
Resolved Upgrading to Onyx: what if I already have OpenDKIM installed?

Sergio Manzi

Hello everybody!

As I have described in https://talk.plesk.com/threads/is-it-possible-to-use-domainkey-opendkim-in-plesk.338443/ I have already installed OpenDKIM on my servers running Plesk 12.5.30, following instructions I've got from http://www.stevejenkins.com/blog/20...h-postfix-or-sendmail-for-rhel-centos-fedora/

I'm now considering upgrading to Plesk Onyx and I'm wondering what I should do beforehand: should I uninstall my "custom" OpenDKIM solution beforehand?

Please also keep in mind that in my Plesk installations I'm not using Plesk DNS: all my DNS configuration is done on other separate servers (a heterogeneous mix of Amazon Route53, gandi.net, and other registrars' DNS).

Any advice would be welcome, thanks in advance.

Sergio
 
Hi Sergio Manzi,

The additional OpenDKIM installation doesn't interfere with the ones used by Plesk. No need to change anything here.
 
Thanks for answering, @UFHH01,

I'm puzzled: doesn't Plesk Onyx include its own DKIM signing mechanism?

When I installed OpenDKIM I had to activate it, for each of the involved domains, by adding it as a milter in /etc/postfix/main.cf

Will the upgrade procedure take care of adjusting that to the new Plesk Onyx DKIM signing mechanism?

Thanks again,

Sergio
 
Hi Sergio Manzi,

> I'm puzzled: doesn't Plesk Onyx include its own DKIM signing mechanism?

Correct, but that doesn't mean that you have to give up your manually installed OpenDKIM configuration.

> When I installed OpenDKIM I had to activate it, for each of the involved domains, by adding it as a milter in /etc/postfix/main.cf
>
> Will the upgrade procedure take care of adjusting that to the new Plesk Onyx DKIM signing mechanism?

No, not at all. You will have TWO different DKIM signings. One set up by YOURSELF and one set up by Plesk.
 
Hi, and thanks for clarifying!

> ... that doesn't mean that you have to give up your manually installed OpenDKIM configuration.

Now I get what you mean, but I think it would anyway be worth switching off one of the two, otherwise...

> ... You will have TWO different DKIM signings. One set up by YOURSELF and one set up by Plesk.

... which seems to be redundant.

And if I opt to keep the Plesk Onyx signing (which seems to be the sensible solution...) I think I should also modify/update my domain's DKIM TXT records to reflect the new signing key, right? I haven't looked into the Onyx docs yet, but I think/hope there should be a way to get the public signing key so that I can declare it in my (manually configured) DNS zones...

Sergio
 
Hi Sergio Manzi,

> ... which seems to be redundant.

... sort of... yes... but why should you remove a working (old) configuration? Your thoughts can't be based on "performance issues", because using an additional milter with postfix could only be a waste of milliseconds during the transport process, nothing more.

> And if I will opt to keep the Plesk Onyx signing (which seems to be the sensible solution...)

... it is the very same way as for your manual configuration, with the fact that Plesk uses the selector "default" (which can't be changed at the moment, but might be changeable in a future release of Plesk Onyx); therefore you should consider using another selector (for example "mail", "YOUR_DESIRED_SELECTOR_NAME"...) for your manual configuration. The advantage of your manual configuration is the possibility to change each possible configuration feature for OpenDKIM (for example at "/etc/opendkim.conf"), while with Plesk you are restricted to default settings, configured by Plesk.

> I think I should also modify/update my domain's DKIM TXT records to reflect the new signing key, right?

This depends on your (previously) used selector. As mentioned above, Plesk uses the "default" selector, while you are able to use any desired name for your manual OpenDKIM selector.

Due to the fact that Plesk uses the "default" selector, there will be corresponding DNS entries at "Home > Subscriptions > YOUR-DOMAIN.COM > Websites & Domains > DNS settings" for
  • _adsp._domainkey.YOUR-DOMAIN.COM.
  • _domainkey.YOUR-DOMAIN.COM.
and
  • default._domainkey.YOUR-DOMAIN.COM.
... which you should copy to your PRIMARY NAMESERVER for your corresponding domain.
 
@UFHH01, thanks to your help the scenario is getting clearer!

Bad luck is that in my OpenDKIM configuration I have used the "default" selector, so I'll have to change it (in my config) in order to not collide with the Onyx one.

I'm still unsure about what will happen when I upgrade, as in my current Plesk config I don't have DNS installed at all (i.e. if I go to "Add and Remove Product Components" I have "BIND DNS server" unchecked, with the red X)...
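The selector collision discussed in the posts above can be checked on a received message. The following is an added example, not part of the thread and not Plesk or OpenDKIM code; the function names, the example.com domain and the sample headers are constructed for illustration. It parses the DKIM-Signature headers and reports when two signatures point at the same `<selector>._domainkey.<domain>` key record.

```python
import re
from collections import defaultdict

# Constructed sample: one message signed twice (manual OpenDKIM milter plus the
# panel's signer), both with selector "default". Hashes/signatures are placeholders.
SAMPLE_HEADERS = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    "\ts=default; t=1480000000; bh=PLACEHOLDER=;\r\n"
    "\th=From:To:Subject; b=PLACEHOLDERSIGONE\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=default; bh=PLACEHOLDER=; h=From:Subject;\r\n"
    "\tb=PLACEHOLDERSIGTWO\r\n"
    "From: sender@example.com\r\n"
    "Subject: test\r\n"
)

def dkim_signatures(raw_headers):
    """Return one tag dict per DKIM-Signature header (RFC 6376 tag=value list)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    sigs = []
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "dkim-signature":
            continue
        tags = {}
        for part in value.split(";"):
            key, sep, val = part.partition("=")
            if sep:
                tags[key.strip()] = re.sub(r"\s+", "", val)
        sigs.append(tags)
    return sigs

def key_record(sig):
    """DNS name a verifier queries for this signature's public key."""
    return f"{sig['s']}._domainkey.{sig['d']}".lower()

def selector_collisions(sigs):
    """Key record names referenced by more than one signature on the message.
    If the signers hold different private keys, a single published key
    validates only one of them, so each hit needs a distinct selector."""
    by_name = defaultdict(list)
    for sig in sigs:
        by_name[key_record(sig)].append(sig.get("c", "simple/simple"))
    return {name: group for name, group in by_name.items() if len(group) > 1}

if __name__ == "__main__":
    for name, group in selector_collisions(dkim_signatures(SAMPLE_HEADERS)).items():
        print(f"{name}: referenced by {len(group)} signatures ({', '.join(group)})")
```

Once the manual OpenDKIM selector is renamed (for example to "mail"), the same check returns no collisions and each signature resolves to its own TXT record.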
 
Hi Sergio Manzi,

> ... I don't have DNS installed at all ...

... well, simply install the needed component(s), to reach the goal to take advantage of the desired feature(s) - it's not really complicated to install it. :p

The Plesk features will help you as well to configure your PRIMARY NAMESERVER, due to the fact that all needed DNS entries for a domain are listed. I can't see any logical reason why someone would resist to leave out these components on its server(s), when he/she uses Plesk.
 
> ... I can't see any logical reason why someone would resist to leave out these components on its server(s), when he/she uses Plesk.

There are several reasons why I had DNS uninstalled, but essentially it all boils down to three main considerations:
  1. I prefer to decouple DNS functions from service delivering functions (e.g. web server and mail server). Good hosted DNS like Amazon Route53 and gandi.net are vastly more reliable than my self-hosted servers, and in case of trouble on one of my servers I can swiftly switch service delivery from the failed server to another stand-by server by switching my DNS configuration (which for the relevant records has a very short TTL).

  2. Feature-wise, Plesk DNS configuration is absolutely sub-par to what I'm used to having on Amazon Route53 and gandi.net. On gandi.net I can have several different versions for each zone and switch them by a click of a button, while with Amazon Route53 (and other services I use) I can modify my config through their API (and, yes, I've tried the Plesk Amazon Route53 extension and found it absolutely lacking in terms of features/configurability).

  3. Because of the above, I didn't have any good reason for maintaining yet another, non-active, DNS configuration handled by Plesk. With the new Plesk Onyx version things can possibly change...
 
Hi Sergio Manzi,

(last post --- my very own opinion):

> There are several reasons why I had DNS uninstalled

All three "reasons" don't explain why someone would de-install bind and the corresponding components from Plesk. The additional features which Plesk offers don't depend on external nameserver usage and, on the other hand, the external nameserver(s) don't depend on possible Plesk features.

Unfortunately, you don't see the point that Plesk can help you to investigate issues/errors/problems/misconfigurations on your server, which none of your external nameservers are able to. Even if you use Plesk only "as an example" (because all DNS entries are set up RFC-compliant, for example), you missed using the "DomainKeys" feature in previous Plesk versions (before "Onyx"), which resolved possible mail transport issues as well.

In my opinion, you should always consider accepting a "helping hand", especially when it doesn't harm your server. ;)
 