[SOLVED] Issue with DKIM outbound?

Discussion in 'Mail Gateway: Installation and configuration' started by killmasta93, Feb 11, 2019.

  1. killmasta93

    killmasta93 Member

    Joined:
    Aug 13, 2017
    Messages:
    324
    Likes Received:
    10
    Hi
    I was wondering if someone else has accomplished DKIM outbound on Proxmox. I was reading this tutorial:
    https://wiki.fws.fr/tuto/linux_divers/dkim_dmarc_onpmg

    But I could not get it working, as the opendkim-verifier does not install or exist, but the opendkim-signer is working
    Code:
    root@mail:~# service opendkim-signer status
    ● opendkim-signer.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter - signer
      Loaded: loaded (/etc/systemd/system/opendkim-signer.service; enabled; vendor preset: enabled)
      Active: active (running) since Fri 2019-02-01 21:17:55 -05; 2min 51s ago
        Docs: man:opendkim(8)
              man:opendkim.conf(5)
              man:opendkim-genkey(8)
              man:opendkim-genzone(8)
              man:opendkim-testadsp(8)
              man:opendkim-testkey
              http://www.opendkim.org/docs.html
    Main PID: 600 (opendkim)
       Tasks: 6 (limit: 4915)
      Memory: 3.2M (limit: 50.0M)
      CGroup: /system.slice/opendkim-signer.service
              └─600 /usr/sbin/opendkim -x /etc/opendkim/signer.conf
    
    I checked that postfix is in the opendkim group, which it is
    Code:
    root@mail:~# id postfix
    uid=111(postfix) gid=114(postfix) groups=114(postfix),116(opendkim),117(opendmarc)
    
    Any ideas how to troubleshoot this issue?

    Thank you
     
  2. adam.sage

    adam.sage New Member

    Joined:
    Feb 8, 2019
    Messages:
    26
    Likes Received:
    0
    There are a lot of problems with that howto. First one is what you saw there, they didn't make the file name correct. These 2 commands should fix it:

    mv /etc/opendkim/verifier /etc/opendkim/verifier.conf
    systemctl restart opendkim-verifier
     
  3. killmasta93

    killmasta93 Member

    Thanks for the reply. I tested it and you're right, so far so good, no errors. The only issue: I tried sending a test email to
    check-auth@verifier.port25.com

    I keep getting DKIM check none; not sure what I'm missing

    Thank you
     
  4. adam.sage

    adam.sage New Member

    Check your syslog. If I had to guess you will see permission errors about the .sock from opendkim-signer and opendkim-verifier.
     
  5. killmasta93

    killmasta93 Member

    Thanks for the reply, you're right, it's an issue with permissions. What permissions should I put?
    I think there is also an issue with DMARC, as now the emails don't want to go out; I'm guessing that's the issue.
    Here is the log:
    Code:
    Feb 12 19:20:50 ares systemd[1]: opendmarc.service: Start operation timed out. Terminating.
    Feb 12 19:20:55 ares opendmarc[28625]: OpenDMARC Filter: mi_stop=1
    Feb 12 19:20:55 ares opendmarc[28625]: OpenDMARC Filter v1.3.2 terminating with status 0, errno = 0
    Feb 12 19:20:55 ares systemd[1]: Failed to start OpenDMARC Milter.
    Feb 12 19:20:55 ares systemd[1]: opendmarc.service: Unit entered failed state.
    Feb 12 19:20:55 ares systemd[1]: opendmarc.service: Failed with result 'timeout'.
    Feb 12 19:20:55 ares systemd[1]: opendmarc.service: Service hold-off time over, scheduling restart.
    Feb 12 19:20:55 ares systemd[1]: Stopped OpenDMARC Milter.
    Feb 12 19:20:55 ares systemd[1]: Starting OpenDMARC Milter...
    Feb 12 19:20:55 ares opendmarc[28684]: OpenDMARC Filter v1.3.2 starting ()
    Feb 12 19:20:55 ares opendmarc[28684]: additional trusted authentication services: (none)
    Feb 12 19:20:57 ares postfix/smtpd[28698]: connect from hermes.casa.local[192.168.3.150]
    Feb 12 19:20:57 ares postfix/smtpd[28698]: warning: connect to Milter service unix:/var/run/opendkim/signer.sock: Permission denied
    Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: CONNECT from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
    Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: EHLO from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<mail.telsatco.com>
    Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: MAIL from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; from=<sistemas@telsatco.com> proto=ESMTP helo=<mail.telsatco.com>
    Feb 12 19:20:57 ares postfix/smtpd[28698]: disconnect from hermes.casa.local[192.168.3.150] ehlo=1 starttls=0/1 mail=0/1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=3/7
    Feb 12 19:21:32 ares pmgpolicy[991]: starting policy database maintainance (greylist, rbl)
    Feb 12 19:21:32 ares pmgpolicy[991]: end policy database maintainance (6 ms, 0 ms)
    
    
    Thank you
     
    #5 killmasta93, Feb 13, 2019
    Last edited: Feb 13, 2019
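
The failure in the log above can be picked out mechanically. The following is an added example, not part of the original posts: it scans syslog text for Postfix milter socket connection failures and collects the `milter-reject` responses issued by the same smtpd process. The sample lines are taken from the log in the post above; the function names are illustrative.

```python
import re

# Sample lines taken from the log in the post above.
SAMPLE_LOG = """\
Feb 12 19:20:57 ares postfix/smtpd[28698]: connect from hermes.casa.local[192.168.3.150]
Feb 12 19:20:57 ares postfix/smtpd[28698]: warning: connect to Milter service unix:/var/run/opendkim/signer.sock: Permission denied
Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: CONNECT from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: EHLO from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<mail.telsatco.com>
Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: MAIL from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; from=<sistemas@telsatco.com> proto=ESMTP helo=<mail.telsatco.com>
Feb 12 19:20:57 ares postfix/smtpd[28698]: disconnect from hermes.casa.local[192.168.3.150] ehlo=1 starttls=0/1 mail=0/1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=3/7
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
MILTER_FAIL = re.compile(r"warning: connect to Milter service (\S+): (.+)$")
MILTER_REJECT = re.compile(
    r"NOQUEUE: milter-reject: (\w+) from \S+?\[([^\]]+)\]: (\d{3}) ")


def triage(log_text):
    """Return one record per smtpd process that failed to reach a milter."""
    records = {}
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        fail = MILTER_FAIL.match(msg)
        if fail:
            # First sign of trouble: smtpd could not open the milter socket.
            records[pid] = {"socket": fail.group(1), "error": fail.group(2),
                            "client": None, "rejected": []}
            continue
        rej = MILTER_REJECT.match(msg)
        if rej and pid in records:
            # Every SMTP stage after the failed connect is answered with the
            # milter's default action, logged as milter-reject.
            stage, client, code = rej.groups()
            records[pid]["client"] = client
            records[pid]["rejected"].append((stage, code))
    return records


def summarize(records):
    """Render one human-readable line per affected smtpd process."""
    lines = []
    for pid, rec in sorted(records.items()):
        stages = ",".join(stage for stage, _ in rec["rejected"]) or "none"
        lines.append(f"smtpd[{pid}] {rec['socket']}: {rec['error']}; "
                     f"client {rec['client']} rejected at {stages}")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

"Permission denied" means the smtpd process could not open the socket: with `UMask 007` the socket is accessible only to its owner and group, and a process started before a `usermod` does not see the new group until it is restarted.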
  6. killmasta93

    killmasta93 Member

    EDIT:
    So I ran this: chown opendkim:opendkim default.private, which fixed that issue, but I still cannot get it signed, so I'm not sure what to look for. I sent an email to checkauth and checked the logs, but everything is fine

    Code:
    Feb 13 00:09:13 mail postfix/smtpd[2426]: connect from hermes.casa.local[192.168.3.150]
    Feb 13 00:09:13 mail postfix/smtpd[2426]: Anonymous TLS connection established from hermes.casa.local[192.168.3.150]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
    Feb 13 00:09:13 mail postfix/smtpd[2426]: 7D0DA80F9D: client=hermes.casa.local[192.168.3.150]
    Feb 13 00:09:13 mail postfix/cleanup[2429]: 7D0DA80F9D: message-id=<bb05fcf91f131f9bb48353e1aa691b4f43e0feaa.camel@mydomain>
    Feb 13 00:09:13 mail postfix/qmgr[2093]: 7D0DA80F9D: from=<sistemas@mydomain>, size=1351, nrcpt=1 (queue active)
    Feb 13 00:09:13 mail postfix/smtpd[2426]: disconnect from hermes.casa.local[192.168.3.150] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
    Feb 13 00:09:13 mail pmg-smtp-filter[760]: 2019/02/13-00:09:13 CONNECT TCP Peer: "[127.0.0.1]:33498" Local: "[127.0.0.1]:10023"
    Feb 13 00:09:13 mail pmg-smtp-filter[760]: 80F9F5C63A6799C0CA: new mail message-id=<bb05fcf91f131f9bb48353e1aa691b4f43e0feaa.camel@mydomain>
    Feb 13 00:09:13 mail postfix/smtpd[2434]: connect from localhost.localdomain[127.0.0.1]
    Feb 13 00:09:13 mail postfix/smtpd[2434]: A0EC68100F: client=localhost.localdomain[127.0.0.1], orig_client=hermes.casa.local[192.168.3.150]
    Feb 13 00:09:13 mail postfix/cleanup[2429]: A0EC68100F: message-id=<bb05fcf91f131f9bb48353e1aa691b4f43e0feaa.camel@mydomain>
    Feb 13 00:09:13 mail postfix/qmgr[2093]: A0EC68100F: from=<sistemas@mydomain>, size=1556, nrcpt=1 (queue active)
    Feb 13 00:09:13 mail pmg-smtp-filter[760]: 80F9F5C63A6799C0CA: accept mail to <check-auth2@verifier.port25.com> (A0EC68100F)
    Feb 13 00:09:13 mail postfix/smtpd[2434]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
    Feb 13 00:09:13 mail pmg-smtp-filter[760]: 80F9F5C63A6799C0CA: processing time: 0.12 seconds (0, 0.008)
    Feb 13 00:09:13 mail postfix/lmtp[2430]: 7D0DA80F9D: to=<check-auth2@verifier.port25.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.28, delays=0.08/0.01/0.04/0.15, dsn=2.5.0, status=sent (250 2.5.0 OK (80F9F5C63A6799C0CA))
    Feb 13 00:09:13 mail postfix/qmgr[2093]: 7D0DA80F9D: removed
    Feb 13 00:09:14 mail postfix/smtp[2435]: Untrusted TLS connection established to verifier.port25.com[34.209.113.130]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Feb 13 00:09:15 mail postfix/smtp[2435]: A0EC68100F: to=<check-auth2@verifier.port25.com>, relay=verifier.port25.com[34.209.113.130]:25, delay=1.8, delays=0.1/0.01/1.1/0.63, dsn=2.6.0, status=sent (250 2.6.0 message received)
    Feb 13 00:09:15 mail postfix/qmgr[2093]: A0EC68100F: removed

    The Port25 Solutions, Inc. team

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    "iprev" check: pass
    DKIM check: none
    SpamAssassin check: ham
     
  7. adam.sage

    adam.sage New Member

  8. killmasta93

    killmasta93 Member

    Thanks for the reply, it seems that the tutorial is not well described. My question is: would installing opendkim on Debian 9 be applicable to Proxmox? Because I installed it fairly easily on Ubuntu Server 14; not sure why this is such a hassle, as the tutorial says to disable opendkim and use opendkim-signer
     
  9. adam.sage

    adam.sage New Member

    It's linux, there are a million packages and a million ways to do one thing. Did you manage to get it working?
     
  10. killmasta93

    killmasta93 Member

    Thanks for the reply. I could not get it working the way the tutorial was; I'm trying another way with another tutorial
     
  11. adam.sage

    adam.sage New Member

    It works fine, you just have to make the modifications in the stackexchange link.
     
  12. killmasta93

    killmasta93 Member

    Well, I tried and tried but I'm not sure what I'm doing wrong. These are the steps I took.

    1) install
    Code:
     apt install opendkim opendkim-tools
    
    2)
    Code:
     mkdir /etc/opendkim
    3)
    Code:
    nano /etc/opendkim/verifier
    inside add this
    Code:
    Syslog yes
    LogResults yes
    LogWhy yes
    SyslogSuccess yes
    UMask 007
    Mode v
    AllowSHA1Only yes
    AlwaysAddARHeader yes
    Socket local:/var/run/opendkim/verifier.sock
    PidFile /var/run/opendkim/verifier.pid
    TrustAnchorFile /usr/share/dns/root.key
    UserID opendkim
    Background no
    Nameservers 192.168.3.253

    then
    4)
    Code:
    nano /etc/opendkim/signer.conf
    
    inside add this
    Code:
    Syslog yes
    LogResults yes
    LogWhy yes
    SyslogSuccess yes
    UMask 007
    KeyTable /etc/opendkim/keytable
    SigningTable /etc/opendkim/signingtable
    Mode s
    InternalHosts 0.0.0.0/0
    Socket local:/var/run/opendkim/signer.sock
    PidFile /var/run/opendkim/signer.pid
    TrustAnchorFile /usr/share/dns/root.key
    UserID opendkim
    Background no
    Nameservers 192.168.3.253
    then this
    5)
    Code:
    nano /etc/opendkim/signingtable
    
    then add this
    Code:
    # Add one line per domain you want to sign when email are being sent.
    # You can use different keys if needed
    # Or just use a wildcard to sign everything with the same key
    * default
    then
    6)
    Code:
    nano /etc/opendkim/keytable
    inside add this
    Code:
    default %:default:/etc/opendkim/keys/default/default.private
    
    7) run each line one by one
    Code:
    mkdir -p /etc/opendkim/keys/default
    chown opendkim /etc/opendkim/{keys,keys/default}
    chmod 700 /etc/opendkim/{keys,keys/default}
    opendkim-genkey -D /etc/opendkim/keys/default/ -s default
    
    8) then this
    Code:
    nano /etc/systemd/system/opendkim-signer.service
    add inside
    Code:
    [Unit]
    Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter - signer
    Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
    After=network.target nss-lookup.target
     
    [Service]
    Type=simple
    UMask=0007
    ExecStart=/usr/sbin/opendkim -x /etc/opendkim/signer.conf
    User=opendkim
    Group=opendkim
    MemoryLimit=50M
    PrivateTmp=yes
    PrivateDevices=yes
    ProtectSystem=full
    ProtectHome=yes
    NoNewPrivileges=yes
    Restart=on-failure
    ExecReload=/bin/kill -USR1 $MAINPID
     
    [Install]
    WantedBy=multi-user.target
    9)
    Code:
    nano /etc/systemd/system/opendkim-verifier.service
    add this inside
    Code:
    [Unit]
    Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter - verifier
    Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
    After=network.target nss-lookup.target
     
    [Service]
    Type=simple
    UMask=0007
    ExecStart=/usr/sbin/opendkim -x /etc/opendkim/verifier.conf
    User=opendkim
    Group=opendkim
    MemoryLimit=50M
    PrivateTmp=yes
    PrivateDevices=yes
    ProtectSystem=full
    ProtectHome=yes
    NoNewPrivileges=yes
    Restart=on-failure
    ExecReload=/bin/kill -USR1 $MAINPID
     
    [Install]
    WantedBy=multi-user.target
    10) then this
    Code:
    mv /etc/opendkim/verifier /etc/opendkim/verifier.conf
    11) give permissions
    Code:
    cd /etc/opendkim/keys/default
    chown opendkim:opendkim default.private
    12) reload everything
    Code:
    systemctl daemon-reload
    
    systemctl stop opendkim
    systemctl disable opendkim
    systemctl enable opendkim-signer
    systemctl start opendkim-signer
    systemctl enable opendkim-verifier
    systemctl start opendkim-verifier
    13) install opendmarc
    Code:
    apt install opendmarc
    
    14) then
    Code:
    nano /etc/opendmarc.conf
    inside add this and delete everything else in that conf
    Code:
    Background false
    IgnoreAuthenticatedClients true
    IgnoreHosts /etc/pmg/mynetworks
    PidFile /var/run/opendmarc/opendmarc.pid
    PublicSuffixList /usr/share/publicsuffix/
    Syslog true
    RejectFailures true
    UMask 007
    Socket local:/var/run/opendmarc/opendmarc.sock
    HistoryFile /var/run/opendmarc/history.dat
    15) give permissions and restart
    Code:
    usermod -a -G opendkim,opendmarc postfix
    systemctl enable opendmarc
    systemctl start opendmarc
    16) then create the templates run each line
    Code:
    mkdir /etc/pmg/templates
    cp -a /var/lib/pmg/templates/master.cf.in /etc/pmg/templates/
    
    17) then
    Code:
    nano /etc/pmg/templates/master.cf.in
    inside add these two lines
    Code:
    -o smtpd_milters=unix:/var/run/opendkim/signer.sock
    
    -o smtpd_milters=unix:/var/run/opendkim/verifier.sock,unix:/var/run/opendmarc/opendmarc.sock

    then reboot the machine

    but for some reason I cannot get the damn thing to sign with DKIM
     
  13. killmasta93

    killmasta93 Member

    EDIT: I had to reboot; now all is working
     
  14. killmasta93

    killmasta93 Member

    Edit 2: for some odd reason inbound emails are not working; I'm getting this error

    Code:
     dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
     
  15. Stoiko Ivanov

    Stoiko Ivanov Proxmox Staff Member
    Staff Member

    Joined:
    May 2, 2018
    Messages:
    679
    Likes Received:
    55
    seems `pmg-smtp-filter` is not running?
     
  16. adam.sage

    adam.sage New Member

    You also have to add:

    submission inet n - - - 100 smtpd
      -o content_filter=scan:127.0.0.1:10023
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_recipient_restrictions=reject_unknown_recipient_domain
      -o smtpd_sender_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_milters=unix:/var/run/opendkim/signer.sock

    smtps inet n - - - 100 smtpd
      -o content_filter=scan:127.0.0.1:10023
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_recipient_restrictions=reject_unknown_recipient_domain
      -o smtpd_sender_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_milters=unix:/var/run/opendkim/signer.sock

    Also, check syslog for any errors that will give you clues about what failed.
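
Which Postfix listeners actually hand mail to the signer can be read off the rendered master.cf. The following is an added example, not part of the original posts: it joins master.cf continuation lines and reports, for each smtpd service, the milter sockets set with `-o smtpd_milters=`. The sample config is constructed: the submission and smtps entries are shortened from the post above, and the 25 and 26 entries and all function names are assumptions.

```python
# Constructed sample of a rendered Postfix master.cf. The submission and smtps
# entries are shortened from the post above; the 25 and 26 entries are assumed.
SAMPLE_MASTER_CF = """\
# external port (assumed): verifier and DMARC milters
25 inet n - - - 100 smtpd
  -o content_filter=scan:127.0.0.1:10024
  -o smtpd_milters=unix:/var/run/opendkim/verifier.sock,unix:/var/run/opendmarc/opendmarc.sock

# internal port (assumed): no milter attached, so nothing is signed here
26 inet n - - - 100 smtpd
  -o content_filter=scan:127.0.0.1:10023

submission inet n - - - 100 smtpd
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=unix:/var/run/opendkim/signer.sock

smtps inet n - - - 100 smtpd
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_tls_wrappermode=yes
  -o smtpd_milters=unix:/var/run/opendkim/signer.sock
"""

SIGNER = "unix:/var/run/opendkim/signer.sock"


def logical_lines(text):
    """Join continuation lines (leading whitespace) onto their service entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no configuration
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def smtpd_milters(text):
    """Map each smtpd service to the milter sockets set in its -o overrides.

    An empty list means the service has no override and falls back to the
    smtpd_milters value in main.cf. The `-o { name = value }` form is not
    handled by this sketch.
    """
    result = {}
    for entry in logical_lines(text):
        fields = entry.split()
        # service type private unpriv chroot wakeup maxproc command [args]
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        milters, args = [], fields[8:]
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and value.startswith("smtpd_milters="):
                milters = [m for m in value.split("=", 1)[1].split(",") if m]
        result[fields[0]] = milters
    return result


def services_without(text, socket=SIGNER):
    """List smtpd services whose overrides do not include the given socket."""
    return [svc for svc, m in smtpd_milters(text).items() if socket not in m]
```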
     
  17. killmasta93

    killmasta93 Member

    Thanks for the reply. I rebooted and the mails started to come in, very odd.

    Quick question: how come I would need this config? Is it necessary?
     
  18. Stoiko Ivanov

    Stoiko Ivanov Proxmox Staff Member
    Staff Member

    haven't checked the tutorial in detail, but it seems like the writer wanted to have:
    * smtps (smtp with TLS directly not via STARTTLS) - a not-rfc-compliant (AFAIR), but quite often used configuration - on port 465
    * submission - the port where clients (like Thunderbird, or even servers) are connecting authenticated (providing username and password) - on port 587
    both seem configured to run as 'internal' ports (like port 26 in the default config) - which seems reasonable for 587, but I'm not so sure about 465

    Hope this helps!
     
    killmasta93 likes this.
  19. killmasta93

    killmasta93 Member

    Thanks for the reply. As for the previous tutorial, there were a few things missing; the above steps worked flawlessly. Hope this helps someone else. I had been trying to configure outbound for a while but finally got it with the above config
     
  20. killmasta93

    killmasta93 Member

    @Stoiko Ivanov quick question: every now and then I see the pmg-smtp-filter off, any ideas how come? I have to start it manually
    Code:
    root@mail:~# service pmg-smtp-filter status
    ● pmg-smtp-filter.service - Proxmox SMTP Filter Daemon
       Loaded: loaded (/lib/systemd/system/pmg-smtp-filter.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Wed 2019-02-20 05:01:05 -05; 17h ago
      Process: 20124 ExecStart=/usr/bin/pmg-smtp-filter (code=exited, status=0/SUCCESS)
     Main PID: 20148 (code=exited, status=110)
    
    Feb 20 04:57:44 mail pmg-smtp-filter[20167]: 810B45C6D249541245: accept mail to <info@mydomain.com> (D40B8810B9)
    Feb 20 04:57:45 mail pmg-smtp-filter[20167]: 810B45C6D249541245: processing time: 3.68 seconds (3.417, 0.12)
    Feb 20 04:58:45 mail pmg-smtp-filter[20148]: starting database maintainance
    Feb 20 04:58:45 mail pmg-smtp-filter[20148]: end database maintainance (45 ms)
    Feb 20 05:00:45 mail pmg-smtp-filter[20148]: starting database maintainance
    Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Main process exited, code=exited, status=110/n/a
    Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Killing process 20167 (pmg-smtp-filter) with signal SIGKILL.
    Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Killing process 20168 (pmg-smtp-filter) with signal SIGKILL.
    Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Unit entered failed state.
    Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Failed with result 'exit-code'.
    
     