Quick And Easy Setup For DomainKeys Using Ubuntu, Postfix And Dkim-Filter

Submitted by johnwilson1969 on Mon, 2009-01-05 14:09. :: Ubuntu | Postfix

This is a quick tutorial for setting up DomainKeys on Ubuntu (I used 6.06 LTS, but it should work the same on other releases) using dkim-filter with Postfix, so that emails from your domain do not constantly end up in Yahoo's spam filter.

First install dkim-filter from the repositories:

sudo apt-get install dkim-filter

Next create a location for storing the public and private keys required:

sudo mkdir /var/dkim-filter

Change into that directory and create the keys:

cd /var/dkim-filter

sudo openssl genrsa -out private.key 1024

sudo openssl rsa -in private.key -out public.key -pubout -outform PEM

Edit the dkim-filter configuration file (/etc/dkim-filter.conf); almost everything is commented out by default. Here is a copy of my config. Replace DOMAIN.TLD with your domain name.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
#UMask                  002

# Sign for DOMAIN.TLD with the key in /var/dkim-filter/private.key using
# selector 'mail' (i.e. mail._domainkey.DOMAIN.TLD)
Domain                  DOMAIN.TLD
KeyFile                 /var/dkim-filter/private.key
Selector                mail

# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart             no
Background              yes
Canonicalization        simple
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              no
UseSSPDeny              no
X-Header                no

At this point you should be able to successfully start the service and check for any errors in the syslog.

sudo /etc/init.d/dkim-filter start

Now add the selector and public key to your DNS zone file. Change DOMAIN.TLD to match your domain name, and add the key contents from /var/dkim-filter/public.key after the p=

Make sure there are no spaces or line breaks!

;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

mail._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=MIGfKh1FC.....bfQIDAQAB"
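
Added example (not from the original tutorial): a shell helper that turns public.key into the one-line TXT record described above and checks that a published record carries the same key. The function names and the sample key text are constructed for illustration; the p= value is the base64 body of the PEM file with the BEGIN/END lines and all line breaks removed.

```shell
#!/bin/sh
# Added example (not from the tutorial): build and verify the DKIM TXT record.

# Print the base64 body of a PEM public key as one unbroken string:
# drop the -----BEGIN/END----- armor lines, then delete all whitespace.
pem_to_p() {
    grep -v -e '-----' "$1" | tr -d ' \t\r\n'
}

# Print the zone-file line for selector $1, domain $2 and PEM public key $3.
# t=y (testing mode) is kept exactly as in the tutorial's record.
dkim_txt_record() {
    printf '%s._domainkey.%s. IN TXT "k=rsa; t=y; p=%s"\n' \
        "$1" "$2" "$(pem_to_p "$3")"
}

# Return 0 if the p= tag of TXT data $1 equals the key in PEM file $2.
# $1 may be split into several quoted strings, as DNS tools print long TXT
# records; quotes and whitespace are removed before the comparison.
record_matches_key() {
    published=$(printf '%s' "$1" | tr -d '" \t\r\n' | tr ';' '\n' | sed -n 's/^p=//p')
    [ -n "$published" ] && [ "$published" = "$(pem_to_p "$2")" ]
}

# Constructed sample: PEM-shaped placeholder text, not a real key.
SAMPLE_PEM=$(mktemp)
cat > "$SAMPLE_PEM" <<'EOF'
-----BEGIN PUBLIC KEY-----
Q09OU1RSVUNURURTQU1QTEUx
Tk9UQVJFQUxLRVk=
-----END PUBLIC KEY-----
EOF

dkim_txt_record mail DOMAIN.TLD "$SAMPLE_PEM"
```

On the real server, pass /var/dkim-filter/public.key as the key file and feed record_matches_key the TXT data returned by a DNS lookup of mail._domainkey.DOMAIN.TLD.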

Edit the Postfix configuration file...

sudo vi /etc/postfix/main.cf

... and add the following to the bottom of the file:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Next restart BIND and Postfix:

sudo /etc/init.d/bind9 restart

sudo /etc/init.d/postfix restart

Test by sending a mail to a Yahoo account and checking the headers for the DomainKeys status.


Submitted by nima0102 (not registered) on Mon, 2009-06-29 21:59.

Thanks for the good article. I have configured everything the same as in this article, but in /var/log/mail.log a warning is logged: "postfix/cleanup[22889]: warning: connect to Milter service inet:localhost:8891: Connection refused", but I do not know about this issue. Thanks for any help or guidance.

Submitted by Julien (not registered) on Fri, 2009-07-17 17:42.

Be sure you change /etc/default/dkim-filter so that dkim-filter uses TCP and not a local socket

Cheers,

Julien
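
An added check, not part of the original comments or of dkim-filter, for the mismatch described in the comment above: Postfix writes a TCP milter endpoint as inet:host:port, while the filter's socket setting uses the libmilter form inet:port@host. The function names, SAMPLE_CF and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): does Postfix point at the filter's socket?

# Print the endpoints of smtpd_milters from a main.cf-style file ($1).
# On a live system `postconf -h smtpd_milters` gives the effective value.
main_cf_milters() {
    sed -n 's/^smtpd_milters[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 | tr ',' ' '
}

# Convert a Postfix TCP endpoint to the libmilter notation used by the filter:
#   inet:host:port -> inet:port@host
# Only TCP endpoints are handled; anything else returns 1.
postfix_to_milter() {
    case "$1" in
        inet:*:*) rest=${1#inet:}
                  printf 'inet:%s@%s\n' "${rest##*:}" "${rest%:*}" ;;
        *)        return 1 ;;
    esac
}

# Return 0 if socket spec $2 (what the filter listens on) is one of the
# endpoints Postfix connects to according to main.cf file $1.
# Plain string comparison: localhost and 127.0.0.1 count as different.
milter_socket_matches() {
    for ep in $(main_cf_milters "$1"); do
        [ "$(postfix_to_milter "$ep")" = "$2" ] && return 0
    done
    return 1
}

# Constructed sample: the main.cf lines from the tutorial.
SAMPLE_CF=$(mktemp)
cat > "$SAMPLE_CF" <<'EOF'
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
EOF

if milter_socket_matches "$SAMPLE_CF" "inet:8891@localhost"; then
    echo "Postfix and the filter agree on the socket"
else
    echo "MISMATCH: Postfix will not reach the filter on this socket"
fi
```
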

Submitted by rieschl (registered user) on Fri, 2009-06-26 11:34.

After testing, the "t=y" flag in the DNS entry should be removed because this flag indicates that the DKIM implementation is for testing purposes.

See page 27 of RFC 4871

Submitted by Vlad (not registered) on Sun, 2009-03-01 10:06.

I followed exactly your steps but this is the error I encountered:

Mar  1 11:00:24 mail postfix/smtpd[4639]: warning: milter inet:localhost:8891: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Mar  1 11:00:24 mail postfix/smtpd[4639]: warning: milter inet:localhost:8891: read error in initial handshake

On the other hand I have dk-filter running perfectly on 8892.

Can you give me some advice? Thank you in advance...

Submitted by Anonymous (not registered) on Tue, 2009-03-24 22:04.

I just ran through this with Ubuntu 8.04 perfect server w/ISPConfig 2 installed and it went smoothly.

Double check /etc/dkim-filter.conf and make sure you have domain and selector uncommented and set correctly...

Also, your DNS zone file edit is a little confusing

mail._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=MIGfKh1FC.....bfQIDAQAB"

So, if your domain is friskycritters.org the line would read:

mail._domainkey.friskycritters.org. IN TXT ....

ALSO.... make sure when you paste your public key, you remove all line breaks so it fits all on one line and ends with a quote "

Hope this helps

johnwilson1969

Submitted by Anonymous (not registered) on Sat, 2009-03-21 03:43.

Hi, do you have a solution? I'm facing the exact same problem :?