Buen dia.
No logro que OpenDKIM me firme los correos, es algo raro y que me frustra porque antes de que formatear el server lo tenia funcionando sin problema alguno :S...
El servicio se levanta sin problema, checando con mtoolbox el DKIM Record, aparece como bueno, pero *al momento de enviar un correo* no lo firma :'(, recibo el correo con todas las cabeceras menos la de "DKIM".
A ver si alguien puede ayudarme a ver el error que evidentemente no estoy tomando en cuenta :D
OJO... mi servidor tiene un dominio "midominio.com", pero este mantiene buzones y sirve de smtp a otros dominios como: "empresa1.com", "empresa2.com", etc... por lo cual mi interes es solamente usar una unica firma para todos los correos salientes.
Cuando los correos salen (por ejemplo) les cuelgo el dato de "mail.midominio.com" y este concuerda con el MTA, de modo que el rDNS está asociado con "mail.midominio.com"; con eso el SPF me da "pass", aunque el que se autentifique al SMTP tenga un correo como "usuario@empresa2.com". (Nota: ese "pass" no viene del rDNS. SPF se evalúa contra el dominio del remitente del sobre —MAIL FROM—, es decir empresa2.com cuando envía usuario@empresa2.com, y sólo pasa si el registro SPF de empresa2.com autoriza la IP de mail.midominio.com. El HELO/rDNS correcto ayuda a la reputación y al SPF del HELO, pero no sustituye el registro SPF de cada dominio cliente; si falta, ese correo depende únicamente de DKIM.)
Les paso mi config...
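# shell# cat /etc/opendkim/opendkim.conf
# (the stray "catwc /etc/opendkim.conf" token in the paste is not a directive;
#  if it is really present in the file, OpenDKIM rejects it as an unknown
#  setting -- run "opendkim -n -x /etc/opendkim/opendkim.conf" to check.)
PidFile                 /var/run/opendkim/opendkim.pid
# sv = sign mail that comes from InternalHosts, verify everything else.
# A message that is neither (client not internal, no DKIM-Signature present)
# is logged as "no signature data" at end-of-message.
Mode                    sv
Syslog                  yes
SyslogSuccess           yes
# LogWhy makes OpenDKIM log *why* it declined to sign ("not internal",
# "no signing table match for ...") -- that line appears in maillog just
# before "no signature data" and names the failing lookup.
LogWhy                  yes
UserID                  opendkim:opendkim
# port@host is OpenDKIM's own Socket syntax; on the Postfix side
# (smtpd_milters / non_smtpd_milters) the form is inet:host:port.
Socket                  inet:8891@localhost
Umask                   022
SendReports             yes
SoftwareHeader          yes
Canonicalization        relaxed/relaxed
# Smallest key the filter accepts. 1024 bits is the RFC 6376 floor; 2048 is the
# current recommendation for newly generated signing keys.
MinimumKeyBits          1024
KeyTable                /etc/opendkim/KeyTable
# refile: = regular-expression patterns keyed on the sender. Its contents were
# not shown; "no signature data" is consistent with no pattern here matching
# senders such as usuario@empresa2.com.
SigningTable            refile:/etc/opendkim/SigningTable
# Hosts whose mail is *signed* instead of verified. It must cover the address
# OpenDKIM sees on the pass that is meant to sign (the amavis re-injection on
# 127.0.0.1:10025 in this setup); a SASL client authenticating from an outside
# IP is not in this list, so its first, direct pass is treated as external.
InternalHosts           refile:/etc/opendkim/TrustedHosts
OversignHeaders         From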
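# shell# cat /etc/opendkim/KeyTable
#
# Format: <selector>._domainkey.<domain>   <domain>:<selector>:<private key path>
# The second field is ONE colon-separated token. The paste shows a space after
# "midominio.com:"; if that space is really in the file the entry does not
# parse and no signing key is ever loaded ("opendkim -n" reports table errors
# without starting the daemon).
default._domainkey.midominio.com  midominio.com:default:/etc/opendkim/keys/midominiocom/default.private
#
# The private key must be readable only by the UserID from opendkim.conf
# (owner opendkim, mode 0600): a world-readable key lets any local account
# produce mail validly signed as d=midominio.com.
#
# Using this single entry for empresa1.com / empresa2.com yields signatures
# with d=midominio.com, which do not align with the From: domain for DMARC.
# If each client domain must pass DMARC on its own, add one entry per domain
# and publish that selector in the client's DNS, e.g.
#   default._domainkey.empresa1.com  empresa1.com:default:/etc/opendkim/keys/empresa1com/default.private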
*shell# cat /etc/opendkim/keys/midominiocom/default.txt*
default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIG.........QAB" )  ; ----- DKIM key default for midominiocom
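# shell# cat /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = mail.midominio.com, localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

# ---- virtual domains / mailboxes (ISPConfig-style MySQL maps) ----
virtual_alias_domains =
virtual_alias_maps = hash:/etc/mailman/virtual-mailman,
    proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
transport_maps = hash:/var/lib/mailman/data/transport-mailman,
    proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
# (paste had "mysql:/etc/postfix/ mysql-..." with a wrapped space; a map path
#  cannot contain a space, so it is joined here.)
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
    $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
    $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
    $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks

# ---- SASL ----
# smtpd_sasl_auth_enable here applies to EVERY smtpd, port 25 included.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
# Only announce AUTH inside a TLS session: with security_level "may" and no
# auth_only, PLAIN/LOGIN passwords could be sent in clear text on 25 and 587.
smtpd_tls_auth_only = yes

# ---- TLS ----
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2,!SSLv3

# ---- restrictions ----
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,reject_rhsbl_sender dbl.spamhaus.org
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
# Rate limit is per client IP (anvil), not per SASL login; a compromised
# account sending from many IPs is not throttled by this.
smtpd_client_message_rate_limit = 100
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1

myhostname = mail.midominio.com
mynetworks = 127.0.0.0/8 [::1]/128
relayhost =
mailbox_size_limit = 0
# 0 = no limit on message size; any authenticated client (or anyone on port 25
# to a local recipient) can push arbitrarily large messages through amavis.
message_size_limit = 0

# ---- content filter (amavis) ----
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

# ---- milters (OpenDKIM on 8891, second milter on 8893) ----
# Postfix's parameter is smtpd_milters (plural). The original "smtpd_milter"
# is an unknown name: Postfix logs it as "unused parameter" and ignores it,
# so mail received over SMTP (including SASL submissions and the amavis
# re-injection) never reached the milters. The address form is inet:host:port;
# port@host is OpenDKIM's Socket syntax, not Postfix's.
smtpd_milters = inet:localhost:8891, inet:localhost:8893
non_smtpd_milters = inet:localhost:8891, inet:localhost:8893
# accept = if OpenDKIM is down the message leaves unsigned and nothing fails
# loudly; use tempfail if an unsigned message is worse than a delayed one.
milter_default_action = accept
milter_protocol = 2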
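# shell# cat /etc/postfix/master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
# Port 25 inherits smtpd_sasl_auth_enable=yes from main.cf, so AUTH is offered
# here too; unless main.cf sets smtpd_tls_auth_only, PLAIN/LOGIN credentials
# can be sent over a plaintext session on this port.
smtp      inet  n       -       n       -       -       smtpd
# Submission: require STARTTLS and only offer AUTH inside TLS, so SASL
# passwords never cross the network in clear (the original offered AUTH on a
# plaintext session because main.cf has smtpd_tls_security_level = may).
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} ${extension} ${recipient} ${user} ${nexthop} ${sender}
dovecot   unix  -       n       n       -       -       pipe
  flags=DROhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
# Hand-off to amavis (content_filter in main.cf).
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
# Re-injection from amavis. smtpd_milters is not overridden here, so OpenDKIM
# sees every message a second time -- inbound mail included. Which client
# address it sees on this pass (127.0.0.1, or the original client if amavis
# forwards it via XFORWARD) decides whether InternalHosts matches and the
# message is signed; a catch-all SigningTable rule (*@*) would then sign mail
# received from the Internet. Keep the SigningTable limited to hosted domains.
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks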
Saludos !
Bueno.
Ya vi un poco de avance :D...
He cambiado las variables de
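# ANTES (as posted; kept for reference)
smtpd_milter = inet:8891@localhost, inet:8893@localhost
non_smtpd_milters = inet:8891@localhost, inet:8893@localhost
milter_default_action = accept
milter_protocol = 2

# DESPUES
# Postfix's parameter is smtpd_milters (plural). A misspelled name is logged as
# "unused parameter" and ignored, so SMTP-received mail bypasses both milters.
# The address form is inet:host:port (port@host is OpenDKIM's own Socket form).
# "127.0.01" in the posted version is missing a dot -- some resolvers accept the
# three-part form, others do not; write the full address.
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
# accept = deliver unsigned when OpenDKIM is unreachable, silently; use
# tempfail if an unsigned message is worse than a delayed one.
milter_default_action = accept
milter_protocol = 2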
Pero *continua sin firmar*, recibo el error siguiente en el log "maillog".
*opendkim[28917]: 5AB242A06B5: no signature data*
Supongo que será porque no encuentra el "default.private" para firmar, ¿o por qué será? (Nota: "no signature data" lo registra OpenDKIM al final del mensaje cuando no se creó ninguna petición de firma ni había firma que verificar; una clave privada ausente o ilegible produce un error distinto, al cargar la KeyTable. Las causas habituales son que el host que conecta no esté en InternalHosts —un cliente autenticado desde una IP externa no lo está, y sólo la reinyección desde amavis por 127.0.0.1 lo estaría— o que ninguna entrada de la SigningTable coincida con el remitente, por ejemplo usuario@empresa2.com. Con "LogWhy yes" el motivo concreto debería aparecer en maillog justo antes de esa línea.)
Como les platiqué anteriormente, mi idea es firmar todo el correo saliente con el mismo "default.private", ya que los clientes que se autentifican al SMTP tienen cuenta de confianza, no usan el servidor para "enviar spam/publicidad" y además "fail2ban" banea las IPs tras 5 intentos fallidos de conexión al SMTP. (Nota: fail2ban frena la fuerza bruta, pero no protege contra credenciales robadas de un cliente. Con una única clave, el spam enviado desde una cuenta comprometida de empresa2.com saldría firmado con d=midominio.com y dañaría la reputación de ese dominio para todos los clientes a la vez; convendría además vigilar el volumen por usuario autenticado, porque smtpd_client_message_rate_limit limita por IP de cliente, no por cuenta SASL.)
¿Es posible firmar los correos con el mismo "default.private"? Obviamente cada cliente tiene su propio dominio (empresa1.com, empresa2.com, etc.), el buzón existe en el servidor y actualmente se autentifica para enviar correos regularmente. (Nota: técnicamente sí: una regla en la SigningTable como `*@empresa1.com default._domainkey.midominio.com` firma con d=midominio.com y la firma valida, porque la clave pública está en el DNS de midominio.com. El coste es que d= no coincide con el dominio del From:, así que esos correos no quedan alineados por DKIM para el DMARC de empresa1.com; si ese dominio publica p=quarantine/p=reject y su SPF tampoco autoriza este servidor, los receptores que apliquen DMARC los rechazarán. Lo robusto es una clave por dominio cliente, con su selector publicado en el DNS de cada uno. Evita la regla comodín `*@*`: con OpenDKIM ejecutándose también en la reinyección de amavis (127.0.0.1:10025) firmaría además correo entrante.)
Saludos !