How To Implement Domainkeys In Postfix Using dk-milter

Introduction

Domainkeys is "DomainKeys is a method of e-mail authentication. Unlike some other methods, it offers almost end-to-end integrity from a signing to a verifying Mail Transfer Agent (MTA). In most cases the signing MTA acts on behalf of the sender, and the verifying MTA on behalf of the receiver. DomainKeys is specified in Historic RFC 4870, which is obsoleted by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures." according to the wikipedia. So why a how to on it when there is DKIM ? Well domainkeys is still actively being used and is more widely deployed than DKIM, the developer Yahoo still uses it to sign and verify mail although they are contributers to the DKIM standard.

We will be using the milter implementation of domainkeys http://sourceforge.net/projects/dk-milter on CentOS 5.1.

Installation

Install the rpm:

rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm

Generate The Keys

A script to do this is provided with the rpm:

/usr/share/doc/dk-milter-0.6.0/gentxt.sh <selector> <domainname>

Where <selector> is anything you want to call it - I use default and <domainname> is your domain name for which you will be signing mail. This script will produce 3 files:

• <selector>.txt - this contains the text to add to your zone file:

  default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==" ; ----- DomainKey default for example.com
  

• <selector>.public - It is the public key:

  -----BEGIN PUBLIC KEY-----
  MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoR
  illFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==
  -----END PUBLIC KEY-----
  

• <selector>.private - This is the private key:

  -----BEGIN RSA PRIVATE KEY-----
  MIIBOwIBAAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG
  9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQJACHWqPCf+/yW0dmv24yWY
  /eIFy3PNZNNxol2YjpVIZ28SgOSRrC0vzH+SpR1WZURAOcHi+WQa0AJPeqxM4Y1g
  xQIhAMVjPNPW8u0sMpNIcev9JBUjUjbilOgY2FTfyNQV0SKjAiEAwBrO5T8XLZQ6
  eRUUzz7yWYCHZln6CgD0lhBuZzu4wP8CIQCq8AT2Y7ie4l6uI9fcia2czKjfNRvF
  X/bAkchGutoRRwIgF2KsEQgvICNNQvQoBlqZUf/te640XAdlvubdKcABa60CIQCU
  DKlMOSxHp4Ms+KT41MFHkHDI/gkFfHvVRhL1PmuwtQ==
  -----END RSA PRIVATE KEY----
  

Install the private key:

mv default.private /etc/mail/domainkeys/dk_<domainname>.pem
chown dk-milt:dk-milt /etc/mail/domainkeys/dk_<domainname>.pem
chmod 600 /etc/mail/domainkeys/dk_<domainname>.pem

DNS

Add the contents of the .txt to your DNS zone file.

Add the following to your DNS zone file:

_domainkey IN TXT "t=y; o=~"

Verify your DNS configuration: http://domainkeys.sourceforge.net/policycheck.html

Configuration

Edit the file /etc/sysconfig/dk-milter and set the following options:

# Default values
#
USER="dk-milt"
PORT="local:/var/run/dk-milter/dk.sock"
SIGNING_DOMAIN="<domainname>"
SELECTOR_NAME="<selector>"
KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
MILTER_GROUP="mail"

Configure Postfix

Add this to the Postfix configuration file /etc/postfix/main.cf:

smtpd_milters = unix:/var/run/dk-milter/dk.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock

Append to the existing milters if you have other milters already configured.

Start dk-milter and Restart Postfix:

 service dk-milter start

service postfix restart

Testing

To test send a mail to autorespond+dk@dk.elandsys.com you will recieve a response email with the test results. If you have a Yahoo account you can send a mail to that as well; a sample of a signed message in Yahoo is below:

Links

• http://en.wikipedia.org/wiki/Domainkeys
• http://domainkeys.sourceforge.net/
• http://www.elandsys.com/resources/sendmail/domainkeys.html
• http://www.postfix.org/MILTER_README.html
• http://www.topdog-software.com/oss/dk-milter/