OpenDKIM for all

testing
v7
mailserver

(Stéphane de Labrusse) #1

Hi all

I recently worked to bring a new feature to NethServer: OpenDKIM.

The goal is to sign the email with an RSA key and allow other email servers to authenticate you as the good sender by retrieving the public key in your public DNS zone (default._domainkey.YourDomainName).

The test protocol is available at https://github.com/NethServer/dev/issues/5407

To update your server, run:

yum update nethserver-mail-common --enablerepo=testing

I would like to personally thank (in no particular order) @davidep @filippo_carletti @giacomo for testing, ideas, code, support and fun.

Please test and report.


(Davide Principi) #2

This is super-great news, Stéphane! I’ll check it out on my production server!

Now I can’t wait to see rspamd in action too :wink:


(Rob Bosch) #3

Great work @stephdl! It is important that NethServer modules (and especially mail features) are safe and trustworthy. Too much garbage is being sent already.
IMO the starting point for trustworthy email services is knowing the mail comes from the person that is mentioned in the sender field. OpenDKIM is part of that trust.


(Joel Clendineng) #4

yum update nethserver-mail-common --enablerepo=nethserver-testing

Installing now, will report back.


(Joel Clendineng) #5

Works as expected. I am having some other issues, but I am trying to figure out if they are coming from this testing update or something else. The Email addresses section errors with

[64] Cannot use lexical variable $view as a parameter name

See the system log for details.

So I am going through my logs.

DPI also errors but I doubt that it is related.


(Stéphane de Labrusse) #6

Please, can you check /var/log/httpd-admin/error_log when you display the error and give back the full error line?


(Joel Clendineng) #7

I've created a bug topic; I'm pretty sure it's PHP related, not email.


(Stéphane de Labrusse) #8

URL, please.


(Joel Clendineng) #9

(Tyron Jerez) #10

I am testing out on my server and it is working properly. Totally awesome, you guys rock :ok_hand:


(Davide Principi) #11

One issue has been found during the QA phase that is blocking the release of this feature. If we don’t find a solution for it we must wait for the alternative mail-filter implementation based on rspamd.

More info here

https://github.com/NethServer/dev/issues/5407


#13

Count me in.


(Stéphane de Labrusse) #14

The patch has been reversed; efforts go to rspamd now, and we will go back to opendkim a bit later. For those who upgraded the server, you can downgrade with

yum downgrade nethserver-mail-common


(Tyron Jerez) #15

Sorry to be the odd man, but I got a bit excited and have already gone to Production Server with this :grimacing:

I am not as technical as you guys, but can someone please let me know exactly what the problem is in dumb terms? From what I think I understand, there is an issue authenticating when sending emails to users from the same domain, e.g. me@mydomain.com to you@mydomain.com, while on the same network.

If that is the case, would it affect me, since I have my Mail Server set up over the internet with its own public IP on a separate NS installation and not on the LAN?

Also, would I be able to change when a solution is found for DKIM afterwards without losing anything?

Thanks for your patience :sweat_smile:


(Stéphane de Labrusse) #16

Due to a proxied SMTP, all emails seem to come from localhost and not from the real sender IP. For rspamd, the proxied SMTP needed by amavisd is removed, so it should not give more trouble. We just need to wait a bit more and find the right way to sign email with DKIM.

rspamd could be a way
opendkim is the common way

For now, just revert the RPM. opendkim should not be removed, only disabled, and remember to remove the public key from your DNS zone.
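
An added example, not part of the thread or of NethServer's code: a small Python check that classifies the TXT answer for default._domainkey.YourDomainName, useful both after publishing the key (post #1) and after withdrawing it as advised above. The function names are hypothetical, the input is assumed to be the text printed by `dig +short TXT default._domainkey.<domain>`, and the sample record is constructed.

```python
import base64
import binascii
import re

def join_txt_chunks(line):
    """Join the quoted <=255-byte strings that `dig +short TXT` prints for one record."""
    chunks = re.findall(r'"([^"]*)"', line)
    return "".join(chunks) if chunks else line.strip()

def parse_tags(record):
    """Split an RFC 6376 tag-list such as "v=DKIM1; k=rsa; p=..." into a dict."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("tag without '=': %r" % part)
        tags[name.strip()] = "".join(value.split())  # folding whitespace is ignored
    return tags

def classify_record(record):
    """Return 'published', 'revoked' or 'invalid' for one joined TXT record."""
    try:
        tags = parse_tags(record)
    except ValueError:
        return "invalid"
    # Assumption: RSA-only setup as in this thread; other key types count as invalid.
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return "invalid"
    if "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"  # an empty p= tells verifiers the key was withdrawn
    try:
        base64.b64decode(tags["p"], validate=True)  # checks encoding only, not the key itself
    except binascii.Error:
        return "invalid"
    return "published"

def dkim_key_status(dig_output):
    """Classify the whole TXT answer; 'absent' means no record is published."""
    states = [classify_record(join_txt_chunks(l)) for l in dig_output.splitlines() if l.strip()]
    return next((s for s in ("published", "revoked", "invalid") if s in states), "absent")

# Constructed sample: stand-in bytes, not a real RSA key, split into chunks as DNS requires.
SAMPLE_P = base64.b64encode(b"constructed-not-a-real-key" * 12).decode()
PUBLISHED = '"v=DKIM1; k=rsa; " "p=%s" "%s"' % (SAMPLE_P[:200], SAMPLE_P[200:])
```

After a downgrade, a result of "absent" or "revoked" means receivers no longer find a usable key for the default selector; "published" means the record is still in the zone.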


(Davide Principi) #17