DKIM

From Hobbynet Admin Wiki

Introduction

To reduce the chance of being flagged as a spammer, outgoing mail can be signed. This requires installing OpenDKIM and making a small change to the Postfix configuration.

Installation

As always, use apt-get or aptitude to install a package.

apt-get install opendkim opendkim-tools

Configuration

The OpenDKIM configuration is in /etc/opendkim.conf and should look as follows:

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
#
#Domain                  example.com
#KeyFile                 /etc/opendkim/201205.private
#Selector                201205
#
# Commonly-used options
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              yes
# Log to syslog
Syslog                  yes
LogWhy                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   022
UserID                  opendkim:opendkim
#
KeyTable                /etc/opendkim/KeyTable
SigningTable            /etc/opendkim/SigningTable
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts
#
Socket                  inet:8891@localhost
#EOF

For an explanation of the various parameters, see for example this site.

Directory structure

A directory structure must be created to store trusted hosts, key tables, signing tables and crypto keys. To do so, create /etc/opendkim containing the following files and directory:

root@mail-lb1:/etc/opendkim# ls -l
total 16
-rw-r--r-- 1 root root   90 May 25 14:23 KeyTable
-rw-r--r-- 1 root root   38 May 25 14:24 SigningTable
-rw-r--r-- 1 root root  151 May 28 22:42 TrustedHosts
drwxr-xr-x 3 root root 4096 May 25 14:26 keys

The keys of the domains go in the keys directory.

Creating a key

A script creates the keys and adds the key to the correct tables:

  /usr/local/hobbynet/bin/maakopendkim.sh domeinnaam

When you run this script, it puts the keys on both servers, updates the tables and restarts DKIM. Afterwards it also tells you what to put in DNS:

root@mail-lb1:/etc/opendkim# /usr/local/hobbynet/bin/maakopendkim.sh joomla-dev.hobby.nl

Zet dit in de DNS zone voor: joomla-dev.hobby.nl

default._domainkey.joomla-dev.hobby.nl. IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; s=email; "
          "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw2jWysEKHJVxB+Mz2/94YREk2CZ4iqUwsLtGwRQPraMnOQNsZaC0Ze4YtSJgtmaIdqqnrgkvmWQoG4lcHcJ9a4lyTh//BO1eNGVtTWfAl6L1s4Y647crTnDobqDJKl6oAW8G9pA0clnwLoWxhIEVkd1KHPcp4YGzKR4VywYVpc8bU+Qim2yLwlf7AtB67lOT43H53vBjtAntm4"
          "8aDZr3oN9K/LmYUw66n4BjcJQ8E9jdF2/HIVLPu2tOCP7I8LPAUjrW/v9b9v4P2aC6olxK93IcldGjrFd/S79nRvWBrOkPPj65EsQNLx6hWO97z6VqQD9pP4MinGpSOQ3nC3minRxR4qu9o45T8MditxO8ojjbF1sHxadRZPqa140E7Zxo5qEhhsb+e3rQgGYvina/LGxmef7C94e5/HFcgepN6WySMrFWJh1HXeBydScboX/j3gL7yNty"
          "FMg4bwthQB1TwCEsVpviQjDBo02nd3QtBupUWzcWuR61d6oBgoOCqUnS8uLTyDdo5lXUrjl6Kduja6tolEbJt5JWCviKNPobINqfKr4R4HVpBo+koLMqyzRxswomzYXort/YWSZJmkXKVeMKGW89GZhz5qRr9rOJUFQc/IdTy8C4bdaDV/8hOX0wtrPPEzT4FU5mb9oNLntHy1wm7PKZR0SNdoUylSS+vYcCAwEAAQ==" )  ; ----- DKIM key default for joomla-dev.hobby.nl

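The record the script prints is split over several quoted strings, which DNS joins with nothing in between. The following added example (not part of this wiki or of maakopendkim.sh; the function names and the sample record with its dummy key are constructed here) joins the strings and checks the tags before the value is entered in DNS:

```shell
#!/bin/sh
# Added example: sanity-check a zone-file style DKIM TXT record read on stdin.

# Join every quoted string of the record; DNS concatenates them with no separator.
dkim_txt_value() {
    awk '{
        line = $0
        while (match(line, /"[^"]*"/)) {
            printf "%s", substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
        }
    } END { print "" }'
}

# Print the value of one tag from a "tag=value; tag=value" list.
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# Print "ok <n> base64 chars" and return 0, or print the problem and return 1.
dkim_txt_check() {
    value=$(dkim_txt_value)
    # Assumption: the record carries v=DKIM1, as the record shown above does.
    [ "$(dkim_tag "$value" v)" = "DKIM1" ] || { echo "v= is not DKIM1"; return 1; }
    k=$(dkim_tag "$value" k)            # k= is optional and defaults to rsa
    [ -z "$k" ] || [ "$k" = "rsa" ] || [ "$k" = "ed25519" ] ||
        { echo "unknown key type: $k"; return 1; }
    p=$(dkim_tag "$value" p)
    [ -n "$p" ] || { echo "empty p= (no usable key)"; return 1; }
    case $p in
        *[!A-Za-z0-9+/=]*) echo "p= contains non-base64 characters"; return 1 ;;
    esac
    [ $(( ${#p} % 4 )) -eq 0 ] ||
        { echo "p= has ${#p} chars, not a multiple of 4 (truncated?)"; return 1; }
    echo "ok ${#p} base64 chars"
}

# Constructed sample in the layout shown above; the key is a dummy, not a real one.
SAMPLE_RECORD='default._domainkey.example.org. IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
          "p=QUJDREVGR0hJSktMTU5P"
          "UFFSU1RVVldYWVo=" )  ; ----- DKIM key default for example.org'

printf '%s\n' "$SAMPLE_RECORD" | dkim_txt_check
```

Once the record is published, opendkim-testkey -d joomla-dev.hobby.nl -s default -vvv (from opendkim-tools) queries it from the mail server and, when it can read the private key, checks that the two match.
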
The Postfix side

In addition, everything in /etc/default/opendkim must be commented out and this line added:

SOCKET="inet:8891@localhost"

This socket must be made known to Postfix. Add the following lines to /etc/postfix/main.cf:

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

As a result, Postfix now also verifies and adds DKIM signatures. Don't forget to restart Postfix.

Testing

The configuration can be tested by sending an empty mail to check-auth@verifier.port25.com. If everything works, the reply will show DKIM check: pass under Summary of Results. For those interested, the whole message is included.

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mail-lb1.hobby.nl
Source IP:      212.72.224.72
mail-from:      rootmail@hobby.nl

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: smtp.mailfrom=rootmail@hobby.nl

DNS record(s):
    hobby.nl. 60 IN TXT "v=spf1 ip4:212.72.224.0/21 ip4:95.97.35.96/29 ip4:80.253.112.0/24 ip4:94.232.160.0/24 ip6:2a02:968::/32 -all"


----------------------------------------------------------
"iprev" check details:
----------------------------------------------------------
Result:         pass (matches mail-lb1.hobby.nl)
ID(s) verified: policy.iprev=212.72.224.72

DNS record(s):
    72.224.72.212.in-addr.arpa. 60 IN PTR mail-lb1.hobby.nl.
    mail-lb1.hobby.nl. 60 IN A 212.72.224.72


----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: rootmail@hobby.nl)
ID(s) verified: header.d=hobby.nl

Canonicalized Headers:
    reply-to:rootmail@hobby.nl'0D''0A'
    to:check-auth@verifier.port25.com'0D''0A'
    from:Hobbynet'20'rootmaill'20'<rootmail@hobby.nl>'0D''0A'
    subject:test'0D''0A'
    date:Thu,'20'31'20'May'20'2018'20'21:48:24'20'+0200'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=hobby.nl;'20's=default;'20't=1527796105;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Reply-To:To:From:Subject:Date;'20'b=

Canonicalized Body:
    '0D''0A'
    

DNS record(s):
    default._domainkey.hobby.nl. 60 IN TXT "v=DKIM1; k=rsa; s=email; p=[public key omitted]"

Public key used for verification: default._domainkey.hobby.nl (4096 bits)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.0 (2014-02-07)

Result:         ham (-2.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [212.72.224.72 listed in list.dnswl.org]
-0.0 SPF_PASS               SPF: sender matches SPF record
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature



==============================================================
Explanation of the possible results (based on RFCs 7601, 7208)
==============================================================


DKIM Results
============

none:  The message was not signed.

pass:  The message was signed, the signature or signatures were
    acceptable to the ADMD, and the signature(s) passed verification
    tests.

fail:  The message was signed and the signature or signatures were
    acceptable to the ADMD, but they failed the verification test(s).

policy:  The message was signed, but some aspect of the signature or
    signatures was not acceptable to the ADMD.

neutral:  The message was signed, but the signature or signatures
    contained syntax errors or were not otherwise able to be
    processed.  This result is also used for other failures not
    covered elsewhere in this list.

temperror:  The message could not be verified due to some error that
    is likely transient in nature, such as a temporary inability to
    retrieve a public key.  A later attempt may produce a final
    result.

permerror:  The message could not be verified due to some error that
    is unrecoverable, such as a required header field being absent.  A
    later attempt is unlikely to produce a final result.


SPF Results
===========

none:  Either (a) no syntactically valid DNS domain name was extracted from
    the SMTP session that could be used as the one to be authorized, or
    (b) no SPF records were retrieved from the DNS.

neutral:  The ADMD has explicitly stated that it is not asserting whether
    the IP address is authorized.

pass:  An explicit statement that the client is authorized to inject mail
    with the given identity.

fail:  An explicit statement that the client is not authorized to use the
    domain in the given identity.

softfail:  A weak statement by the publishing ADMD that the host is probably
    not authorized.  It has not published a stronger, more definitive policy
    that results in a "fail".

temperror:  The SPF verifier encountered a transient (generally DNS) error
    while performing the check.  A later retry may succeed without further
    DNS operator action.

permerror: The domain's published records could not be correctly interpreted.
    This signals an error condition that definitely requires DNS operator
    intervention to be resolved.


"iprev" Results
===============

pass:  The DNS evaluation succeeded, i.e., the "reverse" and
    "forward" lookup results were returned and were in agreement.

fail:  The DNS evaluation failed.  In particular, the "reverse" and
    "forward" lookups each produced results, but they were not in
    agreement, or the "forward" query completed but produced no
    result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an
    RCODE of 0 (NOERROR) in a reply containing no answers, was
    returned.

temperror:  The DNS evaluation could not be completed due to some
    error that is likely transient in nature, such as a temporary DNS
    error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or
    other error condition resulted.  A later attempt may produce a
    final result.

permerror:  The DNS evaluation could not be completed because no PTR
    data are published for the connecting IP address, e.g., a DNS
    RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)
    in a reply containing no answers, was returned.  This prevented
    completion of the evaluation.  A later attempt is unlikely to
    produce a final result.




==========================================================
Original Email
==========================================================

Return-Path: <rootmail@hobby.nl>
Received: from mail-lb1.hobby.nl (212.72.224.72) by verifier.port25.com id h218om2e8s48 for <check-auth@verifier.port25.com>; Thu, 31 May 2018 19:48:27 +0000 (envelope-from <rootmail@hobby.nl>)
Authentication-Results: verifier.port25.com; spf=pass  smtp.mailfrom=rootmail@hobby.nl;
 iprev=pass (matches mail-lb1.hobby.nl)  policy.iprev=212.72.224.72;
 dkim=pass (matches From: rootmail@hobby.nl)  header.d=hobby.nl
Received: from localhost (localhost [127.0.0.1])
	by mail-lb1.hobby.nl (Postfix) with ESMTP id 8396E5FDEA
	for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mail-lb1.hobby.nl
Received: from mail-lb1.hobby.nl ([127.0.0.1])
	by localhost (mail-lb1.hobby.nl [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id bnAxJuumS9FK for <check-auth@verifier.port25.com>;
	Thu, 31 May 2018 21:48:25 +0200 (CEST)
Received: from [192.168.10.12] (vandenbussche.xs4all.nl [83.163.218.172])
	(using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: egbert@vandenbussche.nl)
	by mail-lb1.hobby.nl (Postfix) with ESMTPSA id 51FE55FDE6
	for <check-auth@verifier.port25.com>; Thu, 31 May 2018 21:48:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hobby.nl; s=default;
	t=1527796105; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
	h=Reply-To:To:From:Subject:Date;
	b=allKIIWMLMVr0ufrCeIkA8T7VF6xZ9PpPDEG80vqoQraDkwa8FAal+ZXhK/Y/nwtO
	 XYzhEZmOHSYtvTplFppuvXCsbK2q/ZYf881CounLX/w+Ko0ZNIgJwsOz7WX7MJLDXS
	 cp13/hRVzNYv0LBsI1sz6cXKkNhVxWEShaIjsSW84bQgAAznR0zG9ZYLuVEXm614T0
	 cz56At+ONbF/8wqBy3rYRBjJ+66xvajO5DfKX94zJErCpvyoiTYCtO5uf0H3sIsiDs
	 l7a7IUV3Ituzw0+VNpnRP1J3cNxI7j51EGaoUI1w501cCV6f0wC/qbXd9UVHBAl78g
	 84j+gS4ImtTe9hR3llRnW+2TfuWradddBjUSkX1UiZDORvMkZM+J2pCgFYxU1GXoR+
	 GHnDPYqW9KDfuVAHUYU6iZ4eDrijS/Y5OBhix1mAX4/XkYaagpbXD9tr/43nNGV3YU
	 O8S91tFCgik86DfD5b98lxrr61KHb0X/brYF9l8oBvG9L9nuK0g9r90NeLwhmn88dm
	 Ll4wN0yIHI3yxEQtli6CdZ4H6gJczv6CRp74U/oNyO8PWIm7Nu4grCtWNPXuOzcHjr
	 FsGPJun8WFVjwVPeKoEOgUTI27g4nfbHkXQEBb9ykQVvVpe44RXbruS81rfKoPThAw
	 AU/un1L18tPKxUU+jtT2m2hI=
Reply-To: rootmail@hobby.nl
To: check-auth@verifier.port25.com
From: Hobbynet rootmaill <rootmail@hobby.nl>
Subject: test
Openpgp: preference=signencrypt
Autocrypt: addr=rootmail@hobby.nl; prefer-encrypt=mutual; keydata=
Organization: HCC!Hobbynet
Message-ID: <bc4cc04a-de4c-54f7-37c4-ffb6f589fb4b@hobby.nl>
Date: Thu, 31 May 2018 21:48:24 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: nl
Content-Transfer-Encoding: 7bit
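
How the verifier in the report above arrives at default._domainkey.hobby.nl, as an added example (not part of this wiki or of OpenDKIM; the function names are made up here): it reads s= and d= from the DKIM-Signature header. The script also checks that From is listed in h= and that the From domain falls under d=.

```shell
#!/bin/sh
# Added example: read a raw message on stdin and print the DNS name where a
# verifier looks up the DKIM key, after two checks on the signature header.

# Print one header field, unfolded onto a single line (first occurrence only).
header_value() {
    awk -v want="$1" '
        /^$/     { exit }                          # blank line ends the headers
        /^[ \t]/ { if (on) val = val $0; next }    # folded continuation line
        {
            if (on) exit
            n = index($0, ":")
            if (n && tolower(substr($0, 1, n - 1)) == tolower(want)) { on = 1; val = substr($0, n + 1) }
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); print val }'
}

# Print the value of one tag (d, s, h, ...) of the unfolded DKIM-Signature.
sig_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^ *$2=//p" | head -n 1
}

# Print "<selector>._domainkey.<domain>" and return 0, or a reason and return 1.
dkim_sig_check() {
    msg=$(cat)
    sig=$(printf '%s\n' "$msg" | header_value DKIM-Signature)
    [ -n "$sig" ] || { echo "no DKIM-Signature header"; return 1; }
    d=$(sig_tag "$sig" d | tr 'A-Z' 'a-z')
    s=$(sig_tag "$sig" s)
    h=$(sig_tag "$sig" h | tr 'A-Z' 'a-z' | tr -d ' ')
    from=$(printf '%s\n' "$msg" | header_value From |
        sed 's/.*@//; s/[^A-Za-z0-9.-].*//' | tr 'A-Z' 'a-z')
    case ":$h:" in *:from:*) ;; *) echo "From is not signed (h=$h)"; return 1 ;; esac
    # The From domain must be d= itself or a subdomain of it.
    case ".$from" in *".$d") ;; *) echo "d=$d does not cover From domain $from"; return 1 ;; esac
    echo "$s._domainkey.$d"
}

# Headers taken from the test message on this page, with the b= value cut out.
SAMPLE_MSG='DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hobby.nl; s=default;
 t=1527796105; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
 h=Reply-To:To:From:Subject:Date; b=
Reply-To: rootmail@hobby.nl
To: check-auth@verifier.port25.com
From: Hobbynet rootmaill <rootmail@hobby.nl>
Subject: test'

printf '%s\n' "$SAMPLE_MSG" | dkim_sig_check
```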