I had the need to view the actual SMTP server conversation to confirm TLS and authentication were being used. I could have done this from server logs, but as we transmit thousands of SMTP messages a day it was easier to look to the client for logs, rather than for the needle in a stack of other needles.
After setting up a DKIM DNS entry and then sending email we were seeing one of authorised 3rd parties failing to pass the DKIM checks. The DNS record looked OK but the mail systems like Google and Yahoo were saying it was failing. So how do I go about testing a message I received so I can see for myself what’s going on?
Looks like the answer is to use a Perl module “Mail::DKIM::Verifier”
For several ears now we’ve run a fairly tight ship on our email server. It consumes an awful lot of resources mainly because of how many businesses out there fail to properly configure their email server correctly. By far the biggest failing is not using the proper HELO/EHLO name and not having a reverse DNS (RNDS/PTR) record that matches.
So please, if you’re an email admin, get it sorted. This is an internet standard from way back in the 1980’s and beyond!
Adding to our anti-spam systems using DKIM and SPF we’ve brought in DMARC to enforce compliance with these standards. So in future we’ll be telling recipients to reject mail claiming to be from our domain that fails to meet the SPF and DKIM checks.
Following on from the previous post Exim4 & DKIM I ran into a problem with no DKIM signature being added to outgoing mail. As I had this working when sending emails directly I figure it has to do with the smarthost config in Exim4.
Turns out the problem is that there is no DKIM config in the smarthosts config section.
Where possible I try to get mail systems setup so that they can be verified as true senders by the recipient by using SPF and DKIM. Seems a shame that few mail systems actually seem to do this as it would trim a lot of spam from the net.
Having moved to another server I needed to move the mail sender with it. This particular system only needs to send email out as there is another system that receives mail for this domain. So All I need do is install an SMTP service and make sure it signs it’s messages with the same private key as I previously used, so it matches the public key that is published in DNS.
Previously the system used Postfix and OpenDKIM, but as this needs to be a barebones simple system I figured I’d stick with Debian’s default mailer Exim4. Turns out this was a good choice as it has DKIM built in.
This box runs Linux and many of my favourite services so can handle Postfix, Dovecot, SpamAssassin and many others that are documented here. There are a few quirks though. After all it is highly stylised and GUI based so the configs are driven by the web interface. That just needs some careful consideration as they will be overwritten every time the server starts. So you just need to ensure you edit the “template” files that the GUI will apply.