
Thread: installing opendkim, make permanent changes on /opt/zimbra/postfix/conf/main.cf


  1. #1
    Join Date
    Nov 2007
    Posts
    25
    Rep Power
    8


    Hello, I'm going to configure opendkim on my Zimbra server for the Hotmail junk issue.

    In order to make opendkim work properly on the Zimbra server I have to add these lines to the /opt/zimbra/postfix/conf/main.cf file, as described:

    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891
    milter_default_action = accept

    But after a postfix reload all the changes are gone. How do I make these records permanent?

    zmcontrol -v
    Release 7.1.3_GA_3346.RHEL5_64_20110928134520 CentOS5_64 FOSS edition.
    opendkim-2.4.2-5.el5.x86_64
    $zmcontrol -v
    Release 8.0.5_GA_5839.RHEL6_64_20130910123908 RHEL6_64 FOSS edition.

  2. #2

    vavai, thank you for your reply.
    Do you have any working manual for adapting opendkim to Zimbra 7.x?

  3. #3

    vavai, thanks in advance, I will try your manual and inform you.
    I am new to DKIM (opendkim); all these configurations are for the Hotmail (Gmail) junk issue.

  4. #4

    vavai, all configured on CentOS 5.7 x64, but opendkim is not signing outgoing messages. Do I have to change the native milter port on Zimbra?

  5. #5

    Because of my OS platform (CentOS 5.7 x64) I used 2 manuals:
    yours and this one: How to get DKIM (DomainKeys Identified Mail) working with Postfix on RHEL 5 / CentOS 5 using OpenDKIM | Steve Jenkins' Blog

    Here are my confs:

    cat /opt/zimbra/postfix/conf/master.cf.in
    #
    # Postfix master process configuration file. For details on the format
    # of the file, see the Postfix master(5) manual page.
    #
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    smtp inet n - n - - smtpd
    465 inet n - n - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    submission inet n - n - - smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
    pickup fifo n - n 60 1 pickup
    cleanup unix n - n - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    tlsmgr unix - - n 1000? 1 tlsmgr
    rewrite unix - - n - - trivial-rewrite
    bounce unix - - n - 0 bounce
    defer unix - - n - 0 bounce
    trace unix - - n - 0 bounce
    verify unix - - n - 1 verify
    flush unix n - n 1000? 0 flush
    proxymap unix - - n - - proxymap
    smtp unix - - n - - smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay unix - - n - - smtp
    -o fallback_relay=
    showq unix n - n - - showq
    error unix - - n - - error
    retry unix - - n - - error
    discard unix - - n - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - n - - lmtp
    anvil unix - - n - 1 anvil
    scache unix - - n - 1 scache
    %%uncomment LOCAL:postfix_enable_smtpd_policyd%%policy unix - n n - 0 spawn
    %%uncomment LOCAL:postfix_enable_smtpd_policyd%% user=zimbra argv=/usr/bin/perl /opt/zimbra/libexec/zmpostfixpolicyd
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent. See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    #
    # The Cyrus deliver program has changed incompatibly, multiple times.
    #
    old-cyrus unix - n n - - pipe
    flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    cyrus unix - n n - - pipe
    user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
    flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
    #
    # AMAVISD-NEW
    #
    smtp-amavis unix - - n - 10 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o virtual_mailbox_maps=
    -o virtual_alias_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_milters=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8,[::1]/128
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
    -o milter_default_action=accept
    -o smtpd_milters=inet:localhost:8891
    -o non_smtpd_milters=inet:localhost:8891
    -o disable_mime_output_conversion=yes


    cat /etc/opendkim.conf
    ## BASIC OPENDKIM CONFIGURATION FILE
    ## See opendkim.conf(5) or /usr/share/doc/opendkim-2.4.2/opendkim.conf.sample for more

    ## BEFORE running OpenDKIM you must:

    ## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
    ## - generate keys for your domain (if signing)
    ## - edit your DNS records to publish your public keys (if signing)

    ## See /usr/share/doc/opendkim-2.4.2/INSTALL for detailed instructions.

    ## CONFIGURATION OPTIONS

    # Specifies the path to the process ID file.
    PidFile /var/run/opendkim/opendkim.pid

    # Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
    Mode sv

    # Log activity to the system log.
    Syslog yes

    # Log additional entries indicating successful signing or verification of messages.
    SyslogSuccess yes

    # If logging is enabled, include detailed logging about why or why not a message was
    # signed or verified. This causes an increase in the amount of log data generated
    # for each message, so set this to No (or comment it out) if it gets too noisy.
    LogWhy yes

    # Attempt to become the specified user before starting operations.
    UserID opendkim:opendkim

    # Create a socket through which your MTA can communicate.
    Socket inet:8891@localhost

    # Required to use local socket with MTAs that access the socket as a non-
    # privileged user (e.g. Postfix)
    Umask 002

    # This specifies a text file in which to store DKIM transaction statistics.
    #Statistics /var/spool/opendkim/stats.dat

    ## SIGNING OPTIONS

    # Selects the canonicalization method(s) to be used when signing messages.
    Canonicalization relaxed/simple

    # Domain(s) whose mail should be signed by this filter. Mail from other domains will
    # be verified rather than being signed. Uncomment and use your domain name.
    # This parameter is not required if a SigningTable is in use.
    #Domain aroma-polifarma.com

    # Defines the name of the selector to be used when signing messages.
    Selector default

    # Gives the location of a private key to be used for signing ALL messages.
    #KeyFile /etc/opendkim/keys/default.private

    # Gives the location of a file mapping key names to signing keys. In simple terms,
    # this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
    # setting in the configuration file.
    KeyTable refile:/etc/opendkim/KeyTable

    # Defines a table used to select one or more signatures to apply to a message based
    # on the address found in the From: header field. In simple terms, this tells
    # OpenDKIM how to use your keys.
    SigningTable refile:/etc/opendkim/SigningTable

    # Identifies a set of "external" hosts that may send mail through the server as one
    # of the signing domains without credentials as such.
    ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

    # Identifies a set internal hosts whose mail should be signed rather than verified.
    InternalHosts refile:/etc/opendkim/TrustedHosts
    #InternalHosts 10.0.0.0/24,10.2.0.0/24,127.0.0.1

    sendmail.net Sender Authentication Auto-Responder $Revision: 1.19 $

    This service runs at <sa-test@sendmail.net> and allows remote users
    to perform a simple, automated test to see if different Sender
    Authentication schemes are working. Mail sent to this service
    is checked by our Sender Authentication filters for any valid
    credentials or signatures. A script receives the message, checks
    for a special header with the results of the tests, and composes
    this response message based on what it finds. This response is also
    signed with DomainKeys and DomainKeys Identified Mail (DKIM).

    Please note that the DKIM filter signing this reply message conforms
    to the latest IETF draft version, and thus may not be successfully
    verified by older implementations. If you are using dkim-filter from
    Sendmail, Inc., upgrade to at least version 1.0.0 to be compatible
    with the most recent version of DKIM.

    We hope this service has been helpful to you.

    Authentication System: DomainKeys Identified Mail
    Result: (no result present)
    Reporting host:
    More information: Domain Keys Identified Mail (DKIM)
    Sendmail milter: https://sourceforge.net/projects/dkim-milter/

    Authentication System: Domain Keys
    Result: (no result present)
    Reporting host:
    More information: DomainKey Library and Implementor's Tools
    Sendmail milter: https://sourceforge.net/projects/domainkeys-milter/

    Authentication System: Sender ID
    Result: SID data confirmed GOOD
    Description: Sending host is authorized for sending domain
    Reporting host: sendmail.net
    More information: Sender ID Home Page
    Sendmail milter: https://sourceforge.net/projects/sid-milter/

    Authentication System: Sender Permitted From (SPF)
    Result: SPF data confirmed GOOD
    Description: Sending host is authorized for sending domain
    Reporting host: sendmail.net
    More information: SPF: Project Overview

  7. #7
    Join Date
    Dec 2011
    Posts
    2
    Rep Power
    3


    Removing "r=" won't make a difference. It's not used when signing, and verifiers are supposed to ignore tags they don't understand. "r=" is an experimental extension that opendkim does support.

    The replies from the sendmail.net autoresponder suggest Zimbra isn't adding signatures. This is typically caused by either a configuration problem with opendkim (where it has not been properly instructed about how or when to sign mail) or a communication problem between opendkim and Zimbra.

    I would suggest enabling opendkim's LogWhy option, which will reveal the logic it's applying when looking at messages to decide on signing vs. verifying. Then you can see why it isn't signing.

  8. #8

    You might also want to confirm that there are no iptables or other packet filter rules in place that prevent Zimbra and opendkim from communicating over TCP port 8891.
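
The two causes named in post #7 (opendkim not told how or when to sign, or opendkim and Postfix not talking to each other) and the port check from post #8 can be tested against the two configuration files. The following is an added example, not part of the thread: SAMPLE_CONF is constructed from the settings quoted above, and all function names are hypothetical.

```python
import socket

# Constructed sample modelled on the settings quoted in the thread (not the poster's file).
SAMPLE_CONF = """\
Mode          sv
LogWhy        yes
Socket        inet:8891@localhost
#Domain       example.com
KeyTable      refile:/etc/opendkim/KeyTable
SigningTable  refile:/etc/opendkim/SigningTable
"""
LOOPBACK = {"localhost", "127.0.0.1"}

def parse_opendkim_conf(text):
    """Return {setting: value} for active lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def opendkim_endpoint(spec):
    """OpenDKIM writes a TCP socket as inet:port@host."""
    kind, _, rest = spec.partition(":")
    if kind != "inet":
        return None  # local:/unix: sockets have no TCP endpoint
    port, _, host = rest.partition("@")
    return (host, int(port))

def postfix_endpoint(spec):
    """Postfix writes the same endpoint as inet:host:port."""
    kind, _, rest = spec.partition(":")
    if kind != "inet":
        return None
    host, _, port = rest.rpartition(":")
    return (host, int(port))

def same_endpoint(ours, theirs):
    # An empty OpenDKIM host means "listen on every interface".
    same_host = not ours[0] or ours[0] == theirs[0] or {ours[0], theirs[0]} <= LOOPBACK
    return same_host and ours[1] == theirs[1]

def check(conf_text, smtpd_milters):
    """Return a list of findings; an empty list means the two sides line up."""
    conf = parse_opendkim_conf(conf_text)
    findings = []
    mode = conf.get("mode")
    if mode is not None and "s" not in mode:
        findings.append("Mode has no 's': the filter will only verify")
    if not ({"keytable", "signingtable"} <= conf.keys()
            or {"domain", "keyfile"} <= conf.keys()):
        findings.append("no KeyTable+SigningTable or Domain+KeyFile pair is active")
    ours = opendkim_endpoint(conf.get("socket", ""))
    theirs = [postfix_endpoint(m) for m in smtpd_milters.replace(",", " ").split()]
    if ours is None:
        findings.append("Socket is not an inet: socket")
    elif not any(t and same_endpoint(ours, t) for t in theirs):
        findings.append(f"milters {smtpd_milters!r} do not point at Socket {conf['socket']!r}")
    return findings

def milter_reachable(host, port, timeout=2.0):
    """True if a TCP connection to the milter port succeeds (the check from post #8)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `check()` with the text of /etc/opendkim.conf and the `smtpd_milters` value Postfix is actually using after a reload, then `milter_reachable("localhost", 8891)` from the mail server itself.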
