How To Implement Domainkeys In Postfix Using dk-milter

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Submitted by topdog (Contact Author) (Forums) on Fri, 2008-02-01 16:53. :: Anti-Spam/Virus | CentOS | Postfix

How To Implement Domainkeys In Postfix Using dk-milter

Introduction

Domainkeys is "DomainKeys is a method of e-mail authentication. Unlike some other methods, it offers almost end-to-end integrity from a signing to a verifying Mail Transfer Agent (MTA). In most cases the signing MTA acts on behalf of the sender, and the verifying MTA on behalf of the receiver. DomainKeys is specified in Historic RFC 4870, which is obsoleted by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures." according to the wikipedia. So why a how to on it when there is DKIM ? Well domainkeys is still actively being used and is more widely deployed than DKIM, the developer Yahoo still uses it to sign and verify mail although they are contributers to the DKIM standard.

We will be using the milter implementation of domainkeys http://sourceforge.net/projects/dk-milter on CentOS 5.1.

 

Installation

Install the rpm:

rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm

 

Generate The Keys

A script to do this is provided with the rpm:

/usr/share/doc/dk-milter-0.6.0/gentxt.sh <selector> <domainname>

Where <selector> is anything you want to call it - I use default and <domainname> is your domain name for which you will be signing mail. This script will produce 3 files:

  • <selector>.txt - this contains the text to add to your zone file: 
    default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==" ; ----- DomainKey default for example.com
  • <selector>.public - It is the public key: 
    -----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoR
illFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==
-----END PUBLIC KEY-----
  • <selector>.private - This is the private key: 
    -----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG
9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQJACHWqPCf+/yW0dmv24yWY
/eIFy3PNZNNxol2YjpVIZ28SgOSRrC0vzH+SpR1WZURAOcHi+WQa0AJPeqxM4Y1g
xQIhAMVjPNPW8u0sMpNIcev9JBUjUjbilOgY2FTfyNQV0SKjAiEAwBrO5T8XLZQ6
eRUUzz7yWYCHZln6CgD0lhBuZzu4wP8CIQCq8AT2Y7ie4l6uI9fcia2czKjfNRvF
X/bAkchGutoRRwIgF2KsEQgvICNNQvQoBlqZUf/te640XAdlvubdKcABa60CIQCU
DKlMOSxHp4Ms+KT41MFHkHDI/gkFfHvVRhL1PmuwtQ==
-----END RSA PRIVATE KEY----

Install the private key:

mv default.private /etc/mail/domainkeys/dk_<domainname>.pem
chown dk-milt:dk-milt /etc/mail/domainkeys/dk_<domainname>.pem
chmod 600 /etc/mail/domainkeys/dk_<domainname>.pem

 

DNS

Add the contents of the .txt to your DNS zone file.

Add the following to your DNS zone file:

_domainkey IN TXT "t=y; o=~"

Verify your DNS configuration: http://domainkeys.sourceforge.net/policycheck.html

 

Configuration

Edit the file /etc/sysconfig/dk-milter and set the following options: 

# Default values
#
USER="dk-milt"
PORT="local:/var/run/dk-milter/dk.sock"
SIGNING_DOMAIN="<domainname>"
SELECTOR_NAME="<selector>"
KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
MILTER_GROUP="mail"

 

Configure Postfix

Add this to the Postfix configuration file /etc/postfix/main.cf:

smtpd_milters = unix:/var/run/dk-milter/dk.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock

Append to the existing milters if you have other milters already configured.

Start dk-milter and Restart Postfix:

 service dk-milter start

service postfix restart

 

Testing

To test send a mail to autorespond+dk@dk.elandsys.com you will recieve a response email with the test results. If you have a Yahoo account you can send a mail to that as well; a sample of a signed message in Yahoo is below:

Links


Copyright © 2008 Andrew Colin Kissa
All Rights Reserved.
add comment | view as pdf view as pdf | Display a printer-friendly version of this page. print |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Hello,I installed &
Submitted by Parsa (not registered) on Sun, 2009-10-11 14:15.

Hello,

I installed & configured all the things you said above, but when I send an email from that mail server to my yahoo.com email, I see in the header: DomainKeys-status: fail(bad sig).

 What happened, and how can I fix this problem?

 

Best Regards,
Parsa

reply | view as pdf view as pdf
can't get it working
Submitted by Codechump (not registered) on Mon, 2009-02-16 22:34.
Hi, 
 
I followed this how to exactly... several times! I'm running CentOS 5.2
 
I went to the site mentioned in the rpm download link and got an RPM for v1.0.2-0 but I still can't get my out going mails signed. I'm using postfix v2.3.3 
 
Any suggestions?... my emails when sent to Yahoo, the headers show domainkeys=neutral(no sig) 
 
thanks so much...<!-- google_ad_section_end -->
reply | view as pdf view as pdf
Is rpm up to date?
Submitted by Anonymous (not registered) on Tue, 2009-01-06 19:11.

I tried running the rpm installation command on my openSuse 11.0 server and was told that libcrypto.so.6 and libssl.so.6 are needed (see below).

I'm running version .9 of these libraries to support the dkim milter.

Is a version of the dk-milter rpm that supports the latest openSSL version available?

kanaadmin@susemail:~> rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm
Retrieving http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm
error: Failed dependencies:
    libcrypto.so.6 is needed by dk-milter-0.6.0-1.i386
    libssl.so.6 is needed by dk-milter-0.6.0-1.i386
kanaadmin@susemail:~>

reply | view as pdf view as pdf
Re: Is rpm up to date?
Submitted by topdog (registered user) on Wed, 2009-01-07 08:30.
The rpm is built for Centos/RHEL YMMV with SUSE
reply | view as pdf view as pdf
Re: Re: Is rpm up to date?
Submitted by John Bailo (not registered) on Wed, 2009-01-07 20:43.

Thanks, I think that means going the route of building my own from source!

 

 

reply | view as pdf view as pdf
Re: Re: Re: Is rpm up to date?
Submitted by victor (not registered) on Fri, 2009-03-13 04:57.

Hi all,

I already followed the guidelines, everything seemed fine. However, when I sent an email to a yahoo email address, we could not pass the domain authorization check and find the signature as well.

In addition, we also found that there was no any domain signature header to be appended in an email when we sent it to yahoo.

Do any linux expert know the reason? this problem really annoys us and we are very frustrated now. Please help !!!

reply | view as pdf view as pdf
Re: Re: Re: Re: Is rpm up to date?
Submitted by topdog (registered user) on Sun, 2009-03-15 06:51.
Have you tested your DNS to see that it is correct ?
reply | view as pdf view as pdf
Sponsored Links: Turn your desk phone and mobile phone into one with Sprint Mobile Integration.
www.seamlessenterprise.com

One number. One voicemail. Seize the lead. Sprint Mobile Integration.
www.seamlessenterprise.com

One Number. One Voicemail.
Make it easier for clients to reach you. Turn your desk phone and mobile phone into one with Sprint Mobile Integration.
www.seamlessenterprise.com

One number. One voicemail. Sprint Mobile Integration.
www.seamlessenterprise.com

AT&T Synaptic Compute as a Service. Boost your power on demand.

Trial: IBM Cognos Express Reporting, Analysis & Planning