Category Archives: mail

I’m seeing more and more questions related to this and wanted to put how to fix it out there for folks.

Gmail has started flagging emails that were sent without encryption using a small red lock. It looks like this:

[Screenshot from 2016-02-17 12:23:16: Gmail showing the red broken-lock icon]

To fix this is pretty easy with Postfix.

  1. Log in to the server
  2. Open up /etc/postfix/
  3. Ensure the following values are set:

     smtpd_tls_security_level = may
     smtp_tls_security_level = may
     smtp_tls_loglevel = 1
     smtpd_tls_loglevel = 1

     (there are three levels you can set: none, may, or encrypt. Using may ensures we don’t lock out those who can’t do encryption)

  4. Reload postfix: service postfix reload
  5. Send a test email and check gmail. You should now see that there is no broken lock:

[Screenshot from 2016-02-17 12:27:08: the same message in Gmail without the broken lock]
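A quick way to confirm the settings above actually took, as an added example that is not part of the original post: the script below parses a main.cf (handling Postfix's whitespace-indented continuation lines) and reports which side is still at security level none. It also flags the one thing the post does not mention: with smtpd_tls_security_level = may but no smtpd_tls_cert_file (or smtpd_tls_chain_files on Postfix 3.4+), Postfix has nothing to present and will not advertise STARTTLS at all. The sample configuration strings are constructed for the example.

```python
"""Check a Postfix main.cf for opportunistic TLS (added example, not from the post)."""


def parse_main_cf(text):
    """Return {parameter: value}. A line starting with whitespace continues the previous value."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % raw)
        last = key.strip()
        params[last] = value.strip()
    return params


def tls_findings(params):
    """Return a list of problems with the TLS settings; an empty list means both sides offer TLS.

    Only the *_tls_security_level parameters are considered; the legacy
    smtpd_use_tls / smtp_use_tls booleans are ignored here.
    """
    findings = []
    smtpd = params.get("smtpd_tls_security_level", "none")
    smtp = params.get("smtp_tls_security_level", "none")

    if smtpd == "none":
        findings.append("smtpd_tls_security_level is none: mail Gmail delivers to you is accepted in the clear")
    elif smtpd not in ("may", "encrypt"):
        findings.append("smtpd_tls_security_level has an unexpected value: %r" % smtpd)

    if smtp == "none":
        findings.append("smtp_tls_security_level is none: mail you send to Gmail leaves in the clear")

    # Server-side TLS needs a certificate to present, or STARTTLS is silently not offered.
    if smtpd != "none" and not params.get("smtpd_tls_cert_file") and not params.get("smtpd_tls_chain_files"):
        findings.append("smtpd TLS enabled but no smtpd_tls_cert_file/smtpd_tls_chain_files set: "
                        "Postfix will not advertise STARTTLS")
    return findings


# Constructed sample configurations (not from any real server).
SAMPLE_GOOD = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.key
"""

SAMPLE_NO_CERT = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("no-cert", SAMPLE_NO_CERT)):
        print(name, tls_findings(parse_main_cf(text)) or ["ok"])
```

Run it against the real file with `tls_findings(parse_main_cf(open("/etc/postfix/main.cf").read()))`; for the authoritative view of what Postfix actually loaded, including defaults, `postconf -n` is the tool to compare against.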

Category: encryption, mail

If you’re like me, you’re seeing more and more requests to disable plaintext authentication without encryption for POP and IMAP due to the higher number of people going for PCI compliance.

Fortunately, in Dovecot, this is very easy to configure. The setting you want to use is:

disable_plaintext_auth = yes

This can be found in /etc/dovecot/conf.d/10-auth.conf on newer Dovecot installs:

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you’re connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes

Restart the service after uncommenting the directive out, and you’re golden.

Edit: The conf.d/ folder seems to have appeared with Dovecot 2.x versions. If you’re using Dovecot 1.x, you should be able to plug the line into your /etc/dovecot.conf file without issue.
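To verify the directive from the outside rather than trusting the config file, look at what Dovecot advertises on a plaintext connection: with disable_plaintext_auth = yes it lists STARTTLS and LOGINDISABLED and withholds AUTH=PLAIN / AUTH=LOGIN until TLS is up. The checker below is an added example, not part of the original post; the greeting lines it parses are constructed, and probe_imap_greeting is an assumed helper name for running the same check against a live server.

```python
"""Inspect a pre-TLS IMAP CAPABILITY list for plaintext-auth exposure (added example)."""
import imaplib

# SASL mechanisms that carry the password in the clear (or trivially decodable).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Extract the capability tokens from a greeting or an untagged CAPABILITY response."""
    line = line.strip()
    if line.startswith("* OK [CAPABILITY "):
        body = line[len("* OK [CAPABILITY "):line.index("]")]
    elif line.startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return set(body.split())


def plaintext_auth_findings(caps):
    """Return the list of problems; empty means plaintext logins are refused until STARTTLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: clients cannot upgrade the connection")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED absent: the LOGIN command is accepted on the plaintext connection")
    offered = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    leaking = sorted(offered & PLAINTEXT_MECHS)
    if leaking:
        findings.append("plaintext SASL mechanisms advertised before TLS: " + ", ".join(leaking))
    return findings


def probe_imap_greeting(host, port=143):
    """Connect in the clear to your own server and check its greeting (network helper, assumed name)."""
    conn = imaplib.IMAP4(host, port)
    try:
        return plaintext_auth_findings(parse_capabilities(conn.welcome.decode()))
    finally:
        conn.shutdown()


# Constructed greetings: one with the directive on, one with it off.
GREETING_LOCKED = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                   "STARTTLS LOGINDISABLED] Dovecot ready.")
GREETING_OPEN = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                 "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")

if __name__ == "__main__":
    for label, greeting in (("locked", GREETING_LOCKED), ("open", GREETING_OPEN)):
        print(label, plaintext_auth_findings(parse_capabilities(greeting)) or ["ok"])
```

Run the live probe from a different machine than the mail server: as the config comment above says, a connection whose remote IP matches the local IP is treated as secure, so a check from localhost will show plaintext auth allowed even when the directive is working.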

Category: advice, mail

One of the most common issues I see that affects my clients is the “Yahoo/Gmail/Hotmail is sending all of my mail straight to the spam folder despite ‘insert usual DNS and config details here’” issue, so I spent some time researching a solution that would be relatively quick and painless to implement. I found it, but it only works with a straight postfix box. This will not work for Plesk servers, qmail, sendmail, etc. So if you’re running a centos or RHEL box with postfix and want DKIM/domainkeys signing? Here’s an article for you.

In particular, Yahoo seemed to be the most stringent enforcer of the DKIM/domainkeys/SPF rules (and thus the one spam-foldering the most mail), so Yahoo became sort of my “litmus” test for DKIM/domainkey/SPF configuration. If it works there, it is going to work everywhere else. This has also been generally true in my experience. Your mileage may vary.

Please note: This is NOT a cut and paste document. This is meant as a guide that should get you from point A to point B pretty painlessly. However, every dkimproxy install I’ve done has differed just slightly from one detail to another. So be prepared to do a little thinking on your feet. I’ve tried to include most of the “gotchas”, but there’s always something.

Prepare to install

This is actually the “hardest” part of the install for dkimproxy. It has varied for just about every system I’ve done to date and is purely a question of searching the DAG repositories for the RPMs you need to meet the base requirements of the required packages if it isn’t available via YUM.

So, to start with, you need to install the following RPMs:


As of May 30th, 2011 I found all of the above packages on yum for centos 5. RHEL 5 and earlier versions of both may still require a visit to DAG to get the packages that may not be available in those OS versions. Edit: 12/2011 – I just did this install on a RH ES5.6 server and all of the above perl rpms were in the epel-release. Edit: 8/2014 – I just did this on a Redhat 6.1, the packages were still there in both the base channel and epel-release for perl-Net-Server.

These installs could give you some dependency errors. As I said, it is a little different for each server (mostly due to a question of how long the server has been online and what has been installed on it and how old the OS is). Every requirement I’ve had to fill can be met by searching yum/up2date and/or the package list at DAG. Follow the chains and install the required packages. It is better for your system overall that you try to install any package from yum/up2date before you go trying to install a DAG rpm.

Once you have the base packages listed above installed (with no further dependency issues), you are ready to proceed onward.


Obtain and compile dkimproxy

Note! The wget statement below was current as of May 30th, 2011. It may have changed. Always go here and make sure you are downloading the most current version of DKIMproxy.

tar -xvzf dkimproxy-1.4.1.tar.gz
cd dkimproxy-1.4.1
./configure --prefix=/usr/local/dkimproxy
make install

Then we place the init script:

cp /etc/init.d/dkimproxy
chmod +x /etc/init.d/dkimproxy

and create the DKIM user:

useradd -d /usr/local/dkimproxy dkim
passwd -l dkim

From there, we create the Key:

cd /usr/local/dkimproxy/etc/
openssl genrsa -out domain.tld.key 1024
openssl rsa -in domain.tld.key -pubout -out

Obviously, replace domain.tld with the domain the client is wanting to sign. If they plan to sign multiple domains with a single key, this is fine and you may wish to make the key name more generic rather than domain specific.

Now create a DNS TXT record for mail._domainkey.domain.tld with the contents of Your public key will span at least two lines, so combine all of the lines of the key together when putting it in your DNS record. The whole DNS record will look something like this:

k=rsa; t=s; p=MFwwDQYJ..(snipped for space)….0JMCAwEAAQ==

I’ve shortened the key here for space/display reasons. It will be pretty long.

You can test to see if the key is working like this:

# host -t txt mail._domainkey.domain.tld
mail._domainkey.domain.tld descriptive text "k=rsa\; t=s\; p=MFwwDQYJ......0JMCAwEAAQ=="
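The host query only proves the record exists; it does not prove the p= value is a usable key, and a stray line break or a dropped character when pasting the multi-line PEM into DNS is a classic way to fail DKIM verification with a record that "looks fine". The following added example (not part of the original post or of DKIMproxy) parses the tag=value record, base64-decodes p=, walks the DER SubjectPublicKeyInfo that `openssl rsa -pubout` produces, and reports the RSA modulus size. The post uses 1024-bit keys; RFC 8301 requires at least 1024 bits and recommends 2048, so the checker flags anything shorter than 2048. Because no real key pair is embedded, the block includes a small DER encoder (make_spki_base64, an assumed helper) that builds a SubjectPublicKeyInfo from a constructed modulus for the demonstration.

```python
"""Validate a DKIM selector TXT record offline (added example, not from the post)."""
import base64


def parse_dkim_record(txt):
    """Split 'k=rsa; t=s; p=...' into {tag: value}; whitespace inside values is dropped."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, _, value = part.partition("=")
        # DNS splits long p= values into several quoted strings; join them back together.
        tags[key.strip()] = "".join(value.split())
    return tags


def _der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """SubjectPublicKeyInfo -> AlgorithmIdentifier, BIT STRING { RSAPublicKey { n, e } }."""
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    _, _alg, pos = _der_read(spki, 0)      # AlgorithmIdentifier, not needed here
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    tag, rsa_key, _ = _der_read(bitstr[1:], 0)   # bitstr[0] is the unused-bits count
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag, modulus, _ = _der_read(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt, min_bits=2048):
    """Return a list of findings; an empty list means the record parses and the key is acceptable."""
    findings = []
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= tag present but not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        findings.append("unsupported key type: " + tags["k"])
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag")
        return findings
    if p == "":
        findings.append("empty p= tag: this selector is revoked")
        return findings
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:
        findings.append("p= does not decode to an RSA public key: %s" % exc)
        return findings
    if bits < min_bits:
        findings.append("RSA key is %d bits; %d or more recommended" % (bits, min_bits))
    return findings


# --- tiny DER encoder so the demo has a key to look at (constructed, not a real key) ---
def _der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                    # keep the INTEGER positive
    return _der_tlv(0x02, b)


def make_spki_base64(modulus, exponent=65537):
    """Encode an RSA SubjectPublicKeyInfo (the 'openssl rsa -pubout' layout) and base64 it."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")          # OID 1.2.840.113549.1.1.1
    alg = _der_tlv(0x30, rsa_oid + b"\x05\x00")                 # rsaEncryption, NULL params
    rsa_key = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    return base64.b64encode(_der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_key))).decode()


if __name__ == "__main__":
    # Constructed moduli: only the bit length matters for this demonstration.
    for bits in (1024, 2048):
        record = "k=rsa; t=s; p=" + make_spki_base64((1 << (bits - 1)) | 1)
        print(bits, check_dkim_record(record) or ["ok"])
```

For a real selector, feed it the TXT data returned by the host command above (join the quoted strings and drop the backslashes before the semicolons).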

Now to set up the config files. Tell dkimproxy about the key files, and configuration parameters. Create /usr/local/dkimproxy/etc/dkimproxy_out.conf with this content

# specify what address/port DKIMproxy should listen on

# specify what address/port DKIMproxy forwards mail to

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain domain.tld

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile /usr/local/dkimproxy/etc/domain.tld.key

# specify the selector (i.e. the name of the key record put in DNS)
selector mail

Please note, if you are doing a multiple domain set up with a single key, you can list each domain as “domain domain1,domain2,domain3” a comma separated list.

Now copy the sample inbound config to the real inbound config

cd /usr/local/dkimproxy/etc
cp dkimproxy_in.conf.example dkimproxy_in.conf

Start the service

/etc/init.d/dkimproxy start
chkconfig dkimproxy on


Configuring Postfix to use DKIMproxy

You must add the following entries to the bottom of the /etc/postfix/ file:

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=
  -o smtpd_authorized_xforward_hosts=

Then, depending on WHAT messages your client wants signed, you need to add the line

-o content_filter=dksign:[]:10027

to that part of the service. So, for example, if they want anything submitted to port 25 signed:

smtp inet n - n - - smtpd
  -o content_filter=dksign:[]:10027

If they want script created mail to be signed:

pickup fifo n - n 40 1 pickup
  -o content_filter=dksign:[]:10027

Mail to port 587 to be signed:

submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

Note: The spacing before the -o is being pulled out by the blog software, even with the code tag. Look at how the rest of the entries in your file look and emulate that where the -o lines are indented. That matters! And a lack of such indenting will prevent postfix from working properly.

There’s obviously more there than just the dksign line, due to the nature of that port in that last one.
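Two of the gotchas in that master.cf wiring are mechanical enough to lint for: an -o line that lost its indentation is parsed by Postfix as a new service line and fails the field count, and the listener that receives mail back from the proxy must have an empty content_filter, or every signed message is handed to dksign again and loops. The script below is an added example, not part of the original post or of DKIMproxy. It parses master.cf (8 whitespace-separated fields per service, whitespace-indented -o continuation lines) and checks the signing loop. The sample file is constructed; the proxy address 127.0.0.1:10027 and the return listener port 10028 are assumed values for the sample, not taken from the post.

```python
"""Lint the DKIMproxy wiring in a Postfix master.cf (added example, not from the post)."""


def parse_master_cf(text):
    """Return {"name/type": {"fields": [...], "options": {key: value}}} for every service."""
    services = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Indented line: a continuation of the previous service entry.
            if current is None:
                raise ValueError("line %d: continuation line before any service" % lineno)
            opt = raw.strip()
            if opt.startswith("-o "):
                key, _, value = opt[3:].partition("=")
                services[current]["options"][key] = value
            continue
        fields = raw.split()
        # service type private unpriv chroot wakeup maxproc command [args]: at least 8 tokens.
        if len(fields) < 8:
            raise ValueError("line %d: expected 8 fields, got %d (%r); an un-indented -o line?"
                             % (lineno, len(fields), raw.strip()))
        current = "%s/%s" % (fields[0], fields[1])
        services[current] = {"fields": fields, "options": {}}
    return services


def lint_dkim_wiring(services, proxy_name="dksign", return_port="10028"):
    """Return findings about the sign -> proxy -> re-inject path; empty means it is wired sanely."""
    findings = []
    if proxy_name + "/unix" not in services:
        findings.append("no '%s' unix service defined: content_filter targets will fail" % proxy_name)

    signers = [name for name, svc in services.items()
               if svc["options"].get("content_filter", "").startswith(proxy_name + ":")]
    if not signers:
        findings.append("no service routes mail through the signing proxy")

    returners = [name for name in services if name.endswith(":%s/inet" % return_port)]
    if not returners:
        findings.append("no inet listener on port %s to accept signed mail back" % return_port)
    for name in returners:
        opts = services[name]["options"]
        if opts.get("content_filter", "") != "":
            findings.append("%s: content_filter must be empty, or signed mail loops back into the proxy" % name)
        if "receive_override_options" not in opts:
            findings.append("%s: missing receive_override_options" % name)
    return findings


# Constructed sample master.cf fragment (addresses and ports are assumed, not from any real server).
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=dksign:[127.0.0.1]:10027
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=dksign:[127.0.0.1]:10027
dksign    unix  -       -       n       -       10      smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
127.0.0.1:10028 inet n  -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

if __name__ == "__main__":
    print(lint_dkim_wiring(parse_master_cf(SAMPLE_MASTER_CF)) or ["ok"])
```

Point it at the live file with `parse_master_cf(open("/etc/postfix/master.cf").read())`; `postconf -M` prints the same service table as Postfix itself sees it, which is the thing to compare against when the two disagree.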

From there, reload postfix (make sure it starts and continues to be able to send mail. I tend to do both command line tests as well as pop/imap checks for the rack user).

service postfix reload


Testing DKIM signing

Now that all of that is in place, you can now do some tests.

The easiest way to do this, if the server is not doing any sort of mail redirection, is to set up the account in your mail client so you can both send the test messages as well as check and see the reply emails.

I use two primary tests. One, I send a mail (with any subject, any body) to This returns 4 (at the moment) test results. You can pretty easily see from these 4 messages what is working and what isn’t.

The second test I use is to check the SPF record, because most services will fail dkim/domainkeys if the SPF record is invalid for the sent mail. So send a test message to It will be rejected WITH the response, so watch the log file on the server to see if the SPF record passed correctly.

Finally, I create a php script to generate a mail to my yahoo account to see if it gets through with the DKIM/domainkey/SPF pass. You can use something like:

and invoke it via a browser or by the command line:

php /path/to/phpmail.php

Tweak and resolve any issues you came across in the testing until you get clean results for DKIM, Domainkeys, and SPF. At that point, I generally send an email to myself at my yahoo account. If you see the little key/lock icon on the “from” line of the email (and it isn’t in the spam folder)? You’ve successfully set up and configured DKIM/Domainkeys. If it IS in the spam folder? Check the header to see where to go next. As I said, the most common reason it fails is the SPF record in my experience.

Hopefully this article has been helpful at getting you to get your DKIMproxy install up and going.

Category: linux, mail

Horde/IMP, by default, does not seem to enforce strict passwords. This can cause a lot of issues due to the number of brute force scans going on out there in internetland. If you (or a client you are representing) want to set horde to do the typical “strict password” enforcement, look for the file:


And read the bit about password policy. An example policy that can be set in this file that would require 1 capital, 1 lowercase, 1 special character and 1 number, with a minimum password size of 8, would look like:

'password policy' => array(
    'minLength' => 8,
    'maxLength' => 64,
    'maxSpace' => 0,
    'minUpper' => 1,
    'minLower' => 1,
    'minNumeric' => 1,
    'minSymbols' => 1
),

Took me a bit to find this, so I figured I’d pass it along to other linux folks working with Horde/IMP.
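To see what that policy accepts and rejects before rolling it out to users, here is an added example (not part of the original post or of Horde) that evaluates a password against a dictionary using the same key names as the array above. The policy values mirror the post's example; the test passwords are constructed.

```python
"""Evaluate a password against a Horde-style 'password policy' (added example)."""
import string

# Same keys and values as the array in the post.
POLICY = {
    "minLength": 8,
    "maxLength": 64,
    "maxSpace": 0,
    "minUpper": 1,
    "minLower": 1,
    "minNumeric": 1,
    "minSymbols": 1,
}


def password_findings(password, policy=POLICY):
    """Return the list of rules the password violates; an empty list means it is accepted."""
    counts = {
        "Upper": sum(c.isupper() for c in password),
        "Lower": sum(c.islower() for c in password),
        "Numeric": sum(c.isdigit() for c in password),
        "Symbols": sum(c in string.punctuation for c in password),
        "Space": sum(c.isspace() for c in password),
    }
    findings = []
    if "minLength" in policy and len(password) < policy["minLength"]:
        findings.append("shorter than minLength=%d" % policy["minLength"])
    if "maxLength" in policy and len(password) > policy["maxLength"]:
        findings.append("longer than maxLength=%d" % policy["maxLength"])
    if "maxSpace" in policy and counts["Space"] > policy["maxSpace"]:
        findings.append("more than maxSpace=%d whitespace characters" % policy["maxSpace"])
    for cls in ("Upper", "Lower", "Numeric", "Symbols"):
        key = "min" + cls
        if key in policy and counts[cls] < policy[key]:
            findings.append("needs at least %d %s character(s)" % (policy[key], cls.lower()))
    return findings


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "Ab1!", "Pa ss1!word"):   # constructed inputs
        print(repr(candidate), password_findings(candidate) or ["accepted"])
```

Only the policy keys present in the dictionary are enforced, so a key left out of the array (as maxSpace would be by default) simply does not constrain the password.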

Category: linux, mail
