0aQ0i3cvadnq6rYS1P6Y<br />
nAKk3U1v1Pr83FPUCgTFTpQqHbNJiRDa3tFkVFrY7YtnW4+iHJ8gT2HLOkzpxq/jkhf6gwSQ<br />
GgzAf7hepWBUWpKsd501ezVSoza3WQ4laIqvUaYcMGpdeY2vkHASuBulF/QyOk25PBQGVMjL<br />
IKovZKIkCp3ghXmYeNjMvtIih3Zh3edH4eekVpP4tgFkdddwguA/yEYYyvFv8KGBvBrQCMzF<br />
ghhDRJ6cZL1ewEwuVkGH9qXlM/Gfw4NUo/APuGbbU2PXSxzdxOxbJX2XuRripIsVTVwWKAeb<br />
SAitSSFP8B5talGvV3pKooYxAMNa27LRkoZbMjSOVFJ2yeIUHQARAQABzSBFZ2JlcnQgPGVn<br />
YmVydEB2YW5kZW5idXNzY2hlLm5sPsLBggQTAQgALAIbIwUJCWYBgAcLCQgHAwIBBhUIAgkK<br />
CwQWAgMBAh4BAheABQJWdoj5AhkBAAoJEElE8PvYS2x3wFYP/jy1Ym+6oQDPuHNauYnujpe5<br />
DyZOUrPTHdDqg+HjSXzoozeQGeKpIeAZj7ZXSpfGr4mPaPn8gaWxr6ibQAkVYvTZ4MttoqFo<br />
cT3ePbUGHnagNcwAZJlcoNJQ6S92YYVWryFn0F8JMUcnQzUaJyUOIaf5pcdJcbA6bPBcMa8X<br />
oHSEyD48Dauir7QpsDTurfTooRBZrlLXMkQCeO+FR2R+2WXt7JxQEv1tDZ6xCS/CTMdibszn<br />
fQqlEMj6qNdLh7ymM8umqFlfPx8xRTom8ClkhJryDpV3yYiz380aOt3SCzee68GOwXyM98+P<br />
GD9QSzlhxjh6GF5bhW4jEH5uLByjIUQNDIBDvuqSIWWnBE39zoGqvlAlO9ZOtYaHprCREBkF<br />
IQHiHqOLMkzBHkHJOrqmROkDXpUSeso1rQZEo/13axZyu4JCgHEGONhCDrzZWjK2ASPQZzjL<br />
dAKkuvfIJlwS0yctYWcaK6ttPLyteujWjHbfvJRT6BRLlr0YnmSZs86xWpYnXMrG9xa886Us<br />
kswQd7c2QZuBpLgHW3KzrFvCd/LKp3UvPiVUigK6Xgoi7xwwxfv8O4EeZYO2U35w5SPlg+Mz<br />
FEJVH2whxboMrHZRhLtyPKY0+qqkLP2LxphUAeNRWNOJIXiazTq1/4Y5dVK1zIq6gg2dBMmH<br />
PHx8fQAnhphZzsFNBFZ2htYBEAC7NDbfwBKMD8VRlVUxIds4+0SGsRUhwHQJrU0Tn8vzFiRS<br />
GBtDuOdAPyt8GDrjh2c2PKno9piQnbojqKGJ0HvGoHzfm9axb0S4CPgGfcIrSjyQIu4+kpCj<br />
tatSaxtuvqqpxNBx9ylfubJgTKW96m8K8twbXc6QczMsd6zSt4U5ER8EWrlT1JB+mW+hNuQW<br />
4VQ1A6f0JRQqXOA1b23yNW621CfT9r9t4OpDug9vWyGXyQjjLoiMRsGVH5B/37UXn2BS14wh<br />
2xLj+eh9V1pN4S1IZVv/k0EdRwn9VC/bSGgTbk6P6oOM7LrV+BM7yQHoFOO5HPb2jJB+ynVu<br />
K4/n0Xe/Zcfp2OPAm9qn5Z0lkTSHRxvCMWxxNoAgirzj/KdNnuDVU7SdRulynIcczqj68adV<br />
uEyPeu1mwhOTku7eQnlFmGhkD5oJfg/IPdb7OmnpWsFPfyowG/nR7oPAFVkoNfRRqtUpHIM4<br />
k+2Xm/lWxYHzlzVF9SzbLWKs3/J9tyVb7xNAlr8gcbwgO8bOwWUiAG6hSMD1yLdox92seRPY<br />
mnhOC6PCG3KKqCH7wBZ84Ez0BDqYDqSzq4/PlCnJrMk3ewb/fuGiMF7kgYHThvdZUeyRgUoY<br />
yG7i3R3XRFDUiN5m7SyuRUUdgHwznb2e8Pf/IMYtTZh737bgM+mWc/YlJq+cmQARAQABwsFl<br />
BBgBCAAPBQJWdobWAhsMBQkJZgGAAAoJEElE8PvYS2x3Ad0QAN/WS9Mc0MdhJi7fqhq5dU4X<br />
QfviUMA5CkWboNiOG57OR1C0a4XJcFCDcgmsYRhMYDj4qw7M+z3fcjFJnEwqHHoIhzsvGbDs<br />
Dra8QkP188tx+Uzf4wMnEVCVzOuL5ji36OlxegF5wjj5CTtso237hhcI82+xAnqXteA5pJMw<br />
DunRmhEkjpJjxkUtr4vyOSzGBmMP3sWGbq0uVbWacxggb1r56+uKrQULVEnCa4P64d8RPKn7<br />
Dsn/Pqf7n+nLevBertj5roQNceXeGIpu0k45wVFUtCA9Rc1Y6myNs0aq8Cw5LKTLemI+uT4y<br />
Okky89vroZqG/XetHAXxjZGm+kyMbu3ThvIzOSb5+hTfWcTa8zybUvujkfiejfhRDZ9GWjXS<br />
iK20nZ8d2WwTqPDOMySozXFUJoT6TqTJ/I7m9vJj2mz+xPRLHaAVVKF7rMP8Gw+6g9uWbHs1<br />
SXAZH/CgQTAJwQ+FxWC657Q+bjg11lmjCHpDMxxFnIdqYiIaKjocQzI2SP67Yr94W0trumOR<br />
fZm3nietLoSVVkak0z+SBJZ4/S+XbkDmLnUDG3GJq/QCXFAFVv02VS76gvVYaxFuVWOUIuXf<br />
SkWKoa6vs12Cx30Hp/BfdftCHH6IuhzXspKK+br9CqDrRZcHzMB42/QPYcDa/BZBzudBXsZd<br />
M+CrfDxPMyd7<br />
Organization: HCC!Hobbynet<br />
Message-ID: <bc4cc04a-de4c-54f7-37c4-ffb6f589fb4b@hobby.nl><br />
Date: Thu, 31 May 2018 21:48:24 +0200<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101<br />
Thunderbird/52.8.0<br />
MIME-Version: 1.0<br />
Content-Type: text/plain; charset=utf-8<br />
Content-Language: nl<br />
Content-Transfer-Encoding: 7bit<br />
</pre></div>2A05:F080:0:300:B848:81C0:7F18:AA86