Guide to Install OpenDKIM for multiple domains with Postfix and Debian

This is a guide to installing OpenDKIM for multiple domains on a Postfix-installtion on Debian. I tried some other guides but kept running into problems, so this is how I did it.

Among others, Google Gmail and Yahoo mail check your email for a DKIM signature.

Install and Configure OpenDKIM

1. Install OpenDKIM

[code]apt-get install opendkim[/code]

Comment: This will install the latest available stable Debian packaged version of OpenDKIM which is currently 2.0.1. This version is already a couple of years old (2010).
If you know how/want to compile sources yourself, then the latest version is 2.4.3 (and 2.5.0 is right around the corner)

2. Edit the OpenDKIM config file

[code]nano /etc/opendkim.conf[/code]

Add these rows:

[code]
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
[/code]

Note: If you run multiple instances of Postfix you need to add this to the opendkim.conf for each instance (or the ones you want to use opendkim)

3.  Edit /etc/opendkim/TrustedHosts

[code]nano /etc/opendkim/TrustedHosts[/code]

Add domains, hostnames and/or ip’s that should be handled by OpenDKIM. Don’t forget localhost.

[code]
127.0.0.1
localhost
x.253.204.64
x.253.204.32/27
[/code]

4. Edit /etc/default/opendkim

[code]nano /etc/default/opendkim[/code]

Uncomment this row:

[code]SOCKET="inet:12345@localhost" # listen on loopback on port 12345[/code]

Generate keys

Repeat these steps to generate keys for each domain you will send email from. Replace mydomain.com with your domain name in examples below.

1. Generate key

[code]
mkdir -p /etc/opendkim/keys/mydomain.com
cd /etc/opendkim/keys/mydomain.com
opendkim-genkey -r -d mydomain.com
chown opendkim:opendkim default.private
[/code]

2. Add domain to KeyTable /etc/opendkim/KeyTable

[code]nano /etc/opendkim/KeyTable[/code]

Add line:

[code]default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private[/code]

3. Add domain to SigningTable /etc/opendkim/SigningTable

[code]nano /etc/opendkim/SigningTable[/code]

Add line:

[code]mydomain.com default._domainkey.mydomain.com[/code]

Note that in OpenDKIM 2.0.1 domain names are case sensitive (supposed to be fixed from 2.3.1 but I have not tested).
This means that in the above example an email from info@mydomain.com will be signed, but an email from info@MyDomain.com will not be signed. The workaround is to add one extra entry for MyDomain.com to SigningTable.

4. Add to DKIM public key to DNS

Add an entry for the public key to the DNS server you are using for your domain. You find the public key here:

[code]cat /etc/opendkim/keys/mydomain.com/default.txt[/code]

Start OpenDKIM

[code]/etc/init.d/opendkim start[/code]

In the future, if you make any changes to configuration remember to restart: /etc/init.d/opendkim restart

Configure and Restart Postifx

1. Configure Postfix

[code]nano /etc/postfix/main.cf[/code]

Add or edit these lines:

[code]
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
[/code]

2. Restart Postfix

[code]/etc/init.d/postfix reload[/code]

Or in my case as i run postfix multi instance:

[code]/etc/init.d/postfix-multi restart[/code]

Other

Log files are in the /var/log directory

[code]
cat /var/log/mail.log
cat /var/log/mail.warn
cat /var/log/mail.err
[/code]

Log more info

[code]nano /etc/opendkim.conf[/code]

Add this line:

[code]LogWhy yes[/code]

Credits

Guides that have helped me along the way: Debian Tutorials and Syslog

OpenDKIM: error loading key `default._domainkey.mydomain.com’

I have been pulling my hair with getting OpenDKIM to work on a Debian machine with Postfix. I have been changing my KeyTable, SigningTable, ExternalIgnoreList, InternalHosts files and references like a madman.

I have kept getting errors like this in /var/log/mail.log

[code]Feb 28 11:21:43 06-135-D2 opendkim[27826]: 5EADD532313: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed

Feb 28 11:24:00 06-135-D2 opendkim[27955]: D2560532313 error loading key `default._domainkey.mydomain.com'[/code]

Unfortunately OpenDKIM does not give more info than this and Googling did not provide many hints mor than possibly being a directory access problem. I checked directory and file access and realized that the key file was only readable by root.

[code]-rw——- 1 root root 891 Feb 28 00:14 default.private[/code]

Testing Permissions
(you can skip straight to Solution below)

[Edit: Renamed this part from “Solution” to “Testing Permissions” and added a better Solution below. Thanks to Andreas Schultze on the OpenDKIM mailing list for getting me on the right track to finding the correct solution]

As I used opendkim-genkey to generate my key I would have thought permissions would be set ok from the start but I anyway tried doing chmod 644 on the key file

[code]chmod 644 default.private[/code]
[code]-rw-r–r– 1 root root 891 Feb 28 00:14 default.private[/code]

And finally – success!
In /var/log/mail.log:

[code]Feb 28 11:30:28 06-135-D2 opendkim[27955]: 5E811532313 "DKIM-Signature" header added[/code]

To me it seems a little unsecure to do chmod 644 on the file as this means anyone with access to the system can read the private key. In my case I consider my system secure as it is only used for SMTP/Postfix so I am happy that is working.

As I am all new to Debian, OpenDKIM and Postfix (The last time I touched Unix was when I worked with IBM’s AIX on their RS/6000 systems in the early 90s…) so I would be happy to hear any thoughts on this.

Solution

To set permissions to allow OpenDKIM but no unauthorized users to access the private key, change owner of the private key file to user and group opendkim with the following command:

[code]chown opendkim:opendkim default.private[/code]

(To check what user opendkim is running as, check the running processes once you have started opendkim: ps -f -A
This command shows what groups the user opendkim belongs to: group opendkim)

Maybe this is fixed to set file permissions correctly in a later version of opendkim-genkey, I am running the old 2.0.1 apt-get package that is currently available for Debian.

Backup or Copy Windows Server 2008 Configuration

In Windows Server 2008 there is a backup tool called Windows Server Backup which however creates huge backup files. I prefer to use a simple command/batch file that copies everything I want to backup, zips it and then uploads it to Amazon S3 (aka “the cloud”)

I have not been able to find a simple way to copy all of my Windows Server 2008 settings. Theses are the bits and pieces I have found:

Copy IIS7 Configuration

To save IIS 7 (Internet Information Services) configuration, copy the config directory %SYSTEMROOT%\System32\inetsrv\config, example:

[code]xcopy %SYSTEMROOT%\System32\inetsrv\config c:\backup\iisconfig\ /S/E[/code]

Windows Advanced Firewall Export Configuration

To export all the current configurations of your firewall to a file:

[code]netsh advfirewall export c:\backup\advfirewall.wfw[/code]

Source: David Davis

Export Windows Registry

To export the Registry, use regedit.exe command line options. Note that export is done in background so you need to allow some time before you are able to access the exported file.

[code]regedit /e c:\backup\regbackup.reg[/code]

Source: Speedguide

Network Settings

[code]netsh dump > c:\backup\network-settings-netsh-dump.txt[/code]

Source: Chris Sanders

 

Please note that this method cannot and should not to be compared to a full backup method such as Windows Server Backup.

This method will not allow you to do a full recovery. It will mean installing Windows Server and all software from scratch and then recover the data you have backed up. Meaning an unrecoverable hard drive crash would most likely mean more downtime/recovery time.

The reason I like this method is because it takes less space which allows me to use S3 to save my backups. That means I can fully automate it (scheduled batch script and no need to change any media) and it is off-site (meaning if there is a fire where my server is, my backup is still safe). And I prefer the ease of just getting my files from a zip file if I need to check or recover anything. Besides, it’s dirt cheap, I pay Amazon S3 a few dollars for a month worth of daily 1GB backups.

8 Quick Steps: Guide to Microsoft Office 365 Exchange Online Free Trial

This guide tells you how to quickly and easily get started with Exchange Online using a 10 user free trial which can easily be converted to a paid subscription later ($6 per user per month, minimum 1 user)

This is how you do it (steps may vary a little bit depending on what country you are from)

    1. Go to Office365.com
    2. Click “Get the trial”. This will give you a fully functional free 10 user trial for 30 days.
      So this means one month free and you can test everything before you start paying. When the trial period is up, it is easy to turn it into a paid subscription. No rebate coupon or voucher code needed.
    3. Select the option for “Professionals and Small businesses”, this is the “P1” plan. For some countries this may already be preselected.
      (If you are a larger company select the “Midsize businesses and enterprises”, plan “E3” but note that pricing, features etc is different from what is covered here)
    4. Fill out the information about yourself to create a Microsoft Online Services ID.
      You will have to select an onmicrosoft.com domain name, e.g. mycompany.onmicrosoft.com. Don’t worry, you will be able to add your real domain name (or multiple domain names) later
    5. You should see a page telling you that Exchange Online, Lync Online and Sharepoint Online is being set up and that it will take a few minutes. Wait for them to finish.
    6. Add your own Domain. a) Click Admin in the top navigation. From the Admin page on the left column navigation b) Click Management-Domains, then c) Click Add a Domain. d) Enter your domain name and click the Check Domain button. After domain information is shown e) click Next and you will be taken to a page with instructions how to add a TXT record to your DNS for verifying your domain.
    7. Add users. a) Click Admin in the top navigation. From the Admin page on the left column navigation b) Click Management-Users, then c) Click New + User and follow the instructions.
      If you wish, you can make the admin user that was created when you signed up just an admin account without a paid license. To do this edit the user and uncheck “Microsoft Office 365 Plan P1” under License.
    8. Add me as your partner – optional. Thanks! a) Click Admin in the top navigation. From the Admin page on the left column navigation b) click Subscriptions-Manage, then c) click your subscription, Microsoft Office 365 Trial (Plan P1). On the far right you will see d) Partner Information, click Add and e) in the box shown enter 1912364 as partner id to use my company XS Tech as partner and click Ok (or if you prefer to use another partner enter their partner id) Thanks.

Done!

Background
Microsofts cloud offering Office 365 (formerly BPOS) includes among other things Exchange Online, Microsofts hosted email offering.
Exchange Online can be accessed from a browser (Outlook Web App), Outlook (Windows), Entourage or Outlook for Mac or any mobile software supporting ActiveSync, e.g. Android, iPhone, iPad, Windows Phone etc.
I find Exchange Online well priced at just below 50 SEK (US$ 6) per month for a 25GB mailbox with Sharepoint, Office Web Apps and Lync also included. It is half the price compared to my current Hosted Exchange provider and with over 10 times the storage. Extra plus for me is also that my Hosted Exchange provider is running Exchange 2007 while Office365 is on Exchange 2010. New with the change from BPOS to Office365 is also that you can now signup for only one single user instead of the previous minimum of three.

Browsers
I recommend using Internet Explorer or Firefox with Office 365, Exchange Online and other Office Web Apps. Chrome (currently in release 14) is working most of the time but not always.

Disclosure: My company is a Microsoft partner.

Compare and Merge Text Files

This is more a less a note to myself to remember what the text file comparison tool that I use from time to time is called: WinMerge!

It’s a nice Open Source Windows application where you can easily compare two or more text files to each other and make changes or copy from one file to the other while comparing. For example great when comparing to versions of a php file etc.

Automate update of web.config with Microsoft Powershell

I have an ASP.NET web site project that I use for 5-10 web sites. Each has its own directory, setup in IIS and MySQL database, ie they work as independent web sites, only the code base is the same. For updates I have a setup with one Windows command file to copy out any file changes to the web site directories and another command file that updates the database with any database structure changes.

So far I have made any updates to the web.config files manually but today I finally figured out how to automate this too.

The Windows command tool Powershell has been around for a couple of years but I have not used it before. It was installed with Windows Update some time ago so it should be installed on your machine. To use it simply run powershell.exe from a command prompt. To exit, close the window or type exit.
Powershell can among other things run Powershell script files (file extension .ps1)

This script will show you how to add to and edit multiple web.config files (or any xml file)
[code lang=”xml”]
# Source: http://blog.tjitjing.com

# Array of files to make changes to, add as many as you like
$filesarray = @("c:\temp\web.config","c:\anotherfile.xml")

# Go thru all files
foreach ($filename in $filesarray)
{
# Get file + cast as xml
$xml = [[xml]](get-content $filename)

# Backup file before making changes
$backup = $filename + "-" + (get-date).tostring("yyyy-MM-dd-hh_mm_s")
$xml.Save($backup)

$root = $xml.get_DocumentElement();

# Add a new node
$node = $xml.createElement("mynewnode")
$root."system.web".appendChild($node)
$subnode = $xml.createElement("add")
$node.AppendChild($subnode)
$attribute = $xml.CreateAttribute("url")
$attribute.set_Value("http://blog.tjitjing.com")
$subnode.SetAttributeNode($attribute )

# Change existing node
$root.connectionStrings.add.connectionString = "My new connection string"

# Save
$xml.Save($filename)
}
[/code]

There are two caveats I ran in to when running my script:

1) You need to always give the path of the file, even if it is in your current directory. To run a file from current directory you need to wite ./
[code lang=”vb”]
C:\Temp>powershell.exe ./test.ps1
[/code]
Or from within Powershell
[code lang=”vb”]
PS C:\Temp>./test.ps1
[/code]

2) Powershells execution policy is by default set to Restricted. To avoid getting a message similar to “File C:\temp\test.ps1 cannot be loaded because the execution of scripts is disabled on this system.”, you need to run the command Set-ExecutionPolicy RemoteSigned from the powershell prompt.

Some useful links that helped me understand this and get it working:
Powershell on Microsoft Technet
Andy Schneider’s Blog about Windows PowerShell
Blog post by Dave Donaldson

Google Plus invite give away

Would you like an invite to Google Plus, Googles new social network, the “Facebook and Twitter killer”?
I have a few invitations, post a comment here with your gmail address (currently it seems only gmail accounts are accepted, you should also have filled out your google profile)

For Swedish speakers this is another option to get a Google+ invitation: gratis

[Edit: As I understand it Google Plus is now open for all gmail accounts. I still have plenty of invites, so comment here if you want one and don’t have a gmail email address]

Get root path in ASP.NET without using Tilde ~

As you probably know you can use the tilde sign (~) in ASP.NET to get the relative path of the root of your Web Site or Web Application. But unless using the Link Server Control or similar you may need some code to convert it to a correct url or get the absolute path.

Using a Server Control – example using the HyperLink Web Server Control
[code lang=”vb”]
MyHyperLink.NavigateUrl = "~/Products/XYZ"
[/code]

Using HttpRuntime.AppDomainAppVirtualPath
[code lang=”vb”]
strAbsoluteUrl = HttpRuntime.AppDomainAppVirtualPath & "/Products/XYZ"
[/code]

Using VirtualPathUtility.ToAbsolute
[code lang=”vb”]
strAbsoluteUrl = VirtualPathUtility.ToAbsolute("~/Products/XYZ")
[/code]

Thanks to Yousef

ASP.NET 4.0: Extra space above Menu in Chrome and Safari using Menu Control

In Visual Studio 2010 when creating a new ASP.NET Web Site or ASP.NET Web Application you get a shell for ASP.NET 4.0 web site with a menu using the ASP.NET 4.0 Menu Control. However in Google Chrome and Safari browsers the menu will show with some extra space above it. It took plenty of googling to find the answer since google is filled with solutions for Chrome problems in ASP.NET 2.0.
Finally – the solution for .NET Framework 4.0:

Add these lines to the Site.css file (in the Styles folder of your VS 2010 project)
[code lang=”css”]
/* Fix for extra space above menu in Chrome and Safari */
img[alt=’Skip Navigation Links’] {
display: none;
}
[/code]

An alternative is to add SkipLinkText=”” to each menu item (have not tested this)

Thanks to MattyF for the solution