
How to generate a BATV Key/DKIM signing for use in Outgoing?

Posted: Thu Jun 26, 2014 4:14 am
by viniciusferrao
Hello guys,

I would like to set up BATV and DKIM, but I'm not sure how to do that using MailCleaner.

I'm aware that I should route all my traffic to the MailCleaner server to allow MailCleaner to modify the messages adding the BATV info and DKIM signatures.

The question starts here: how to generate a BATV Key to put in the Configuration -> Domain -> Outgoing Relay and what I should select in DKIM Signing? It's clear to me to choose "This Domain", but I don't know what to put in Selector and Private Key fields. Another question is: should I use an existing private key from SSL certificates used in SMTP/Submission?

Don't know if it's important but I'm running Exchange 2013 in the final destination with send and receive connectors pointed only to the MailCleaner server. So all sent or received from the Exchange server must pass through the MailCleaner server.

Thanks in advance,

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Thu Jun 26, 2014 7:47 am
by del
Do NOT use your SSL key!
You should read some sites explaining BATV and DKIM:
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
http://www.dkim.org/info/dkim-faq.html
http://en.wikipedia.org/wiki/Bounce_Add ... Validation

Either you let MailCleaner generate the DKIM key for you or you use openssl:
https://my.spamexperts.com/kb/33/Genera ... icate.html

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Thu Jun 26, 2014 7:53 am
by viniciusferrao
del wrote:Do NOT use your SSL key!
You should read some sites explaining BATV and DKIM:
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
http://www.dkim.org/info/dkim-faq.html
http://en.wikipedia.org/wiki/Bounce_Add ... Validation

Either you let MailCleaner generate the DKIM key for you or you use openssl:
https://my.spamexperts.com/kb/33/Genera ... icate.html


Thank you del.

I've already read some of those links; the last one was really useful. I will try to set up DKIM right now. But one thing isn't clear to me: how do I generate the BATV Key? It appears to be simple but I'm missing the point.

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Thu Jun 26, 2014 8:03 am
by del
BATV does not use any key pairs, so a simple string is enough.
You can for example use openssl to generate a 'random' string:


openssl rand -base64 64

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Thu Jun 26, 2014 8:07 am
by viniciusferrao
del wrote:BATV does not use any key pairs, so a simple string is enough.
You can for example use openssl to generate a 'random' string:


openssl rand -base64 64


That's what I mean :)

It's just a simple base64 string, 64 characters long?

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Thu Jun 26, 2014 8:11 am
by del
64 byte ;)
https://www.openssl.org/docs/apps/rand.html

//EDIT: But you can use any length. BATV works with a single char key too but I do not recommend that ;)

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Thu Jun 26, 2014 8:18 am
by viniciusferrao
del wrote:64 byte ;)
https://www.openssl.org/docs/apps/rand.html

//EDIT: But you can use any length. BATV works with a single char key too but I do not recommend that ;)


Hmmm now it's clear for me! Thank you very much del.

I already have another problem: BATV appears to break my LDAP callout for address verification. I was afraid of this... During earlier research on BATV today I came across this thread: viewtopic.php?f=14&t=1836 and saw a potential problem.

Then things happened as expected:
Jun 26 04:08:32 ironforge postfix/smtp[11962]: 5BE5B5FBA2: to=<prvs=02542e2386=myemail@example.com>, relay=mailcleaner.example.com[192.168.0.14]:25, delay=0.21, delays=0/0/0.01/0.2, dsn=5.0.0, status=bounced (host mailcleaner.example[192.168.0.14] said: 550 User unknown (in reply to RCPT TO command))
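
The rejected recipient in that log line carries a BATV tag, which reads as key number 0, expiry day 254, hash 2e2386 under the `prvs=KDDDSSSSSS=` layout of the BATV draft. The following is an added example, not part of the thread and not MailCleaner's code: it generates a shared secret like the `openssl rand` command above, builds a tag, and recovers the plain address that a directory lookup would need. The function names, the 7-day lifetime and the use of the key string directly as the HMAC-SHA1 key are assumptions.

```python
import base64, hashlib, hmac, re, secrets, time

# prvs=KDDDSSSSSS=local@domain (K key number, DDD expiry day, SSSSSS hash)
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+@.+)$")

def new_batv_key(nbytes=64):
    """Random shared secret; 64 bytes encode to 88 base64 characters."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def _day(now):
    # Whole days since 1970; `now` is an optional Unix timestamp for testing.
    return int((time.time() if now is None else now) // 86400)

def _tag(key, keynum, day, addr):
    # First three bytes of HMAC-SHA1 over K + DDD + original address.
    msg = f"{keynum}{day:03d}{addr}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha1).digest()[:3].hex()

def batv_sign(addr, key, keynum=0, lifetime_days=7, now=None):
    # lifetime_days=7 is an assumed default, not a value from the thread.
    day = (_day(now) + lifetime_days) % 1000
    return f"prvs={keynum}{day:03d}{_tag(key, keynum, day, addr)}={addr}"

def batv_strip(rcpt, key, now=None):
    """Return (address to look up in the directory, tag status)."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return rcpt, "untagged"
    keynum, day, tag, addr = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if not hmac.compare_digest(tag, _tag(key, keynum, day, addr)):
        return addr, "bad-signature"
    # DDD wraps every 1000 days; a large forward distance means it is past.
    if (day - _day(now)) % 1000 > 500:
        return addr, "expired"
    return addr, "valid"

if __name__ == "__main__":
    key = new_batv_key()
    signed = batv_sign("myemail@example.com", key)   # constructed sample
    print(signed, batv_strip(signed, key))
    # The tagged recipient from the log above, checked against an unrelated key:
    print(batv_strip("prvs=02542e2386=myemail@example.com", key))
```

A recipient check that looks up the whole `prvs=...` string will not find the mailbox; looking up the stripped address and treating the tag status as a separate decision avoids that.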

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Thu Jun 26, 2014 8:30 am
by del
Hm...
I have no idea how to fix that, sorry

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Thu Jun 26, 2014 8:33 am
by viniciusferrao
del wrote:Hm...
I have no idea how to fix that, sorry


No problem. I think this can be a BUG, since it was easily replicated from the reference thread I've posted here. Perhaps this is a question to @olivier.

Re: How to generate a BATV Key/DKIM signing for use in Outgo

Posted: Sat Jun 28, 2014 7:36 am
by viniciusferrao
Del, thanks one more time.

I was able to set up BATV and DKIM. Only missing DMARC now. And I've posted a message on the Bugs subforum to describe the LDAP BUG with BATV.

Re: How to generate a BATV Key/DKIM signing for use in Outgoing?

Posted: Fri Mar 31, 2017 6:12 pm
by cglmicro
Sorry to wake up this old thread, but I'm having some issue configuring DKIM with my Mailcleaner for outbound.

In my MailCleaner I have set it:
[Attached screenshot: jdb_2017-03-31_1303.png]


And in my CPANEL > DNS I've added:
[Attached screenshot: jdb_2017-03-31_1307.png]


But in my MailCleaner tracing it shows INVALID PUBLIC KEY RECORD:


Incoming MTA stage:    2017-03-31 11:10:16 1ctyBs-0002ul-I6 DKIM: d=jeudebourse.com s=default c=relaxed/relaxed a=rsa-sha256 [invalid - public key record (currently?) unavailable]
...
2017-03-31 11:10:18 1ctyBs-0002ul-I6 Completed


Why?

Re: How to generate a BATV Key/DKIM signing for use in Outgoing?

Posted: Thu Apr 06, 2017 1:04 am
by cglmicro
My problem is solved: I removed DKIM signing from MC and I added it in the webmail server that relays through MC. Thanks anyway.

Re: How to generate a BATV Key/DKIM signing for use in Outgoing?

Posted: Tue Apr 18, 2017 8:38 am
by Matter
cglmicro wrote:Sorry to wake up this old thread, but I'm having some issue configuring DKIM with my Mailcleaner for outbound.


I'm glad you did, cglmicro, and I'm glad I stumbled upon this thread because I may very well be having the same issue. Fingers crossed.