NameServer config and DKIM signing for email.

[steve_adams]

I have 2 stand alone nameservers, ns1.radicalcomputingconcepts.com and ns2.radicalcomputingconcepts.com. The DNS is delegated from godaddy to these two NS. Both physical servers are running Froxlor. NS1 is also hosting mail. I am trying to configure both machines with Bind9 on Ubuntu 20.04 to act as the functional NS for domains hosted on either machines.

1) Do I need to add domains in both Froxlor control panels for radicalcomputingconcepts.com? I'm not hosting a site here at all...only DNS and mail.

2) How do I configure NS2 to point to NS1 for a particular domain? for instance keystonedesign.com is on the NS1 server. Do I need to install the domain on NS2 as well and edit the DNS manually to point it to the NS1 server?

3) How do I configure the DKIM email signing (mail is only sent from NS1) for resolution from NS2? Manually edit the DNS record?

[steve_adams]

I managed to resolve my issue by manually configuring Rspamd to inject the keys Froxlor created.

I realize it's a low priority as there are few people as stubborn as I am when it comes to running a DNS server and hosting my own mail server, but it would be nice to incorporate opendkim and rspamd configurations into Froxlor. 

I am extremely grateful to the Froxlor community for the present solution. I'd like to contribute these feature requests myself; however, I'm reluctant because I don't think you'd want me sticking my dirty novice hands into the community food bowl!

[d00p]

1) no, the nameserver domain does not need to be added to froxlor

2) you might want to read docs about master/slave - the second NS does not need to be a froxlor server (froxlor only does MASTER)

3) if you have your NS set up correctly there is no need to edit dns records on ns2 manually...you basically want ns2 to get new zones and updates automatically from ns1 ...again, read about master/slave

[steve_adams]

could you please point me to a link regarding master/slave configuration?

When configuring the mail server, if I do not list the nameserver as a domain (which is also the mail server) where can I edit the DNS records to add DKIM, DMARC, and SPF?

[d00p]

6 minutes ago, steve_adams said:

could you please point me to a link regarding master/slave configuration?

If you want to run your own nameserver...google for that kind of stuff is the LEAST you should be able to do on your own...you won't learn anything if i just tell you what to do...you need to understand what and more importantly - why - you do it.

7 minutes ago, steve_adams said:

When configuring the mail server, if I do not list the nameserver as a domain (which is also the mail server) where can I edit the DNS records to add DKIM, DMARC, and SPF?

did you even check out the settings and dns editor in froxlor?! come on...

[steve_adams]

I've been running my own NS for a couple of decades with DJBDNS on both these machines. However, with Google's increasing the DKIM bit length to 2048, djbdns will no longer contain the length of the records. Since I was running Froxlor since beta I was aware of the Nameserver settings and the DNS editor is fairly new. Yes...I have checked the settings. The issue I'm having is that the server name (radicalcomputingconcepts.com) cannot be listed as a domain from within Froxlor so I can't edit the zone to add DMARC. DKIM, SPF for mail.radicalcomputingconcepts.com for which all the domains within froxlor send mail through. This is the only domain for which I have PTR

[d00p]

13 minutes ago, steve_adams said:

The issue I'm having is that the server name (radicalcomputingconcepts.com) cannot be listed as a domain from within Froxlor

So, you have set this Domain as froxlor system Hostname? If yes, why Not Just use froxlor.radicalcomputingconcepts.com so you can add radicalcomputingconcepts.com as domain

[steve_adams]

thank you!

 

[steve_adams]

Ok, I'm still having issues with the DKIM signing. I'm successfully issuing the keys and can dig dkim21._domainkey.mail.radicalcomputingconcepts.com txt but the emails are not getting signed? postfix conf?

[d00p]

you need a service that uses the key to sign the messages, dkim-filter for example 

[steve_adams]

I installed open-dkim since dkim-filter was removed from the apt sources list for Debian some time ago. I've dug pretty deep in the Froxlor docs, forums, and issues and not found any conclusive configuration solutions for open-dkim. Please advise.

[steve_adams]

Likewise, I can find no documentation on configuring Amavis or Rspamd to work with Froxlor and retrieve the keys created by Froxlor.

[d00p]

Basically, froxlor generates a keyfile for each Domain, and you will have to Tell the Service how to use Them. There are soke Threads for opendkim Here. Rspamd should also have Options to make it Work.

Dkim config Templates are Not maintained that much as it depends on the Nameserver Feature which Not many people use.

 

[steve_adams]

Ok, I'm getting closer. My issue is twofold:

1) postfix was indeed not configured correctly. The main.cf milters were set to 'smtpd_milters = inet:localhost:8891' and 'non_smtpd_milters = inet:localhost:8891' rather than 'smtpd_milters = local:opendkim/opendkim.sock' and 'non_smtpd_milters = local:opendkim/opendkim.sock'

2) the dkim-keys.conf generated by Froxlor in /etc/postfix/dkim and the domains file also generated there do not conform to open-dkim's intended format for the /etc/opendkim/signing.table and /etc/opendkim/keys.table as pointed to via the /etc/opendkim.conf file.

In regard to number 2 above, has anyone contributed a template to construct these two tables??...I assume this file would be lib/Froxlor/Cron/Dns/DnsBase.php

I'm using opendkim: OpenDKIM Filter v2.11.0

[d00p]

There are one or two issues with possible solutions on https://github.com/Froxlor/Froxlor/issues maybe you find Something there. I remember that opendkim worked Just fine