, Before starting this post I want to thanks Ilija from matoski.com as this post is based on his work on SPF / DKIM for Debian. Let’s start with a very short description of DKIM. DomainKeys Identified Mail is a mechanism designated to detect email spoofing (i.e. Be sure that the original email content is the same as the received).
It works with signatures. The public key is available on a DNS entry of the sender domain zone and the private key used to generate this signature is stored on the mail server.
This post will show how to configure DKIM on a Debian server with Postfix and automatize the configuration with Plesk. I assume you have sufficient permission to run these commands. Runing configuration Debian wheezy 3.2.0-4-amd64 Postfix 2.9.6 Plesk 12.0 OpenDKIM 2.6.8 After a great disscussion with M. Lieske who did a new install in August 2016, I can confirm it works with Debian jessie 8.5, OpenDKIM 2.9.2 (with some adjustements in the script below, see notes) and Plesk 12.5 Installation Let’s start with the installation of the OpenDKIM package. # Log to syslog Syslog yes SyslogSuccess yes LogWhy yes # Required to use local socket with MTAs that access the socket as a non- # privileged user (e.g. Postfix) UMask 002 # Commonly-used options; the commented-out versions show the defaults. Canonicalization relaxed/simple Mode sv PidFile /var/run/opendkim/opendkim.pid # Always oversign From (sign using actual From and a null From to prevent # malicious signatures header fields (From and/or others) between the signer # and the verifier.
![Postfix Configuration File Plesk Server Postfix Configuration File Plesk Server](/uploads/1/2/5/3/125369736/210364382.png)
![Postfix Configuration File Plesk Server Postfix Configuration File Plesk Server](/uploads/1/2/5/3/125369736/243153732.png)
From is oversigned by default in the Debian pacakge # because it is often the identity key used by reputation systems and thus # somewhat security sensitive. OversignHeaders From # Our KeyTable and SigningTable KeyTable refile:/etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable # Trusted Hosts ExternalIgnoreList /etc/opendkim/TrustedHosts InternalHosts /etc/opendkim/TrustedHosts # Hashing Algorithm SignatureAlgorithm rsa-sha256 # Auto restart when the failure occurs. CAUTION: This may cause a tight fork loops AutoRestart Yes AutoRestartRate 10/1h # Set the user and group to opendkim user UserID opendkim:opendkim # Specify the working socket Socket inet:8891@localhost.
To view or configure the mail service settings: Go to Tools & Settings > Mail Server Settings (in the Mail group). Leave the Enable mail management functions in Plesk checkbox selected if you want to allow your users to create mail accounts through Customer Panel and use the mail services provided by the Plesk-managed mail server. If you are using an external mail server, clear this checkbox.
Service opendkim restart Postfix configuration The base setup of OpenDKIM is done we have now to setup Postfix to use it as milter. Open the /etc/postfix/main.cf and add the “inet:127.0.0.1:8891” value to the smtpdmilters and nonsmtpdmilters configuration values.
There should already have other milters configured (psa-pc-remote / OpenDMARC / SPF), it depends from your actual configuration of Postfix. The order of the milters are important, especially for OpenDMARC that should be the last one as it depends of SPF and OpenDKIM. Service postfix restart OpenDKIM domain scripts At this point OpenDKIM is configured and active in Postfix, last step is to generate Keys for every domains. Here is the full script that will enable DKIM for a specific domain. This script will:.
Create the Keys. Setup the Signing Table to enable the DKIM signature for all addresses of this domain. Add the domain to the trusted hosts file. Create the DNS record on the Plesk Database.
Update DNS configuration via a Plesk CLI command. Reload services to apply the changes. Be sure to enable SPF signing for this domain.
Echo 'Warning: DNS record is not automatically removed'; Plesk automation When a domain is created or removed from Plesk it would be fun to automatize DKIM activation or deactivation. Fist we have to create another custom script to handle every action for a domain creation and another one when the domain is removed. Even if Plesk events handler can have multiple command lines it’s better to only do a call to an external script. For the example let’s have a script folder at the system root /scripts/ that will contain every scripts. The first one is “openDKIMDomGen.sh”. It contains every lines of the OpenDKIM creation script shown above.
The second one is “openDKIMDomRemove.sh” and contain the removal script above. These scripts can be executed only from the root user (chmod 700). Let’s create the script “pleskDomainCreatedEvent.sh” that will be called when a new domain is created. / scripts / postSRSDomainRemove.sh $ 1 Next phase is to configure Plesk Event Manager. Log on to Plesk with administrator account an go to Server Management - Tools & Settings - Tools & Ressources - Event Manager. Create a new Event Handler for the domain creation: Then create a new Event Handler for the domain removal: Configure OpenDKIM for every active domains on the Plesk server The Plesk Event Handler doesn’t help to configure OpenDKIM of all already active domains on the Plesk Server. A little command that call the openDKIMDomGen.sh script for every domain can be used.
Got it set up, works nicely, right up until I add more than 10 addresses to a domain, then I get an error (I’ve increased the number of mailboxes to 20). In http errrorlog I see: Tue Nov 07 11:77 2017 php7:notice pid 44698 client x.x.x.x:x caused by query: n WITH idx AS (SELECT. FROM mailbox n LEFT JOIN alias ON mailbox.username=alias.address LEFT JOIN vacation ON mailbox.username=vacation.email n WHERE mailbox.domain=’helpdesk.onemarketing.dk’ n ORDER BY mailbox.username ) n SELECT mailbox.username AS label, (SELECT (COUNT(.) – 1) FROM idx t1 WHERE t1.mailbox.username.
I experienced the same problem. Here’s a “quick and dirty” fix: 1. Open the “config.inc.php” file in your postfixadmin folder (in my case, it’s here: /var/www/html/postfixadmin-3.0.2/config.inc.php) 2. Search for the “$CONF‘pagesize’” variable (for me it’s on line 191) and change the number from 10 to something larger. I set mine to 100. It will look like this: $CONF‘pagesize’ = ‘100’; 3.
Save the “config.inc.php” file. Refresh your webpage and you’ll now see all of your email addresses.
The longer, nerdier explanation: In the “functions.inc.php” file, there is a function called “createpagebrowser” which checks for the pagesize variable and then gets the number of rows from the database. If there are too many rows to fit on one page, PostfixAdmin decides that it needs to select only a few of the rows instead of every row in the table. By default, it shows 10 addresses per page, which is why you got the error after adding more than 10 email addresses. For us who are following the guide, this is executed on line 517 of “functions.inc.php” under the if statement “if (dbsqlite)”. Inside this statement it uses a query that JOINs the mailbox usernames and aliases, then selects the right amount of rows to show on the page. The problem is that the syntax is wrong and instead of SELECTing a row from the “idx” JOIN, it instead references the database table directly. So why did I give a “quick and dirty” fix?
It seems that despite my best efforts, it throws an error even when the syntax is correct. To test this, I downloaded sqlitebrowser and loaded my.db file.
I tested my syntax and it works. I put that syntax into “functions.inc.php” and it throws an error on the “WITH” statement. Even when I copy and paste the syntax from the errorlog and execute it in sqlitebrowser, it works, but for some reason the website just doesn’t like it. Perhaps someone out there can take this info and improve on what I’ve done. So for now, printing every email address and alias is just fine for me, but if you have hundreds of email addresses, perhaps you’ll need to dig deeper than I did.
I hope this helps someone because the guide on this website was the first one I followed after many, many failed attempts at building a simple mail server and the only problem I ran into was this one, so with this fixed, everything works flawlessly. Thank you to the admin who wrote this great guide! Thank you so much for the awesome tutorial!
I did install this on my little server and it works fine so far. I want to highlight a few issues I had that took me some time to troubleshoot for others to pay attention. Don’t use the latest release of Postfixadmin 3.2 as there appears to be a bug with configuring the sqlite database. Keep to 3.0.2 like explained in this guide. When the author says “Edit the main.cf file:”. He doesn’t mean nano /etc/postfix/main.cf but he means just to enter the list of commands inside the terminal.
I stupidly added those to the main.cf using nano and I didn’t understand why postfix refused to start.