Candidate for Deletion
Introduction
DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the integrity of the message. DomainKeys was originally developed by Yahoo! and has since been superseded by a newer protocol called DomainKeys Identified Mail (see Postfix/DKIM). DomainKeys has been deprecated and should no longer be used. dk-milter is unmaintained and its author recommends that it no longer be used due to significant bugs.
DomainKeys is very similar in most respects to Postfix/DKIM's operation.
dk-filter implements a Sendmail Mail Filter (Milter) for the DomainKeys standard. DomainKeys provides a way for senders to confirm their identity when sending email by adding a cryptographic signature to the headers of the message.
dk-milter implements both DomainKeys signing and verification.
Installation
We assume you have already installed the Postfix MTA; if not, please read the dedicated Postfix page first.
To install dk-filter, you need the Universe repository enabled. Once it is, use your favorite package manager to install the package. For example:
sudo aptitude install dk-filter
Simply accept the defaults if the installation process asks questions. The configuration will be done in greater detail in the next stage.
Generating signing keys
You can generate a public and private key pair which will be used in signing and verifying mail using the following:
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
You can then move the private key to a more secure location:
cp private.key /etc/mail/domainkey.key
Configuration
dk-filter configuration consists of a single file: /etc/default/dk-filter
In this example configuration, we'll assume your domain is domain.tld and your selector is mail:
# Sane defaults: log to syslog
DAEMON_OPTS="-l"
# Sign for domain.tld with key in /etc/mail/domainkey.key using
# selector 'mail' (i.e. mail._domainkey.domain.tld)
DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -s /etc/mail/domainkey.key -S mail"
# See dk-filter(8) for a complete list of options
#
# Uncomment to specify an alternate socket
#SOCKET="/var/run/dk-filter/dk-filter.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:8892@localhost" # listen on loopback on port 8892
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
DAEMON_OPTS is the most important setting. For a full list of the optional arguments you can pass to dk-filter, run:
dk-filter --help
For instance, if you are configuring a 'smarthost' and need to allow other servers to connect to it to send mail, you can create a file listing one allowed IP address per line. You then tell dk-filter about this list by passing it the '-i' argument. For example, if you create a file '/etc/default/ilist' with the following contents:
192.168.0.1
192.168.0.2
the DAEMON_OPTS setting would then become:
DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -s /etc/mail/domainkey.key -S mail -i /etc/default/ilist"
This will allow mail sent by those IP addresses to be signed by the smarthost you are configuring.
Configuring DNS
You will need to create two TXT records so that mail recipients can verify your signed mail. The first, the domain policy record, should look like this:
_domainkey.domain.tld. IN TXT "t=y; o=~;"
Here "t=y" means that the domain is in test mode (i.e. that signing is activated), and "o=~;" means that only some mail from this domain is signed. If you want to indicate that all mail is signed, use "o=-;".
mail._domainkey.domain.tld. IN TXT "k=rsa; t=y; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
Everything after p= is the content of the public key we generated above (public.key), joined into a single string. Be sure to copy only the key string itself, leaving out these armor lines:
-----BEGIN PUBLIC KEY-----
and:
-----END PUBLIC KEY-----
The t=y pair in this record means that the domain is using this key in test mode (and, as above, that it is active).
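As an added example (not code from the original page or from dk-filter), a small Python script that performs the copy-and-strip step above: it takes the PEM written by openssl rsa -pubout, rejects anything that is not an RSA public key block (pasting the private key by mistake is a common error), and emits the selector record for the selector mail and domain domain.tld used in this page. It goes one step beyond the 1024-bit case here by splitting longer keys into 255-byte TXT strings; constructed_public_key_pem is a helper that builds a toy, clearly non-real key only so the script runs offline.

```python
import base64
import textwrap

PEM_HEADER = "-----BEGIN PUBLIC KEY-----"
PEM_FOOTER = "-----END PUBLIC KEY-----"
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def pem_to_domainkey_record(pem, selector, domain, testing=True, max_string=255):
    """Turn the PEM from 'openssl rsa -pubout' into the selector TXT record.

    Raises ValueError if the armor is not a PUBLIC KEY block or the payload is
    not an RSA SubjectPublicKeyInfo (e.g. a private key was pasted instead).
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("expected a -----BEGIN PUBLIC KEY----- block")
    b64 = "".join(lines[1:-1])  # the bare p= value: armor and line breaks removed
    der = base64.b64decode(b64, validate=True)
    if der[:1] != b"\x30" or RSA_OID not in der:
        raise ValueError("payload is not an RSA SubjectPublicKeyInfo")
    value = "k=rsa; " + ("t=y; " if testing else "") + "p=" + b64
    # One TXT character-string holds at most 255 bytes; longer values are
    # published as several quoted strings that verifiers concatenate.
    strings = [value[i:i + max_string] for i in range(0, len(value), max_string)]
    quoted = " ".join('"%s"' % s for s in strings)
    return "%s._domainkey.%s. IN TXT %s" % (selector, domain, quoted)


# Constructed toy key builder for the demo (assumption: NOT a real key generator).
def _tlv(tag, body):
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(v):
    # extra byte keeps a leading 0x00 when the top bit is set (DER INTEGER is signed)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def constructed_public_key_pem(n, e=65537):
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")
    rsa_key = _tlv(0x30, _der_int(n) + _der_int(e))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    return "\n".join([PEM_HEADER] + textwrap.wrap(b64, 64) + [PEM_FOOTER]) + "\n"


if __name__ == "__main__":
    # 1024-bit-sized constructed modulus: the record fits in a single TXT string
    print(pem_to_domainkey_record(constructed_public_key_pem(2 ** 1023 + 1), "mail", "domain.tld"))
```

Feed it the real public.key from the openssl step in place of the constructed PEM to get the record to paste into your zone file.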
Startup and testing
Now that dk-filter is configured, you need to restart the daemon:
/etc/init.d/dk-filter restart
If for some reason the daemon is not already running, you can simply start it:
/etc/init.d/dk-filter start
Check the mail log to confirm that everything is OK:
sudo grep -i dk /var/log/mail.log
Now, to tell Postfix about the milter and where to connect to it, edit your Postfix main.cf file (/etc/postfix/main.cf) and append the following:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892
If you are already using another milter (for example Postfix/DKIM), list the additional sockets using a comma as a separator:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
Now restart Postfix:
sudo /etc/init.d/postfix restart
For testing purposes, I recommend tools like:
Testing results should look like this in Yahoo Mail: