Koozali.org: home of the SME Server

[SOLVED] t= option in DKIM

Michail Pappas
[SOLVED] t= option in DKIM
« on: May 19, 2017, 11:17:47 AM »
If one enables DKIM, then qpsmtpd-print-dns will print a long string of the form:

default._domainkey IN TXT "v=DKIM1;p=<longkey>;t=y"
...

Notice the t=y option in the end. When I first encountered it, I took the quick and dirty road to figure out what that does, by feeding the entire DKIM record in http://dkimcore.org/c/keycheck

On that site, I was informed that "The 'y' flag tells recipients to ignore your DKIM signature". Which for me meant that I should omit the ";t=y" from the DNS TXT entry.

Checking things out today, I noticed that a DKIM signed message also includes a t= field, which is a timestamp though. All in all:

1) is this a case of a field used differently on the DKIM DNS TXT entry, compared to how it is used on DKIM-signed messages?
2) Did I do right to remove t=y from the DKIM DNS record?
« Last Edit: May 24, 2017, 07:25:51 AM by Michail Pappas »

TerryF

  • grumpy old man
Re: t= option in DKIM
« Reply #1 on: May 19, 2017, 11:34:12 AM »
Info re t= : http://dkim.org/specs/rfc4871-dkimbase.html

Two refs. One is info related and in the sig header field, i.e. the timestamp.

The other is a management related option: test message or not.
« Last Edit: May 19, 2017, 11:36:29 AM by TerryF »
--
qui scribit bis legit

Michail Pappas
Re: t= option in DKIM
« Reply #2 on: May 19, 2017, 12:05:27 PM »
Thanks Terry, so it is one option and two entirely different contexts.


Michail Pappas
Re: t= option in DKIM
« Reply #3 on: May 19, 2017, 12:37:10 PM »
There might be a minor bug here, let me know if it is worth submitting it as one: the qpsmtpd-print-dns command includes by default a "t=y" field at the end of the DNS record it proposes to the user. The strange thing is that in https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#publishing_your_dns_entries as well as in https://wiki.contribs.org/Email#Publishing_your_DNS_entries the "t=y" is omitted. If the admin does not notice, he will copy/paste and create a DNS record that will effectively do nothing (since testing mode is enabled).

Like I said, if this requires a bug report to be submitted, let me know.

Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: t= option in DKIM
« Reply #4 on: May 19, 2017, 04:13:55 PM »
t=y means use it in test mode.

If your policy is too restrictive you might end up with good mail refused. Hence, this is a good approach to start with the t=y switch to only get the warnings and reports but no emails rejected. After a while you might take the time to remove it, or to adapt the policy to get the results you want before removing the switch.
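The point made in the opening post and in the two replies above (the same tag name, t=, meaning "testing flags" in the DNS key record and "signing timestamp" in the DKIM-Signature header) can be checked mechanically. The following is an added example, not code from the thread or from the SME Server qpsmtpd tooling; it parses the RFC 6376 tag=value syntax used in both places, joins the split TXT strings that qpsmtpd-print-dns emits, and reports whether a key record is in test mode or revoked and whether a signature has expired. The zone line, the DKIM-Signature header, the domain example.net and all function names are constructed for the example.

```python
"""Parse DKIM tag=value lists and show the two meanings of the t= tag.

Added example, not part of the forum thread or of the SME Server
qpsmtpd-print-dns tool.  The tag=value syntax is RFC 6376 section 3.2;
the key-record flags (section 3.6.1) and the signature timestamp
(section 3.5) are the two contexts discussed in the thread.  The record
and header below are constructed; the key material is a truncated stub.
"""
import re
import time

# Constructed DNS TXT record as a zone-file line.  The value is split into
# two quoted strings, as qpsmtpd-print-dns does (one TXT string is limited
# to 255 bytes); a verifier concatenates the strings before parsing.
ZONE_LINE = ('default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC"'
             '"AQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9J; t=y"')

# Constructed DKIM-Signature header as it would appear in a signed message
# (t= is the signing time, x= the expiry, both Unix timestamps).
SIGNATURE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net; "
    "s=default; t=1495191467; x=1495796267; "
    "h=from:to:subject:date; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; "
    "b=dGVzdA=="
)


def txt_strings(zone_line):
    """Join the quoted strings of a TXT zone-file line into one record."""
    parts = re.findall(r'"([^"]*)"', zone_line)
    if not parts:
        raise ValueError("no quoted TXT strings found")
    return "".join(parts)


def parse_tags(text):
    """Split a DKIM tag=value list (key record or signature body) into a dict.

    RFC 6376: tags are separated by ';', whitespace around '=' and inside
    values is ignored, tag names are case-sensitive, duplicates are an error.
    """
    tags = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        name, value = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = "".join(value.split())  # drop folding whitespace
    return tags


def key_record_flags(record):
    """Interpret a DKIM public-key record (RFC 6376 section 3.6.1)."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unknown key record version")
    flags = set(tags.get("t", "").split(":")) - {""}
    key = tags.get("p", "")
    return {
        "key_base64": key,
        # t=y: the domain is testing DKIM; verifiers must treat a failing
        # signature as if the message were unsigned rather than rejecting it.
        "testing": "y" in flags,
        # t=s: the i= identity must be exactly the d= domain (no subdomains).
        "strict_domain": "s" in flags,
        # An empty p= means the key has been revoked.
        "revoked": key == "",
    }


def signature_times(header):
    """Return the t= (signed) and x= (expires) timestamps of a signature."""
    body = header.split(":", 1)[1]          # strip the "DKIM-Signature:" name
    tags = parse_tags(body)
    signed_at = int(tags["t"]) if "t" in tags else None
    expires_at = int(tags["x"]) if "x" in tags else None
    return {"signed_at": signed_at, "expires_at": expires_at}


def signature_expired(header, now=None):
    """True when the x= expiry lies in the past (verifiers then fail it)."""
    now = int(time.time()) if now is None else now
    exp = signature_times(header)["expires_at"]
    return exp is not None and exp < now


if __name__ == "__main__":
    print("key record:", key_record_flags(txt_strings(ZONE_LINE)))
    print("signature :", signature_times(SIGNATURE_HEADER))
```

Running it on the constructed record reports testing=True, which is exactly the state a copy/paste of the qpsmtpd-print-dns output leaves you in; on the header it reports a signing time, not a flag.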

TerryF

  • grumpy old man
Re: t= option in DKIM
« Reply #5 on: May 19, 2017, 11:18:46 PM »
Quote
Like I said, if this requires a bug report to be submitted, let me know.

Musing, dunno, at the least perhaps a wiki bug to describe the what and why..

Wiki shows it on earlier versions of qpsmtpd https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version.3C0.96 but doesn't say what it is or what it does and then doesn't show it on the later version https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96

or just edit the wiki to be clearer .. easiest and simplest :-)
--
qui scribit bis legit

Michail Pappas
Re: t= option in DKIM
« Reply #6 on: May 20, 2017, 11:19:33 AM »
Got my hands full, but I think I can tackle the minor edits to reflect the "t=y" option.

Still, I'm quite certain that users will blindly copy/paste whatever is produced by the command, including the test-enabling option, when sending the request to whoever handles their DNS (like I did :D ).

TerryF

  • grumpy old man
Re: t= option in DKIM
« Reply #7 on: May 20, 2017, 11:30:42 AM »
Quote
Got my hands full, but I think I can tackle the minor edits to reflect the "t=y" option.

Still, I'm quite certain that users will blindly copy/paste whatever is produced by the command, including the test-enabling option, when sending the request to whoever handles their DNS (like I did :D ).

No worries, no one hanging by the you know whats yet :-)

and think of that little bit of new knowledge we have now squirreled away :-)
--
qui scribit bis legit

Daniel B.

  • Firewall Services, network security
Re: t= option in DKIM
« Reply #8 on: May 20, 2017, 12:12:50 PM »
Quote
Got my hands full, but I think I can tackle the minor edits to reflect the "t=y" option.

Still, I'm quite certain that users will blindly copy/paste whatever is produced by the command, including the test-enabling option, when sending the request to whoever handles their DNS (like I did :D ).

That's the very reason I chose to add t=y, so that users do not simply copy/paste the output of qpsmtpd-print-dns (they need to understand and adapt those examples). But indeed, the command also says "The DKIM entry can be copied as is", which is misleading. This part should be removed.
It's the end of the world!!! :lol:

Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: t= option in DKIM
« Reply #9 on: May 20, 2017, 05:56:08 PM »
Quote
But indeed, the command also says "The DKIM entry can be copied as is" which is misleading. This part should be removed

Still it can be pasted as is. So instead of removing, maybe just adding "to enable in test mode, you can later remove the t flag."

SchulzStefan
Re: t= option in DKIM
« Reply #10 on: May 21, 2017, 12:21:38 AM »
Sorry, I have a problem of understanding.

I did:

db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

I understand:

Publishing your DNS entries

Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:

qpsmtpd-print-dns <domain name>

If omitted, the primary domain name is assumed.

Example output:

Here are sample DNS entries you should add in your public DNS
The DKIM entry can be copied as is, but others will probably need to be adjusted
to your need. For example, you should either change the reporting email address
for DMARC (or create the needed pseudonym)


default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"

All you have to do now is publish those records.

Where/how is this to be done?

Regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: t= option in DKIM
« Reply #11 on: May 21, 2017, 12:41:37 AM »
Quote
All you have to do now is publish those records.

Where/how is this to be done?

Regards,
stefan

As announced, where you publish DNS, in other words see your domain name registrar. We cannot give you a procedure, it depends on your registrar.
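Registrar web forms rarely accept bind-style zone lines; they ask for a name (prefix), a type and a value, and they need the two quoted halves of the DKIM key joined back into one string. The following is an added example, not code from the thread or from the SME Server tool: it takes the output format shown in the post above and turns it into those three fields, mapping the zone apex "@" to an empty prefix, optionally dropping the t=y test flag from the DKIM record, and skipping the SPF-type copy (RFC type 99, deprecated by RFC 7208) that most registrar forms cannot take. The sample text is constructed from the thread's output with a shortened key; the function names and options are this example's own.

```python
"""Turn the bind-style lines printed by qpsmtpd-print-dns into the
prefix / type / value fields a registrar's web form asks for.

Added example, not part of the forum thread or of the SME Server tool.
It assumes the line layout shown in the thread (NAME IN TYPE "value" ...)
and a registrar form that takes the record name relative to the domain,
so the apex '@' becomes an empty prefix.  The sample input is constructed
from the thread's output with a shortened (non-functional) key.
"""
import re

# Constructed sample in the format qpsmtpd-print-dns prints.
SAMPLE_OUTPUT = """\
Here are sample DNS entries you should add in your public DNS
The DKIM entry can be copied as is, but others will probably need to be adjusted
to your need. For example, you should either change the reporting email address
for DMARC (or create the needed pseudonym)


default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A""MIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9J;t=y"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"
"""

# NAME  IN  TYPE  "string" ["string" ...]
ZONE_LINE = re.compile(r'^(\S+)\s+IN\s+([A-Z]+)\s+(".*")\s*$')


def parse_zone_lines(text):
    """Yield (name, rtype, value) for every record line; prose is skipped."""
    for line in text.splitlines():
        m = ZONE_LINE.match(line.strip())
        if not m:
            continue
        name, rtype, quoted = m.groups()
        # A TXT value may be split into several quoted strings because one
        # string is limited to 255 bytes; the record is their concatenation,
        # so join them before pasting into a single form field.
        value = "".join(re.findall(r'"([^"]*)"', quoted))
        yield name, rtype, value


def registrar_fields(text, drop_dkim_test_flag=False, keep_spf_type=False):
    """Return a list of {prefix, type, value} dicts for a registrar form.

    - '@' (the zone apex) becomes an empty prefix; other names are kept
      relative to the domain (e.g. '_dmarc', 'default._domainkey').
    - The SPF-type record (RFC type 99) is dropped unless keep_spf_type:
      RFC 7208 discontinued it and verifiers use the TXT copy.
    - With drop_dkim_test_flag the 't=y' tag is removed from the DKIM key
      record, which is the change made when leaving test mode.
    """
    rows = []
    for name, rtype, value in parse_zone_lines(text):
        if rtype == "SPF" and not keep_spf_type:
            continue
        if name.endswith("._domainkey") and drop_dkim_test_flag:
            value = re.sub(r";\s*t=y\s*", "", value).rstrip("; ")
        rows.append({"prefix": "" if name == "@" else name,
                     "type": rtype,
                     "value": value})
    return rows


if __name__ == "__main__":
    for row in registrar_fields(SAMPLE_OUTPUT, drop_dkim_test_flag=True):
        print("prefix=%-20r type=%-4s value=%s" % (row["prefix"], row["type"], row["value"][:60]))
```

The three rows it prints are the ones to enter separately: the DKIM key under the default._domainkey prefix, the SPF policy with an empty prefix, and the DMARC policy under _dmarc.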

SchulzStefan
Re: t= option in DKIM
« Reply #12 on: May 21, 2017, 12:58:10 AM »
Thank you for your reply.

In my case this would look like this:

SPF rule (SPF-Regel)
No SPF rule (Keine SPF-Regel) <-- checked
Default STRATO mail server (Standard STRATO Mailserver) <-- unchecked
FAIL - mail server according to the domain's/subdomain's MX record <-- unchecked
SOFTFAIL - mail server according to the domain's/subdomain's MX record <-- unchecked

TXT and CNAME records including DKIM settings
Prefix (Präfix) <-- What would that be?
Type (Typ) <-- What would that be?

Value (Wert) <-- What would that be? I assume the output of qpsmtpd-print-dns <domain name>?

And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

SchulzStefan
Re: t= option in DKIM
« Reply #13 on: May 21, 2017, 01:15:53 AM »
Would this be correct?

1.)

Prefix: default._domainkey
Type: TXT
Value: v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB

2.)

Prefix: default._domainkey
Type: TXT
Value: v=spf1 mx a -all

3.)

Prefix: default._domainkey
Type: TXT
Value: v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100

In case of my ISP it's not possible to paste the whole output string of qpsmtpd-print-dns <domain name>. But it's possible to add multiple values (1 to 3) to the record.

Thanks for clarifying/help.

Regards,
stefan

« Last Edit: May 21, 2017, 01:47:59 AM by SchulzStefan »
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: t= option in DKIM
« Reply #14 on: May 21, 2017, 07:43:16 PM »
They are 4 independent entries, so yes, you are on the right way. For SPF, usually you enter it twice: as TXT and as SPF. The TXT is the old way before a dedicated SPF type was created; it is good practice to keep them both for the moment as some old implementations will only search the TXT one.


Also, as you indicated mx and a as authorized, if mail is not sent from a server designated as an A or an MX in your DNS, it is rejected by the recipient server because of the -all.

Hence you should be sure all the servers that should send mail are either in an A and/or MX DNS field.

See http://www.openspf.org/SPF_Record_Syntax
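The consequence Jean-Philippe describes (a sending host that is neither the domain's A address nor one of its MX hosts is rejected under -all) can be checked before the record is published. The following is an added example, not code from the thread, from the SME Server tool or from the openspf.org site: a deliberately small SPF evaluator covering only the a, mx, ip4 and all mechanisms with their qualifiers (RFC 7208 section 5), run against a constructed DNS view instead of live lookups. The domain example.net, the 203.0.113.0/24 addresses, the zone data and the function names are all constructed for the example.

```python
"""Minimal SPF check for records of the shape qpsmtpd-print-dns prints
("v=spf1 mx a -all"), evaluated against a constructed DNS view.

Added example, not part of the forum thread or of the SME Server tool.
Only the a, mx, ip4 and all mechanisms are implemented (RFC 7208
section 5); include, exists, redirect and macros are out of scope and
yield permerror.  All names and addresses below are constructed.
"""
import ipaddress

# Constructed DNS view for example.net: the apex A record, two MX hosts,
# and a newsletter box that sends mail but is neither the apex nor an MX.
ZONE = {
    "A": {
        "example.net": ["203.0.113.10"],
        "mail1.example.net": ["203.0.113.11"],
        "mail2.example.net": ["203.0.113.12"],
        "newsletter.example.net": ["203.0.113.50"],
    },
    "MX": {"example.net": ["mail1.example.net", "mail2.example.net"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def a_records(name):
    """Stand-in for an A lookup against the constructed zone."""
    return ZONE["A"].get(name, [])


def mx_hosts(name):
    """Stand-in for an MX lookup against the constructed zone."""
    return ZONE["MX"].get(name, [])


def check_spf(record, domain, sender_ip):
    """Evaluate an SPF record for sender_ip and return an RFC 7208 result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                           # default qualifier is pass
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qual]           # 'all' always matches
        if mech == "a":
            targets = a_records(arg or domain)
        elif mech == "mx":
            targets = [a for host in mx_hosts(arg or domain) for a in a_records(host)]
        elif mech == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
            continue
        else:
            return "permerror"               # mechanism not implemented here
        if any(ipaddress.ip_address(t) == ip for t in targets):
            return QUALIFIER[qual]
    return "neutral"                         # nothing matched, no 'all' term


def senders_not_covered(record, domain, hosts):
    """Hostnames whose A address would not pass the record: the list to fix
    (add an ip4:/a: term or an MX entry) before publishing with -all."""
    bad = []
    for host in hosts:
        for addr in a_records(host):
            if check_spf(record, domain, addr) != "pass":
                bad.append(host)
                break
    return bad


if __name__ == "__main__":
    policy = "v=spf1 mx a -all"
    for ip in ("203.0.113.11", "203.0.113.10", "203.0.113.50"):
        print(ip, "->", check_spf(policy, "example.net", ip))
    print("not covered:", senders_not_covered(policy, "example.net",
                                              ["mail1.example.net", "newsletter.example.net"]))
```

With the constructed zone the newsletter host gets "fail" under -all and "softfail" under ~all; adding it as an ip4: term (or listing it as an MX) turns that into "pass", which is the adjustment to make before switching from ~all or p=none to the strict settings.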