MailServer Configuration (autodiscover, SPF, DKIM)

#Before you install your NethServer

  • Please consider that the server must have an FQDN
    # when you run hostname -f it must return something like SERVER.DOMAIN.TLD
  • And your DNS zone must look something like this
    A @ 1.2.3.4
    A server1.domain.tld. 1.2.3.4
    CNAME mail. server1.domain.tld.

#After you installed your Nethserver

autodiscover

  • simply add a CNAME with autodiscover and point it to your mailserver
    ###example
    CNAME autodiscover. mail.domain.tld.

SPF

  • add a TXT entry

example

TXT @ "v=spf1 a:domain.tld mx ?all"

DKIM

# amavisd genrsa /etc/pki/tls/private/YOUR_DOMAIN-dkim.key.pem
# chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
# chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
# mkdir -p /etc/e-smith/templates-custom/etc/amavisd.conf

add those lines into /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim

# filippo enable dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('nethesis.it', 'dkim', '/etc/pki/tls/private/nethesis-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/relaxed' } } );

Edit your DNS

# amavisd -u amavis -g amavis showkeys

  • make a TXT with this info
    ###example
    TXT dkim._domainkey "v=DKIM1; k=rsa; " "p=…OpenDKIMKey…"

##Restart service
# signal-event nethserver-mail-server-update

##Test your mail configuration

Thanks @filippo_carletti for your help!

4 Likes

I think that DKIM setup is much more simple following the commands shown here:
http://dev.nethserver.org/issues/1910

Why do you think milters are a better way?

maybe, but I know mine works and before I made it, I didn’t find anything about DKIM in this forum.
do you have DKIM with AMAVIS in production ?

Yep! Amavis is the only thing you need!

You’re both probably right but I’d tried with Amavis
in this file /etc/amavisd.conf
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.

and at step 3 of this howto: http://www.faqforge.com/linux/how-to-enable-dkim-email-signatures-in-amavisd-new-and-ispconfig-3/
I received this error: amavisd showkeys

Yep, since when I wrote that issue.

Would you mind trying the simpler setup described in the issue to validate my configurations?
We could move on and work together on a better config and have it as a default.

Note: a lot of material is archived on the old google forum:
https://groups.google.com/forum/#!forum/nethserver

Thanks for the reply :wink:
Of course I want to do it like you described…
Sadly I don’t truly understand

Is it those lines you are talking about?

# grep dkim /etc/amavisd.conf

and

# amavisd genrsa /etc/pki/tls/private/nethesis-dkim.key.pem
# chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
# chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
# cat /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim

Oops, the commands are my notes, hard to understand even for me, sorry. I should have been more careful. :smile:

Run the following commands:

amavisd genrsa /etc/pki/tls/private/nethesis-dkim.key.pem
chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
mkdir -p /etc/e-smith/templates-custom/etc/amavisd.conf
cat <<EOF >/etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
# filippo enable dkim
\$enable_dkim_verification = 1;
\$enable_dkim_signing = 1;
dkim_key('nethesis.it', 'dkim', '/etc/pki/tls/private/nethesis-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
EOF
signal-event nethserver-mail-server-update

These commands generate a proper RSA key for dkim, give the key file the correct permissions to be accessed by amavisd, create a custom template to enable dkim in amavisd and apply the new configuration.

Do you think it would be a valuable addition to the system having a server-manager interface to configure DKIM?

After I followed those instructions, with the command: amavisd showkeys
I received: Error in config file "/etc/amavisd.conf": syntax error at /etc/amavisd.conf line 303, near "="
so I added those lines into /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

and now, when I’m running: amavisd showkeys
I have the same result as before: drop_priv: No such username:
:frowning:

Might be a nice feature to add into the server-manager but with an option to choose if you want to be: relaxed/relaxed or relaxed/simple
because G**gle use relaxed/relaxed.

amavisd -u amavis -g amavis showkeys
1 Like

@filippo_carletti all is cool but :
1 in WebUI we need to see Dkim key for copying for our DNS Provider.
2 If we use DNSmasq we need to integrate Dkim to it .
Because @JOduMonT is newcomer and if it have success on Amavis, he hardly sign his letter by DNS provider :slight_smile:

so everything is fine and working, thanks @filippo_carletti
But I kept those modifications
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

1 Like

I don’t understand, sorry. How do you intend to integrate dnsmasq and dkim?

My bad, sorry: variable expansion happens in heredoc, need to protect $.
Edited.
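
The heredoc pitfall mentioned above ("need to protect $"), which produces the ` = 1;` line behind the `syntax error ... near "="` report, reproduced as an added example that is not part of the thread. It writes only temporary files; example.org and the key path are placeholders.

```sh
#!/bin/sh
# Added example: temp files only, nothing under /etc is touched.
# example.org and the key path are placeholders.

# Unquoted delimiter: the shell expands $enable_dkim_* (unset, so empty)
# before the text reaches the file. Runs in a subshell so that unsetting
# the variables and relaxing "set -u" does not leak to the caller.
write_unquoted() (
    set +u
    unset enable_dkim_verification enable_dkim_signing
    cat <<EOF >"$1"
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.org', 'dkim', '/etc/pki/tls/private/example-dkim.key.pem');
EOF
)

# Quoted delimiter: the body is copied literally, no backslashes needed.
write_quoted() {
    cat <<'EOF' >"$1"
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.org', 'dkim', '/etc/pki/tls/private/example-dkim.key.pem');
EOF
}

# Succeeds only if both Perl variables kept their "$" sigil.
template_ok() {
    grep -q '^\$enable_dkim_verification = 1;$' "$1" &&
        grep -q '^\$enable_dkim_signing = 1;$' "$1"
}

tmp=$(mktemp -d)
write_unquoted "$tmp/95dkim.unquoted"
write_quoted "$tmp/95dkim.quoted"
for f in "$tmp/95dkim.unquoted" "$tmp/95dkim.quoted"; do
    if template_ok "$f"; then echo "intact:  ${f##*/}"; else echo "mangled: ${f##*/}"; fi
done
head -n 1 "$tmp/95dkim.unquoted"   # the line Perl rejects: " = 1;"
rm -rf "$tmp"
```

Running `template_ok` against the generated fragment before `signal-event nethserver-mail-server-update` catches a mangled template before amavisd is restarted with it.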

@filippo_carletti so if we use DKIM and DNSmasq we should add TXT record to DNSmasq

 txt-record=dkim._domainkey.sploing.fr,"v=DKIM1; t=y; k=rsa;
 p=MIG1MA0GCSqGSIb3DQEBAQUAA4GjADCBnwKBlwxSuaM6ckdmIAHbz4KjlmUjmVxH6kMlaJi
 29fHa7lWonM0AWoBw9Pli/EULXHpVj71W6uJD/dGOQBlFjy0zOFBlR/yJU79rRqLwEPyDM8Fo
 aLHHQWEcX/msoL5xjFS9R9l1+FJG5SmVVmQcyT0hgiyfW87xE3YhPspN6jnaukDYmzejGdivk
 y9SowCrZWNgLtuxBjDaI20CAwEAAQ=="
 txt-record=_adsp._domainkey.sploing.fr,"dkim=all; t=s"
1 Like

Got it, thank you @Nas. This usually goes into the registrar/dns maintainer web panel.

So, this morning I needed to disable the antivirus filter (AMAVIS)
on my email to send and receive email ;(
I didn’t truly find a clear error in the log.

@JOduMonT tell us fully what has been done with AMAVIS… we will try to help you

1 Like

amavis has its own log verbosity

####cat /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('deass.net', 'dkim', '/etc/pki/tls/private/deass-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/relaxed' } } );

####[root@neth1 ~]# amavisd -u amavis -g amavis showkeys
; key#1, domain deass.net, /etc/pki/tls/private/deass-dkim.key.pem
dkim._domainkey.deass.net. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+qUWxnFO37pR+H/ij0z9i7Zkv"
  "enh5kEUfxSRVRDqF4Fsq366D6nkXgrPHWeyNDh1j32sDNTaPsaHfFjUeJvKwu153"
  "flU5i31ZwKlvDpe8FyrQO3A3q45wlUXLyyReZysaKhRQF38s14B+G7iZA2ABCo0a"
  "lbMbZ7RPQ/C+sMn1nQIDAQAB")

and I’d restart the service

into my DNS

txt dkim._domainkey "v=DKIM1; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+qUWxnFO37pR+H/ij0z9i7Zkv" "enh5kEUfxSRVRDqF4Fsq366D6nkXgrPHWeyNDh1j32sDNTaPsaHfFjUeJvKwu153" "flU5i31ZwKlvDpe8FyrQO3A3q45wlUXLyyReZysaKhRQF38s14B+G7iZA2ABCo0a" "lbMbZ7RPQ/C+sMn1nQIDAQAB"

and letters become stuck?
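
The post above compares the showkeys output with the TXT record entered at the DNS provider by eye. The same comparison as an added example, not part of the thread: it joins the quoted chunks into the one string a resolver returns and compares the p= tag. example.org and the key chunks are constructed placeholders, not a real key.

```sh
#!/bin/sh
# Added example. Key material below is a constructed placeholder, not a real key.

# Join every "quoted" chunk on stdin into the single TXT value a resolver returns.
txt_value() { { grep -o '"[^"]*"' || true; } | tr -d '"\n'; }

# Extract the p= (public key) tag from a DKIM tag list, whitespace removed.
dkim_p() { tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | tr -d ' \t\n'; }

# True if the text contains typographic quotes, which DNS stores as data.
has_smart_quotes() { grep -q -e '“' -e '”' -e '‘' -e '’'; }

# check_record SHOWKEYS PUBLISHED -> prints ok | smart-quotes | mismatch
check_record() {
    if printf '%s\n' "$2" | has_smart_quotes; then echo smart-quotes; return; fi
    want=$(printf '%s\n' "$1" | txt_value | dkim_p)
    got=$(printf '%s\n' "$2" | txt_value | dkim_p)
    if [ -n "$want" ] && [ "$want" = "$got" ]; then echo ok; else echo mismatch; fi
}

# Constructed sample in the layout showkeys prints.
SHOWKEYS='; key#1, domain example.org, /etc/pki/tls/private/example-dkim.key.pem
dkim._domainkey.example.org. 3600 TXT (
  "v=DKIM1; p="
  "MIGfCONSTRUCTEDsampleKEYchunk1"
  "CONSTRUCTEDsampleKEYchunk2AB")'

# Constructed records as they might be typed into a DNS panel.
DNS_GOOD='dkim._domainkey TXT "v=DKIM1; p=" "MIGfCONSTRUCTEDsampleKEYchunk1" "CONSTRUCTEDsampleKEYchunk2AB"'
DNS_SMART='dkim._domainkey TXT “v=DKIM1; p=” “MIGfCONSTRUCTEDsampleKEYchunk1” “CONSTRUCTEDsampleKEYchunk2AB”'
DNS_SHORT='dkim._domainkey TXT "v=DKIM1; p=" "MIGfCONSTRUCTEDsampleKEYchunk1"'

for rec in "$DNS_GOOD" "$DNS_SMART" "$DNS_SHORT"; do
    check_record "$SHOWKEYS" "$rec"
done
```

On the server itself, `amavisd -u amavis -g amavis testkeys` checks the configured keys against what DNS actually returns.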