DKIM

Hi,

my mail server (Kerio) can apply DKIM signatures. Piping DKIM signed
mails through Ciphermail disrupts the validity of the DKIM signatures.
Postfix on the Ciphermail server has to apply the DKIM signature after
the mail was processed by Ciphermail. This could be achieved by following
these howtos:

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

http://unixwars.blogspot.de/2015/01/8bitmime-and-dkim-body-authentication.html

The second is required at my site because without it mails sent by
Thunderbird fail validation by remote servers. My master.cf now looks
like this:

smtp inet n - - - - smtpd
    -o message_size_limit=${djigzo_before_filter_message_size_limit}
    -o content_filter=smtp-downconvert:127.0.0.1:10026
pickup fifo n - - 60 1 pickup
...
# cleanup for reinject so we can set the hopcount_limit differently for
# the reinjection port
cleanup_reinject unix n - - - 0 cleanup
    -o hopcount_limit=100

smtp-downconvert unix - - - - 2 smtp
    -o smtp_discard_ehlo_keywords=8bitmime,silent-discard

127.0.0.1:10026 inet n - n - 10 smtpd
    -o content_filter=
...

Suggestion: Add a DKIM config option to Ciphermail :-)

cheers
Matthias

--

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info(a)mhcsoftware.de

HR Coburg: B2242
Managing director: Matthias Henze

Hi,

my first approach with "opendkim" does not work as "opendkim" uses
milter and Ciphermail is a content filter. Milters are applied before
content filters and the S/MIME signature modifies the body of the mail
with the signature. This invalidates the DKIM signature. Took me a day
to figure this out as I was not aware of the described processing order.
Finally I found this out just by reading the (previously ignored)
headlines of Postfix After-Queue Content Filter and
www.postfix.org/MILTER_README.html :-)

See postfix_dkim_support [MHC SoftWare Wiki] (sorry, German) for
details.

cheers
Matthias



Adding the DKIM milter on the reinjection port(s) should work. After
handling the mail (i.e., encryption/decryption etc), the back-end sends
the mail back to postfix on a "reinjection port" (port 10026).

I haven't tested it but the following might work:

See the following line in master under the 127.0.0.1:10026 section:

-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters

You should change this line to something like:

-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,smtpd_milters=REPLACEWITHDKIMMILTER

This should enable the DKIM milter after the message has been
encrypted/decrypted/signed.

Again, I have not tested this but this should work (might need some
minimal changes though)

Then again, your suggestion of using dkimproxy is also a good alternative
until DKIM support has been added to CipherMail*.

Kind regards,

Martijn Brinkers

* "native" DKIM support is basically working but not enabled for all
SMTP outgoing mail. We will see whether we can make it possible to
enable this for all outgoing email.


--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail
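As an added illustration (not configuration from the thread, from CipherMail or from the Postfix documentation), here is the reinjection-port entry of master.cf with a DKIM milter attached the way Martijn describes, next to the downconvert transport from Matthias's configuration, so that the 8BITMIME-to-7bit conversion happens before the milter signs. Unlike the line quoted above, smtpd_milters is set as its own -o option and no_milters is simply dropped from receive_override_options, because smtpd_milters is not a receive_override_options value. The milter socket inet:127.0.0.1:8891 is an assumption; use whatever socket your DKIM milter actually listens on.

```conf
# Outbound mail from the MTA reaches CipherMail through this transport.
# Discarding 8BITMIME here makes Postfix convert 8-bit bodies to 7-bit
# (quoted-printable) BEFORE CipherMail and the DKIM milter see the
# message, so the body that gets signed is the body the remote server
# will receive.
smtp-downconvert unix - - - - 2 smtp
    -o smtp_discard_ehlo_keywords=8bitmime,silent-discard

# Reinjection port: CipherMail hands the signed/encrypted message back
# here. Milters attached to THIS smtpd run after the content filter,
# so a DKIM signature added here covers the final S/MIME body.
127.0.0.1:10026 inet n - n - 10 smtpd
    -o content_filter=
    # no_milters removed; smtpd_milters is a separate parameter,
    # not a receive_override_options value
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    # ASSUMPTION: socket of the DKIM milter, which must be configured
    # to sign (not only verify) mail arriving from 127.0.0.1
    -o smtpd_milters=inet:127.0.0.1:8891
    # Postfix default, stated explicitly: if the milter is unreachable,
    # defer the message instead of sending it out unsigned
    -o milter_default_action=tempfail
```

After `postfix reload`, a test message sent through the MTA should arrive with a DKIM-Signature header added on the reinjection pass, and a remote verifier should report the body hash as matching even for mail that left the client as 8-bit.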


Interesting .. thanks for your reply.


Is there a timeline for new releases and a list of planned features?

A nice feature would be something like this:

NoSpamProxy offers this feature. There are several ways to use it. It
requires that a web portal is accessible from the Internet. One way is
to tell the software to detach the attachments of mails, store them and
generate a mail for the recipient with a link for the download. You also
can generate a mail which allows the recipient to upload a file, and
write a comment. Then you get notified by mail and you can download it
with a generated link.

Just an idea for an enhancement :-)

cheers
Matthias


Hi,

Is there a timeline for new releases and a list of planned features?

Maybe pushing generated PGP keys and/or via nsupdate would be a great and useful feature. Retrieving keys from DNS, too. :-)

cul8r!
Django