[SOLVED] Issue with DKIM outbound?

killmasta93

Renowned Member
Aug 13, 2017
973
58
68
31
Hi
I was wondering if someone else has accomplished on DKIM outbound on proxmox. I was reading this tutorial
https://wiki.fws.fr/tuto/linux_divers/dkim_dmarc_onpmg

But would not get it working, as the opendkim-verifier does not install or exist but the opendkim-signer is working
Code:
oot@mail:~# service opendkim-signer status
● opendkim-signer.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter - signer
  Loaded: loaded (/etc/systemd/system/opendkim-signer.service; enabled; vendor preset: enabled)
  Active: active (running) since Fri 2019-02-01 21:17:55 -05; 2min 51s ago
    Docs: man:opendkim(8)
          man:opendkim.conf(5)
          man:opendkim-genkey(8)
          man:opendkim-genzone(8)
          man:opendkim-testadsp(8)
          man:opendkim-testkey
          http://www.opendkim.org/docs.html
Main PID: 600 (opendkim)
   Tasks: 6 (limit: 4915)
  Memory: 3.2M (limit: 50.0M)
  CGroup: /system.slice/opendkim-signer.service
          └─600 /usr/sbin/opendkim -x /etc/opendkim/signer.conf

i checked postfix was in the group of opendkim which it is
Code:
root@mail:~# id postfix
uid=111(postfix) gid=114(postfix) groups=114(postfix),116(opendkim),117(opendmarc)

any ideas how to troubleshoot this issue?

Thank you
 
There are a lot of problems with that howto. First one is what you saw there, they didn't make the file name correct. These 2 commands should fix it:

mv /etc/opendkim/verifier /etc/opendkim/verifier.conf
systemctl restart opendkim-verifier
 
Thanks for the reply, so i tested it and your write so far so good no error only issue i tried sending a test email to
check-auth@verifier.port25.com

i keep getting DKIM check none not sure what im missing

Thanks you
 
Check your syslog. If I had to guess you will see permission errors about the .sock from opendkim-signer and opendkim-verifier.
 
Thanks for the reply your right issue with permissions what permissions should i put?
I think there is also issue with DMARC, as now the emails dont want to go out im guessing thats the issue
here is the log
Code:
Feb 12 19:20:50 ares systemd[1]: opendmarc.service: Start operation timed out. Terminating.
Feb 12 19:20:55 ares opendmarc[28625]: OpenDMARC Filter: mi_stop=1
Feb 12 19:20:55 ares opendmarc[28625]: OpenDMARC Filter v1.3.2 terminating with status 0, errno = 0
Feb 12 19:20:55 ares systemd[1]: Failed to start OpenDMARC Milter.
Feb 12 19:20:55 ares systemd[1]: opendmarc.service: Unit entered failed state.
Feb 12 19:20:55 ares systemd[1]: opendmarc.service: Failed with result 'timeout'.
Feb 12 19:20:55 ares systemd[1]: opendmarc.service: Service hold-off time over, scheduling restart.
Feb 12 19:20:55 ares systemd[1]: Stopped OpenDMARC Milter.
Feb 12 19:20:55 ares systemd[1]: Starting OpenDMARC Milter...
Feb 12 19:20:55 ares opendmarc[28684]: OpenDMARC Filter v1.3.2 starting ()
Feb 12 19:20:55 ares opendmarc[28684]: additional trusted authentication services: (none)
Feb 12 19:20:57 ares postfix/smtpd[28698]: connect from hermes.casa.local[192.168.3.150]
Feb 12 19:20:57 ares postfix/smtpd[28698]: warning: connect to Milter service unix:/var/run/opendkim/signer.sock: Permission denied
Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: CONNECT from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: EHLO from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<mail.telsatco.com>
Feb 12 19:20:57 ares postfix/smtpd[28698]: NOQUEUE: milter-reject: MAIL from hermes.casa.local[192.168.3.150]: 451 4.7.1 Service unavailable - try again later; from=<sistemas@telsatco.com> proto=ESMTP helo=<mail.telsatco.com>
Feb 12 19:20:57 ares postfix/smtpd[28698]: disconnect from hermes.casa.local[192.168.3.150] ehlo=1 starttls=0/1 mail=0/1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=3/7
Feb 12 19:21:32 ares pmgpolicy[991]: starting policy database maintainance (greylist, rbl)
Feb 12 19:21:32 ares pmgpolicy[991]: end policy database maintainance (6 ms, 0 ms)
Thank you
 
Last edited:
EDIT:
So i ran this chown opendkim:opendkim default.private fixed that issue but still cannot get it signed so im not sure what to look for i send an email to checkauth i checked the logs but eveything is fine

Code:
Feb 13 00:09:13 mail postfix/smtpd[2426]: connect from hermes.casa.local[192.168.3.150]
Feb 13 00:09:13 mail postfix/smtpd[2426]: Anonymous TLS connection established from hermes.casa.local[192.168.3.150]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 13 00:09:13 mail postfix/smtpd[2426]: 7D0DA80F9D: client=hermes.casa.local[192.168.3.150]
Feb 13 00:09:13 mail postfix/cleanup[2429]: 7D0DA80F9D: message-id=<bb05fcf91f131f9bb48353e1aa691b4f43e0feaa.camel@mydomain>
Feb 13 00:09:13 mail postfix/qmgr[2093]: 7D0DA80F9D: from=<sistemas@mydomain>, size=1351, nrcpt=1 (queue active)
Feb 13 00:09:13 mail postfix/smtpd[2426]: disconnect from hermes.casa.local[192.168.3.150] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 13 00:09:13 mail pmg-smtp-filter[760]: 2019/02/13-00:09:13 CONNECT TCP Peer: "[127.0.0.1]:33498" Local: "[127.0.0.1]:10023"
Feb 13 00:09:13 mail pmg-smtp-filter[760]: 80F9F5C63A6799C0CA: new mail message-id=<bb05fcf91f131f9bb48353e1aa691b4f43e0feaa.camel@mydomain>
Feb 13 00:09:13 mail postfix/smtpd[2434]: connect from localhost.localdomain[127.0.0.1]
Feb 13 00:09:13 mail postfix/smtpd[2434]: A0EC68100F: client=localhost.localdomain[127.0.0.1], orig_client=hermes.casa.local[192.168.3.150]
Feb 13 00:09:13 mail postfix/cleanup[2429]: A0EC68100F: message-id=<bb05fcf91f131f9bb48353e1aa691b4f43e0feaa.camel@mydomain>
Feb 13 00:09:13 mail postfix/qmgr[2093]: A0EC68100F: from=<sistemas@mydomain>, size=1556, nrcpt=1 (queue active)
Feb 13 00:09:13 mail pmg-smtp-filter[760]: 80F9F5C63A6799C0CA: accept mail to <check-auth2@verifier.port25.com> (A0EC68100F)
Feb 13 00:09:13 mail postfix/smtpd[2434]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Feb 13 00:09:13 mail pmg-smtp-filter[760]: 80F9F5C63A6799C0CA: processing time: 0.12 seconds (0, 0.008)
Feb 13 00:09:13 mail postfix/lmtp[2430]: 7D0DA80F9D: to=<check-auth2@verifier.port25.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.28, delays=0.08/0.01/0.04/0.15, dsn=2.5.0, status=sent (250 2.5.0 OK (80F9F5C63A6799C0CA))
Feb 13 00:09:13 mail postfix/qmgr[2093]: 7D0DA80F9D: removed
Feb 13 00:09:14 mail postfix/smtp[2435]: Untrusted TLS connection established to verifier.port25.com[34.209.113.130]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 13 00:09:15 mail postfix/smtp[2435]: A0EC68100F: to=<check-auth2@verifier.port25.com>, relay=verifier.port25.com[34.209.113.130]:25, delay=1.8, delays=0.1/0.01/1.1/0.63, dsn=2.6.0, status=sent (250 2.6.0 message received)
Feb 13 00:09:15 mail postfix/qmgr[2093]: A0EC68100F: removed


The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check: pass
"iprev" check: pass
DKIM check: none
SpamAssassin check: ham
 
thanks for the reply, it seem that the tutorial is not well described. my question is installing opendkim on debian 9 be applicable to proxmox? because i installed fairly easy on ubuntu server 14, not sure why this is such a hassale as for the tutorial it says to disable opendkim and use opendkim-signer
 
It's linux, there are a million packages and a million ways to do one thing. Did you manage to get it working?
 
Thanks for the reply, could not get it working the way the tutorial was im trying another way with another tutorial
 
Well i try and tried but not sure what im doing wrong. These are the steps i took.

1) install
Code:
 apt install opendkim opendkim-tools

2)
Code:
 mkdir /etc/opendkim

3)
Code:
nano /etc/opendkim/verifier
inside add this
Code:
Syslog yes
LogResults yes
LogWhy yes
SyslogSuccess yes
UMask 007
Mode v
AllowSHA1Only yes
AlwaysAddARHeader yes
Socket local:/var/run/opendkim/verifier.sock
PidFile /var/run/opendkim/verifier.pid
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
Background no
Nameservers 192.168.3.253


then
4)
Code:
nano /etc/opendkim/signer.conf
inside add this
Code:
Syslog yes
LogResults yes
LogWhy yes
SyslogSuccess yes
UMask 007
KeyTable /etc/opendkim/keytable
SigningTable /etc/opendkim/signingtable
Mode s
InternalHosts 0.0.0.0/0
Socket local:/var/run/opendkim/signer.sock
PidFile /var/run/opendkim/signer.pid
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
Background no
Nameservers 192.168.3.253

then this
5)
Code:
nano /etc/opendkim/signingtable
then add this
Code:
# Add one line per domain you want to sign when email are being sent.
# You can use different keys if needed
# Or just use a wildcard to sign everything with the same key
* default

then
6)
Code:
nano /etc/opendkim/keytable
inside add this
Code:
default %:default:/etc/opendkim/keys/default/default.private

7) run each line one by one
Code:
mkdir -p /etc/opendkim/keys/default
chown opendkim /etc/opendkim/{keys,keys/default}
chmod 700 /etc/opendkim/{keys,keys/default}
opendkim-genkey -D /etc/opendkim/keys/default/ -s default }}

8) then this
Code:
nano /etc/systemd/system/opendkim-signer.service
add inside
Code:
[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter - signer
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target
 
[Service]
Type=simple
UMask=0007
ExecStart=/usr/sbin/opendkim -x /etc/opendkim/signer.conf
User=opendkim
Group=opendkim
MemoryLimit=50M
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID
 
[Install]
WantedBy=multi-user.target

9)
Code:
nano /etc/systemd/system/opendkim-verifier.service
add this inside
Code:
[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter - verifier
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target
 
[Service]
Type=simple
UMask=0007
ExecStart=/usr/sbin/opendkim -x /etc/opendkim/verifier.conf
User=opendkim
Group=opendkim
MemoryLimit=50M
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID
 
[Install]
WantedBy=multi-user.target

10) then this
Code:
mv /etc/opendkim/verifier /etc/opendkim/verifier.conf

11) give permissions
Code:
cd /etc/opendkim/keys/default
chown opendkim:opendkim default.private

12) reload everything
Code:
systemctl daemon-reload

systemctl stop opendkim
systemctl disable opendkim
systemctl enable opendkim-signer
systemctl start opendkim-signer
systemctl enable opendkim-verifier
systemctl start opendkim-verifier

13) install opendmarc
Code:
apt install opendmarc

14) then [CODE]nano /etc/opendmarc.conf
inside add this and delete everything of that conf
Code:
Background false
IgnoreAuthenticatedClients true
IgnoreHosts /etc/pmg/mynetworks
PidFile /var/run/opendmarc/opendmarc.pid
PublicSuffixList /usr/share/publicsuffix/
Syslog true
RejectFailures true
UMask 007
Socket local:/var/run/opendmarc/opendmarc.sock
HistoryFile /var/run/opendmarc/history.dat

15) give permissions and restart
Code:
usermod -a -G opendkim,opendmarc postfix
systemctl enable opendmarc
systemctl start opendmarc

16) then create the templates run each line
Code:
mkdir /etc/pmg/templates
cp -a /var/lib/pmg/templates/master.cf.in /etc/pmg/templates/

17) then
Code:
nano /etc/pmg/templates/master.cf.in
inside add these two lines
Code:
-o smtpd_milters=unix:/var/run/opendkim/signer.sock

-o smtpd_milters=unix:/var/run/opendkim/verifier.sock,unix:/var/run/opendmarc/opendmarc.sock


then reboot the machine

but for for some reason cannot get the damm thing to sign with dkim
 
edit2: so for some odd reason not working inbound emails getting this error

Code:
 dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
 
Well i try and tried but not sure what im doing wrong. These are the steps i took.
17) then
Code:
nano /etc/pmg/templates/master.cf.in
inside add these two lines
Code:
-o smtpd_milters=unix:/var/run/opendkim/signer.sock

-o smtpd_milters=unix:/var/run/opendkim/verifier.sock,unix:/var/run/opendmarc/opendmarc.sock


then reboot the machine

but for for some reason cannot get the damm thing to sign with dkim

You also have to add:

submission inet n - - - 100 smtpd
-o content_filter=scan:127.0.0.1:10023
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=reject_unknown_recipient_domain
-o smtpd_sender_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_milters=unix:/var/run/opendkim/signer.sock

smtps inet n - - - 100 smtpd
-o content_filter=scan:127.0.0.1:10023
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=reject_unknown_recipient_domain
-o smtpd_sender_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_milters=unix:/var/run/opendkim/signer.sock

Also, check syslog for any errors that will give you clues about what failed.
 
seems `pmg-smtp-filter` ist not running?
Thanks for the reply i reboot and the mails started to come in very odd

You also have to add:

submission inet n - - - 100 smtpd
-o content_filter=scan:127.0.0.1:10023
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=reject_unknown_recipient_domain
-o smtpd_sender_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_milters=unix:/var/run/opendkim/signer.sock

smtps inet n - - - 100 smtpd
-o content_filter=scan:127.0.0.1:10023
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=reject_unknown_recipient_domain
-o smtpd_sender_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_milters=unix:/var/run/opendkim/signer.sock

Also, check syslog for any errors that will give you clues about what failed.

quick question howcome i would need this config? is it necessarily?
 
haven't checked the tutorial in detail, but it seems like the writer wanted to have:
* smtps (smtp with TLS directly not via STARTTLS) - a not-rfc-compliant (AFAIR), but quite often used configuration - on port 465
* submission - the port where clients (like Thunderbird, or even servers) are connecting authenticated (providing username and password) - on port 587
both seem configured to run as 'internal' ports (like port 26 in the default config) - which seems reasonable for 587, but I'm not so sure about 465

Hope this helps!
 
  • Like
Reactions: killmasta93
Thanks for the reply, as for the previous tutorial there was a few things missing in the above steps worked flawless hope this helps someone else been trying to configure outbound for a while but finally got it with the above config
 
seems `pmg-smtp-filter` ist not running?
@Stoiko Ivanov quick question every now and then i see the pmg-smtp-filter off any ideas howcome? i have to start it manually
Code:
root@mail:~# service pmg-smtp-filter status
● pmg-smtp-filter.service - Proxmox SMTP Filter Daemon
   Loaded: loaded (/lib/systemd/system/pmg-smtp-filter.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-02-20 05:01:05 -05; 17h ago
  Process: 20124 ExecStart=/usr/bin/pmg-smtp-filter (code=exited, status=0/SUCCESS)
 Main PID: 20148 (code=exited, status=110)

Feb 20 04:57:44 mail pmg-smtp-filter[20167]: 810B45C6D249541245: accept mail to <info@mydomain.com> (D40B8810B9)
Feb 20 04:57:45 mail pmg-smtp-filter[20167]: 810B45C6D249541245: processing time: 3.68 seconds (3.417, 0.12)
Feb 20 04:58:45 mail pmg-smtp-filter[20148]: starting database maintainance
Feb 20 04:58:45 mail pmg-smtp-filter[20148]: end database maintainance (45 ms)
Feb 20 05:00:45 mail pmg-smtp-filter[20148]: starting database maintainance
Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Main process exited, code=exited, status=110/n/a
Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Killing process 20167 (pmg-smtp-filter) with signal SIGKILL.
Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Killing process 20168 (pmg-smtp-filter) with signal SIGKILL.
Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Unit entered failed state.
Feb 20 05:01:05 mail systemd[1]: pmg-smtp-filter.service: Failed with result 'exit-code'.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!