haraka-plugin-dkim

INSTALL

cd /path/to/local/haraka
npm install haraka-plugin-dkim
echo "dkim" >> config/plugins
service haraka restart

Configuration

If the default configuration is not sufficient, copy the config file from the distribution into your haraka config dir and then modify it:

cp node_modules/haraka-plugin-dkim/config/dkim.ini config/dkim.ini
$EDITOR config/dkim.ini

SIGNING

This plugin implements the DKIM Core specification.

Getting Started

Generate a DKIM selector and keys for your domain:

cd /path/to/haraka/config/dkim
./dkim_key_gen.sh example.org

Within the config/dkim/${domain} directory will be 4 files:

ls config/dkim/example.org/
dns private public selector

The selector file contains the DNS label where the DKIM public key is published. The private and public files contain the DKIM keys.

The dns file contains a formatted record of the public key suitable for copy/pasting into your domain's zone file. It also has suggestions for DKIM, SPF, and DMARC policy records.

The DKIM DNS record will look like this:

may2013._domainkey TXT "v=DKIM1;p=[public key stripped of whitespace];"

The optional tags in the record have the following meaning:

hash: h=[ sha1 | sha256 ]
test: t=[ s | s:y ]
granularity: g=[ ]
notes: n=[ ]
services: s=[email]
keytypes: k=[ rsa ]

Key size

The default key size created by dkim_key_gen.sh is 2048. That is considered secure as of mid-2024.

What to sign

Messages from example.org should be signed with a DKIM key for example.org. Failing to do so will result in messages not having an aligned DKIM signature. For DMARC-enabled domains, this will likely result in deliverability problems.

For correct alignment, Haraka signs each message with the DKIM key of the domain the message is from. For an alternative, see the legacy Single Domain Configuration below.

Configuration

DKIM signing is configured in the sign section of dkim.ini.

[sign]
enabled = [ 1 | true | yes ], default=false
headers = list, of; headers (REQUIRED)

; for single domain configuration
selector = name
domain = name

  • headers: the list of headers that should be signed, separated by commas, colons or semi-colons. Signing prevents tampering with the specified headers. The 'From' header is required by the RFC and will be added if missing.

Single Domain Configuration

To sign all messages with a single DKIM key, you must set the selector and domain in dkim.ini. You must also save your DKIM private key in the file dkim.private.key in the Haraka config directory.

  • selector - Set this to the selector name published in DNS under the _domainkey sub-domain of the domain referenced below.

  • domain - Set this to the domain name that will be used to sign messages which don't match a per-domain DKIM key. The DNS TXT entry for this key is:

    $SELECTOR._domainkey.$DOMAIN

Test that your DKIM key is published properly with a DNS request like this:

drill TXT $SELECTOR._domainkey.$DOMAIN
dig TXT $SELECTOR._domainkey.$DOMAIN +short

Example DNS query

$ export SELECTOR=mar2013
$ export DOMAIN=simerson.net
$ dig TXT $SELECTOR._domainkey.$DOMAIN +short
"v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyUzGOTSOmakY8BcxXgi0mN/nFegLBPs7aaGQUtjHfa8yUrt9T2j6GSXgdjLuG3R43WjePQv3RHzc+bwwOkdw0XDOXiztn5mhrlaflbVr5PMSTrv64/cpFQKLtgQx8Vgqp7Dh3jw13rLomRTqJFgMrMHdhIibZEa69gtuAfDqoeXo6QDSGk5JuBAeRHEH27FriHulg5ob" "4F4lmh7fMFVsDGkQEF6jaIVYqvRjDyyQed3R3aTJX3fpb3QrtRqvfn/LAf+3kzW58AjsERpsNCSTD2RquxbnyoR/1wdGKb8cUlD/EXvqtvpVnOzHeSeMEqex3kQI8HOGsEehWZlKd+GqwIDAQAB"

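As an added example (not part of the plugin or its documentation), the following Python checks a published record the way the tag list and the dig output above suggest: it joins the quoted TXT strings that dig prints, parses the tag=value pairs, flags t=y testing mode and an empty (revoked) p=, and walks the DER of the public key to report its size against the 2048-bit recommendation. It uses the record from the dig example above as sample input; the DER reader is a minimal one written for this example, not a library call.

```python
import base64
import re

# Sample input: the `dig TXT ... +short` output from the example above, as dig
# prints it (two quoted strings, since one TXT string holds at most 255 bytes).
DIG_OUTPUT = (
    '"v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyUzGOTSOmakY8BcxXgi0mN/nFegLBPs7aaGQUtjHfa8yUrt9T2j6GSXgdjLuG3R43WjePQv3RHzc+bwwOkdw0XDOXiztn5mhrlaflbVr5PMSTrv64/cpFQKLtgQx8Vgqp7Dh3jw13rLomRTqJFgMrMHdhIibZEa69gtuAfDqoeXo6QDSGk5JuBAeRHEH27FriHulg5ob" '
    '"4F4lmh7fMFVsDGkQEF6jaIVYqvRjDyyQed3R3aTJX3fpb3QrtRqvfn/LAf+3kzW58AjsERpsNCSTD2RquxbnyoR/1wdGKb8cUlD/EXvqtvpVnOzHeSeMEqex3kQI8HOGsEehWZlKd+GqwIDAQAB"'
)

def parse_dkim_record(dig_line):
    """Join the quoted TXT strings, then split the record into tag=value pairs."""
    joined = "".join(re.findall(r'"([^"]*)"', dig_line))
    pairs = [p.split("=", 1) for p in joined.split(";") if "=" in p]
    return {k.strip(): re.sub(r"\s", "", v) for k, v in pairs}  # FWS in values is not significant

def _tlv(der, i):
    """Minimal DER reader: (tag, content_start, content_end) for the element at offset i."""
    tag, length, i = der[i], der[i + 1], i + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, i = int.from_bytes(der[i:i + n], "big"), i + n
    return tag, i, i + length

def rsa_key_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus INTEGER."""
    _, seq_start, _ = _tlv(spki_der, 0)                  # outer SEQUENCE
    _, _, alg_end = _tlv(spki_der, seq_start)            # AlgorithmIdentifier (skipped)
    _, bits_start, _ = _tlv(spki_der, alg_end)           # BIT STRING; first byte = unused bits
    _, rsa_start, _ = _tlv(spki_der, bits_start + 1)     # RSAPublicKey SEQUENCE
    _, n_start, n_end = _tlv(spki_der, rsa_start)        # modulus INTEGER
    modulus = spki_der[n_start:n_end].lstrip(b"\x00")    # drop the sign-padding zero byte
    return len(modulus) * 8

def check_dkim_record(dig_line):
    """Findings a mail admin wants about a published DKIM key record."""
    tags = parse_dkim_record(dig_line)
    findings = {
        "version_ok": tags.get("v", "DKIM1") == "DKIM1",      # v= is optional, must be DKIM1 if present
        "key_type": tags.get("k", "rsa"),                       # k= defaults to rsa
        "testing_mode": "y" in tags.get("t", "").split(":"),    # t=y: verifiers treat results as testing
        "revoked": tags.get("p", "") == "",                     # empty p= means the key is revoked
        "key_bits": None,
    }
    if not findings["revoked"]:
        findings["key_bits"] = rsa_key_bits(base64.b64decode(tags["p"]))
    return findings
```

Run it against the output of `dig TXT $SELECTOR._domainkey.$DOMAIN +short` for your own selector; a key_bits below 2048 or testing_mode set to True is worth fixing before relying on DMARC.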
DKIM VERIFY

Verify DKIM signatures as defined by RFC 6376 and add an Authentication-Results header as appropriate.

Configuration

[verify]
; allowed_time_skew = (How far can we stretch on time matching, in secs. Useful when clock is skewed.)
; sigerror_log_level =

Testing

This plugin provides a command-line test tool that can be used to debug DKIM issues or to check results.

# dkimverify < message
identity="@gmail.com" domain="gmail.com" result=pass

You can add --debug to the option arguments to see a full trace of the processing.

Notes

This plugin and underlying library do not currently support DKIM body length limits (l=).

haraka-plugin-dkim's Issues

DKIM sign works only for the MTA instance

Hi

I have followed the guide:
https://haraka.github.io/plugins/dkim_sign

I have successfully sent outgoing emails, but I am facing an issue where DKIM signing only works for the main domain. For example, if the MTA hostname is relay.domain.com and I send an email from this domain, DKIM works perfectly fine. However, when I try to send an email from another domain like domain.com, the message is not signed with the main DKIM. Can you please help me understand what I am missing here?

DKIM with same key but using different domains

In our infrastructure we allow signing from multiple domains but using the same keys.

Based on the question, I understand that is secure.
http://serverfault.com/questions/785151/dkim-with-same-key-but-different-domains

You currently allow:

  1. Sign all email with the same domain/key (legacy and not secure)
  2. Sign all email with different keys per domain

We found it very difficult to maintain a new key for every domain. So we ended up using the same key but with different domains.
Why don't you allow that?

DKIM sign issue

system info

Please report your OS, Node version, and Haraka version by running this shell script on your Haraka server and replacing this section with the output.
Ubuntu
Latest Haraka
Latest Nodejs

I will show:
I used the dkim generator provided dkim_key_gen.sh.
Folder: relay.mymta.com contains all the files: DNS, selector, private, public
[Screenshot 2024-04-17 004630 omitted]

dkim_sign.ini:

[main]


[sign]
enabled = true
selector = apr2024
domain = relay.mymta.com
key_path = /opt/haraka/config/dkim/relay.mymta.com/private

dkim.ini:

[main]


[sign]
enabled = true
selector = apr2024
domain = relay.mymta.com
key_path = /opt/haraka/config/dkim/relay.mymta.com/private

DKIM set in the main domain:

ubuntu@relay:/opt/haraka$ dig apr2024._domainkey.relay.mymta.com TXT +short
"v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4SyoWWf7/G0gkeIdxl7kEWojoDmiNIhMupB9gOhtYcBDPLVXcGF2ksVD0ztkU9SYhuFYOUgGeooHKr+hGcOQclSsbw2+ deleted the rest"
ubuntu@relay:/opt/haraka$

I also tried to copy the private file generated in the dkim folder under the main domain and renamed the file:
key_path = /opt/haraka/config/dkim.private.key

Message source in Gmail:

Delivered-To: [email protected]
Received: by 2002:a17:906:d975:b0:a52:6ce5:7cc with SMTP id rp21csp696544ejb;
        Tue, 16 Apr 2024 15:03:20 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHuf+e+LrPz9uLY1O64zI3UKytq4uaWadGGTzU5zqIHR0Mk3s0sgQWlDti1k2fHZoLlvtp5
X-Received: by 2002:a25:df91:0:b0:de1:f7ed:3236 with SMTP id w139-20020a25df91000000b00de1f7ed3236mr10643052ybg.30.1713305000317;
        Tue, 16 Apr 2024 15:03:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1713305000; cv=none;
        d=google.com; s=arc-20160816;
        b=zCCxIILDRhLpxSd11nyvN9YVzTgwM4ZrY3qx3xcbasy1+Z7t7iah/kVz8GRYNmVQgm
         8KdaDqIWwzKRqD7nJLrIH1oU3H7dJsacYF31+OWopmP69lItc+Hbl0IiE197pIbFfFVm
         plD+ZVwvZJN9lOhz7Hils6rlgvSA0/n1qMaHz//pS9q7ptpR1JisETLtI8mcdH/650e8
         Db68ss0Pz46vNoYlNiqHTYGEE01i/AzekIwCfd0TvY5eNBuCpU6zSxs6TiGTzDi4QsqL
         GiMVkDR5+u0Gn7U12BjzoIIpSKfbrAyu3VdXmgGQuo5tLicD3BMW9A0Oud5QOL2qawRG
         EyPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=dkim-signature:message-id:subject:from:to:date;
        bh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=;
        b=lDt/a7O+ivwJA+bhoqupGVaTLThOEiP24+Tf0ILjaJfoqvxdJFHnex81QWb6NwJ95c
         XuGlzccgP+aLasS4G4IfoQr93t/OhdFwU8R9CrB5gipkOfdCnTw82Tf7tEcDIIx7pGGI
         EZfapBok4MIk55gj1HFcMzP0sX/5hARRwzxJuObZXU+9ksS7I47vEwMeId2ZxRF/W/lc
         G1Qvnv7GYCvMnxxF7RsxgaJGOulCDHRoKpqmc/tKud69Henq0p4R9BrEWOIDoB82Kiys
         a+8Oa8F6ba/d386btTjtemmX/rQ09H5SszdpByU10tqJ5esvxMOyZRyJD9xj61MLMSAf
         I2eA==;
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=temperror (no key for signature) [email protected] header.s=mail header.b=0A02wYN0;
       spf=pass (google.com: domain of [email protected] designates 15.235.10.1 as permitted sender) [email protected];
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=domain.com
Return-Path: <[email protected]>
Received: from server.domain.com (server.domain.com. [15.235.10.1])
        by mx.google.com with ESMTPS id d9-20020a25adc9000000b00dcdbc351e3asi5685685ybe.309.2024.04.16.15.03.20
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 16 Apr 2024 15:03:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 15.235.10.1 as permitted sender) client-ip=15.235.10.1;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) [email protected] header.s=mail header.b=0A02wYN0;
       spf=pass (google.com: domain of [email protected] designates 15.235.10.1 as permitted sender) [email protected];
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=domain.com
Received: (Haraka outbound); Tue, 16 Apr 2024 22:03:19 +0000
Authentication-Results: server.domain.com; auth=pass (cram-md5)
Received: from server.domain.com (Unknown [127.0.0.1]) by server.domain.com (Haraka/3.0.3) with ESMTPA id 54AECDC0-80FE-4010-8956-EEFCE0B91FAA.1 envelope-from <[email protected]> (authenticated bits=0); Tue, 16 Apr 2024 22:03:19 +0000
Date: Tue, 16 Apr 2024 22:03:19 +0000
To: [email protected]
From: [email protected]
Subject: Test DKIM signing
Message-Id: <[email protected]>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail; h=from:subject:date:message-id:to; bh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=; b=0A02wYN0za2aXrF+oZUm3r00IoS2ybqnVfDJTf68HuWKubc2jxfZ4xjRel2D1L4Ka+bkSS3okp d7gNblGhb7W3dHsIr67aoec7H3knOOfV+dy/GWtxr8dKIOxRp3r9Nn+mOKoSQbdAQwG6Huj07f6l kJwNPvrQ5IQrWhRA6RZYV0Csg7PgIJXSWjwE9o6/T4cqVZ9ey5PrqV8+D9TkRnFhD47+YKkE4fp9 sK5yAA0+nwDzazRkczs3B7BvFIGcgI/cGECuXVnda3USM9cm42G4QBv5GX7GbF9onmuTz5NUFkEd +14M4d00bpZwdcoxABQXYFtC+VzjyRgmINKlQOTA==

This is a test mailing

DKIM: | 'FAIL' with domain example.com

But I set the correct settings, I also tried dkim.ini and dkim_sign.ini - where is the correct file?
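As an added example (not code from the plugin or from either reporter), the following Python reads the headers of a message like the one posted above and reports what the receiver saw: which selector and domain the DKIM-Signature points at (and so which DNS name the key had to exist under), whether the signing domain aligns with the From domain as the What to sign section requires, and the dkim= verdict in Authentication-Results. It also covers the relay.domain.com versus domain.com case from the first issue; the sample addresses are placeholders for the redacted ones, and the relaxed-alignment check is an approximation (a real verifier compares organizational domains).

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the message source posted above: the addresses
# are placeholders for the redacted ones and the b=/bh= values are shortened.
RAW = """\
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.s=mail header.b=0A02wYN0;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=domain.com
To: recipient@example.invalid
From: sender@domain.com
Subject: Test DKIM signing
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail;
 h=from:subject:date:message-id:to; bh=ecGWgW...; b=0A02wYN0...

This is a test mailing
"""

def dkim_tags(value):
    """Split a DKIM-Signature tag-list into a dict; folding whitespace is ignored."""
    pairs = [p.split("=", 1) for p in re.sub(r"\s", "", value).split(";") if "=" in p]
    return dict(pairs)

def alignment(sig_domain, from_domain):
    """DMARC-style identifier alignment. Strict is an exact match; relaxed is
    approximated here as 'one is the other or a subdomain of it' (a full verifier
    compares organizational domains using the public suffix list)."""
    a, b = sig_domain.lower(), from_domain.lower()
    strict = a == b
    return {"strict": strict, "relaxed": strict or a.endswith("." + b) or b.endswith("." + a)}

def diagnose(raw):
    """Explain a DKIM failure from the message's own headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    sig = dkim_tags(str(msg["DKIM-Signature"]))
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1]
    verdict = re.search(r"\bdkim=(\w+)", str(msg["Authentication-Results"] or ""))
    return {
        "signing_domain": sig["d"],
        "selector": sig["s"],
        "key_record": f"{sig['s']}._domainkey.{sig['d']}",  # where the verifier looked for the key
        "from_domain": from_domain,
        "alignment": alignment(sig["d"], from_domain),
        "receiver_dkim_result": verdict.group(1) if verdict else None,
    }
```

For the posted message this reports key_record mail._domainkey.example.com and no alignment with domain.com, which is consistent with the receiver's temperror: the signature names a selector and domain for which no key is published, not the apr2024 key the reporter created for relay.mymta.com.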
