plugins:opendkim

Differences

This shows you the differences between two versions of the page.

plugins:opendkim [2016/07/17 10:36]
theemstra [Existing milter configurations]
plugins:opendkim [2017/09/25 18:04] (current)
nuxwin
Line 1: Line 1:
-======OpenDKIM ​Plugin Documentation======+<WRAP center round important 60%> 
 +**Bear in mind that this documentation is for the last available version. If you use an older version, you must refer to the README.md file inside the plugin archive.** 
 +</​WRAP>​ 
 +<​markdown>​ 
 +# i-MSCP ​OpenDKIM ​plugin
  
-Plugin providing an OpenDKIM implementation for i-MSCP.+Provides DomainKeys Identified Mail (DKIM) service through MILTER.
  
-===== Requirements ===== +## Introduction
-  * i-MSCP versions >= 1.2.3 +
-  * See installation section for required software packages.+
  
-===== Limitations =====+DKIM provides a way for senders to confirm their identity when sending email by 
 +adding a cryptographic signature to the headers of the message.
  
-At the moment the DKIM signing is only supported for normal domains and alias domains. \\ It is planned to also support subdomains in a future version.+## Requirements
  
-===== Installation instructions =====+- i-MSCP Serie ≥ 1.4.x
  
-   +## Installation
-**1. Install needed Debian / Ubuntu packages**+
  
-  # aptitude update +1. Upload the plugin through the plugin management interface 
-  # aptitude install opendkim opendkim-tools +2. Install the plugin through the plugin management interface
-   +
-**Debian Squeeze**+
  
-Add the backports of Debian Squeeze to your /​etc/​apt/​sources.list:​+## Update
  
-  deb http://​backports.debian.org/​debian-backports squeeze-backports main contrib non-free +1Be sure that all requirements as stated in the requirements section are met 
-   +2Backup your plugin configuration file if needed 
-Installation of the opendkim packages:+3. Upload the plugin through ​the plugin management interface
  
-  ​aptitude update +### Restore you plugin configuration file if needed
-  ​aptitude -t squeeze-backports install opendkim opendkim-tools+
  
-**Ubuntu Lucid**+1. Restore your plugin configuration file (compare it with the new version 
 +   ​first) 
 +2. Update the plugin list through the plugin management interface
  
-Add the backports of Ubuntu Lucid to your /​etc/​apt/​sources.list:​+## Configuration
  
-  deb http://archive.ubuntu.com/ubuntu lucid-backports main restricted universe +See [Configuration file](https://github.com/i-MSCP/​plugins/​blob/​master/​incubator/​OpenDKIM/​config.php)
-   +
-Installation of the opendkim packages:+
  
-  # aptitude update +When changing a configuration parameter in the plugin configuration file, don'
-  # aptitude -lucid-backports install opendkim opendkim-tools +forget to trigger a plugin list update, else you're changes will not be token 
-   +into account.
-**Ubuntu Precise**+
  
-Add the backports of Ubuntu Precise to your /​etc/​apt/​sources.list:​+## Plugin working level
  
-  deb http://​archive.ubuntu.com/ubuntu precise-backports main restricted universe+It is possible to choose the plugin working level through the 
 +`plugin_working_level` plugin configuration parameterThere are actually two 
 +working levels which are `admin` and `reseller`.
  
-Installation of the opendkim packages:+When it works at the `admin` level, the plugin activates OpenDKIM for all 
 +customers automatically. In this working level, resellers can only trigger 
 +renewal of DKIM keys through their own management interface.
  
-  # aptitude update +When it works at `reseller` level, the plugin doesn'activate OpenDKIM 
-  # aptitude -precise-backports install opendkim opendkim-tools +automatically for customersResellers must enable ​the OpenDKIM feature 
-  +manually for all of their customers.
-**2Get the plugin from Plugin Store**+
  
-http://​i-mscp.net/​filebase/​index.php/​Filebase/​ +## Usage of an external DNS server
-  +
-**3. Plugin upload and installation**+
  
- * Login into the panel as admin and go to the plugin management interface +If you make use of an external DNS server (not the one managed by i-MSCP), you 
- * Upload ​the OpenDKIM plugin archive +must not forget ​to add the DKIM and ADSP DNS resource records in the zone of 
- * Install the plugin +your domain. ​
-  +
-===== Update =====+
  
-**1Get the plugin from Plugin Store**+Each domain has one DKIM and one ADSP DNS resource records and each subdomain has 
 +one ADSP resource record.
  
-http://​i-mscp.net/​filebase/​index.php/​Filebase/​+## Testing
  
-**2. Backup your current plugin config**+### Internal DKIM test
  
- # plugins/OpenDKIM/config.php +You can check on the command line if OpenDKIM ​is working for your domain by 
-  +running the following command:
-**3. Plugin upload and update**+
  
- * Login into the panel as admin and go to the plugin management interface +``` 
- * Upload the OpenDKIM plugin archive +opendkim-testkey -d example.com -s mail -vvv 
- * Update the plugin list +```
-  +
-===== Configuration =====+
  
-For the different configuration options please check the plugin config file.+The result should look similar like this one:
  
- plugins/OpenDKIM/config.php +``` 
-  +root@jessie32:/​etc/​opendkimopendkim-testkey -d weird.test.bbox.nuxwin.com -s mail -vvv 
-After you made your config changes, don't forget to update the plugin list.+opendkim-testkey:​ using default configfile ​/etc/opendkim.conf 
 +opendkim-testkey:​ checking key 'mail._domainkey.weird.test.bbox.nuxwin.com'​ 
 +opendkim-testkey:​ key not secure 
 +opendkim-testkey:​ key OK 
 +```
  
- * Login into the panel as admin and go to the plugin management interface +Note that the `key not secure` message doesn'​t indicate an error. It is the 
- * Update the plugin list+expected consequence of not using DNSSSEC.
  
-===== Testing =====+You can also query your DNS server to check the TXT record for your domain:
  
-==== Internal DKIM test ====+``` 
 +dig -t txt mail._domainkey.example.com 
 +```
  
-You could check on the command line if OpenDKIM is working for your domain: +### External DKIM test
-  +
- opendkim-testkey -d example.com -s mail -vvv +
-  +
-The result should look similar like this one. The 'key not secure'​ does not indicate an error. It is an expected consequence of not using DNSSSEC.+
  
- opendkim-testkeychecking key '​mail._domainkey.example.com+Go to [dkimvalidator.com](http://​dkimvalidator.comand send a mail from the 
- opendkim-testkey:​ key not secure +domain ​for which you activated OpenDKIM to the random mail addressOnce you 
- opendkim-testkey:​ key OK +have sent the mail, wait few seconds and then, click on the `View Results` 
-  +buttonYou should get a result similar to:
-Query your DNS server ​and check the TXT DKIM record ​for your domain+
-  +
- # dig -t txt mail._domainkey.example.com+
  
-==== External DKIM test ====+#### Original Message
  
-Open one of the links below and send a mail from the domain you activated ​OpenDKIM ​to the random ​mail address shown on that page.+``` 
 +Received: ​from jessie32.bbox.nuxwin.com (xxx-xxx-xx-xx.abo.bbox.fr [xxx.xxx.xx.xx]) 
 + by relay-4.us-west-2.relay-prod (Postfix) with ESMTPS id 9B57F160208 
 + for <​[email protected]>;​ Sat,  2 Sep 2017 18:29:48 +0000 (UTC) 
 +Received: from panel.bbox.nuxwin.com (jessie32.bbox.nuxwin.com.local [127.0.0.1]) 
 + (Authenticated sender: [email protected]
 + by jessie32.bbox.nuxwin.com (Postfix) with ESMTPA id F3E645FC6A 
 + for <​[email protected]>;​ Sat,  2 Sep 2017 20:30:21 +0200 (CEST) 
 +DKIM-Filter: ​OpenDKIM ​Filter v2.9.2 jessie32.bbox.nuxwin.com F3E645FC6A 
 +DKIM-Signature:​ v=1; a=rsa-sha256;​ c=relaxed/​simple;​ 
 + d=weird.test.bbox.nuxwin.com;​ s=mail; t=1504377022;​ 
 + [email protected];​ 
 + bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/​GaJedfustWU5uGs=;​ 
 + h=Date:​From:​To:​Subject:​From;​ 
 + b=HdAyJ/​C0tBH5UkzZSGXo2ESZ6+8tCr1O/​LC3REVuyRg1TSB/​bYGDAv/​H05+nJSisD 
 + fExsy/​Irnjjz5bVNSUq0nB8mPoHaTMibh9mWAC/​Q23WDsu9j9vprH5TGw0k91UUuur 
 + XQm2anEaugJtvEpCSdOf3CMHlxUF9M/​oMti+Bm0N/​aoqsvu1vRZHazQH4PUMd+Thyq 
 + PtnEx4ZPQaU/​f1HOdZTi7c4KjwWHoLDdQ1mNAwknUMjm5hsw2MGIIW0ecumNqzzKZH 
 + vIFhX75q2Hw03rByI5paaUrf6bAEozOmQghDTzz+07pn/​aYhoK+jNYMEvev/​F8pRqz 
 + 596UbuEZYMC1w== 
 +MIME-Version:​ 1.0 
 +Content-Type:​ text/plain; charset=US-ASCII;​ 
 + ​format=flowed 
 +Content-Transfer-Encoding:​ 7bit 
 +Date: Sat, 02 Sep 2017 20:30:21 +0200 
 +From: [email protected] 
 +To: [email protected] 
 +Subject: test 
 +Message-ID: <​[email protected]>​ 
 +X-Sender: [email protected] 
 +User-Agent: Roundcube Webmail/1.2.5
  
- https://​www.mail-tester.com+test 
 +```
  
-or+#### DKIM Information
  
- http://​www.brandonchecketts.com/​emailtest.php +``` 
-  +DKIM Signature
-After you sent the mail, click on that page the 'View Results'​ button and verify the **DKIM Information:​** section.+
  
- DKIM Information:​ +Message contains this DKIM Signature: 
-   +DKIM-Filter:​ OpenDKIM Filter v2.9.2 jessie32.bbox.nuxwin.com F3E645FC6A 
- DKIM Signature +DKIM-Signature:​ v=1; a=rsa-sha256;​ c=relaxed/simple; 
-   + d=weird.test.bbox.nuxwin.com; s=mail; t=1504377022;​ 
-   + [email protected]
- Message contains this DKIM Signature:​ + bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; 
- DKIM-Signature:​ v=1; a=rsa-sha256;​ c=simple/simple; d=example.com; + h=Date:​From:​To:​Subject:​From;​ 
- s=mail; t=1385558914+ b=HdAyJ/C0tBH5UkzZSGXo2ESZ6+8tCr1O/LC3REVuyRg1TSB/bYGDAv/​H05+nJSisD 
- bh=fdkeB/A0FkbVP2k4J4pNPoeWH6vqBm9+b0C3OY87Cw8=; +  fExsy/Irnjjz5bVNSUq0nB8mPoHaTMibh9mWAC/Q23WDsu9j9vprH5TGw0k91UUuur 
- h=Date:​From:​To:​Subject:​From;​ +  XQm2anEaugJtvEpCSdOf3CMHlxUF9M/oMti+Bm0N/​aoqsvu1vRZHazQH4PUMd+Thyq 
- b=ZtWi/eDZtQ0RDv60FCDf4c+G9gqhFH3r6RPCw9vr400auTH0PnkOwt2BuLNpv4Uh4 +  PtnEx4ZPQaU/​f1HOdZTi7c4KjwWHoLDdQ1mNAwknUMjm5hsw2MGIIW0ecumNqzzKZH 
- wjBHhFnIqt+t/c9/DLCC8envKmnzco8BATgXl5I5HHLxDcGMFYlwHDgOLXcCKXOXA5 +  vIFhX75q2Hw03rByI5paaUrf6bAEozOmQghDTzz+07pn/aYhoK+jNYMEvev/F8pRqz 
- 15oFPlimBrwZXnq3XOJCwopZmUmZZhUyYT8pZO9k= +  596UbuEZYMC1w==
-  ​ +
-   +
- Signature Information:​ +
- v= Version: ​        1 +
- a= Algorithm: ​      ​rsa-sha256 +
- c= Method: ​         simple/simple +
- d= Domain: ​         example.com +
- s= Selector: ​       mail +
- q= Protocol: ​        +
- bh=                 fdkeB/A0FkbVP2k4J4pNPoeWH6vqBm9+b0C3OY87Cw8= +
- h= Signed Headers: ​ Date:​From:​To:​Subject:​From +
- b= Data:            ZtWi/eDZtQ0RDv60FCDf4c+G9gqhFH3r6RPCw9vr400auTH0PnkOwt2BuLNpv4Uh4 +
- wjBHhFnIqt+t/​c9/​DLCC8envKmnzco8BATgXl5I5HHLxDcGMFYlwHDgOLXcCKXOXA5 +
- 15oFPlimBrwZXnq3XOJCwopZmUmZZhUyYT8pZO9k= +
- Public Key DNS Lookup +
-   +
-  ​ +
- Building DNS Query for mail._domainkey.example.com +
- Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN+HbTA3/7KoENKhMr6qRO0cFeaDX1NSD5Xe7zkGhkvOnajIrhycu0XyxzHLTTSbFLq9juJmUbPmP9OVj44o0p/​NqoLQ9oWjfkcM+7nq+S4QYGoM7h+SMcxjFm05mo0LdessYi/Sw5z6x87nMkLD/​wQViDvctss4srrPTr/​hqD+wIDAQAB +
- Validating Signature +
-  ​ +
-   +
- result ​pass +
- Details:  ​+
  
-===== Authors ​=====+Signature Information:​ 
 +vVersion: ​        1 
 +aAlgorithm: ​      ​rsa-sha256 
 +cMethod: ​         relaxed/​simple 
 +dDomain: ​         weird.test.bbox.nuxwin.com 
 +sSelector: ​       mail 
 +qProtocol: ​        
 +bh                g3zLYH4xKxcPrHOD18z9YfpQcnk/​GaJedfustWU5uGs= 
 +hSigned Headers: ​ Date:​From:​To:​Subject:​From 
 +bData:            HdAyJ/​C0tBH5UkzZSGXo2ESZ6+8tCr1O/​LC3REVuyRg1TSB/​bYGDAv/​H05+nJSisD 
 + fExsy/​Irnjjz5bVNSUq0nB8mPoHaTMibh9mWAC/​Q23WDsu9j9vprH5TGw0k91UUuur 
 + XQm2anEaugJtvEpCSdOf3CMHlxUF9M/​oMti+Bm0N/​aoqsvu1vRZHazQH4PUMd+Thyq 
 + PtnEx4ZPQaU/​f1HOdZTi7c4KjwWHoLDdQ1mNAwknUMjm5hsw2MGIIW0ecumNqzzKZH 
 + vIFhX75q2Hw03rByI5paaUrf6bAEozOmQghDTzz+07pn/​aYhoK+jNYMEvev/​F8pRqz 
 + 596UbuEZYMC1w== 
 +Public Key DNS Lookup
  
-  * Sascha Bay <​[email protected]>​ +Building DNS Query for mail._domainkey.weird.test.bbox.nuxwin.com 
-  * Rene Schuster <mail@reneschuster.de>+Retrieved this publickey from DNS: v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsGfEnQP49L7DrUvR8/​cPOciHvATQkxXTgBm4qUcNFFDLnT6s45xsmU068RTED/​QGJWaeL2eQcd7c5p7dlUdqVugYSfB+aDjOJuvPIr3P/​jiISt6HERoBafu7pkc2mj92S70Xq3Jyx6lgIhMe63UGKyeyuBJHB7Nm3KHHiZFqH7AWtQwgBpMqa7LKPj4OCIELZ+G8SO8OMAkytLndDf40lABXXHsyjFSTaOPb27BStTLBmZT58AwPtSHTZ7+8hz+reHZDUXMos96SiwcvxOepDMSBMMdKpAI7iu+v86F+ewaMRllAogVIAFZb68DgjAUvk6fwDE4mwGyGk1y7QdKVEwIDAQAB 
 +Validating Signature
  
-===== Contributor ​===== +result ​pass 
 +Details:  
 +``` 
 + 
 +#### SPF Information 
 + 
 +``` 
 +Using this information that I obtained from the headers 
 + 
 +Helo Address ​jessie32.bbox.nuxwin.com 
 +From Address ​[email protected] 
 +From IP      ​xxx.xxx.xx.xx 
 +SPF Record Lookup 
 + 
 +Looking up TXT SPF record for sub1.weird.test.bbox.nuxwin.com 
 +Found the following namesevers for sub1.weird.test.bbox.nuxwin.com:​  
 +Retrieved this SPF Record: zone updated 20170902 (TTL 43897) 
 +Using local nameserver for SPF resolution. ​ This will probably be cached! 
 +Result: pass (Mechanism '​include:​weird.test.bbox.nuxwin.com'​ matched) 
 + 
 +Result code: pass 
 +Local Explanation:​ sub1.weird.test.bbox.nuxwin.com:​ Sender is authorized to use '​[email protected]'​ in '​mfrom'​ identity (mechanism '​include:​weird.test.bbox.nuxwin.com'​ matched) 
 +spf_header ​Received-SPF:​ pass (sub1.weird.test.bbox.nuxwin.com:​ Sender is authorized to use '​[email protected]'​ in '​mfrom'​ identity (mechanism '​include:​weird.test.bbox.nuxwin.com'​ matched)) receiver=dkimvalidator.com;​ identity=mailfrom; envelope-from="​[email protected]";​ helo=jessie32.bbox.nuxwin.com;​ client-ip=xxx.xxx.xx.xx 
 +``` 
 + 
 +Regarding the SpamAssassin information at bottom, you can ignore them as the 
 +SpamAssassin installation used is not able to validate DKIM signatures when 
 +DKIM ADSP extension is involved.  
 + 
 +## License 
 + 
 +    i-MSCP ​ OpenDKIM plugin 
 +    Copyright (C) 2013-2017 Laurent Declercq <​[email protected]>​ 
 +    Copyright (C) 2013-2016 Rene Schuster <​[email protected]>​ 
 +    Copyright (C) 2013-2016 Sascha Bay <​[email protected]>​ 
 +     
 +    This program is free software; you can redistribute it and/or modify 
 +    it under the terms of the GNU General Public License as published by 
 +    the Free Software Foundation; version 2 of the License 
 +     
 +    This program is distributed in the hope that it will be useful, 
 +    but WITHOUT ANY WARRANTY; without even the implied warranty of 
 +    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ​ See the 
 +    GNU General Public License for more details. 
 +</​markdown>​
  
-  * Laurent Declercq <​[email protected]>​ 
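Review bot: The new "Usage of an external DNS server" section tells the reader to add the DKIM and ADSP resource records to an externally hosted zone, but it never says what those records contain or where to read their values. Suggest naming the DKIM record (the Testing section already queries `mail._domainkey.example.com`) and pointing to where the generated public key and the ADSP value can be copied from, so operators of external zones do not have to guess. Separately, the removed installation steps were the only place that named the `opendkim` and `opendkim-tools` packages, while the Testing section still relies on `opendkim-testkey`; the Requirements section should state whether the plugin now installs them. Wording to fix in the added text: "Restore you plugin configuration file" (your), "you're changes will not be token into account" (your, taken), "i-MSCP Serie", "look similar like this one", and "DNSSSEC" (DNSSEC).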
/var/www/virtual/i-mscp.net/wiki/htdocs/data/attic/plugins/opendkim.1468751813.txt.gz · Last modified: 2016/07/17 10:36 by theemstra