DKIM does not work on port 587

Discussion in 'Installation/Configuration' started by martinhe, Nov 11, 2021.

Tags:
  1. martinhe

    martinhe Member

    Hi, please advise, tip, directions, whatever.

    In addition to port 25, I enabled port 587 on the server using this manual: https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_Enable_submission_587_port_for_postfix

    • When I send a message via port 25, the header contains the DKIM signature.
    • When I send a message over port 587, the header does NOT contain a DKIM signature.

    How do I please make sure that DKIM is also in messages that I send via port 587?

    Thank you for the advice.
     
    Last edited: Nov 15, 2021
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    How did you set up dkim signing for port 25? Presumably you would do something very similar for port 587.
     
  3. martinhe

    martinhe Member

    Deleted by me. I wrote nonsense, so don't get it.
     
    Last edited: Nov 12, 2021
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Post #1 is about DKIM signing. Is post #3 about a completely different matter since it is about Let's Encrypt?
    Be that as it may, my signature has link to e-mail setup on ISPConfig. It has info on DKIM.
     
  5. martinhe

    martinhe Member

    I'm sorry, I wrote complete nonsense. I got two things wrong. :-D

    I implemented DKIM just by installing yum install amavisd-new, according to the instructions: https://www.howtoforge.com/perfect-...config-3#-install-amavisdnew-spamassassin-and -clamav

    Then I just did a bypass virus check, but no further configuration took place. It works kind of by itself. :)

    I enclose the configuration of the postfix and the screenshot from the administration of ispconfig.

    cat /etc/postfix/master.cf
    # Postfix master process configuration file. For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    smtp inet n - n - - smtpd
    #smtp inet n - n - 1 postscreen
    #smtpd pass - - n - - smtpd
    #dnsblog unix - - n - 0 dnsblog
    #tlsproxy unix - - n - 0 tlsproxy
    submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_helo_restrictions=$mua_helo_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    #smtps inet n - n - - smtpd
    # -o syslog_name=postfix/smtps
    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #628 inet n - n - - qmqpd
    pickup unix n - n 60 1 pickup
    cleanup unix n - n - 0 cleanup
    qmgr unix n - n 300 1 qmgr
    #qmgr unix n - n 300 1 oqmgr
    tlsmgr unix - - n 1000? 1 tlsmgr
    rewrite unix - - n - - trivial-rewrite
    bounce unix - - n - 0 bounce
    defer unix - - n - 0 bounce
    trace unix - - n - 0 bounce
    verify unix - - n - 1 verify
    flush unix n - n 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - n - - smtp
    relay unix - - n - - smtp
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq unix n - n - - showq
    error unix - - n - - error
    retry unix - - n - - error
    discard unix - - n - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - n - - lmtp
    anvil unix - - n - 1 anvil
    scache unix - - n - 1 scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent. See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    # mailbox_transport = lmtp:inet:localhost
    # virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus unix - n n - - pipe
    # user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    #
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix - n n - - pipe
    # flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    #uucp unix - n n - - pipe
    # flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # ====================================================================
    #
    # Other external delivery methods.
    #
    #ifmail unix - n n - - pipe
    # flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    #
    #bsmtp unix - n n - - pipe
    # flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
    #
    #scalemail-backend unix - n n - 2 pipe
    # flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
    # ${nexthop} ${user} ${extension}
    #
    #mailman unix - n n - - pipe
    # flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
    # ${nexthop} ${user}
    dovecot unix - n n - - pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

    amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o smtp_bind_address=


    127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes


    127.0.0.1:10027 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtp_send_xforward_command=yes
    -o milter_default_action=accept
    -o milter_macro_daemon_name=ORIGINATING
    -o disable_dns_lookups=yes
     

    Attached Files:

  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  7. martinhe

    martinhe Member

    I cannot, but this test script id broken, is not working for me:

    [root@server~]# scl enable rh-php73 bash
    [root@server~]# php -v
    PHP 7.3.29 (cli) (built: Aug 3 2021 12:26:40) ( NTS )
    Copyright (c) 1997-2018 The PHP Group
    Zend Engine v3.3.29, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.29, Copyright (c) 1999-2018, by Zend Technologies
    with Xdebug v2.7.2, Copyright (c) 2002-2019, by Derick Rethans
    [root@server~]#
    [root@server~]# cd /root/
    [root@server~]# pwd
    /root
    [root@server~]# wget -q -O htf-common-issues.php "http://gitplace.net/pixcept/ispconfig-tools/raw/stable/htf-common-issues.php" && php -q htf-common-issues.php
    [root@server~]# cat htf_report.txt | more
    cat: htf_report.txt: No such file or directory
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If the common issues script fails, there is very fatal error in you system. Is that PHP version the correct original PHP on your system? Strange there is no error message.
    Try
    Code:
    cd /tmp
    wget -q -O htf-common-issues.php "http://gitplace.net/pixcept/ispconfig-tools/raw/stable/htf-common-issues.php" 
    and then run the script:
    Code:
    cd /tmp
    php -q htf-common-issues.php
    Any error messages now?
     
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    In ISPConfig, dkim in your setup is handled by amavis as you mentioned, and the amavis content filter is set via smtpd_sender_restrictions in main.cf, but you overwrote that setting for the submission, so now amavis isn't used for submission (port 587):
    Refer back to the perfect server guide for enabling submission (and smtps), you simply uncommented too many lines.
     
    martinhe likes this.
  10. martinhe

    martinhe Member

    It doesn't work the same way.
     
  11. martinhe

    martinhe Member

    [root@new ~]# cat /etc/postfix/main.cf| grep smtpd_sender_restrictions
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_origi_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_senderpostfix/tag_as_foreign.re
    [root@new ~]#

    [root@production ~]# cat /etc/postfix/main.cf| grep smtpd_sender_restrictions smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    [root@production ~]#

    You write main.cf, but you probably mean master.cf.

    Solution for me:
    submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions

    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING

    DKIM now working also on 587.

    Thanks you.
     
  12. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    No, it's set in main.cf as your output shows. The error you have now corrected is in master.cf. Note you appear to still have smtpd_recipient_restrictions uncommented, which changes the policy/behavior on that port; that's not necessarily wrong, just make sure that's what you intend/want.
     
  13. martinhe

    martinhe Member

    Hi, how do you recommend setting this up? I can't understand it.

    I left these commented, otherwise postconf writes that the variable values are undefined.
    # -o smtpd_client_restrictions=$mua_client_restrictions
    # -o smtpd_helo_restrictions=$mua_helo_restrictions
    # -o smtpd_sender_restrictions=$mua_sender_restrictions
    # -o milter_macro_daemon_name=ORIGINATING

    If i uncomment this lines, server say:
    [root@server ~]# postconf -n | grep warning
    postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
    postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
    postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
    [root@server ~]#


    Thanks.
     
    Last edited: Nov 18, 2021
  14. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    On my Postrix all of the lines with $mua_<something> are commented out.
    If you do uncomment them, you have to define the variables $mua_sender_restrictions et al with some value.
    You seem to be doing a lot of configuration on your Postfix. Maybe go back to plain configuration, check it works, and if really needed add things one at a time.
     

Share This Page