Page MenuHomeDevCentral
Create Task
Maniphest T2073

[Deployment] Enable DKIM on Hervil
Closed, ResolvedPublic
Actions

Description

Activity

  • Apply mailserver role to push D3553 to Postfix
  • Start DKIM process
  • Restart Postfix
  • Validate DKIM is correctly used

What to look for?

Validation

  • Can we validate external mails?
    • Send mail from gmail to Nasqueron
  • Can we sign our mails?
    • Send mail from Nasqueron to gmail
      • Should contain the DKIM signature
      • DKIM signature should pass

If any of those two fails, rollback.

Rollback procedure

To rollback, it's enough to instruct Postfix not to use milter anymore.

  • Revert D3553 on rOPS
  • Reapply mailserver role
  • Restart Postfix

Revisions and Commits

rOPS Nasqueron Operations
D3591rOPS9c00ea3ab08f Init OpenDKIM service
D3578rOPS99c83676fc3b Tweak how we start OpenDKIM service

Related Objects
Search...

Event Timeline

dereckson renamed this task from [Deployment] Enable DKIM to [Deployment] Enable DKIM on Hervil.Oct 26 2024, 14:42
dereckson triaged this task as High priority.
dereckson created this task.
dereckson added projects: Mail, Nasqueron Operations Squad.
dereckson added a parent task: T2066: Deploy DKIM.
dereckson updated the task description. (Show Details)Oct 26 2024, 14:45
dereckson moved this task from Backlog - On hold pending T1475 to Working on on the Mail board.Oct 26 2024, 14:50
DorianWinty claimed this task.Nov 5 2024, 21:41
dereckson added a comment.EditedNov 5 2024, 23:21

Service

FreeBSD service for OpenDKIM has several issues:

  • detection of PID file
  • socket install
  • try to allow several instances for several profiles

Perhaps we could delete it and write a standard opendkim service with simple straightforward code?

Current status

Service need to be started like this pending resolution (see above):

/usr/local/etc/rc.d/milter-opendkim start
chgrp mail /var/run/milteropendkim/opendkim.sock

Bilateral test between nasqueron.org (our infrastructure) and espace-win.org (gmail) shows DKIM works AND for signing AND for verifying.

DorianWinty added a revision: D3578: Tweak how we start OpenDKIM service.Nov 6 2024, 19:33
dereckson added a commit: rOPS99c83676fc3b: Tweak how we start OpenDKIM service.Nov 6 2024, 21:17
dereckson added a comment.Nov 18 2024, 22:12

We met on Jitsi this evening to test D3591. We decided to switch from trying to write the socket file to create a directory with correct permissions, so opendkim itself can create files on it.

DorianWinty added a revision: D3591: Init OpenDKIM service.Nov 20 2024, 17:40
DorianWinty added a commit: rOPS9c00ea3ab08f: Init OpenDKIM service.Nov 20 2024, 20:59
DorianWinty closed this task as Resolved.Nov 20 2024, 21:01
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator