Ubuntu+ISPConfig+DKIM

Discussion in 'Installation/Configuration' started by oxygen, Mar 19, 2016.

  1. oxygen

    oxygen Member

  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    oxygen likes this.
  3. florian030

    florian030 Well-Known Member HowtoForge Supporter

You can use openDKIM as described in the link. But you will lose a lot of features. Better use the link from ztk.me. The dkim-patch is a backport from the upcoming ispconfig-release and it's working very well for over a year with all needed features.

    If you run postfix with a milter you should take care, that the milter is always running.
     
    oxygen likes this.
  4. oxygen

    oxygen Member

    Now thinking about SPF.
    I added txt record v=spf1 a mx ip4:my.ip ~all
    then tested with http://www.kitterman.com/spf/validate.html with result:

    SPF record lookup and validation for: mydomain.com

    SPF records are published in DNS as TXT records.

    The TXT records found for your domain are:
    v=spf1 a mx ip4:my.ip ~all

    Checking to see if there is a valid SPF record.

    Found v=spf1 record for mydomain.com:
    v=spf1 a mx ip4:my.ip ~all

    evaluating...
    SPF record passed validation test with pySPF (Python SPF library)!


    But anyway i should install https://www.howtoforge.com/postfix_spf ?
     
  5. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

You should install it, the postfix_spf does the magic of checking on your server whether the incoming server is allowed to use the from-address it claims - if SPF is set of course.
    And "~all" is just for testing, to make it pass google & co you need to "turn it on" by using "-all"
     
    oxygen likes this.
  6. oxygen

    oxygen Member

    I installed https://blog.schaal-24.de/ispconfig/dkim-patch-1-0/
Now I should check "Enable DKIM" in each mail domain, then generate key, and add txt record (from DNS-Record window) to my external domain name provider ("v=DKIM1; t=s; p=code code code code") ?
     
  7. florian030

    florian030 Well-Known Member HowtoForge Supporter

SPF has nothing to do with DKIM. But to use DMARC you need DKIM and SPF.
If you want to sign mails with dkim, you must create a DKIM-Keypair for each domain and publish the public-key in the dns-zone. You must insert the full record shown in the interface and not just "v=DKIM1..."
    v=spf1 a mx ip4:my.ip ~all
    is my.ip not listed in your dns-zone as a-record?
    do you send mails from the server that points to the mx-record _and_ from _all_ ips with a A-record?
    usually, v=spf1 mx ~all is enough.
     
  8. oxygen

    oxygen Member

Understand, so I will add the full txt string:
    default._domainkey.mydomain.com. 3600 TXT v=DKIM1; t=s; p=MIGf..............................................................
And I will edit the SPF string, it will be v=spf1 mx ~all
    I'm right?
     
  9. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    yes, except it should be "-all" not "~all"
     
    oxygen likes this.
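To make the record discussion above concrete, here is an added example (not code from the thread, ISPConfig or the postfix_spf howto) that evaluates an SPF record the way a receiving MTA does, against a constructed stand-in for DNS instead of real lookups. The domain names and addresses (example.com, 203.0.113.x, 198.51.100.x) are assumptions for illustration; only the a, mx, ip4 and all mechanisms are modelled, and include/exists/redirect are reported as unsupported rather than silently ignored. It shows the difference between "~all" (softfail) and "-all" (fail) that ztk.me and florian030 are arguing about, and why "v=spf1 mx -all" is enough when the only sending host is the one behind the MX record.

```python
import ipaddress

# Constructed stand-in for DNS (assumption): a real check would resolve these names.
DNS = {
    "example.com": {
        "A": ["203.0.113.10"],        # the web host, which does not send mail
        "MX": ["mail.example.com"],
        "TXT": ["v=spf1 mx -all"],    # the record florian030 suggests
    },
    "mail.example.com": {"A": ["203.0.113.20"]},   # the ISPConfig mail server
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of one type for a name from the stand-in zone data."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def check_spf(sender_ip, domain, record=None):
    """Evaluate SPF for a connection from sender_ip claiming MAIL FROM @domain.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    If record is None the TXT record of domain is taken from the stand-in DNS.
    """
    ip = ipaddress.ip_address(sender_ip)
    if record is None:
        txts = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
        if not txts:
            return "none"          # no SPF published: receivers cannot judge the sender
        if len(txts) > 1:
            return "permerror"     # RFC 7208: more than one v=spf1 record is an error
        record = txts[0]

    for term in record.split()[1:]:        # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # ip_network('203.0.113.5') is a /32, so bare addresses work as well as CIDRs;
            # an IPv6 sender is never inside an IPv4 network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(ip) in lookup(host, "A") for host in lookup(arg or domain, "MX"))
        else:
            return "permerror"     # include/exists/redirect are not modelled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # no mechanism matched and no "all" term present


if __name__ == "__main__":
    print(check_spf("203.0.113.20", "example.com"))   # pass: it is the MX host
    print(check_spf("203.0.113.10", "example.com"))   # fail: web host, "-all"
    print(check_spf("203.0.113.10", "example.com", "v=spf1 a mx ~all"))  # pass via "a"
```

The two "all" qualifiers only decide what happens to senders that no earlier mechanism matched: with "~all" an unknown host gets softfail, which most receivers treat as a hint rather than a reason to reject, while "-all" produces fail. The "a" mechanism in the original "v=spf1 a mx ip4:my.ip ~all" record is the point florian030 raises: it authorises every host with an A record for the domain, including ones that never send mail.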
  10. oxygen

    oxygen Member

    Thank You guys, will try it.
     
  11. oxygen

    oxygen Member

    Hi guys, now situation is next:
ISPConfig- Server Config- Mail- DKIM strength- strong (4096);
    Each mail domain- checked Enable DKIM, generated keys;
    DNS Records from interface are copied to my external domain name provider, they sent screenshots to me:


    i sent email to test server, i got:
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: temperror
    Sender-ID check: pass
    SpamAssassin check: ham

    ...

    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    Result: temperror (error retrieving key record: IOException, status = StatusDnsQueryFailed)
    ID(s) verified:
    Canonicalized Headers:

    ...

    DNS record(s):
    default._domainkey.MYDOMAIN.lt. TXT (StatusDnsQueryFailed)

From another online tester I got:
    DKIM Record for default._domainkey.MYDOMAIN.com

    This is not a good DKIM key record. You should fix the errors shown in red.

    DNS query failed for 'default._domainkey.MYDOMAIN.com':SERVFAIL

    A public-key (p=) is required
     
    Last edited: Mar 21, 2016
  12. florian030

    florian030 Well-Known Member HowtoForge Supporter

    You should discuss this with your domain provider. The result from http://dkimcore.org/c/keycheck is:
    DNS query failed for 'default...':SERVFAIL
    A public-key (p=) is required
     
  13. oxygen

    oxygen Member

    ... and they do not know where is my problem ..
     
  14. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

some DNS servers need quotes for TXT records, some don't, try deleting the "
a rare case can be: text is too long, then you need multiple TXT fields but... haven't come across those issues to give a solution to that.
     
    oxygen likes this.
  15. oxygen

    oxygen Member

    Last edit. We tried 2048 bits- i found something like "too long" in test results. Then i did 1024- DKIM test is pass!!!
    as i found here:
    https://support.google.com/mail/answer/81126
    1024 is ok with gmail, so should i keep it as is?

Next question- DMARC.
    Should i just put
    _dmarc.MYDOMAIN.com. IN TXT "v=DMARC1; p=none"
    to my domain server?
     
    Last edited: Mar 21, 2016
  16. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

p=none basically eliminates the usage of dmarc.
    Use either quarantine or reject.
     
  17. oxygen

    oxygen Member

    now i did

    dmarc.mydomain.com IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]"

    I will check reports, and later i will put reject.
     
  18. florian030

    florian030 Well-Known Member HowtoForge Supporter

If they do not support longer TXT-Records to cover 4096er dkim-keys, they should fix this ASAP. ;)
     
    oxygen likes this.
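The "too long" failure that oxygen hit with 2048- and 4096-bit keys (posts 14, 15 and 18) has a specific cause: a single DNS character-string holds at most 255 octets, so a longer TXT value has to be published as several quoted strings in one record, which verifiers concatenate before parsing. The following is an added example, not ISPConfig's, the dkim-patch's or dkimcore.org's code; it builds the TXT value a panel like ISPConfig displays from a DER-encoded public key, splits it into 255-byte strings for a BIND-style zone line, reverses that splitting as a verifier would, and runs the "p= is required" check the online tester applied. The key bytes are constructed placeholders whose lengths match the SubjectPublicKeyInfo DER size of 1024-, 2048- and 4096-bit RSA keys (162, 294 and 550 bytes); they are not real keys and would not verify a signature.

```python
import base64
import re

MAX_STRING = 255   # one DNS <character-string> is at most 255 octets (RFC 1035)

# Constructed placeholders (assumption): same byte lengths as real SPKI DER for each key size,
# so the resulting TXT values have realistic lengths (216, 392 and 736 base64 characters).
KEY_1024 = (bytes(range(256)) * 3)[:162]
KEY_2048 = (bytes(range(256)) * 3)[:294]
KEY_4096 = (bytes(range(256)) * 3)[:550]


def dkim_txt_value(spki_der, flags="s"):
    """Build the TXT value shown in the ISPConfig DNS-Record window: v=DKIM1; k=rsa; t=s; p=<base64>."""
    p = base64.b64encode(spki_der).decode("ascii")
    return f"v=DKIM1; k=rsa; t={flags}; p={p}"


def split_txt(value):
    """Cut the value into pieces that each fit a single character-string."""
    return [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]


def zone_line(selector, domain, value, ttl=3600):
    """BIND-style record line; several quoted strings in one record are concatenated by the reader."""
    quoted = " ".join(f'"{chunk}"' for chunk in split_txt(value))
    return f"{selector}._domainkey.{domain}. {ttl} IN TXT ( {quoted} )"


def join_txt_strings(rdata):
    """What a DKIM verifier does with the RRset: join all quoted strings without any separator."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def parse_dkim(txt):
    """Split 'tag=value; tag=value' into a dict; whitespace inside values (e.g. a wrapped p=) is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = "".join(value.split())
    return tags


def check_dkim_record(txt):
    """Return a list of problems; an empty list means the record is structurally usable."""
    problems = []
    tags = parse_dkim(txt)
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is handled here")
    if "p" not in tags:
        problems.append("A public-key (p=) is required")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)   # binascii.Error is a ValueError
        except ValueError:
            problems.append("p= is not valid base64")
    return problems


if __name__ == "__main__":
    for bits, key in ((1024, KEY_1024), (2048, KEY_2048), (4096, KEY_4096)):
        value = dkim_txt_value(key)
        print(f"{bits}-bit: {len(value)} chars -> {len(split_txt(value))} TXT string(s)")
    print(zone_line("default", "example.com", dkim_txt_value(KEY_1024)))
```

With a 1024-bit key the whole value is 239 characters and fits one string, which is why oxygen's test only passed at that size; 2048 needs two strings and 4096 three. Whether you type the quotes yourself depends on the provider's panel, as ztk.me notes: a zone-file editor wants the quoted form above, while many web forms expect just the unquoted value and split it (or refuse it) internally. The record name stays default._domainkey.<domain> in every case.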
  19. florian030

    florian030 Well-Known Member HowtoForge Supporter

Do you think that DMARC is really useful? Personally, I like the idea behind DMARC. But a DMARC test passes if DKIM or SPF is valid.
If you set "p=none" this does not eliminate anything. The main purpose for DMARC is getting reports (btw: I use the services at https://dmarcian.com/ to receive and analyze the reports).
     
  20. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Depends, most of the times I'd say no - because the reports the average person gets will go to trash, unread, 99% of the times.
    DKIM and SPF is good enough. I don't think increasing the amount of mails handled will help much reducing spam or work time needed to manage systems.
    Using external tools analyzing your mail flow ... well I don't really like the idea handing details out to 3rd party - so one has to operate his/her own analyzing tools ... and asking him/herself - what for.
    Do I miss something important about DMARC reports / why they are really useful and one is basically forced to implement it?
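The disagreement in the last few posts comes down to what a receiver actually does with a DMARC record, so here is an added example (not code from the thread, ISPConfig or dmarcian) that evaluates DMARC for one message the way a receiving MTA does: the message passes if either an aligned SPF pass or an aligned DKIM pass exists, and only when it fails is the p= policy applied. "p=none" therefore means "deliver anyway, but send me reports", not that the record is ignored. Receivers look the record up at _dmarc.<From-header domain>, which the helper below derives. The domains and the organizational-domain rule are assumptions: the example takes the last two labels as the organizational domain, whereas real evaluators use the Public Suffix List.

```python
def dmarc_query_name(from_domain):
    """Name a receiver queries for the policy of the RFC5322.From domain."""
    return "_dmarc." + from_domain.lower().rstrip(".")


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=none; rua=mailto:...' into a tag dict; v= and p= are mandatory."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: v=DMARC1 and p=none|quarantine|reject required")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(from_domain, dmarc_txt, spf_result, spf_domain, dkim_results):
    """Return (dmarc_pass, disposition) for one message.

    spf_result/spf_domain: SPF outcome and the MAIL FROM domain it was checked for.
    dkim_results: list of (result, d=) pairs, one per verified DKIM signature.
    disposition is 'none' (deliver) on pass, otherwise the p= value of the record.
    """
    tags = parse_dmarc(dmarc_txt)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim) for res, d in dkim_results)
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]


if __name__ == "__main__":
    monitor = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    enforce = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    print(dmarc_query_name("example.com"))
    # SPF softfail, unsigned: with p=none the mail is still delivered, with p=reject it is not
    print(evaluate_dmarc("example.com", monitor, "softfail", "example.com", []))
    print(evaluate_dmarc("example.com", enforce, "softfail", "example.com", []))
    # DKIM pass from the ISPConfig server signing as d=example.com rescues a failed SPF
    print(evaluate_dmarc("example.com", enforce, "fail", "example.com", [("pass", "example.com")]))
```

Two things the code makes visible: SPF "softfail" from a "~all" record is not a pass for DMARC purposes, so once you publish p=reject a forwarded or misconfigured message survives only if its DKIM signature still verifies; and alignment is checked per identifier, so an SPF pass for a bounce domain on another organizational domain (a mailing-list or third-party sender) does not count, which is exactly what the rua reports are there to reveal before switching from p=none to quarantine or reject.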
     
