[PLUG] Setting up DKIM...

Louis Kowolowski louisk at cryptomonkeys.org
Mon Oct 22 16:22:56 UTC 2018


Typically, you want the client to use the client's email/password, which would be provided by the client, not saved on the server (although I suppose you could set things up so that all outgoing mail is sent by the same user; that seems a bit of an odd use case, though).

I would not expect it to be particularly important whether you use 25, 465, or 587 for the initial connection. If you want to do authenticated sending with postfix, you will be using either 465 or 587, depending on whether you wish to have an SSL connection, or a STARTTLS connection. Both of these require configuration of the master.cf, not main.cf.

If this server sends mail directly, DKIM would be appropriate here. If it relays all its mail to another server under your control, IMHO, DKIM is a waste. I'd deploy DKIM on an internet-facing server.

Don't forget to rotate your domain keys at least once a quarter (best practice).


> On Oct 21, 2018, at 1:47 PM, michael at robinson-west.com wrote:
> 
> I have a server at Eskimo North running CentOS 7, primary DNS (Bind 9), Postfix 2.10, Dovecot, Apache-2.4.34, php-7.2.8, and I have an SSL certificate
> from RapidSSL. I am also running rainloop.
> 
> In the ongoing effort to tighten up security, I note that I have not successfully deployed Domain Keys or DKIM. I still don't know how to do
> this.
> 
> I have Postfix set up with submission, but how to get Rainloop to use that I'm not certain. I'm concerned that there is no obvious config file
> line for Rainloop to store the smtp username and smtp password and that Rainloop is using plain old port 25.
> 
> Does port 25 have to be open or can I get away with just the submission port? I use fetchmail to retrieve incoming email from Eskimo North.
> 
> The output and errors from postconf -n follow:
> 
> [root at goose postfix]# cat postfix_config.txt
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> mail_owner = postfix
> mailbox_command = /usr/bin/procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> masquerade_domains = $mydomain
> mydestination = localhost.$mydomain, localhost, $mydomain
> mydomain = robinson-west.com
> myhostname = goose.robinson-west.com
> mynetworks = 127.0.0.0/8, 204.122.17.0/24
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
> postscreen_greet_action = enforce
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
> sample_directory = /usr/share/doc/postfix-2.10.1/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname at Eskimo North
> smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_helo_access hash:/etc/postfix/helo_access reject_unknown_helo_hostname
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = reject_unknown_sender_domain
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /opt/etc/certs/cert/server.crt
> smtpd_tls_key_file = /opt/etc/certs/private/goose_robinson-west_com_RSA_private_nopass.key
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> soft_bounce = no
> unknown_local_recipient_reject_code = 550
> 
> [root at goose postfix]# cat error-postfix-config.txt
> postconf: warning: /etc/postfix/main.cf: unused parameter: postfix_dnsbl_threshold=2
> postconf: warning: /etc/postfix/main.cf: unused parameter: postfix_dnsbl_sites=zen.spamhaus.org*2?bl.spamcop.net*1 b.barracudacentral.org*1
> postconf: warning: /etc/postfix/master.cf: unused parameter: smptd_sasl_local_domain=$myhostname
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

--
Louis Kowolowski                                louisk at cryptomonkeys.org
Cryptomonkeys:                                   http://www.cryptomonkeys.com/

Making life more interesting for people since 1977
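The master.cf side of the submission advice above, as an added example that is not part of the thread and not the poster's configuration: it enables the submission (587, STARTTLS) and smtps (465, implicit TLS) services with authentication required, so that the relaxed `smtpd_tls_security_level = may` in main.cf only applies to port 25. The chroot column value "n" is an assumption that matches the CentOS packaging; the `syslog_name` values are a convention, not required.

```text
# /etc/postfix/master.cf fragment (added example). Values given with -o must
# contain no spaces; put several restrictions in one comma-separated value.
#
# service type  private unpriv  chroot  wakeup  maxproc command + args
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The service names must resolve in /etc/services (a literal port number such as `465` works as well). After a `postfix reload`, `openssl s_client -starttls smtp -connect goose.robinson-west.com:587` should show the certificate and, once EHLO is sent, an AUTH line; the same client against port 25 should get no AUTH at all because of `smtpd_tls_auth_only = yes`.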

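What a working DKIM deployment actually has to get right, as an added example (not code from the thread, and not a full verifier): it computes the bh= body hash with the simple and relaxed canonicalizations of RFC 6376, parses a DKIM-Signature header, names the DNS record the selector points at, and shows that a line appended after signing no longer verifies. The domain example.com, the selector s2018q4 (named by quarter to match the rotation advice above) and the sample message are constructed for illustration; signing the headers (b=) needs the selector's private key and is left out.

```python
"""DKIM body-hash check with the Python standard library only (RFC 6376 3.4.3, 3.4.4, 3.7).

Added example, not code from the thread. Domain, selector and the sample
message below are constructed for illustration.
"""
import base64
import hashlib
import re

WSP_RUN = re.compile(rb"[ \t]+")


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Return the body in 'simple' or 'relaxed' canonical form."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if method == "relaxed":
        # Collapse WSP runs to one SP, then drop WSP at the end of each line.
        lines = [WSP_RUN.sub(b" ", ln).rstrip(b" ") for ln in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalization: %r" % method)
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""  # empty-body rules differ
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """bh= tag value: base64(SHA-256(canonical body)) for the *-sha256 algorithms."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature value into tags; folding whitespace inside values is insignificant."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_signature_value(head: bytes) -> str:
    """Unfold the header block and return the first DKIM-Signature value."""
    text = head.decode("utf-8", "replace").replace("\r\n", "\n")
    for line in re.sub(r"\n[ \t]+", " ", text).split("\n"):
        name, _, val = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            return val
    raise ValueError("no DKIM-Signature header")


def check_body_hash(raw: bytes) -> dict:
    """Recompute bh= for a signed message and name the DNS record its selector points at.

    Only the body-hash half of verification: b= must still be checked against the
    public key published at <selector>._domainkey.<domain>.
    """
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    tags = parse_dkim_signature(dkim_signature_value(head))
    result = {"selector_record": "%s._domainkey.%s" % (tags["s"], tags["d"]),
              "body_hash_ok": False}
    if "l" in tags:
        # l= leaves everything past the limit unsigned, so appended text would still verify.
        result["reason"] = "l= tag present; refusing a partial body hash"
        return result
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"  # RFC 6376 3.5
    result["body_hash_ok"] = body_hash(body, body_canon) == tags.get("bh")
    return result


def build_dkim_header(domain: str, selector: str, body: bytes, canon: str = "relaxed/relaxed") -> str:
    """Tags a signer emits for a message; b= stays empty because that needs the selector's private key."""
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    return "v=1; a=rsa-sha256; c=%s; d=%s; s=%s; h=from:to:subject:date; bh=%s; b=" % (
        canon, domain, selector, body_hash(body, body_canon))


def assemble(headers: str, dkim_header: str, body: bytes) -> bytes:
    """Put the DKIM-Signature header in front of the other headers and append the body."""
    return ("DKIM-Signature: %s\r\n%s\r\n\r\n" % (dkim_header, headers)).encode("ascii") + body


# Constructed sample (assumed names); a selector named by quarter makes rotation visible.
SAMPLE_HEADERS = ("From: alice@example.com\r\nTo: bob@example.com\r\n"
                  "Subject: dkim test\r\nDate: Mon, 22 Oct 2018 16:22:56 +0000")
SAMPLE_BODY = b"Hello,\r\n\r\nThis is a   test. \r\n\r\n\r\n"


def demo() -> dict:
    """Round trip: sign the sample body, verify it, then append a line and watch bh= fail."""
    hdr = build_dkim_header("example.com", "s2018q4", SAMPLE_BODY)
    signed = assemble(SAMPLE_HEADERS, hdr, SAMPLE_BODY)
    return {"intact": check_body_hash(signed),
            "appended": check_body_hash(signed + b"PS: injected\r\n")}


if __name__ == "__main__":
    print(demo())
```

The `selector_record` value is the name whose TXT record (`v=DKIM1; k=rsa; p=...`) must exist before mail signed with that selector goes out; rotating keys quarterly means publishing the new selector's record, switching the signer to it, and only then retiring the old record once mail signed with it has stopped arriving. Relaxed body canonicalization is the one to pick for a server whose mail passes through relays that may rewrap whitespace; the refusal of `l=` is deliberate, since a length limit lets anyone append content the signature does not cover.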