
Beta Branch add addons/opendkim.sh for dkim setup for 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Apr 13, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    45,657
    10,358
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,076
    Local Time:
    7:54 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Only if you manually configured Postfix to send from the domains, which Centmin Mod doesn't do by default, as there is no SMTP, IMAP or POP3 setup for @domain.com; it's sent from @mainhostname.domain.com out of the box.

    That's why that is a hidden setting, as it's reserved for folks who have installed and configured full @domain.com users for POP3, IMAP and SMTP locally on the server rather than 3rd party @domain.com providers.
     
    Last edited: Oct 7, 2016
  2. pamamolf

    pamamolf Premium Member Premium Member

    3,884
    381
    83
    May 31, 2014
    Ratings:
    +741
    Local Time:
    11:54 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    What I see is:

    Bounce address : nginx@domain.com

    So do I have to adjust Postfix to attach a DKIM signature for my domain.com, or is it more complicated?
     
  3. eva2000

    See the updated previous post: you need to have installed and configured full @domain.com users for POP3, IMAP and SMTP locally on the server rather than 3rd party @domain.com providers.

    If you use a 3rd party @domain.com provider, then DKIM needs to be set up at their end.
     
  4. pamamolf

    I think that the point of this addon is to have OpenDKIM-signed emails by default from forums/CMS applications....

    As those applications by default use PHP to send mails and not any SMTP or third-party provider, we should have related adjustments .....

    If any user wants to use anything other than the default then they must adjust what they want, but I am 100% sure that most users use the default PHP mail option.

    Or don't you agree with my thought? Or is it not possible to know from the beginning what domains users will use, or is it not technically easy to do?

    I don't use any and I am not talking about POP, SMTP or third-party mail providers at all....

    Thanks :)
     
    Last edited: Oct 7, 2016
  5. pamamolf

    For example, a new user gets a domain and a server, installs Centmin Mod on it and after that the Invision platform.....

    Using the OpenDKIM addon and after setting the related DNS entries, all emails from Invision should be signed with DKIM, like registration emails or lost password emails....

    If the addon can't do that then I don't know where this is useful ... :(
     
    Last edited: Oct 8, 2016
  6. eva2000

    The 1st post has the purpose of this addon: it's for emails sent from the main hostname root user, i.e. root@mainhostname.domain.com. It's for emails such as cron emails, email alerts sent by the server itself, including centmin.sh menu option 22's WordPress cron emails, account setup emails. All the emails sent where the from user is @mainhostname.domain.com, which are system-level, not @domain.com level.
     
  7. pamamolf

    Ok then it is useful :)

    I hope that you will be able to add a @domain option in the future :)

    Thank you !
     
  8. pamamolf

    Any ideas for this? :)

    Code:
    The DKIM signature of your message is:
    
        v=1;
        a=rsa-sha256;
        c=relaxed/simple;
        d=domain.com;
        s=default;
        t=1476072862;
        bh=UMh7Y4x2QFfM/TxKdFqcMd7yOjloNt4m2fl81vO+X+4=;
        h=To:Subject:Date:From;
        b=25PQjKUF/I3C9ay4nN7KlJrnfN4z6NxlM8fL7/mwgrnLseVxhf9mkZjgSeNH+a6FQ6Z1/udGyOjLOHLLSJi4FUrHTA/7QZaWgqYKsryUgWnGurOTp1QRPRbfQ04zhSMyKwEYlZ2drZnsg9XvHN4KHC2jGpR6A6A/zO+faL/seDg=
    
    
    Your public key is:
    
    "v=DKIM1;
    k=rsa;
    p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMtBVZbsvm/evf2SAaviVR/GRbUhV5mLOck4h/dp8w1fGaU1dWLrZuCtzlaVrblLtvLCScWUcYs1WgzSNNxu16AG51ewoqr+EFlxKayQ/SAMgxfOywhNCL1q1InwbOA9sFIiLyCe/mP3veF6sjAJ/LWTCLyNZUTXs18gMbxevZ8QIDAQAB"
    Key length: 1024bits
    
    Your DKIM signature is not valid
     
  9. eva2000

    For example:
    Code (Text):
    default._domainkey.centos7.localdomain  IN      TXT     "v=DKIM1; k=rsa; "        "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+GvmpvrhrWzgtUZxUx4pmQwn49u9P/eR27JNR3AHHQMji3CcaAegIqJvrIqMips2/FkewaX80vTP6djgYFgx6hXdEp0iyIvAMuBddRM39bkjgLqJ4LDiXJQQNiTj2bUfpNDndyxXhfHNkX2sm1Vc+QA8rnGQAo0zkMj46rlPNaQIDAQAB"
    

    That is one whole single line after the TXT
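
The single-line rule from the post above, as an added example that is not part of the thread or of addons/opendkim.sh: it joins the quoted chunks of the zone-file form into the one value a DNS web form expects and lints the result. The function names, the sample record and its placeholder key are constructed for illustration, and the checks are a conservative lint rather than full RFC 6376 validation.

```sh
#!/bin/sh
# Added example, not part of addons/opendkim.sh.

# Join the quoted chunks of a zone-file TXT line into a single value. DNS
# concatenates the character-strings of one TXT record with nothing in
# between, so no separator is inserted here.
dkim_txt_flatten() {
  printf '%s\n' "$1" |
    awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i }'
}

# Conservative lint of a flattened value: prints the first problem found and
# returns 1, or prints "ok" and returns 0.
dkim_txt_check() {
  case $1 in
    *'"'*) echo "stray double quote inside the value"; return 1 ;;
  esac
  case $1 in
    v=DKIM1*) ;;
    *) echo "value does not start with v=DKIM1"; return 1 ;;
  esac
  # Split the tag list on ';' and pull out the p= (public key) tag.
  dkim_p=$(printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p')
  if [ -z "$dkim_p" ]; then
    echo "no p= tag found"; return 1
  fi
  if ! printf '%s\n' "$dkim_p" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
    echo "p= is not one unbroken base64 string"; return 1
  fi
  echo "ok"
}

# Constructed sample: the key is a short placeholder, not a real key.
sample='default._domainkey.host.example.test IN TXT "v=DKIM1; k=rsa; " "p=QUJDREVGRw=="'
flat=$(dkim_txt_flatten "$sample")
echo "$flat"
dkim_txt_check "$flat"
```

A value that still contains the inner quotes, as when the two-chunk form is pasted verbatim into a web form, fails the first check because the tag name is no longer `p`.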
     
  10. pamamolf

    Yes, I added all the info after the TXT on the DNS entry...

    To me it looks like I send out a=rsa-sha256; and the generated key is plain RSA, k=rsa; ?

    Something doesn't match :(
     
  11. eva2000

    Where are you getting that reported not valid DKIM message?

    From my own servers it tested fine: server @host.domain.com emails sent via Postfix have passed SPF, DKIM and DMARC.
     
  12. pamamolf

    From mail-tester.com, and I am also checking it at Gmail, where I can see it is not signed either :(
     
  13. pamamolf

  14. eva2000

    mail-tester.com reports valid for my addons/opendkim.sh generated emails,

    as do Google Gmail and Outlook.

    Code (Text):
    Your DKIM signature is valid
    DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.
    
    The DKIM signature of your message is:
    
      v=1;
      a=rsa-sha256;
      c=relaxed/simple;
      d=domain.com;
      s=default;
      t=1476076108;
      bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
      h=Date:To:Subject:From:From;
      b=JlotZZSaAzpzxdSfMU82SnMk0Nu9f102evfLgWbY1CF/7rQNwZPE7QvVPfWx9dp5iV6EDCnSl8iRYTy8dv3lPLma5j/odH29Gf5BwpOzSxFsVu2KzMscGHrR2wPxCN/d+hrvELciUkia72dwx4WXuYDEgxc/rqFgEe+HQsiho=
    Your public key is:
    
    "v=DKIM1;
    k=rsa;
    p=MIGfMA0GCSqGb3DQEBAQUAA4GNADCBiQKBgQDGPC/EutQQ7GOyYb0VNN0uRDTdYz904YnEHT93GqtZoX4L67Ky8W+F+EFRtm2l2KnPQQhld34EEuy1OtrxA8/QiWc0jOzgzzy/ZAOAKI2PTqDo92QpD6ARClBt34hBUYpEeYlqwGia2UVruj41MaQi/+mhg5GDSbd7RYvHsuqbpQIDAQAB"
    Key length: 1024bits
     
  15. pamamolf

    OK, then I may need to search more for why I have this issue.... :)
     
  16. eva2000

  17. pamamolf

    I just stopped and started opendkim and postfix and now there seem to be no errors in the logs...

    Let's check the signature now :)
     
    Last edited: Oct 10, 2016
  18. pamamolf

    Code:
    [root@server ~]# cd /etc/opendkim/keys
    
    [root@server keys]# opendkim-testkey -s default -k default.private -vvv
    opendkim-testkey: using default configfile /etc/opendkim.conf
    opendkim-testkey: key loaded from default.private
    opendkim-testkey: checking key 'default._domainkey.domain.com'
    opendkim-testkey: keys do not match
    
    keys do not match :(
     
    Last edited: Oct 10, 2016
  19. eva2000

    Wrong paths :)
    Code (Text):
    opendkim-testkey -s default -k /etc/opendkim/keys/hostname.domain.com/default -d hostname.domain.com -vvv
    opendkim-testkey: using default configfile /etc/opendkim.conf
    opendkim-testkey: key loaded from /etc/opendkim/keys/hostname.domain.com/default
    opendkim-testkey: checking key 'default._domainkey.hostname.domain.com'
    opendkim-testkey: key OK
    


    addons/opendkim.sh never creates one at default.private, so if yours did, it's from somewhere else, as opendkim.sh creates them at /etc/opendkim/keys/hostname.domain.com/default
     
  20. pamamolf

    Yes, I was playing with different settings to find out how to use my domain to send signed emails, as that is needed for default installations of any forums or CMS :)

    I think the problem is solved:

    Code:
    [root@server domain.com]# opendkim-testkey -s default -k default.private -vvv
    opendkim-testkey: using default configfile /etc/opendkim.conf
    opendkim-testkey: key loaded from default.private
    opendkim-testkey: checking key 'default._domainkey.domain.com'
    opendkim-testkey: key OK
    It was a space in the DNS record that is not needed on Cloudflare!

    It would be great if you could adjust the entry inside the generated dkim_spf_dns_domain.com_270916-091928 to go from:

    Code:
    "v=DKIM1; k=rsa; "      "p=
    to
    Code:
    "v=DKIM1; k=rsa;p=
    or with no spaces at all (both work):

    Code:
    "v=DKIM1;k=rsa;p=

    Also, I want to request an adjustment to that addon, please, so that when a user runs:

    Code:
    opendkim.sh newdomain.com
    it makes an edit at:

    Code:
    nano /etc/opendkim/KeyTable
    with an extra line inside for the domain:

    Code:
    default._domainkey.domain.com domain.com:default:/etc/opendkim/keys/domain.com/default.private
    Then enable, if not already enabled, here:

    Code:
    /etc/opendkim/SigningTable
    the:

    Code:
    *@domain.com default._domainkey.domain.com
    and the last one here:

    Code:
    /etc/opendkim/TrustedHosts
    add the domain.com, or check whether it is already there.

    After that, and restarting opendkim and postfix, I think users will be able to get signed emails......

    I think it would be great to enable these changes for this addon :)

    Thank you
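
The table edits requested in the last post, as an added example and not code from addons/opendkim.sh: an idempotent helper that registers one domain in KeyTable, SigningTable and TrustedHosts. The function names and the example.test domain are hypothetical; the file paths and line formats are the ones quoted in the post.

```sh
#!/bin/sh
# Added example, not part of addons/opendkim.sh.

# add_line FILE LINE: append LINE unless an identical line is already present.
add_line() {
  touch "$1"
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# dkim_add_domain DOMAIN [SELECTOR] [CONFDIR]
# Paths and line formats follow the post above; CONFDIR exists so the helper
# can be tried against a scratch directory instead of /etc/opendkim.
dkim_add_domain() {
  dkim_domain=$1
  dkim_sel=${2:-default}
  dkim_dir=${3:-/etc/opendkim}
  dkim_key="$dkim_dir/keys/$dkim_domain/$dkim_sel.private"
  dkim_name="$dkim_sel._domainkey.$dkim_domain"

  # The domain is written into config files, so accept hostname characters only.
  case $dkim_domain in
    ''|*[!A-Za-z0-9.-]*) echo "invalid domain: $dkim_domain" >&2; return 2 ;;
  esac
  # Never point KeyTable at a key that is not there: signing would fail later.
  if [ ! -f "$dkim_key" ]; then
    echo "missing private key: $dkim_key" >&2; return 1
  fi

  add_line "$dkim_dir/KeyTable" "$dkim_name $dkim_domain:$dkim_sel:$dkim_key"
  add_line "$dkim_dir/SigningTable" "*@$dkim_domain $dkim_name"
  add_line "$dkim_dir/TrustedHosts" "$dkim_domain"
}

# Demo in a throwaway directory with a constructed domain and an empty key file.
demo=$(mktemp -d)
mkdir -p "$demo/keys/example.test"
: > "$demo/keys/example.test/default.private"
dkim_add_domain example.test default "$demo"
dkim_add_domain example.test default "$demo"   # second run adds nothing
cat "$demo/KeyTable" "$demo/SigningTable" "$demo/TrustedHosts"
rm -rf "$demo"
```

Wildcard entries such as `*@domain.com` are only matched when opendkim.conf loads the table as `SigningTable refile:/etc/opendkim/SigningTable`.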