I have server, i install POSTFIX & i need make configuration

Customer Question

Hello
i have server , i install POSTFIX & i need make configuration of SPF & DKIM CAN SOMEONE HELP ME ?
THANK YOU
i have Ubuntu
Submitted: 1 year ago.
Category: Software
Expert:  Mr.Med replied 1 year ago.
Hello and welcome to justanswer, My name is ***** ***** i will be assisting you today,
Please check this link : https://www.exratione.com/2014/07/setting-up-spf-and-dkim-for-an-ubuntu-1404-mail-server/
Let me know if you need further help
Thank you
Customer: replied 1 year ago.
can you explain me more please !
im not expert of Administration server !
can i give u my login & password and configure that TXT please for me
Expert:  Mr.Med replied 1 year ago.
Add the following to /etc/opendkim.conf: (you can use the command : nano or vi)
Domain example.com : Put your domain address here
KeyFile /etc/postfix/dkim.key
Selector dkim
SOCKET inet:[email protected] : you can change localhost by your IP address (server IP)
Save and exit the file.
Now open and Add the following to /etc/default/opendkim:
SOCKET="inet:[email protected]"
save & exit
Now check your postfix server.
Thank you
Customer: replied 1 year ago.
sir step with step pls ! xD
i need configure SPF First after DKIM
Expert:  Mr.Med replied 1 year ago.
Ok let's get started, First I hope you have installed Postfix without any errors.
second follow these steps to install/configure SPF :
1-In Ubuntu there are two RFC 4408 compliant policy servers for postfix you can use. One is written in Python. The other is written in Perl.
The Perl package meets most basic requirements. The Python package is significantly more sophisticated (it provides a sane set of defaults, so setup is not necessarily more complex).
For the Python programs, installation is:
sudo apt-get install postfix-policyd-spf-python
For the Perl system, installation is:
sudo apt-get install postfix-policyd-spf-perl
2-Postfix Integration :
In /etc/postfix/main.cf you will need to add the following line (it doesn't matter where; usually they get added to the end):
policy-spf_time_limit = 3600s
Add this section to /etc/postfix/master.cf for the Python script
policy-spf unix - n n - - spawn
  user=nobody argv=/usr/bin/policyd-spf
or for the Perl script
policy-spf unix - n n - - spawn
  user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
3-Finally, you need to add the policy service to your smtpd_recipient_restrictions in file /etc/postfix/main.cf:
smtpd_recipient_restrictions =
  ...
  permit_sasl_authenticated
  permit_mynetworks
  reject_unauth_destination
  check_policy_service unix:private/policy-spf
  ...
4-Reload Postfix
sudo /etc/init.d/postfix reload
5-Verifying It's Working
Check your mail logs. The Python server logs mail that is rejected or deferred due to SPF. If there is a problem with the policy server or its integration with Postfix, it will be logged.
tail -f /var/log/mail.log
or
less /var/log/mail.log
Let me know the result after you finish the configuration of SPF.
Thank you
Customer: replied 1 year ago.
thank you i use python i do all but this Step i don't und well
Screenshot : http://puu.sh/jIw99/50006bf3aa.png
3-Finally, you need to add the policy service to your smtpd_recipient_restrictions in file /etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
check_policy_service unix:private/policy-spf
...
Expert:  Mr.Med replied 1 year ago.
For this step, it depends on your decisions, for example: (connections you want to allow or block)
Here are examples of simple restriction lists:
http://www.postfix.org/SMTPD_ACCESS_README.html
Hope this helps
Thank you
Customer: replied 1 year ago.
my object is to send many emails ( newsletter )
so i don't need have restriction
Expert:  Mr.Med replied 1 year ago.
Ok you can pass this step. and verify if the service is working or not (hope it work)
Thank you
Customer: replied 1 year ago.
ok i need make some modification in TXT of DNS of domain ?
Expert:  Mr.Med replied 1 year ago.
You will make the modifications in the DomainKeys Identified Mail (DKIM)
Customer: replied 1 year ago.
i want know now we finish SPF ?
( im bad in english sir :( )
Expert:  Mr.Med replied 1 year ago.

Yes, we have finished with SPF. It's ok, your English is good :)

Customer: replied 1 year ago.
if all good , i will give u bonus :)
and what about DKIM NOW , what i need do ?
Customer: replied 1 year ago.
See :( : http://mxtoolbox.com/SuperTool.aspx?action=spf%3a5.175.233.98&run=toolpage
Expert:  Mr.Med replied 1 year ago.
Thank you.
For DKIM, please follow these steps :
First You need to Install opendkim :
sudo aptitude install opendkim opendkim-tools
sudo aptitude install opendkim/precise-backports
sudo aptitude install opendkim-tools/precise-backports
opendkim configuration consists of two files:
/etc/opendkim.conf
/etc/default/opendkim
Use your favorite editor to edit those files.
This is an example of /etc/opendkim.conf file already edited
Note: (you need to edit it to suit your needs)- Please read carefully the configuration.
# ***** to syslog
Syslog yes
# ***** to use local socket with MTAs that access the socket as a non-
# ***** user (e.g. Postfix)
#UMask 002
# ***** (2.5.2.dfsg-1ubuntu1) hardy:
# ***** new umask option by default (not needed since Ubuntu default
# ***** a TCP socket instead of a Unix socket).
# ***** to become the specified userid before starting operations.
#UserID 105 # ***** postfix' in your shell
# ***** for example.com with key in /etc/mail/dkim.key using
# ***** '2007' (e.g. 2007._domainkey.example.com)
Domain ubuntu.ro
KeyFile /etc/mail/dkim.key # ***** below how to generate and set up the key
Selector mail
# ***** settings. See dkim-filter.conf(5) for more information.
AutoRestart yes
Background yes
Canonicalization relaxed/relaxed
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
SubDomains no
#UseASPDiscard no
#Version rfc4871
X-Header no
#InternalHosts /etc/mail/dkim-InternalHosts.txt
# ***** contents of /etc/mail/dkim-InternalHosts.txt should be
# 127.0.0.1/8
# 192.168.1.0/24
# other.internal.host.domain.tld
# ***** need InternalHosts if you are signing e-mails on a gateway mail server
# ***** each of the computers on your LAN.
###############################################
# ***** (less-standard) configuration options #
###############################################
#
# ***** enabled, log verification stats here
Statistics /var/log/dkim-filter/dkim-stats
#
# ***** is a file containing tuples of key information. Requires
# ***** to be unset. Each line of the file should be of the format:
# sender glob:signing domain:signing key file
# ***** lines and lines beginning with # ***** ignored. Selector will be
# ***** from the key's filename.
#KeyList /etc/dkim-keys.conf
#
# ***** enabled, will generate verification failure reports for any messages
# ***** fail signature verification. These will be sent to the r= address
# ***** the policy record, if any.
#ReportInfo yes
#
# ***** enabled, will issue a Sendmail QUARANTINE for any messages that fail
# ***** verification, allowing them to be inspected later.
#Quarantine yes
#
# ***** enabled, will check for required headers when processing messages.
# ***** a minimum, that means From: and Date: will be required. Messages not
# ***** the required headers will not be signed or verified, but will
# ***** passed through
#RequiredHeaders yes
/etc/opendkim.conf is the most important file. It provides our milter with the required information about the selector (used for DNS requests and email verification) and the signing key (used for signing outgoing emails).
Here's an example of /etc/default/opendkim. This file is used to connect the milter to the MTA:
# ***** options specified here will override the contents of
# ***** See dkim-filter(8) for a complete list of options.
#DAEMON_OPTS=""
#
# ***** to specify an alternate socket
# ***** that setting this will override any Socket value in dkim-filter.conf
#SOCKET="local:/var/run/dkim-filter/dkim-filter.sock" # ***** default
#SOCKET="inet:54321" # ***** on all interfaces on port 54321
SOCKET="inet:[email protected]" # ***** default - listen on loopback on port 8891
#SOCKET="inet***@******.***" # ***** on 192.0.2.1 on port 12345
Now, to tell the Postfix about the existing milter, and where to connect with it, edit your Postfix main.cf file /etc/postfix/main.cf, and append to its content the following data:
# *****
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
If you are using already some milter (for example Postfix/DomainKeys), you can add the new one like this:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
The opendkim-tools package provides a tool, opendkim-genkey for creating your key pairs:
opendkim-genkey -t -s mail -d ubuntu.ro
This will generate two files: mail.private which is your private key, and mail.txt which is your DNS record containing your public key.
The -s argument supplies the selector (in our case "mail"), the -d argument supplies the domain, and the -t argument says that we are running DKIM in test mode. This indicates that verifiers shouldn't drop your mail if something's wrong with the signature. It seems that the majority using DKIM run it in test mode.
Copy your private key in place:
cp mail.private /etc/mail/dkim.key
Now create your DNS record as supplied in mail.txt, which should look like this:
mail._domainkey.ubuntu.ro. IN TXT "v=DKIM1; g=*; k=rsa; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB" ; ----- DKIM mail for ubuntu.ro
Startup and testing :
Once configuration above was done, the daemon can be started with:
sudo service opendkim start
If it doesn't start, search the logs for problems and see what it requires more:
grep -i dkim /var/log/mail.log
Instead of using sudo service opendkim start you can run dkim-filter directly:
dkim-filter -x /etc/dkim-filter.conf
If you get the error like: dkim-filter: milter socket must be specified Then try manually specifying the socket. Use this to specify local (which does not match /etc/default/dkim-filter above):
dkim-filter -x /etc/dkim-filter.conf -p local
Now restart the Postfix MTA, and check for email signing:
sudo service postfix restart
For testing :
just send an email to autorespond+dkim[at]dk.elandsys.com
Testing results should look like this in Gmail: http://stas.nerd.ro/blog/data/dkim-filter.png
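
Added example (not part of the original thread, and not code from OpenDKIM or Postfix): a Python sketch that checks the one thing the three files in the post above must agree on, the milter socket. It resolves OpenDKIM's listener (SOCKET= in /etc/default/opendkim overriding Socket in /etc/opendkim.conf) and compares it with Postfix's smtpd_milters and non_smtpd_milters. The sample file contents, the function names and the 8892 mismatch are constructed for illustration.

```python
import re

# Constructed sample files, modelled on the settings quoted in the post above.
OPENDKIM_CONF = "Domain example.com\nSelector mail\nSocket local:/var/run/opendkim/opendkim.sock\n"
DEFAULT_OPENDKIM = '#SOCKET="inet:54321"\nSOCKET="inet:8891@localhost"\n'
MAIN_CF = """\
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8892
"""
LOOPBACK = {"localhost": "127.0.0.1"}


def canon_opendkim(spec):
    """OpenDKIM syntax: inet:PORT@HOST, inet:PORT (all interfaces), local:/path."""
    kind, _, rest = spec.partition(":")
    if kind in ("local", "unix"):
        return ("unix", rest)
    port, _, host = rest.partition("@")
    return ("inet", LOOPBACK.get(host, host) or "*", int(port))


def canon_postfix(spec):
    """Postfix syntax: inet:HOST:PORT or unix:/path."""
    kind, _, rest = spec.partition(":")
    if kind == "unix":
        return ("unix", rest)
    host, _, port = rest.rpartition(":")
    return ("inet", LOOPBACK.get(host, host), int(port))


def listener(opendkim_conf, default_file):
    """Socket OpenDKIM opens; SOCKET= in the defaults file overrides Socket."""
    m = re.search(r'^[ \t]*SOCKET="?([^"\s#]+)', default_file, re.M)
    if not m:
        m = re.search(r'^[ \t]*Socket[ \t]+(\S+)', opendkim_conf, re.M | re.I)
    return canon_opendkim(m.group(1)) if m else None


def reaches(listen, endpoint):
    """True when a Postfix milter endpoint points at OpenDKIM's listener."""
    if listen[0] == "inet" and listen[1] == "*":   # bound to every interface
        return endpoint[0] == "inet" and endpoint[2] == listen[2]
    return endpoint == listen


def unmatched_milters(opendkim_conf, default_file, main_cf):
    """Names of the Postfix milter parameters with no endpoint reaching OpenDKIM."""
    listen = listener(opendkim_conf, default_file)
    missing = []
    for name in ("smtpd_milters", "non_smtpd_milters"):
        m = re.search(rf"^{name}[ \t]*=[ \t]*(.*)$", main_cf, re.M)
        specs = re.split(r"[,\s]+", m.group(1).strip()) if m else []
        endpoints = [canon_postfix(s) for s in specs if s]
        if listen is None or not any(reaches(listen, e) for e in endpoints):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("OpenDKIM listens on:", listener(OPENDKIM_CONF, DEFAULT_OPENDKIM))
    # non_smtpd_milters covers mail handed over with the sendmail command
    # (which is how PHP mail() submits), so a mismatch there leaves it unsigned.
    print("Not connected to OpenDKIM:",
          unmatched_milters(OPENDKIM_CONF, DEFAULT_OPENDKIM, MAIN_CF))
```

To run it against a real host, read the three files from disk and pass their contents in place of the constructed strings.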
Customer: replied 1 year ago.
i have ubuntu ,
[email protected]:~# ***** aptitude install opendkim opendkim-tools
sudo: aptitude: command not found
Expert:  Mr.Med replied 1 year ago.

Please try :

sudo apt-get install opendkim opendkim-tools

Customer: replied 1 year ago.
Your command works : but second & third i try change it to apt-get install but don't work :
Screenshot : http://puu.sh/jIBph/d54ed11312.png
Expert:  Mr.Med replied 1 year ago.

can you try : sudo apt-get install opendkim opendkim-tools

Customer: replied 1 year ago.
its installed !
Expert:  Mr.Med replied 1 year ago.

That's awesome! All you need now is to follow the step by step instructions to configure your server.

Thank you

Expert:  Mr.Med replied 1 year ago.
If you have a moment please rate or accept my service by clicking on one of the faces below, positive ratings are appreciated.
Thank you
Customer: replied 1 year ago.
thank you ,
sir i need know, just copy past configuration that all ?
Expert:  Mr.Med replied 1 year ago.
No, you need to access the files and edit them, for example add your domain and your IP address, and the TXT file will be generated by the postfix server.
regards
Customer: replied 1 year ago.
i don't where i do my ip & domain in configuration sir :( /etc/opendkim.conf
Expert:  Mr.Med replied 1 year ago.

please open /etc/opendkim.conf and replace ubuntu.ro by your domain

For the IP address you can keep localhost.

Thank you

Customer: replied 1 year ago.
sir i don't see any ubuntu.ro in my file
http://puu.sh/jIFla/8bbc832fe5.png
Expert:  Mr.Med replied 1 year ago.

In your situation it is domain.com, please delete the # from the line you want to edit.

http://4.1m.yt/jOBb6QUk.png

Customer: replied 1 year ago.
Done : http://puu.sh/jIHmH/6ac948d241.png :D
what next sir :)
Expert:  Mr.Med replied 1 year ago.

Now open /etc/default/opendkim and delete all # from this file, once you finish close and save it

You can replace localhost by your internal IP address if you want.

Expert:  Mr.Med replied 1 year ago.

Once you finish type : opendkim-genkey -t -s mail -d (your domain)

This will generate two files: mail.private which is your private key, and mail.txt which is your DNS record containing your public key. The -s argument supplies the selector (in our case "mail"), the -d argument supplies the domain, and the -t argument says that we are running DKIM in test mode

Now Copy your private key in place: cp mail.private /etc/mail/dkim.key

Customer: replied 1 year ago.
last step :
[email protected]:~# ***** mail.private /etc/mail/dkim.key
cp: cannot create regular file ‘/etc/mail/dkim.key’: No such file or directory
Expert:  Mr.Med replied 1 year ago.
Please replace mail.txt (mail) by your DNS record that is containing your public key.
Customer: replied 1 year ago.
can show where ?
http://puu.sh/jIJXQ/c3d513b57f.png
Expert:  Mr.Med replied 1 year ago.

can you type pwd and send me a screenshot

Thank you

Customer: replied 1 year ago.
http://puu.sh/jIK5Q/57c25552d8.png
Customer: replied 1 year ago.
Expert:  Mr.Med replied 1 year ago.
Thanks, your file seems good, you have generated the private key.
Can you try again this command please cp mail.private /etc/mail/dkim.key
Customer: replied 1 year ago.
http://puu.sh/jIKuS/e9eccfc79d.png
Expert:  Mr.Med replied 1 year ago.

ok type : cd /etc/mail/ or cd /etc/mail/

Let me know if you can access to this directory

thanks

Customer: replied 1 year ago.
nop : http://puu.sh/jIKHy/751ed33fa8.png
Expert:  Mr.Med replied 1 year ago.

can you try with cd etc/mail/ or etc/mail

Customer: replied 1 year ago.
don't work :
http://puu.sh/jIKUh/13f2420043.png
Customer: replied 1 year ago.
there is no DIR mail :(
http://puu.sh/jIKVD/bd1f9c7c1c.png
Expert:  Mr.Med replied 1 year ago.

can you tell me what is the location of your mail.txt ?

Customer: replied 1 year ago.
http://puu.sh/jILdP/f8284bf9fb.png
Expert:  Mr.Med replied 1 year ago.

First type : mkdir -p /etc/mail/

then cp mail.private /etc/mail/dkim.key

Customer: replied 1 year ago.
Done :)
what next :D
Customer: replied 1 year ago.
my domain : http://puu.sh/jILJ9/f884e7e987.png
Expert:  Mr.Med replied 1 year ago.

now type : sudo service opendkim start and test

Customer: replied 1 year ago.
how can i test ?
Expert:  Mr.Med replied 1 year ago.

For the test, please use one of those solutions: http://www.appmaildev.com/en/dkim/

Your satisfaction is my top goal. If you have a moment please rate my service by clicking on one of the faces below, positive ratings are appreciated.

Thank you

Customer: replied 1 year ago.
http://puu.sh/jIMrH/82bc688122.png
Customer: replied 1 year ago.
can i send via php and use mail() ? its ok ?
Expert:  Mr.Med replied 1 year ago.

ok good your service is running good, all you need to do now is to test it

JustAnswer has a 100% satisfaction guarantee. We value you as a customer and very much want you to be satisfied.

Thank you

Expert:  Mr.Med replied 1 year ago.

yes you can.

Customer: replied 1 year ago.
bad : (http://puu.sh/jIMUI/e40fd01cb8.png
Expert:  Mr.Med replied 1 year ago.

can you restart dkim and try again please sudo service opendkim restart

Expert:  Mr.Med replied 1 year ago.

any changes ?

Customer: replied 1 year ago.
any change sir , and DKIM don't show in header of mail GMAIL :(
i wait ur answer
Customer: replied 1 year ago.
Expert:  Mr.Med replied 1 year ago.

Hi, I'm sorry to hear that you still have problem with dkim

Please start over with this configuration : https://rtcamp.com/tutorials/mail/dkim-postfix-ubuntu/

Hope this help

Thank you

Customer: replied 1 year ago.
Sir SPF still not working too !!
Expert:  Mr.Med replied 1 year ago.

type tail -f /var/log/mail.log or less /var/log/mail.log

Check your mail logs. The Python server logs mail that is rejected or deferred due to SPF. If there is a problem with the policy server or its integration with Postfix, it will be logged.

Customer: replied 1 year ago.
Screenshot : http://puu.sh/jJgiW/44bed6cf05.png
Expert:  Mr.Med replied 1 year ago.

Does the last line say it's finished?

Customer: replied 1 year ago.
but when i test yesterday in gmail was error !
Expert:  Mr.Med replied 1 year ago.

I don't see what the problem is. It looks like everything's working. The logs say there's some outgoing email, it tries to connect to gmail.smtp.in.l.google.com via IPv6, it fails so it tries to connect via 74.125.71.27 and is successful, and the last line says it's finished.

Expert:  Mr.Med replied 1 year ago.

so SPF is working fine, you need just to reconfigure the DKIM

Thank you

Customer: replied 1 year ago.
ok im working for DKIM what u give me
Expert:  Mr.Med replied 1 year ago.

Ok good, hope it works. If not, let me open your question to another expert.

Please only rate if you're satisfied with my help/answers, do not rate an answer as poor/bad service if you're not satisfied

Thank you

best regards,

Customer: replied 1 year ago.
Starting OpenDKIM: opendkim: smfi_opensocket() failed
opendkim.
Expert:  Mr.Med replied 1 year ago.

sudo service opendkim start or sudo service opendkim restart

Customer: replied 1 year ago.
http://puu.sh/jJhRT/07d7301e35.png :( : (
Expert:  Mr.Med replied 1 year ago.

can you type : ps aux | grep opendkim and send me the results

Customer: replied 1 year ago.
RESULT : http://puu.sh/jJiYQ/f82cbe1d52.png
Expert:  Mr.Med replied 1 year ago.

Try running the following command

semanage port -a -t milter_port_t -p tcp 8891

sudo service opendkim start

Or sudo service opendkim restart

Customer: replied 1 year ago.
Problem in semanage : http://puu.sh/jJj95/106190ca7f.png
Expert:  Mr.Med replied 1 year ago.

it seems that the network socket is already occupied, try restarting ubuntu and check

Customer: replied 1 year ago.
Still same problem , maybe its cause some configuration bad ?
http://puu.sh/jJjMs/420b4ec845.png
Expert:  Mr.Med replied 1 year ago.

Yes it could be, I fear I am not making progress with this case, and cannot necessarily deliver what you are seeking,
so I must Opt Out, with sincere regrets.

If and when another Expert takes up the case, you ought to receive a notification email.

Please do not rate my answer negatively; this way another can take over

Thanks

Customer: replied 1 year ago.
ok i will not , Don't worry ,
change for me other expert so
Expert:  Terry replied 1 year ago.

From the web site:

Newsflash

As of July 2015, all supported Postfix releases no longer enable export-grade ciphers, and no longer enable the SSLv2 and SSLv3 protocols. These ciphers and protocols have little if any legitimate use today, and have instead become a vehicle for downgrade attacks. See the announcement for more.

Logjam Attack: this has mostly the same countermeasure as FREAK: disable EXPORT ciphers on the SMTP server side, as described under the next bullet.

FREAK Attack: To protect vulnerable clients execute as root "postconf smtpd_tls_exclude_ciphers=EXPORT; postfix reload". This command removes EXPORT ciphers with opportunistic as well as mandatory TLS. The impact of this attack was already low because each Postfix SMTP server process computes its own "ephemeral" RSA key and terminates after a limited time.

GHOST Attack: Postfix does not call gethostbyname() since 2005. There is no Postfix code that invokes this function unless Postfix is specifically built for operating systems from more than 10 years ago (this requires the compile-time option "-DNO_IPV6").

If you found this helpful please rate my answer. Thanks

Terry