(How-To) Kopano UCS 4.4 Latest install - DKIM support


#1

Hi everyone, I’m migrating a Zimbra server to the newest K4UCS server available.
Now I’m dealing with a problem: how can I implement DKIM & DMARC support on the server?

Are there any how-tos? On a quick search on Google, I couldn’t find anything useful for Kopano UCS …

Is this implemented manually ?? via CLI?

Sorry for the quick message; I’m trying to find the info through searches, but decided to ask for help here too.

Thanks in advance.
Regards.
JG


#2

I have never set up DKIM or DMARC on a UCS system personally, but searching in this forum gives some results. Kopano just uses the default mail stack of UCS, so any UCS-based tutorial should work.


#3

WORK IN PROGRESS !!

Hi everyone, this is a quick how-to about how I’ve set this up on my test server.

The info here was gathered from several sources, either posts on this forum or from searching the Net; the credit is not mine.

links / credits:

https://forge.univention.org/bugzilla/show_bug.cgi?id=45193


https://www.cubewerk.de/2017/12/04/spf-und-dkim-mit-univention-ucs-server/
https://kofler.info/dkim-konfiguration-fuer-postfix/

Actions

I did this using the ‘root’ user and running UCS version 4.4.

Set the repository to be able to download the packages needed:

ucr set repository/online/unmaintained='yes'

Install the packages needed:

univention-install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre

Make a copy of the original file:

cp /etc/opendkim.conf /etc/opendkim.conf.original

Open file /etc/default/opendkim and change:

SOCKET=inet:12301@localhost

The socket number may be different; use one not in use.

Sample of my own:

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

Open the Postfix template:

vi /etc/univention/templates/files/etc/postfix/main.cf.d/10_general

Add this at the end of the file:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Save the file and run:

univention-config-registry commit /etc/postfix/main.cf

Create the relevant files:
vi /etc/opendkim/TrustedHosts

127.0.0.1
::1
localhost
10.10.0.0/24
domain
domain.com
host.domain.com

Create a key table:
vi /etc/opendkim/KeyTable

mail._domainkey.domain.com domain.com:mail:/etc/opendkim/keys/domain.com/mail.private

Create a signing table:
vi /etc/opendkim/SigningTable

*@domain.com mail._domainkey.domain.com

Generate the public and private keys:

cd /etc/opendkim/keys
mkdir domain.com
cd domain.com

Generate the keys:

opendkim-genkey -s mail -d domain.com

Change the owner of the private key to opendkim:

chown opendkim:opendkim mail.private

Add the public key to the domain’s DNS records
This part can be tricky for someone not used to doing this, since you need to copy the text ‘as is’ to the TXT record.

Sample key:

nano -$ mail.txt
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxddfBL9/0ZgCHpwXv92xxvpasPXUaIeXXosDCiypxUIY1CtCRLJ8Ti03FZrJGVQvYmYaiI1Wa8omMVF11b+0U6Cl5t2BlH6VzBYxuNHk1w91xkVJz59MTYuwNTT87JuMGM/y0IQV8UfykZ7TWZxvr79mWYxSLkYC5CDTrPj7iph2MWn/8fqsUMcJbNd4oLszY5nyqfmmhMug0avPQ/vEmmUjb9MwUU15Og4GvcjQ5XK/u5o9Z4wktM8v+v+4JM19xX6L/wR7HgW4d0mq/UtAWSqlnqgQcsztcjt

Copy the key to your TXT record on the DNS server serving your domain.

Sample of mine, on Cloudflare DNS record:

TXT    mail._domainkey	v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkq

Restart services:

service postfix restart
service opendkim restart

Hope this can help someone too.
Regards.
JG
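
The TXT record step in post #3, as an added example that is not part of the original post: opendkim-genkey writes the record to mail.txt as several quoted chunks, and a DNS panel needs them joined into one value, so this sketch joins the chunks and compares the result with what DNS returns to catch a truncated or mangled paste. The function names are hypothetical, and the key file and dig answers are constructed samples, not real keys.

```shell
#!/bin/sh
# Join every "quoted" chunk read from stdin into one string. This handles
# both the zone-file layout written by opendkim-genkey and the output of
# `dig +short TXT`, which also splits long records into quoted chunks.
join_txt_chunks() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# Print the single-line TXT value held in a genkey file ($1).
dkim_txt_value() {
    join_txt_chunks < "$1"
}

# Return 0 only if the published record ($2, raw dig output) carries
# exactly the value stored in the genkey file ($1).
dkim_record_matches() {
    want=$(dkim_txt_value "$1")
    got=$(printf '%s\n' "$2" | join_txt_chunks)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed sample in the layout opendkim-genkey writes (not a real key).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=AAAAexampleFIRSTchunk"
      "SECONDchunkAAAA" )  ; ----- DKIM key mail for domain.com
EOF

# Constructed stand-ins for `dig +short TXT mail._domainkey.domain.com`:
good='"v=DKIM1; h=sha256; k=rsa; p=AAAAexampleFIRSTchunk" "SECONDchunkAAAA"'
bad='"v=DKIM1; h=sha256; k=rsa; p=AAAAexampleFIRSTchunk"'

echo "Value to paste into the TXT record:"
dkim_txt_value "$sample"; echo
dkim_record_matches "$sample" "$good" && echo "good: published record matches"
dkim_record_matches "$sample" "$bad"  || echo "bad: published record differs (truncated?)"
```

On the live server, pass the real output of `dig +short TXT mail._domainkey.domain.com` as the second argument; `opendkim-testkey -d domain.com -s mail -vvv` then checks the published key against the private key end to end.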