## Originally written by http://stas.nerd.ro/blog/index.php/read/201

= Introduction =

!DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the integrity of the message. !DomainKeys was originally developed by Yahoo! and has since been superseded by a newer protocol called !DomainKeys Identified Mail [[Postfix/DKIM]]. !DomainKeys has been deprecated and should no longer be used. dk-milter is unmaintained and its author recommends it no longer be used due to significant bugs. !DomainKeys is very similar in most respects to [[Postfix/DKIM]] in its operation. [[http://en.wikipedia.org/wiki/DomainKeys|Read more on Wikipedia]]

'''dk-filter''' implements a Sendmail Mail Filter (Milter) for the !DomainKeys standard. !DomainKeys provides a way for senders to confirm their identity when sending email by adding a cryptographic signature to the headers of the message. dk-milter implements both !DomainKeys signing and verification.

= Installation =

We assume you have already successfully installed the Postfix MTA; if not, please read the [[Postfix]] dedicated page.

To install '''dk-filter''', you need the Universe repositories enabled. Once they are, use your favorite package manager and install the package. For example:

{{{
sudo aptitude install dk-filter
}}}

Simply accept the defaults if the installation process asks questions. The configuration will be done in greater detail in the next stage.
= Generating signing keys =

You can generate a public and private key pair, which will be used in signing and verifying mail, with the following:

{{{
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
}}}

You can then copy the private key to a more secure location:

{{{
cp private.key /etc/mail/domainkey.key
}}}

= Configuration =

'''dk-filter''' configuration consists of a single file: '''/etc/default/dk-filter'''

In this example configuration, we'll assume your domain is '''domain.tld''' and your selector is '''mail''':

{{{
# Sane defaults: log to syslog
DAEMON_OPTS="-l"
# Sign for domain.tld with key in /etc/mail/domainkey.key using
# selector 'mail' (e.g. mail._domainkey.domain.tld)
DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -s /etc/mail/domainkey.key -S mail"
# See dk-filter(8) for a complete list of options
#
# Uncomment to specify an alternate socket
#SOCKET="/var/run/dk-filter/dk-filter.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:8892@localhost" # listen on loopback on port 8892
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
}}}

'''DAEMON_OPTS''' is the most important setting. For a full list of optional arguments you can pass to dk-filter:

{{{
dk-filter --help
}}}

For instance, if you are configuring a 'smarthost' and need to allow other servers to connect to it to send mail, you can create a file listing one allowed IP address per line. You then tell dk-filter about this list by passing it the '-i' argument. For example, if you create a file '/etc/default/ilist' with the following contents:

{{{
192.168.0.1
192.168.0.2
}}}

the '''DAEMON_OPTS''' setting would then become:

{{{
DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -s /etc/mail/domainkey.key -S mail -i /etc/default/ilist"
}}}

This will allow mail sent from those IP addresses to be signed by the smarthost you are configuring.
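The Python below is an added example; it is not from the original page and is not part of dk-filter. It replays the DAEMON_OPTS and SOCKET assignments from a copy of the /etc/default/dk-filter shown above, pulls out the domain, key file and selector, and derives the DNS record names and the Postfix milter endpoint that have to agree with them, which is where a signing setup most often goes wrong. The option letters -d, -s, -S, -i and -l are the ones used on this page; the `summarize` function and the shape of its result are my own.

```python
"""Added example, not part of the original page or of dk-filter: replay the
DAEMON_OPTS and SOCKET assignments from /etc/default/dk-filter, extract the
options that matter for signing, and derive the DNS names and the Postfix
milter endpoint that must match them."""
import shlex

# Constructed copy of the configuration shown on this page.
SAMPLE_DEFAULTS = """\
# Sane defaults: log to syslog
DAEMON_OPTS="-l"
# Sign for domain.tld with key in /etc/mail/domainkey.key using
# selector 'mail' (e.g. mail._domainkey.domain.tld)
DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -s /etc/mail/domainkey.key -S mail"
#SOCKET="/var/run/dk-filter/dk-filter.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:8892@localhost" # listen on loopback on port 8892
"""

# Value-taking options used on this page; -l (log to syslog) takes no value.
VALUE_OPTS = {"-d": "domain", "-s": "keyfile", "-S": "selector",
              "-i": "internal_hosts"}


def _assignments(text, name):
    """Yield the (still shell-quoted) values of every uncommented NAME= line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(name + "="):
            yield line[len(name) + 1:]


def expand_daemon_opts(text):
    """Replay DAEMON_OPTS="..." lines in order, expanding the $DAEMON_OPTS
    self-reference the way the init script's shell would. Only the plain
    $DAEMON_OPTS spelling is handled, which is the form the file uses."""
    opts = ""
    for value in _assignments(text, "DAEMON_OPTS"):
        value = value.replace("$DAEMON_OPTS", opts)
        # shlex strips the surrounding quotes and drops a trailing '# comment'
        opts = " ".join(shlex.split(value, comments=True)).strip()
    return opts


def parse_opts(opts):
    """Map the value-taking options in an expanded DAEMON_OPTS string to names."""
    tokens = shlex.split(opts)
    found = {}
    for i, tok in enumerate(tokens):
        if tok in VALUE_OPTS and i + 1 < len(tokens):
            found[VALUE_OPTS[tok]] = tokens[i + 1]
    return found


def expected_dns_names(cfg):
    """The two TXT record names the signing configuration implies."""
    return {"policy": f"_domainkey.{cfg['domain']}.",
            "selector": f"{cfg['selector']}._domainkey.{cfg['domain']}."}


def socket_to_postfix(socket_spec):
    """Translate dk-filter's SOCKET syntax (inet:PORT@HOST or a path) into
    what Postfix expects in smtpd_milters/non_smtpd_milters (inet:HOST:PORT
    or unix:PATH). A bare inet:PORT listens on all interfaces; Postfix on the
    same box still reaches it via localhost."""
    if socket_spec.startswith("inet:"):
        port, _, host = socket_spec[len("inet:"):].partition("@")
        return f"inet:{host or 'localhost'}:{port}"
    return "unix:" + socket_spec


def summarize(text):
    """Combine the pieces: effective options, DNS names, Postfix endpoint."""
    cfg = parse_opts(expand_daemon_opts(text))
    sockets = list(_assignments(text, "SOCKET"))
    if sockets:
        socket_spec = " ".join(shlex.split(sockets[-1], comments=True))
    else:
        socket_spec = "/var/run/dk-filter/dk-filter.sock"  # the page's default
    return {"config": cfg,
            "dns": expected_dns_names(cfg),
            "postfix_milter": socket_to_postfix(socket_spec)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_DEFAULTS), indent=2))
```

Run it against the real file with `summarize(open("/etc/default/dk-filter").read())`; the `dns` entry is the pair of names to look up with `dig TXT`, and `postfix_milter` is the value that must appear in both `smtpd_milters` and `non_smtpd_milters` in main.cf.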
= Configuring DNS =

You will need to create two TXT records in order for mail recipients to verify your signed mail. The first is the policy record for the domain:

{{{
_domainkey.domain.tld. IN TXT "t=y; o=~;"
}}}

Here "t=y" means that the domain is in test mode (and therefore that the policy is active), and "o=~;" means that only some mail from this domain is signed. If you want to indicate that all mail is signed, use "o=-;" instead.

The second is the selector record, which carries the public key:

{{{
mail._domainkey.domain.tld. IN TXT "k=rsa; t=y; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
}}}

Everything after '''p=''' is the content of the public key we generated above, '''public.key'''. Be sure to copy only the key string itself, leaving out the armor lines:

{{{
-----BEGIN PUBLIC KEY-----
}}}

and:

{{{
-----END PUBLIC KEY-----
}}}

The t=y tag here means that the domain is using this key in test mode, and also that the key is active.

= Startup and testing =

Now that dk-filter is configured, you need to restart the daemon:

{{{
/etc/init.d/dk-filter restart
}}}

If for some reason the daemon is not already running, you can simply start it:

{{{
/etc/init.d/dk-filter start
}}}

You can check the log file to confirm that everything is OK:

{{{
sudo grep -i dk /var/log/mail.log
}}}

Now, to tell Postfix about the milter and where to connect to it, edit your Postfix main.cf file '''/etc/postfix/main.cf''' and append the following:

{{{
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892
}}}

If you are already using another milter (for example [[Postfix/DKIM]]), you can list the additional endpoints using a comma as a separator:

{{{
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
}}}

Now restart Postfix:

{{{
sudo /etc/init.d/postfix restart
}}}

For testing purposes, I recommend tools like:

 * http://domainkeys.sourceforge.net/#interop

Testing results should look like this in Yahoo Mail:

{{http://stas.nerd.ro/blog/data/dk-filter.png}}
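As an added example, not part of the original page or of dk-filter, the Python below turns the public.key PEM into the selector TXT record exactly as the DNS section describes (armor lines dropped, base64 lines joined), parses !DomainKeys tag lists, and checks both the policy record and the selector record for the mistakes that section warns about: armor text copied into p=, a p= that does not match the key file, an empty p=, and the test-mode and outbound-policy flags. SAMPLE_PUBLIC_KEY_PEM is a constructed, syntactically valid stand-in, not a real key; all function names are my own.

```python
"""Added example (not from the original page or dk-filter): build and check
the DomainKeys DNS records that go with a PEM public key."""
import base64

# Constructed sample in the shape `openssl rsa -pubout` emits. Valid base64,
# but NOT a real key; substitute the contents of your public.key.
SAMPLE_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXAMPLEkeyBODYnotAREALkey
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-----
"""


def pem_body(pem_text):
    """Return the base64 body of a PEM block with the BEGIN/END armor lines
    removed and the line breaks joined: exactly what belongs after p=."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def pem_to_selector_record(selector, domain, pem_text, test_mode=True):
    """Render the zone-file line 'SEL._domainkey.DOMAIN. IN TXT "k=rsa; t=y; p=..."'."""
    tags = ["k=rsa"]
    if test_mode:
        tags.append("t=y")
    tags.append("p=" + pem_body(pem_text))
    value = "; ".join(tags)
    return f'{selector}._domainkey.{domain}. IN TXT "{value}"'


def extract_txt_value(record_line):
    """Pull the quoted TXT string out of a zone-file line."""
    start = record_line.index('"') + 1
    end = record_line.rindex('"')
    return record_line[start:end]


def parse_dk_tags(txt_value):
    """Split a tag list such as 'k=rsa; t=y; p=...' into a dict. Whitespace
    around tags and a trailing ';' are tolerated."""
    tags = {}
    for item in txt_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = value.strip()
    return tags


def check_policy_record(txt_value):
    """Interpret the _domainkey policy record: t=y marks test mode, o=- says
    all mail from the domain is signed, o=~ says only some of it is."""
    tags = parse_dk_tags(txt_value)
    return {"testing": tags.get("t") == "y",
            "all_mail_signed": tags.get("o") == "-"}


def check_selector_record(txt_value, pem_text):
    """Return a list of problems with a selector record; empty when the
    record carries a usable key that matches the PEM file."""
    tags = parse_dk_tags(txt_value)
    problems = []
    if tags.get("k", "rsa") != "rsa":   # k= defaults to rsa when absent
        problems.append("k= is not rsa")
    p = tags.get("p", "")
    if not p:
        problems.append("p= tag missing or empty (revoked key)")
        return problems
    if "-----" in p or "BEGIN" in p or "END" in p:
        problems.append("p= still contains PEM armor lines")
    try:
        base64.b64decode(p, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        problems.append("p= is not valid base64")
    if p != pem_body(pem_text):
        problems.append("p= does not match the public key in the PEM file")
    return problems


if __name__ == "__main__":
    record = pem_to_selector_record("mail", "domain.tld", SAMPLE_PUBLIC_KEY_PEM)
    print(record)
    print(check_policy_record("t=y; o=~;"))
    print(check_selector_record(extract_txt_value(record), SAMPLE_PUBLIC_KEY_PEM))
```

Once the records are published, feed the value returned by `dig +short TXT mail._domainkey.domain.tld` (with the surrounding quotes removed) to `check_selector_record` together with the real public.key; an empty list means the published key is the one the signer is using.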