That was hard work...
May. 5th, 2014 09:11 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
swehConfiguring mail for DKIM!
I've had an SPF record for a while. Today I decided to add a DKIM record.
I've got a weird kludge solution. I have 2 internet facing servers (linode and dastardly) which run postfix. At home my primary server runs sendmail. They talk to each over over OpenVPN or IPv6 connections and so trust each other.
Since all my mail originates from home (any mail that originals from linode or dastardly better just be sent to me; cron jobs, daily reports, etc) I figured that that sendmail instance would be the right place to put the dkim.
Oh, hey, opendkim has already been packaged. And then the fun starts.
Half of the documents on the web say it should be configured in submit.mc. After a tonne of testing, I decided that sendmail submit never calls the mail filters.
So then I added it to the main sendmail instance. And no mail was being signed. Damnit. Test test test. Nope. Finally I work out the correct way of configuring opendkim. Hey, signatures!
So now I publish my DNS entry. Send a test message to a test site
I dig up an old yahoo.com mail account I created a long time ago (Oh WTF have yahoo done to that UI? It's fscking awful!). Send it a test message.
In the headers
Received-SPF: pass (domain of spuddy.org designates 66.228.55.57 as permitted sender)
Authentication-Results: mta1613.mail.gq1.yahoo.com from=spuddy.org; domainkeys=neutral (no sig); from=spuddy.org; dkim=pass (ok)
So this looks good. I'm sending mail with good DKIM.
Let's see about incoming mail...
Further debugging... huh " Can't locate Mail/DKIM/Verifier.pm in ..."
More perl modules needed. Install those and retest... DKIM_SIGNED,DKIM_VALID,
Yay!
I wonder if this was worth all the effort.
I don't think I'm going to publish a DMARC record 'cos I don't really want to receive a tonne of mails telling me how much phishing is going on!
But maybe I will, just for fun... (another mailbox...)
I've had an SPF record for a while. Today I decided to add a DKIM record.
I've got a weird kludge solution. I have 2 internet facing servers (linode and dastardly) which run postfix. At home my primary server runs sendmail. They talk to each over over OpenVPN or IPv6 connections and so trust each other.
Since all my mail originates from home (any mail that originals from linode or dastardly better just be sent to me; cron jobs, daily reports, etc) I figured that that sendmail instance would be the right place to put the dkim.
Oh, hey, opendkim has already been packaged. And then the fun starts.
Half of the documents on the web say it should be configured in submit.mc. After a tonne of testing, I decided that sendmail submit never calls the mail filters.
So then I added it to the main sendmail instance. And no mail was being signed. Damnit. Test test test. Nope. Finally I work out the correct way of configuring opendkim. Hey, signatures!
So now I publish my DNS entry. Send a test message to a test site
SPF result: pass
DKIM result: True
Alignment result: Pass
Feedback: RecordType
Delivery Result: Pass
Looks good.I dig up an old yahoo.com mail account I created a long time ago (Oh WTF have yahoo done to that UI? It's fscking awful!). Send it a test message.
In the headers
Received-SPF: pass (domain of spuddy.org designates 66.228.55.57 as permitted sender)
Authentication-Results: mta1613.mail.gq1.yahoo.com from=spuddy.org; domainkeys=neutral (no sig); from=spuddy.org; dkim=pass (ok)
So this looks good. I'm sending mail with good DKIM.
Let's see about incoming mail...
Authentication-Results: spuddy.org; dkim=pass reason="1024-bit key"
header.d=yahoo.com header.i=@yahoo.com header.b=Cwx4qDP3;
dkim-adsp=passSo far so good... wait; why did spamassassin claim T_DKIM_INVALID ? opendkim says "good", sa says "bad". Huh?Further debugging... huh " Can't locate Mail/DKIM/Verifier.pm in ..."
More perl modules needed. Install those and retest... DKIM_SIGNED,DKIM_VALID,
Yay!
I wonder if this was worth all the effort.
I don't think I'm going to publish a DMARC record 'cos I don't really want to receive a tonne of mails telling me how much phishing is going on!
But maybe I will, just for fun... (another mailbox...)
