(How-To) Kopano UCS 4.4 Latest install - DKIM support

Hi everyone, I’m migrating a Zimbra server to the newest K4UCS server available.
Now I’m dealing with a problem: how can I implement DKIM & DMARC support on the server?

Are there any how-tos? On a quick search on Google, I couldn’t find anything useful for Kopano UCS …

Is this implemented manually, via CLI?

Sorry for the quick message, but I’m trying to find the info through searches, and decided to ask for help here too.

Thanks in advance.
Regards.
JG

I have never set up DKIM or DMARC on a UCS system personally, but searching this forum gives some results. Kopano just uses the default mail stack of UCS, so any UCS-based tutorial should work.

WORK IN PROGRESS!!

Hi everyone, this is a quick how-to about how I set this up on my test server.

The info here was gathered from several sources, either posts on this forum or from searching the net; the credit is not mine.

Links / credits:

https://forge.univention.org/bugzilla/show_bug.cgi?id=45193
https://www.cubewerk.de/2017/12/04/spf-und-dkim-mit-univention-ucs-server/
https://kofler.info/dkim-konfiguration-fuer-postfix/

Actions

I did this as the ‘root’ user, running UCS version 4.4.

Set the repository so the needed packages can be downloaded:

ucr set repository/online/unmaintained='yes'

Install the packages needed:

univention-install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre

Make a copy of the original file:

cp /etc/opendkim.conf /etc/opendkim.conf.original

Open the file /etc/default/opendkim and change:

SOCKET=inet:12301@localhost

The port number may differ; use one that is not in use.

Sample of my own (/etc/opendkim.conf):

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

Open the Postfix template:

vi /etc/univention/templates/files/etc/postfix/main.cf.d/10_general

Add this at the end of the file:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Save the file and run:

univention-config-registry commit /etc/postfix/main.cf

Create the relevant files:
vi /etc/opendkim/TrustedHosts

127.0.0.1
::1
localhost
10.10.0.0/24
domain
domain.com
host.domain.com

Create a key table:
vi /etc/opendkim/KeyTable

mail._domainkey.domain.com domain.com:mail:/etc/opendkim/keys/domain.com/mail.private

Create a signing table:
vi /etc/opendkim/SigningTable

*@domain.com mail._domainkey.domain.com

Create the directory for the domain’s keys:

cd /etc/opendkim/keys
mkdir domain.com
cd domain.com

Generate the keys:

opendkim-genkey -s mail -d domain.com

Change the owner of the private key to opendkim:

chown opendkim:opendkim mail.private

Add the public key to the domain’s DNS records.
This part can be tricky for someone not used to doing this, since you need to copy the text ‘as is’ into the TXT record.

Sample key:

nano -$ mail.txt
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxddfBL9/0ZgCHpwXv92xxvpasPXUaIeXXosDCiypxUIY1CtCRLJ8Ti03FZrJGVQvYmYaiI1Wa8omMVF11b+0U6Cl5t2BlH6VzBYxuNHk1w91xkVJz59MTYuwNTT87JuMGM/y0IQV8UfykZ7TWZxvr79mWYxSLkYC5CDTrPj7iph2MWn/8fqsUMcJbNd4oLszY5nyqfmmhMug0avPQ/vEmmUjb9MwUU15Og4GvcjQ5XK/u5o9Z4wktM8v+v+4JM19xX6L/wR7HgW4d0mq/UtAWSqlnqgQcsztcjt

Copy the key to your TXT record on the DNS server serving your domain.

Sample of mine, on Cloudflare DNS record:

TXT    mail._domainkey	v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkq

Restart services:

service postfix restart
service opendkim restart

Hope this can help someone too.
Regards.
JG

2 Likes
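The step above that people most often get wrong is the DNS record: opendkim-genkey writes the TXT value as several quoted fragments in zone-file syntax, and a truncated or mis-joined paste silently produces a record that no verifier can use. The following is an added example (not part of the how-to or of OpenDKIM itself) that joins the fragments into the single string the DNS provider wants and then checks that the p= value really decodes to an RSA SubjectPublicKeyInfo of a sane size. The sample mail.txt layout and the 2048-bit "key" are constructed here, using a made-up modulus, so the script runs offline; the selector and domain names (mail, domain.com) are the placeholders from the how-to.

```python
import base64
import binascii
import re

# DER contents of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("2a864886f70d010101")


def flatten_genkey_txt(text):
    """Join the quoted fragments of an opendkim-genkey <selector>.txt file into
    the single value that goes into the TXT record."""
    return "".join(re.findall(r'"([^"]*)"', text))


def parse_dkim_tags(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def _der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data (truncated p=?)")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki):
    """Walk a SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    tag, body, end = _der_read(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single SEQUENCE (trailing or missing bytes)")
    tag, alg, pos = _der_read(body, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _der_read(alg, 0)
    if tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    tag, rsapub, _ = _der_read(bits[1:], 0)   # bits[0] is the unused-bits count
    if tag != 0x30:
        raise ValueError("BIT STRING does not hold an RSAPublicKey")
    tag, n, _ = _der_read(rsapub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n, "big").bit_length()


def check_dkim_record(record):
    """Validate a DKIM TXT record value: returns {'bits': ..., 'hash': ...}
    for a usable record or {'error': ...} explaining why it is not."""
    tags = parse_dkim_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"error": "v= must be DKIM1 if present"}
    if tags.get("k", "rsa") != "rsa":
        return {"error": "only k=rsa is handled here"}
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        return {"error": "empty p= (revoked key or record pasted incompletely)"}
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError, IndexError) as exc:
        return {"error": "p= does not decode to an RSA public key: %s" % exc}
    if bits < 1024:
        return {"error": "%d-bit key is too weak for DKIM" % bits}
    return {"bits": bits, "hash": tags.get("h", "any")}


# --- constructed sample input: a DER shape with a made-up modulus, NOT a real key
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)


def sample_spki_b64(bits=2048):
    """Base64 SPKI around the odd number 2^(bits-1)+1 (only for exercising the parser)."""
    rsapub = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsapub))).decode()


def sample_genkey_txt(p_b64, selector="mail", domain="domain.com"):
    """Mimic the zone-file layout opendkim-genkey writes to <selector>.txt (assumed)."""
    chunks = [p_b64[i:i + 200] for i in range(0, len(p_b64), 200)]
    lines = ['%s._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "' % selector,
             '\t  "p=%s"' % chunks[0]] + ['\t  "%s"' % c for c in chunks[1:]]
    lines[-1] += " )  ; ----- DKIM key %s for %s" % (selector, domain)
    return "\n".join(lines)


if __name__ == "__main__":
    record = flatten_genkey_txt(sample_genkey_txt(sample_spki_b64()))
    print(check_dkim_record(record))        # {'bits': 2048, 'hash': 'sha256'}
    print(check_dkim_record(record[:-20]))  # error: the paste lost its tail
```

Run it against the real file with `check_dkim_record(flatten_genkey_txt(open("/etc/opendkim/keys/domain.com/mail.txt").read()))`, and again against whatever `dig +short TXT mail._domainkey.domain.com` returns after publishing, to confirm the published value still decodes.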

First: thanks for providing this How-To

I did a comparable setup a while ago and it appears that we nearly have done the same.
Some additional remarks:

It is not necessary to change the Postfix template anymore. All changes can be done in /etc/postfix/main.cf.local. This eliminates the need to review the changed template after an update.

I don’t see where the installed packages postfix-policyd-spf-python and postfix-pcre are needed, but maybe I am missing something.

Once https://forge.univention.org/bugzilla/show_bug.cgi?id=50777 is resolved it is not needed to activate the unmaintained repository anymore. It looks like this will happen in a couple of days.

Best Regards,
Dirk

3 Likes

Hello @mag007 and thank you very much for the howto.

As a small addition:
Under certain circumstances (e.g. if SpamAssassin has been configured in UCS), it can happen that when using “DomainKeys Identified Mail” (DKIM) the entry is duplicated or even tripled.

With standard settings, every mail sent is checked by Amavis and then run through Postfix again, which adds an additional DKIM header. However, this can be prevented with the appropriate configuration.

A German tutorial with detailed background information is available here (newsportal.koeln):
Unfortunately, with UCS, at the moment a template file has to be changed, as shown below.

root@mail:~# diff -u /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir_ORIGINAL /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir
--- /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir_ORIGINAL	2020-02-18 23:42:35.041259401 +0100
+++ /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir	2020-02-18 23:44:06.876020444 +0100
@@ -21,5 +21,5 @@
 	-o smtpd_error_sleep_time=0
 	-o smtpd_soft_error_limit=1001
 	-o smtpd_hard_error_limit=1000
-	-o receive_override_options=no_address_mappings''' % {"maxproc": configRegistry.get("mail/antivir/max_servers", "2")}
+	-o receive_override_options=no_address_mappings,no_milters''' % {"maxproc": configRegistry.get("mail/antivir/max_servers", "2")}
 @!@
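Review bot: with no_milters added to receive_override_options on this listener, the message is signed only on its first pass through Postfix, before Amavis sees it, so the post should say that this relies on Amavis not rewriting any header the signature covers or altering the body; a signature made before content filtering does not survive such changes. It is also worth stating next to the diff that this file lives under /etc/univention/templates, so the edit has to be checked again after the next UCS update, which is the drawback the post itself alludes to when it says a template file has to be changed.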

root@mail:~# ucr commit /etc/postfix/master.cf
Multifile: /etc/postfix/master.cf

root@mail:~# systemctl restart postfix.service

The easiest way to check the result is to use a mail reply service, for example the one from Port25. Just send an (empty) mail to check-auth@verifier.port25.com and check the result sent back to you.

hth, Greetings Lutz
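The duplicated DKIM header described above can be spotted locally before sending anything to an external verifier. The following is an added example, not code from this thread or from OpenDKIM, that parses a raw message, lists every DKIM-Signature header with its d= and s= tags, reports signers that appear more than once (the symptom of signing on each pass through Postfix), and recomputes the bh= body hash under the signature's c= and a= tags to show whether the body was changed after signing (for instance by a content filter). The sample message is constructed inline with a dummy b= value, since only the body hash can be checked without the signer's key; l= partial-body signing is deliberately not handled.

```python
import base64
import hashlib
import re


def split_message(raw):
    """Separate the header block from the body at the first empty line."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx], raw[idx + len(sep):]
    return raw, b""


def header_fields(head):
    """Unfold header lines and return (lower-case name, value) pairs in order."""
    fields = []
    for line in head.replace(b"\r\n", b"\n").split(b"\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b" " + line.strip()   # continuation of a folded header
        elif line:
            fields.append(line)
    out = []
    for f in fields:
        name, _, value = f.partition(b":")
        out.append((name.strip().lower().decode(), value.strip().decode()))
    return out


def parse_tags(value):
    """DKIM-Signature tag list 'v=1; a=...; bh=...' -> dict, whitespace removed."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization: 'simple' only normalizes trailing empty
    lines; 'relaxed' also collapses whitespace runs and strips trailing WSP."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    if mode == "relaxed":
        body = re.sub(rb"[ \t]+", b" ", body)
        body = re.sub(rb" (?=\r\n|$)", b"", body)
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body, c="simple/simple", a="rsa-sha256"):
    """Compute the bh= value for a body under the signature's c= and a= tags."""
    body_mode = c.split("/")[1] if "/" in c else "simple"
    digest = hashlib.sha1 if a == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, body_mode)).digest()).decode()


def audit_dkim_signatures(raw):
    """One dict per DKIM-Signature header: signer domain, selector, and whether
    the bh= tag still matches the body as received."""
    head, body = split_message(raw)
    results = []
    for name, value in header_fields(head):
        if name != "dkim-signature":
            continue
        tags = parse_tags(value)
        expected = body_hash(body, tags.get("c", "simple/simple"), tags.get("a", ""))
        results.append({"d": tags.get("d"), "s": tags.get("s"),
                        "bh_ok": "l" not in tags and tags.get("bh") == expected})
    return results


def duplicate_signers(raw):
    """(d, s) pairs carried by more than one DKIM-Signature header, i.e. the
    message was signed again on a later pass through the MTA."""
    seen, dups = set(), set()
    for r in audit_dkim_signatures(raw):
        key = (r["d"], r["s"])
        if key in seen:
            dups.add(key)
        seen.add(key)
    return sorted(dups)


# --- constructed sample message (b= is a placeholder; only bh= is meaningful) ---
def build_sample(body, passes=2, c="relaxed/simple"):
    """Message as it would leave a server that signed it on every pass."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=%s; d=domain.com; s=mail;\r\n"
           "\th=from:to:subject; bh=%s;\r\n\tb=AAAA\r\n") % (c, body_hash(body, c))
    head = (sig * passes + "From: jg@domain.com\r\n"
            "To: check-auth@verifier.port25.com\r\nSubject: DKIM test\r\n")
    return head.encode() + b"\r\n" + body


if __name__ == "__main__":
    msg = build_sample(b"Hello world\r\n")
    print(audit_dkim_signatures(msg))        # two entries, both bh_ok=True
    print(duplicate_signers(msg))            # [('domain.com', 'mail')]
    altered = msg.replace(b"Hello world", b"Hello world [scanned]")
    print(audit_dkim_signatures(altered))    # bh_ok=False for both
```

To use it on a real message, save a mail that went through the server as a file and pass its bytes to `audit_dkim_signatures` and `duplicate_signers`; a non-empty duplicate list means the reinjection path is still running the milter, and `bh_ok` false on an otherwise correct signature means something rewrote the body after signing.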

Thanks for the efforts @mag007 @ahrnke @lutz.willek ! May I ask what is the situation a year later? Is the advice in this thread still valid?

I am implementing a mail server on UCS. Hopefully some day DKIM can be configured via UMC/UCR, but meanwhile, an update of any kind on the current workarounds would be highly appreciated.

This bug https://forge.univention.org/bugzilla/show_bug.cgi?id=31993 has been open for a while, and it seems I am not alone in my interest in a supported DKIM setup on Univention UCS. :)
