http://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendki
Day: 28 January 2017
Enabling DKIM milter in Virtualmin
To enable DKIM signing of outgoing email messages, follow these steps :
- Login to Virutalmin as
rootand go to Email Messages -> DomainKeys Identified Mail - Change Signing of outgoing mail enabled? to Yes.
- In the Selector for DKIM record name field enter a short name that you will use to identify the signing key. This is typically just the current year, like
2010. Do NOT enterdefault, as this can trigger a bug in the current Virtualmin release which deletes the/etc/defaultdirectory! - Click the Save button.
Assuming all goes well, Virtualmin will report the steps taken to configure and enable DKIM.
Only virtual servers that have both the DNS and email features enabled will have DKIM activated, as the mail server needs to be setup to use a private signing key whose corresponding public key is added to DNS.
By default, Virtualmin will also configure the DKIM milter to verify incoming email that has the proper signatures. DKIM-signed messages where the signature is incorrect or cannot be checked with a DNS lookup will be bounced or delayed. If you want to disable verification, set the Verify DKIM signatures on incoming email? option to No.
To turn off DKIM signing completely, just do the following :
- Login to Virutalmin as
rootand go to Email Messages -> DomainKeys Identified Mail - Change Signing of outgoing mail enabled? to No.
- Click Save.
This will remove the public key from all domains, and stop your mail server from signing messages with the DKIM milter.
NOTES:
Common problems:
- Check if you have SPF, DKIM and DMARC records and if they are properly set
- Check if you have rDNS
- Check if your domain or IP is blacklisted
- From 1 to 3 plus several other settings can be checked with:
http://mxtoolbox.com/SuperTool.aspx - Check what services are active and their ports especially dovecot: http://www.cyberciti.biz/faq/how-do-i-find-out-what-ports-are-listeningo…
NOTES:
For rDNS should be easy to sort. Best and easiest solution would be to use the hostname (either way it should be FQDN), so if your hostname is “myserver.domain.tld” then check if you have in your DNS records “myserver.domain.tld. IN A your.server.IP.address”. If you are missing this record be sure to add it before you proceed to set rDNS. Once done go to your host control panel and set rDNS to “myserver.domain.tld”.
postfix/anvil
ANVIL(8) ANVIL(8)
NAME
anvil - Postfix session count and request rate control
SYNOPSIS
anvil [generic Postfix daemon options]
DESCRIPTION
The Postfix anvil(8) server maintains statistics about client connec-
tion counts or client request rates. This information can be used to
defend against clients that hammer a server with either too many simul-
taneous sessions, or with too many successive requests within a config-
urable time interval. This server is designed to run under control by
the Postfix master(8) server.
In the following text, ident specifies a (service, client) combination.
The exact syntax of that information is application-dependent; the
anvil(8) server does not care.
CONNECTION COUNT/RATE CONTROL
To register a new connection send the following request to the anvil(8)
server:
request=connect
ident=string
The anvil(8) server answers with the number of simultaneous connections
and the number of connections per unit time for the (service, client)
combination specified with ident:
status=0
count=number
rate=number
To register a disconnect event send the following request to the
anvil(8) server:
request=disconnect
ident=string
The anvil(8) server replies with:
status=0
MESSAGE RATE CONTROL
To register a message delivery request send the following request to
the anvil(8) server:
request=message
ident=string
The anvil(8) server answers with the number of message delivery
requests per unit time for the (service, client) combination specified
with ident:
status=0
rate=number
RECIPIENT RATE CONTROL
To register a recipient request send the following request to the
anvil(8) server:
request=recipient
ident=string
The anvil(8) server answers with the number of recipient addresses per
unit time for the (service, client) combination specified with ident:
status=0
rate=number
TLS SESSION NEGOTIATION RATE CONTROL
The features described in this section are available with Postfix 2.3
and later.
To register a request for a new (i.e. not cached) TLS session send the
following request to the anvil(8) server:
request=newtls
ident=string
The anvil(8) server answers with the number of new TLS session requests
per unit time for the (service, client) combination specified with
ident:
status=0
rate=number
To retrieve new TLS session request rate information without updating
the counter information, send:
request=newtls_report
ident=string
The anvil(8) server answers with the number of new TLS session requests
per unit time for the (service, client) combination specified with
ident:
status=0
rate=number
AUTH RATE CONTROL
To register an AUTH request send the following request to the anvil(8)
server:
request=auth
ident=string
The anvil(8) server answers with the number of auth requests per unit
time for the (service, client) combination specified with ident:
status=0
rate=number
SECURITY
The anvil(8) server does not talk to the network or to local users, and
can run chrooted at fixed low privilege.
The anvil(8) server maintains an in-memory table with information about
recent clients requests. No persistent state is kept because standard
system library routines are not sufficiently robust for update-inten-
sive applications.
Although the in-memory state is kept only temporarily, this may require
a lot of memory on systems that handle connections from many remote
clients. To reduce memory usage, reduce the time unit over which state
is kept.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
Upon exit, and every anvil_status_update_time seconds, the server logs
the maximal count and rate values measured, together with (service,
client) information and the time of day associated with those events.
In order to avoid unnecessary overhead, no measurements are done for
activity that isn't concurrency limited or rate limited.
BUGS
Systems behind network address translating routers or proxies appear to
have the same client address and can run into connection count and/or
rate limits falsely.
In this preliminary implementation, a count (or rate) limited server
process can have only one remote client at a time. If a server process
reports multiple simultaneous clients, state is kept only for the last
reported client.
The anvil(8) server automatically discards client request information
after it expires. To prevent the anvil(8) server from discarding
client request rate information too early or too late, a rate limited
service should always register connect/disconnect events even when it
does not explicitly limit them.
CONFIGURATION PARAMETERS
On low-traffic mail systems, changes to main.cf are picked up automati-
cally as anvil(8) processes run for only a limited amount of time. On
other mail systems, use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for
more details including examples.
anvil_rate_time_unit (60s)
The time unit over which client connection rates and other rates
are calculated.
anvil_status_update_time (600s)
How frequently the anvil(8) connection and rate limiting server
logs peak usage information.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf con-
figuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving information over an
internal communication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon
process will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
SEE ALSO
smtpd(8), Postfix SMTP server
postconf(5), configuration parameters
master(5), generic daemon options
README FILES
TUNING_README, performance tuning
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
The anvil service is available in Postfix 2.2 and later.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Wietse Venema
Google, Inc.
111 8th Avenue
New York, NY 10011, USA
Tools like mxtoolbox.com should give you some info if there is a problem, another option is intodns.com but it will check only DNS (there are other solutions just use google). To test email only you can use https://www.unlocktheinbox.com/mail-tester . One thing you must know, every single thing what is not properly set or defined, it will increase spam score of your emails and more problems you have it will be easier for emails to end in spam or be rejected by receiver.
NOTES:
You can enable dmarc if you go virtualmin – domain – server configuration and click dns options. There you scroll down and click enabled on DMARC record enabled? also you can change policy there. You may perhaps wait 24 hours to apply this as its dns which could take time a bit.
NOTES:
I do see your point but I am hosting sites with emails without rDNS - that does not need to be concerned at allWell based on RFC1912 we have:
2.1 Inconsistent, Missing, or Bad DataEvery Internet-reachable host should have a name. The consequences
of this are becoming more and more obvious. Many services available
on the Internet will not talk to you if you aren’t correctly
registered in the DNS.
Make sure your PTR and A records match. For every IP address, there
should be a matching PTR record in the in-addr.arpa domain. If a
host is multi-homed, (more than one IP address) make sure that all IP
addresses have a corresponding PTR record (not just the first one).
Failure to have matching PTR and A records can cause loss of Internet
services similar to not being registered in the DNS at all. Also,
PTR records must point back to a valid A record, not a alias defined
by a CNAME.
It is highly recommended that you use some software
which automates this checking, or generate your DNS data from a
database which automatically creates consistent data…So please read it you will find a lot of information there about rDNS.
For the rest there is difference between helping and hand holding and i will not do the later. If someone dont want to spend few minutes on google then he or she dont deserve any attention and if you want to do differently please be my guest, i’m sure no one will stop you.
P.S. Stop telling people wrong information, there are rules you must follow so instead of teaching people wrong things lets educate them to properly follow the rules.
Diabolico
https://www.virtualmin.com/node/41321
– I often come to the conclusion that my brain has too many tabs open. –
Failing at desktop publishing & graphic design since 1994.