
[Deployment] Enable DKIM on Hervil
Closed, Resolved · Public

Description

Activity

  • Apply mailserver role to push D3553 to Postfix
  • Start DKIM process
  • Restart Postfix
  • Validate DKIM is correctly used

What to look for?

Validation

  • Can we validate external mails?
    • Send mail from gmail to Nasqueron
  • Can we sign our mails?
    • Send mail from Nasqueron to gmail
      • Should contain the DKIM signature
      • DKIM signature should pass

If either of those two fails, roll back.

Rollback procedure

To roll back, it's enough to instruct Postfix not to use the milter anymore.

  • Revert D3553 on rOPS
  • Reapply mailserver role
  • Restart Postfix
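
The two outbound checks from the validation list ("Should contain the DKIM signature", "DKIM signature should pass") can be run against the raw source of the test message as received at Gmail. This is an added example, not part of the original task or of Nasqueron's code; it assumes the receiver stamps mx.google.com as its authserv-id, and the sample headers, selector and addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default

def parse_tags(value):
    """Parse a DKIM-Signature tag list ("v=1; d=...; s=...") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_dkim(raw, signing_domain, authserv_id):
    """Return (signed, passed): a DKIM-Signature with d=signing_domain exists,
    and the receiver authserv_id reported dkim=pass for exactly that domain."""
    msg = message_from_string(raw, policy=default)
    signed = any(parse_tags(str(sig)).get("d", "").lower() == signing_domain
                 for sig in msg.get_all("DKIM-Signature", []))
    passed = False
    for ar in msg.get_all("Authentication-Results", []):
        server, _, results = " ".join(str(ar).split()).partition(";")
        # Trust only the header stamped by the receiving server: the sender
        # can put an Authentication-Results header of its own in the message.
        if server.strip().lower() != authserv_id:
            continue
        for result in results.split(";"):
            verdict = re.search(r"\bdkim=(\w+)", result)
            domain = re.search(r"header\.[di]=(?:[^@\s;]*@)?([\w.-]+)", result)
            if verdict and domain and domain.group(1).lower() == signing_domain:
                passed = passed or verdict.group(1).lower() == "pass"
    return signed, passed

# Constructed sample: headers of a test mail as seen by the Gmail recipient.
# Selector, signature data and addresses are placeholders, not real values.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@nasqueron.org header.s=placeholder header.b=AAAAAAAA;
       spf=pass smtp.mailfrom=test@nasqueron.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nasqueron.org;
\ts=placeholder; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER
From: test@nasqueron.org
To: someone@example.org
Subject: DKIM test

body
"""

if __name__ == "__main__":
    print(check_dkim(SAMPLE, "nasqueron.org", "mx.google.com"))
```

A result of (True, False) means the message was signed but the receiver did not report a pass for that domain, which is the rollback condition described above.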

Event Timeline

dereckson renamed this task from [Deployment] Enable DKIM to [Deployment] Enable DKIM on Hervil. Sat, Oct 26, 14:42
dereckson triaged this task as High priority.
dereckson created this task.
dereckson added a parent task: T2066: Deploy DKIM.

Service

The FreeBSD service for OpenDKIM has several issues:

  • detection of PID file
  • socket install
  • try to allow several instances for several profiles

Perhaps we could delete it and write a standard opendkim service with simple straightforward code?

Current status

The service needs to be started like this pending resolution (see above):

/usr/local/etc/rc.d/milter-opendkim start
chgrp mail /var/run/milteropendkim/opendkim.sock

A bilateral test between nasqueron.org (our infrastructure) and espace-win.org (gmail) shows DKIM works both for signing and for verifying.

We met on Jitsi this evening to test D3591. We decided to switch from trying to write the socket file to creating a directory with correct permissions, so opendkim itself can create files in it.