
CREATING A DKIM RECORD FOR EXCHANGE SERVER


Source: https://www.linkedin.com/pulse/how-configure-dkim-exchange-2019-simple-way-seyed-abdollahi

Installation

In Exchange Online, DKIM signing is a built-in service, but an on-premises Exchange 2019 deployment needs a third-party application to add this functionality to the Exchange infrastructure.

In this guide we use Stefan Profanter's excellent dkim-exchange application for this purpose, which is available here: https://github.com/Pro/dkim-exchange/releases/latest


After installing the program, open Configuration.DkimSigner.exe and click the "Install" button, or download the installer straight from https://codeload.github.com/Pro/dkim-exchange/legacy.zip/v***

Configuration

After the installation finishes, open the configurator:

C:\Program Files\Exchange DkimSigner\Configuration.DkimSigner.exe

Click on the "Configure" button and move the DkimSigner agent to the very bottom of the transport agent list, so that it signs the message only after every other agent has finished modifying it.

Under the DKIM settings tab select relaxed canonicalization, as Exchange tends to add, remove and change whitespace (spaces, tabs, new lines) when processing and submitting messages. This matters because DKIM creates a hash of the original message body and header; on receipt, the recipient server creates those hashes again and compares the two versions. They need to match.

Simple canonicalization requires the body and header of the received message to be byte-for-byte identical to the original. Relaxed canonicalization gives the transport agents more flexibility to change messages: it replaces runs of whitespace with a single space character, lowercases header field names, removes leading and trailing whitespace, and so on.



On the "Domain Settings" tab we add our domain name; the DKIM selector name will be selector1.


The private and public keys are generated. The server signs the hashes with the private key, and recipients use the public key to verify that signature. This proves authenticity, as only the holder of the private key can produce a valid signature: if someone modified the message in transit they could recompute the hashes of the new body and header, but they cannot sign them the way the server does.


Publish the selector DNS record for DKIM

The public key is published in the p= part of a TXT record that we add to the domain's public DNS zone, in our example at GoDaddy.


Restart the service


How it works

John Doe from Always Hot Café sends a message to zsolt@opentechtips.com. The header of the received email contains a DKIM-Signature field. Its s= tag tells the receiving server that the DKIM selector is selector1, so it looks up the selector1._domainkey.alwayshotcafe.com TXT record (the domain comes from the d= tag), which contains the public key needed to verify the signature. The two values the receiver checks are in the bh= and b= tags:

bh= : the hash of the (canonicalized) message body

b= : the signature over the headers, created with the sender's private key

Header


After reading these tags, the receiving server goes through the same hashing process on the message it received, using the algorithm specified in the a= tag.

If the recomputed body hash matches bh= and the signature in b= verifies with the published public key, the DKIM check passes.
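To make the canonicalization choice from the configuration section and the verification steps above concrete, here is an added Python example (not code from the original post or from dkim-exchange) that canonicalizes a message body under both the simple and the relaxed rules of RFC 6376, computes the bh= body hash, and reads the s= and d= tags to derive the selector record name. The message, domain and header values are constructed for illustration, and the signature in b= is a placeholder that is not checked here.

```python
import base64
import hashlib
import re

# Constructed sample: the body as signed by the sending server, and a copy
# whose whitespace a transport agent changed in transit (trailing spaces,
# a tab instead of two spaces, extra blank lines at the end).
ORIGINAL_BODY = b"Hello Zsolt,\r\n\r\nYour  table is booked.\r\n-- \r\nJohn Doe\r\n"
REWRITTEN_BODY = b"Hello Zsolt,   \r\n\r\nYour\ttable is booked.\r\n-- \r\nJohn Doe\r\n\r\n\r\n"


def _strip_trailing_empty_lines(body: bytes) -> bytes:
    """Drop empty lines at the end of the body and make sure it ends with CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if body and not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def simple_body(body: bytes) -> bytes:
    """'simple' body canonicalization: nothing but trailing empty lines is touched."""
    return _strip_trailing_empty_lines(body) or b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization: collapse whitespace runs, strip line-end whitespace."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in body.split(b"\r\n")]
    return _strip_trailing_empty_lines(b"\r\n".join(lines))


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tags; folding whitespace inside values is ignored."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def selector_record_name(tags: dict) -> str:
    """DNS name the receiver queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash_matches(tags: dict, body: bytes) -> bool:
    """Recompute bh= with the body canonicalization named in c= (default simple)."""
    canon = tags.get("c", "simple/simple").split("/")
    return body_hash(body, canon[1] if len(canon) == 2 else "simple") == tags["bh"]


# Constructed DKIM-Signature value as the receiver would see it (folded over two lines).
DKIM_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=alwayshotcafe.com; s=selector1;\r\n"
               " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
               " b=PLACEHOLDER-signature-not-verified-in-this-example")
```

With relaxed canonicalization the rewritten body still hashes to the bh= in the header, while under simple canonicalization the whitespace changes would already fail the check before the signature is even looked at.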

TEST

https://www.appmaildev.com/en/dkim is a great website to verify that DKIM works.
