Postfix: Difference between revisions

From miki
Jump to navigation Jump to search
 
(8 intermediate revisions by the same user not shown)
Line 14: Line 14:


=== DKIM ===
=== DKIM ===
;Testing
* See also guides in DMARC below for DKIM testing / validation.

;Install
See [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy this excellent guide on digitalocean.com].
See [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy this excellent guide on digitalocean.com].
<source lang="bash">
vi /etc/opendkim.conf
vi /etc/default/opendkim
vi /etc/postfix/main.cf
umask 022
mkdir -p /etc/opendkim/keys/noekeon.org
vi /etc/opendkim/TrustedHosts
vi /etc/opendkim/KeyTable
vi /etc/opendkim/SigningTable
cd /etc/opendkim/keys/noekeon.org
opendkim-genkey -s mail -d noekeon.org
chown opendkim:opendkim mail.private
# Make sure that all other files / directory are world readable
cat mail.txt
service postfix restart
service opendkim restart
</source>

We verify that it works correctly:
* To check domain key validity, visit http://dkimcore.org/tools/keycheck.html.
* To verify that DKIM is correctly configured, send a mail to <code>check-auth@verifier.port25.com</code>. You should see <code>DKIM check:pass</code>.
: Alternatively, send a mail to a gmail account under your control, and check in email's headers that <code>dkim=pass</code> is present in the <code>Authentication-Results</code> header field.

;Troubleshoot - ... not internal, ... not authenticated
... It doesn't! We get <code>dkim=neutral</code>.

Checking the logs, we have:
<source lang="bash">
grep opendkim /var/log/mail.info
# ...
# May 6 18:21:17 ober rmilter[14579]: <323cc8a125>; msg done: queue_id: <092462225F>; message id: <>; ip: 91.134.134.85; from: <mip.opendkim@noekeon.org>; rcpt: <check-auth@verifier.port25.com> ...
# May 6 18:21:17 ober opendkim[24890]: 092462225F: prime.immie.org [91.134.134.85] not internal
# May 6 18:21:17 ober opendkim[24890]: 092462225F: not authenticated
# ...
</source>

Same issue is found in [https://github.com/sovereign/sovereign/issues/510 GitHub issue report]. Opendkim thinks that user is not authenticated. This is because postfix does not forward macro <code>{auth_type}</code> to opendkim milter. We edit {{file|/etc/postfix/main.cf}}:

<source lang="diff">
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -159,7 +159,7 @@ smtpd_milters = inet:127.0.0.1:9900, inet:127.0.0.1:12301
non_smtpd_milters = inet:127.0.0.1:12301
milter_default_action = accept
milter_protocol = 6
-milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
</source>
Then restart the service:
<source lang="bash">
service opendkim status
</source>
Now it works!

;Troubleshoot - ... rsa routines INT_RSA_VERIFY bad signature - bad signature data
We see regularly message like the one below.
<source lang="text">
May 9 16:25:08 ober postfix/smtpd[5444]: 5D37D2225F: client=vger.kernel.org[209.132.180.67]
May 9 16:25:08 ober rmilter[14579]: <1d889902a2>; mlfi_data: queue id: <5D37D2225F>
May 9 16:25:08 ober rmilter[14579]: <1d889902a2>; spamdscan: ...
May 9 16:25:08 ober rmilter[14579]: <1d889902a2>; msg done: queue_id: <5D37D2225F>; message id: <xmqqziem151v.fsf@gitster.mtv.corp.google.com>; ip: 209.132.180.67; from: <git-owner@vger.kernel.org>; rcpt: <mbulk.git.vger@noekeon.org> (1 total); user: unauthorized; spam scan: no spam; virus scan: skipped, no av servers; dkim: not signed, ignored
May 9 16:25:08 ober opendkim[24890]: 5D37D2225F: vger.kernel.org [209.132.180.67] not internal
May 9 16:25:08 ober opendkim[24890]: 5D37D2225F: not authenticated
May 9 16:25:08 ober opendkim[24890]: 5D37D2225F: s=20161025 d=gmail.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
May 9 16:25:08 ober opendkim[24890]: 5D37D2225F: bad signature data
</source>
Reading a bit this might be due to modification of the message headers [http://postfix.1071664.n5.nabble.com/many-domains-fail-dkim-sig-check-td71586.html].
One solution would be to install ''opendkim'' '''first''', then ''rmilter'' [https://serverfault.com/questions/747127/correct-order-for-postfix-milters].
Note however that rmilter does not see a valid signature either (<code>...; dkim: not signed, ...</code>).

We edit {{file|/etc/postfix/main.cf}} as follow.
<source lang="diff">
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -155,7 +155,7 @@ smtpd_relay_restrictions =
# rmilter setup
# smtpd_milters = unix:/var/spool/rmilter/rmilter.sock
-smtpd_milters = inet:127.0.0.1:9900, inet:127.0.0.1:12301
+smtpd_milters = inet:127.0.0.1:12301, inet:127.0.0.1:9900
non_smtpd_milters = inet:127.0.0.1:12301
</source>


=== DMARC ===
=== DMARC ===
See [https://dmarc.org/ dmarc.org]. DMARC is suggested by [https://support.google.com/mail/answer/81126?hl=en GMail Bulk Senders Guidelines].
See [https://dmarc.org/ dmarc.org]. DMARC is suggested by [https://support.google.com/mail/answer/81126?hl=en GMail Bulk Senders Guidelines], and when [https://support.google.com/mail/answer/2451690 messages are bounced due to DMARC policy].

Available guides:
* http://www.isyweb.com/configurer-linux/?SPF%2C+DKIM+et+DMARC
* https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
: Also covers installation of the DRMAC policy (to verify policy of incoming mails).

We can
* Publish a DMARC policy for outgoing mails. This is done by adding a DNS TXT record (see noekeon.org for instance).
* Verify DMARC policy of incoming mails. This requires to add a milter (see 2nd guide above).

;Testing
* To test DMARC policy, visit [http://www.mail-tester.com/ mail-tester.com] and follow the instructions.
* '''{{red|New}}''' See also https://www.learndmarc.com/, an interactive visualization of how SPF / DKIM / DMARC is performed by mail host.


== Aliases ==
== Aliases ==
Line 35: Line 134:
/^tom\..*@domain.com$/ tom@other.com
/^tom\..*@domain.com$/ tom@other.com
/^phil\..*@domain.com$/ phil@other.com
/^phil\..*@domain.com$/ phil@other.com

== Local delivery (procmail, sieve...) ==
See [http://www.postfix.org/local.8.html <code>local(8)</code>] for documentation on local mail delivery.

Some information:
* Configuration file is {{file|/etc/postfix/mail.cf}}.
* One may configure several delivery methods. The precedence of delivery methods from high to low is [http://www.postfix.org/local.8.html]: <code>aliases</code>, {{file|.forward}} files, <code>mailbox_transport_maps</code>, <code>mailbox_transport</code>, <code>mailbox_command_maps</code>, <code>mailbox_command</code>, <code>home_mailbox</code>, <code>mail_spool_directory</code>, <code>fallback_transport_maps</code>, <code>fallback_transport</code>, and <code>luser_relay</code>.

=== Procmail ===
Two options. Define it as user-level in {{file|~/.forward}} file:
"|exec /usr/local/bin/procmail || exit 75"

Or define it at system-level in {{file|/etc/postfix/main.cf}}:
<source lang="bash">
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
</source>

=== Sieve ===
See [[Sieve]] page.


== Troubleshooting ==
== Troubleshooting ==

Latest revision as of 09:36, 2 October 2023

References

Installation

Server

TBC

SRS

See Configuration Noekeon.org.

DKIM

Testing
  • See also guides in DMARC below for DKIM testing / validation.
Install

See this excellent guide on digitalocean.com. 

vi /etc/opendkim.conf
vi /etc/default/opendkim
vi /etc/postfix/main.cf
umask 022
mkdir -p /etc/opendkim/keys/noekeon.org
vi /etc/opendkim/TrustedHosts
vi /etc/opendkim/KeyTable
vi /etc/opendkim/SigningTable
cd /etc/opendkim/keys/noekeon.org
opendkim-genkey -s mail -d noekeon.org
chown opendkim:opendkim mail.private
# Make sure that all other files / directory are world readable
cat mail.txt
service postfix restart
service opendkim restart

We verify that it works correctly:

  • To check domain key validity, visit http://dkimcore.org/tools/keycheck.html.
  • To verify that DKIM is correctly configured, send a mail to check-auth@verifier.port25.com. You should see DKIM check:pass.
Alternatively, send a mail to a gmail account under your control, and check in email's headers that dkim=pass is present in the Authentication-Results header field.
Troubleshoot - ... not internal, ... not authenticated

... It doesn't! We get dkim=neutral.

Checking the logs, we have: 

grep opendkim /var/log/mail.info
# ...
# May  6 18:21:17 ober rmilter[14579]: <323cc8a125>; msg done: queue_id: <092462225F>; message id: <>; ip: 91.134.134.85; from: <mip.opendkim@noekeon.org>; rcpt: <check-auth@verifier.port25.com> ...
# May  6 18:21:17 ober opendkim[24890]: 092462225F: prime.immie.org [91.134.134.85] not internal
# May  6 18:21:17 ober opendkim[24890]: 092462225F: not authenticated
# ...

Same issue is found in GitHub issue report. Opendkim thinks that user is not authenticated. This is because postfix does not forward macro {auth_type} to opendkim milter. We edit /etc/postfix/main.cf: 

--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -159,7 +159,7 @@ smtpd_milters = inet:127.0.0.1:9900, inet:127.0.0.1:12301
 non_smtpd_milters = inet:127.0.0.1:12301
 milter_default_action = accept
 milter_protocol = 6
-milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

Then restart the service: 

service opendkim status

Now it works!

Troubleshoot - ... rsa routines INT_RSA_VERIFY bad signature - bad signature data

We see regularly message like the one below. 

May  9 16:25:08 ober postfix/smtpd[5444]: 5D37D2225F: client=vger.kernel.org[209.132.180.67]
May  9 16:25:08 ober rmilter[14579]: <1d889902a2>; mlfi_data: queue id: <5D37D2225F>
May  9 16:25:08 ober rmilter[14579]: <1d889902a2>; spamdscan: ...
May  9 16:25:08 ober rmilter[14579]: <1d889902a2>; msg done: queue_id: <5D37D2225F>; message id: <xmqqziem151v.fsf@gitster.mtv.corp.google.com>; ip: 209.132.180.67; from: <git-owner@vger.kernel.org>; rcpt: <mbulk.git.vger@noekeon.org> (1 total); user: unauthorized; spam scan: no spam; virus scan: skipped, no av servers; dkim: not signed, ignored
May  9 16:25:08 ober opendkim[24890]: 5D37D2225F: vger.kernel.org [209.132.180.67] not internal
May  9 16:25:08 ober opendkim[24890]: 5D37D2225F: not authenticated
May  9 16:25:08 ober opendkim[24890]: 5D37D2225F: s=20161025 d=gmail.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
May  9 16:25:08 ober opendkim[24890]: 5D37D2225F: bad signature data

Reading a bit this might be due to modification of the message headers [1]. One solution would be to install opendkim first, then rmilter [2]. Note however that rmilter does not see a valid signature either (...; dkim: not signed, ...).

We edit /etc/postfix/main.cf as follow. 

--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -155,7 +155,7 @@ smtpd_relay_restrictions =
 
 # rmilter setup
 # smtpd_milters = unix:/var/spool/rmilter/rmilter.sock
-smtpd_milters = inet:127.0.0.1:9900, inet:127.0.0.1:12301
+smtpd_milters = inet:127.0.0.1:12301, inet:127.0.0.1:9900
 non_smtpd_milters = inet:127.0.0.1:12301

DMARC

See dmarc.org. DMARC is suggested by GMail Bulk Senders Guidelines, and when messages are bounced due to DMARC policy.

Available guides:

Also covers installation of the DRMAC policy (to verify policy of incoming mails).

We can

  • Publish a DMARC policy for outgoing mails. This is done by adding a DNS TXT record (see noekeon.org for instance).
  • Verify DMARC policy of incoming mails. This requires to add a milter (see 2nd guide above).
Testing

Aliases

Add static aliases in default configuration

  • Edit /etc/aliases
  • Then run newaliases:
newaliases

Uses regexp (dynamic) aliases

Edit file /etc/postfix/main.cf as follows [3]: 

alias_maps = regexp:/etc/postfix/aliases-regexp

Then create /etc/postfix/aliases-regexp as follows: 

/^tom\..*@domain.com$/     tom@other.com
/^phil\..*@domain.com$/    phil@other.com

Local delivery (procmail, sieve...)

See local(8) for documentation on local mail delivery.

Some information:

  • Configuration file is /etc/postfix/mail.cf.
  • One may configure several delivery methods. The precedence of delivery methods from high to low is [4]: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport, and luser_relay.

Procmail

Two options. Define it as user-level in ~/.forward file: 

"|exec /usr/local/bin/procmail || exit 75"

Or define it at system-level in /etc/postfix/main.cf: 

mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir

Sieve

See Sieve page.

Troubleshooting

Debugging aliases

Use postmap: 

postmap -q mip@prime.immie.org hash:/etc/aliases regexp:/etc/aliases-regexp
postmap -q mip hash:/etc/aliases regexp:/etc/aliases-regexp

Handling deferred mail / message queue

Reference:

View the queue
mailq                        # ... or ...
postqueue -p
View a message
postcat -vq XXXXXXXXXX       # Replace XXXXXXXXXX with message ID
Process the queue now
postqueue -f                 # ... or ...
postfix flush
Delete the queue
postsuper -d ALL
postsuper -d ALL deferred    # Delete only deferred messages
Retrieved from "https://miki.immie.org/mediawiki/index.php?title=Postfix&oldid=17308"