How To Implement Domainkeys In Postfix Using dk-milter

Submitted by topdog on Fri, 2008-02-01 16:53. :: Anti-Spam/Virus | CentOS | Postfix

Introduction

According to Wikipedia: "DomainKeys is a method of e-mail authentication. Unlike some other methods, it offers almost end-to-end integrity from a signing to a verifying Mail Transfer Agent (MTA). In most cases the signing MTA acts on behalf of the sender, and the verifying MTA on behalf of the receiver. DomainKeys is specified in Historic RFC 4870, which is obsoleted by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures." So why a how-to on it when there is DKIM? DomainKeys is still actively used and is more widely deployed than DKIM; its developer, Yahoo, still uses it to sign and verify mail, although they are contributors to the DKIM standard.

We will be using dk-milter, the milter implementation of DomainKeys (http://sourceforge.net/projects/dk-milter), on CentOS 5.1.

 

Installation

Install the rpm:

rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm

 

Generate The Keys

A script to do this is provided with the rpm:

/usr/share/doc/dk-milter-0.6.0/gentxt.sh <selector> <domainname>

Where <selector> is anything you want to call it (I use default) and <domainname> is the domain name for which you will be signing mail. This script will produce 3 files:

  • <selector>.txt - this contains the text to add to your zone file:
    default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==" ; ----- DomainKey default for example.com
    
  • <selector>.public - This is the public key:
    -----BEGIN PUBLIC KEY-----
    MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoR
    illFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==
    -----END PUBLIC KEY-----
    
  • <selector>.private - This is the private key, a PEM-encoded RSA PRIVATE KEY block.
    

Install the private key:

mv default.private /etc/mail/domainkeys/dk_<domainname>.pem
chown dk-milt:dk-milt /etc/mail/domainkeys/dk_<domainname>.pem
chmod 600 /etc/mail/domainkeys/dk_<domainname>.pem

 

DNS

Add the contents of the <selector>.txt file to your DNS zone file.

Also add the following domain policy record to your DNS zone file:

_domainkey IN TXT "t=y; o=~"

Verify your DNS configuration: http://domainkeys.sourceforge.net/policycheck.html
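
The two TXT strings above can also be checked offline before they are published. The following Python is an added example, not part of the original how-to or of dk-milter: it parses the selector and policy records shown on this page, decodes the p= key and lists findings. The function names and the 1024-bit min_bits threshold are assumptions made for illustration; the tag meanings follow RFC 4870.

```python
import base64
# Sample input: the selector and policy TXT strings shown on this page.
SELECTOR_TXT = ("g=; k=rsa; t=y; p="
                "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoR"
                "illFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==")
POLICY_TXT = "t=y; o=~"

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT string into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): value.strip() for name, value in pairs}

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus in the base64 p= value (X.509 SPKI)."""
    der = base64.b64decode(p_b64)
    _, spki, _ = der_tlv(der, 0)               # outer SEQUENCE
    _, _, alg_end = der_tlv(der, spki)         # AlgorithmIdentifier (skipped)
    _, bitstr, _ = der_tlv(der, alg_end)       # BIT STRING
    _, rsa, _ = der_tlv(der, bitstr + 1)       # +1 skips the unused-bits byte
    _, mod_start, mod_end = der_tlv(der, rsa)  # modulus INTEGER
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def audit(selector_txt, policy_txt, min_bits=1024):  # min_bits: assumed threshold
    """Return findings for a selector record and a domain policy record."""
    sel, pol = parse_tags(selector_txt), parse_tags(policy_txt)
    bits = rsa_modulus_bits(sel["p"]) if sel.get("p") else 0
    findings = []
    if bits == 0:
        findings.append("empty p=: key revoked")
    elif bits < min_bits:
        findings.append("RSA key is %d bits, below %d" % (bits, min_bits))
    if sel.get("t") == "y":
        findings.append("selector is in test mode (t=y)")
    if pol.get("t") == "y":
        findings.append("domain policy is in test mode (t=y)")
    if pol.get("o", "~") == "~":
        findings.append("policy o=~: not all mail from the domain is signed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SELECTOR_TXT, POLICY_TXT)))
```

On the sample records from this page it reports that the RSA key is only 512 bits, along with the test-mode flags and the o=~ policy.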

 

Configuration

Edit the file /etc/sysconfig/dk-milter and set the following options:

# Default values
#
USER="dk-milt"
PORT="local:/var/run/dk-milter/dk.sock"
SIGNING_DOMAIN="<domainname>"
SELECTOR_NAME="<selector>"
KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
MILTER_GROUP="mail"

 

Configure Postfix

Add this to the Postfix configuration file /etc/postfix/main.cf:

smtpd_milters = unix:/var/run/dk-milter/dk.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock

Append to the existing milters if you have other milters already configured.

Start dk-milter and restart Postfix:

service dk-milter start
service postfix restart

 

Testing

To test, send a mail to autorespond+dk@dk.elandsys.com; you will receive a response email with the test results. If you have a Yahoo account you can send a mail to that as well; a sample of a signed message in Yahoo is below:



Submitted by jack ann (not registered) on Mon, 2011-06-20 14:09.

When I try to install the rpm with this command line

rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm

I obtained:

Retrieving http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm
error: skipping http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm - transfer failed - Unknown or unexpected error
warning: u 0x9b7cc50 ctrl 0xa2d31c0 nrefs != 0 (www.topdog-software.com http)

Please help me.

Submitted by Parsa (not registered) on Sun, 2009-10-11 14:15.

Hello,

I installed & configured all the things you said above, but when I send an email from that mail server to my yahoo.com email, I see in the header: DomainKeys-status: fail(bad sig).

 What happened, and how can I fix this problem?

 

Best Regards,
Parsa

Submitted by Codechump (not registered) on Mon, 2009-02-16 22:34.
Hi, 
 
I followed this how to exactly... several times! I'm running CentOS 5.2
 
I went to the site mentioned in the rpm download link and got an RPM for v1.0.2-0 but I still can't get my outgoing mails signed. I'm using postfix v2.3.3
 
Any suggestions?... my emails when sent to Yahoo, the headers show domainkeys=neutral(no sig) 
 
Thanks so much...
Submitted by Anonymous (not registered) on Tue, 2009-01-06 19:11.

I tried running the rpm installation command on my openSuse 11.0 server and was told that libcrypto.so.6 and libssl.so.6 are needed (see below).

I'm running version .9 of these libraries to support the dkim milter.

Is a version of the dk-milter rpm that supports the latest openSSL version available?

kanaadmin@susemail:~> rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm
Retrieving http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm
error: Failed dependencies:
    libcrypto.so.6 is needed by dk-milter-0.6.0-1.i386
    libssl.so.6 is needed by dk-milter-0.6.0-1.i386
kanaadmin@susemail:~>


Submitted by topdog (registered user) on Wed, 2009-01-07 08:30.
The rpm is built for CentOS/RHEL; YMMV with SUSE.
Submitted by John Bailo (not registered) on Wed, 2009-01-07 20:43.

Thanks, I think that means going the route of building my own from source!

 

 

Submitted by victor (not registered) on Fri, 2009-03-13 04:57.

Hi all,

I already followed the guidelines and everything seemed fine. However, when I sent an email to a Yahoo email address, we could not pass the domain authorization check and could not find the signature either.

In addition, we also found that no domain signature header was appended to the email when we sent it to Yahoo.

Does any Linux expert know the reason? This problem really annoys us and we are very frustrated now. Please help!!!

Submitted by topdog (registered user) on Sun, 2009-03-15 06:51.
Have you tested your DNS to see that it is correct?