21 Responses to “How to enable Domain Keys (DKIM) in Qmail toaster based mail server install on Debian Linux”

  1. admin says:

    After setting the DKIM I’ve figured out my console mail command is not working 😐

    # mail -s "testing 123" hipo@pc-freak.net
    adsfadsffdsa
    .
    Cc:
    qmail-inject: fatal: mail server permanently rejected message (#5.3.0)
    Can’t send mail: sendmail process failed with error code 100

    Have to google around to see if there is a fix

  2. admin says:

    Got the error:
    It was /var/qmail/bin/sendmail
    While I was experimenting it appears I set a sendmail wrapper script as an attempt to solve some old qmail trouble.

    My /var/qmail/bin/sendmail wrapper script looked like so:

    #!/bin/sh
    export QMAILQUEUE=/var/qmail/bin/qmail-dk
    export DKQUEUE=/var/qmail/bin/qmail-queue.orig
    export DKSIGN=/etc/domainkeys/mydomain.com/default
    exec /var/qmail/bin/sendmail.orig "$@"

    After restoring to the original /var/qmail/bin/sendmail.orig binary all is well e.g.:

    debian:~# cp -rpf /var/qmail/bin/sendmail.orig /var/qmail/bin/sendmail

  3. admin says:

    Another good howto resource, which gives some general tips on how to enable qmail DKIM signing, is found at http://jeremy.kister.net/howto/dk.html.
    I have used chunks of it in order to write this tutorial.

  4. admin says:

    Using the qmail-remote bash wrapper from http://www.pc-freak.net/files/qmail-remote.wrapper.old I got the following headers:

    From - Wed May 25 13:13:32 2011
    X-Account-Key: account11
    X-UIDL: 1306318471.48009.pcfreak,S=1958
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-Path: <hipo@mydomain.com>
    Delivered-To: hipo@pc-freak.net
    Received: (qmail 48006 invoked by uid 1048); 25 May 2011 10:14:30 -0000
    Received: from mail.mydomain.com (83.170.105.141)
    by mail.pc-freak.net with SMTP; 25 May 2011 10:14:30 -0000
    DKIM-Signature: a=rsa-sha1; c=relaxed; d=mydomain.com;
    s=default; t=1306318395; x=1307182395; h=Received:From; b=k/hvkL
    zPXS4xwYaptsg9M8r3esJzQz71q7lK4uYV29VE35qghbmlXD2ShvwwwmElGK2mLR
    sFt/0b38dxjNZeu++R0UJ7jK3BJLqhbb/H3BeqdYgjnVloF693fxrwQOFxhSXk06
    KTuTrFwF+sVmFvdYIRDDLcsFJo7qBVuN8LPxI=
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com;
    s=default; t=1306318395; x=1307182395; h=Received:From; bh=uoq1o
    CgLlTqpdDX/iUbLy7J1Wic=; b=VLw/fJAMQzI2Ba9e5EEsGcjmsDxzhmvYWuAGM
    SgKmwpdfG1DXknYWs1aX1ia25dHINhPlCixhoGWBiQTHSL7hHXNaOHsFNp5wUifu
    0piuBkMvsOWjZt3tf3yhdBxoQEvE2tz2f7MWSkA6QOtGznBiI4A9zjyq8/Q3FcZR
    hYKSp0=
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydomain.com;
    s=default; t=1306318395; x=1307182395; h=Received:From; bh=frcCV
    1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=Cozq+28r4hnpZ+9IfM6pt
    l7vJSvRE5jsRfwMr/PyE3ubaII+LPDzcvBp4Do8UPvzQln31DM2Hkdu9uvxvh2po
    Qgi+eHWN6kW2bcH2HuqnIeFdURdJMVGA946I/eFKH5AB/1bcGXEumeKC0n84H+a7
    1596ArTCsGX3jRznvg/t6k=
    Received: (qmail 32713 invoked by uid 89); 25 May 2011 10:13:15 -0000
    Received: from unknown (HELO webmail.mydomain.com) (127.0.0.1)
    by 0 with SMTP; 25 May 2011 10:13:15 -0000
    Received: from 83.228.93.76
    (SquirrelMail authenticated user hipo@mydomain.com)
    by webmail.mydomain.com with HTTP;
    Wed, 25 May 2011 11:13:15 +0100 (BST)
    Message-ID: <59494.83.228.93.76.1306318395.squirrel@webmail.mydomain.com>
    Date: Wed, 25 May 2011 11:13:15 +0100 (BST)
    Subject: baklava
    From: hipo@mydomain.com
    To: hipo@pc-freak.net
    User-Agent: SquirrelMail/1.4.9a
    MIME-Version: 1.0
    Content-Type: text/plain;charset=UTF-8
    Content-Transfer-Encoding: 8bit
    X-Priority: 3 (Normal)
    Importance: Normal

    Notice the three DKIM-Signature sections in the header, this obviously means the DKIM-Signature of my outgoing mails is fine.
    What is weird is that the email gets a DKIM-Signature 3 times?
    I’m still investigating why that is; as soon as I have found why it’s like that, I’ll explain it here.
    I’ve figured out why the DKIM-Signature gets signed three times within the mail header after a while.

    It seems the script that does the strange DKIM-Signature is signing my headers 3 times; once again, the script is found here: http://www.pc-freak.net/files/qmail-remote.wrapper.old

    I’ll fix that in the tutorial right away.

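A way to check a received message for the repeated-signature problem shown in the headers above, added here as an example and not part of the original comment or of the qmail-remote wrapper: it unfolds the headers, parses each DKIM-Signature tag list, and reports missing RFC 6376 required tags, rsa-sha1 use (deprecated by RFC 8301), and domain/selector/algorithm combinations that were signed more than once. The function names and the SAMPLE message (modelled on the headers above, with shortened placeholder b=/bh= values) are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample modelled on the comment's headers; b=/bh= values are placeholders.
SAMPLE = (
    "DKIM-Signature: a=rsa-sha1; c=relaxed; d=mydomain.com;\n"
    "\ts=default; t=1306318395; x=1307182395; h=Received:From; b=AAAA\n"
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com;\n"
    "\ts=default; t=1306318395; x=1307182395; h=Received:From; bh=BBBB;\n"
    "\tb=CCCC\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydomain.com;\n"
    "\ts=default; t=1306318395; x=1307182395; h=Received:From; bh=DDDD;\n"
    "\tb=EEEE\n"
    "From: hipo@mydomain.com\n"
    "Subject: baklava\n"
    "\n"
    "body\n"
)

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # required tags, RFC 6376 section 3.5

def parse_tags(value):
    """Split a DKIM-Signature value into a tag dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first '=' only: base64 may end in '='
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def audit_signatures(raw_message):
    """Return (signatures, findings) for every DKIM-Signature header found."""
    msg = message_from_string(raw_message)
    sigs = [parse_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    findings = []
    for i, tags in enumerate(sigs, 1):
        missing = [t for t in REQUIRED if t not in tags]
        if missing:
            findings.append(f"signature {i}: missing required tag(s) {','.join(missing)}")
        if tags.get("a", "").endswith("sha1"):
            findings.append(f"signature {i}: rsa-sha1 is deprecated by RFC 8301")
    dup = Counter((t.get("d"), t.get("s"), t.get("a")) for t in sigs)
    for (d, s, a), n in dup.items():
        if n > 1:
            findings.append(f"{n} signatures for d={d} s={s} a={a}: signed more than once")
    return sigs, findings

if __name__ == "__main__":
    print("\n".join(audit_signatures(SAMPLE)[1]))
```
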
  5. admin says:

    Just one more handy test which might be helpful to somebody.
    In order to make sure dkimsign.pl does issue correct DKIM-Signatures, create a new file with some content for instance:

    host# touch aaa
    host# echo 'aaaaaa' >> aaa
    host# /usr/local/bin/dkimsign.pl < aaa
    DKIM-Signature: v=1; a=rsa-sha1; c=simple; h=; s=selector1; bh=uoq1oCgLl
    TqpdDX/iUbLy7J1Wic=; b=Di1wbTcT1ZFMdsrJM12z9TX23uiLNtvBTSrJZArED
    GinESGM1ouZkkGduuj+wVKJq3xTdQ10eo68V8Af0P7UuzPLIncO9KUhagtrRqNSi
    Eie15+eQXi7QGYo2eA4thvs

    You see the DKIM-Signature appearing, this means dkimsign.pl works fine.

    • admin says:

      P.S.

      line:

      host# /usr/local/bin/dkimsign.pl
      host# echo /usr/local/bin/dkimsign.pl < aa

  6. admin says:

    Another thing I’ve noticed is that you might get trouble, where mails are not signed with DKIM-Signature or Domainkey-Signature, if your rsa private file (default) is missing (for example /etc/domainkeys/domainname.com/default), where domainname.com is the vpopmail domain that the mail is physically sent from.

  7. admin says:

    Also on domains not managed by a custom BIND DNS server but by some external mail reseller companies' DNS servers like Godaddy.

    The TXT records which are necessary to set up are:
    TXT name is: _domainkey.yourdomain.com
    TXT value is: t=y; o=-
    TXT name is: private._domainkey.yourdomain.com
    TXT value is: k=rsa; p=XXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx………

  8. hip0 says:

    If you get a “DomainKey-Status: bad” in the headers in gmail.com, this means something is wrong with the configured domain key…

    • hip0 says:

      The most common reason for a “Domainkey-Status: bad” is an improperly configured (pasted) TXT RSA key in the DNS server.
      I’ve experienced this on a couple of domains I was configuring domainkeys on.

  9. hip0 says:

    A few very handy websites to debug whether the configured domainkeys are finally working properly are:
    http://www.mailradar.com/domainkeys/ (Domainkey Checker)
    http://domainkeys.sourceforge.net/policycheck.html (DomainKey Policy Record Tester)

    The first website (Domainkey Checker) checks the header and matches it against the created DNS record. If the header values for domainkeys match certain criteria, the domain key is considered valid. Many times, even with domain keys enabled and the headers present, they could still be invalid. It happened to me many times. Thus this online resource check is an important indicator of whether DKIM is properly configured.

    The second one (DomainKey Policy Record Tester) checks and assures that the TXT records configured in the domain DNS for domainkeys are correct.

  10. hip0 says:

    Another good debugging tool, helpful in checking that the domain record is correct:
    http://domainkeys.sourceforge.net/selectorcheck.html

  11. admin says:

    Another handy source of debugging is sending mail to:
    check-auth2 [at] verifier.port25.com

    In less than a minute an automated mail will be returned, giving hints on what might be causing the Domain key issues.
    You will get something like:

    Thank you for using the verifier,

    The Port25 Solutions, Inc. team

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: pass
    DKIM check: permerror
    Sender-ID check: pass
    SpamAssassin check: ham

    ==========================================================
    Details:
    ==========================================================

  12. Cero says:

    Hey! Great article. I'm looking to do the same with postfix (latest version) and exim (latest version too). Is there any possibility that you may do an article as fine and complete as this for those MTAs? That would be really awesome of you. Keep up the great work. Thanks.

    • admin says:

      Thx,

      When I have time I’ll write an article on how DKIM can be enabled on postfix.
      Thx for the suggestion.

      best
      Georgi

  13. Cero says:

    Thanks Georgi for your reply. Do you know how to do it on exim? For people it is still needed to use both DomainKeys AND DKIM. Hope your expertise can be shared with all of us with that need. 🙂

  14. SEO says:

    If you really want to improve your search engine rank, quality, well written
    content should be your first priority. Buying expired domains can be a lot more work than you
    initially thought, but the job can be easier if you know what you are looking
    for (and how much your budget is). You can now see that ranking high on Google search engine is no longer just about the right keywords alone, but also about visitor’s participation on your site.

  15. Barbara says:

    Hi,

    I’ve a problem trying to install libdomainkeys. I’ve resolved all other problems and I’ve googled searching for mine but I can’t find a solution for the following error. Can you help me?

    # cd /usr/src/libdomainkeys-0.69
    # echo '-lresolv' > dns.lib
    # make clean & make
    [2] 9655
    rm -f *.o *.so libdomainkeys.a dns.lib dnstest socktest makeheader dktest testtrace domainkeys.h
    gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -o makeheader makeheader.c
    ./makeheader domainkeys.h
    gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c dktest.c -I.
    gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c domainkeys.c -I.
    gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c dns_txt.c
    gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c -o dktrace.o dktrace.c
    rm -f libdomainkeys.a
    ar cr libdomainkeys.a domainkeys.o dns_txt.o dktrace.o
    ranlib libdomainkeys.a
    (if make dnstest >/dev/null 2>&1; then echo -lresolv; else echo ""; fi) >dns.lib
    rm -f dnstest
    gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -o dktest dktest.o -L. -ldomainkeys -lcrypto -lresolv `cat dns.lib` `cat socket.lib`
    ./libdomainkeys.a(domainkeys.o): In function `dk_getsig':
    domainkeys.c:(.text+0x621): undefined reference to `BIO_set_flags'
    ./libdomainkeys.a(domainkeys.o): In function `dk_end':
    domainkeys.c:(.text+0x20fd): undefined reference to `BIO_set_flags'
    domainkeys.c:(.text+0x25f5): undefined reference to `BIO_set_flags'
    collect2: ld returned 1 exit status
    make: *** [dktest] Error 1
    [2]- Done make clean

    • admin says:

      Hi Barbara,

      Probably you need to install an older version of libdomainkeys (download from source) or try the libdomainkeys-dev package (if it is available on your distro).

      Hope this helps.
      Regards,

      Georgi

      • Barbara says:

        Hi Georgi,

        Thank you very much for your answer. I’ve tried to install both version 0.67 and 0.68 but the result unfortunately doesn’t change.
        I’m on Debian 3.1 with kernel 2.6.18.18 and gcc version 4.1.2.
        I’ve also updated openssl to the last stable but nothing changes… Any other ideas?

        Thanks again
        Barbara

        • admin says:

          This is a rather old Debian, why don’t you try to update it and see whether the compile will work?
