Monday, May 31, 2010

Set Up DKIM For Multiple Domains On Postfix With dkim-milter 2.8.x (CentOS 5.3)

Introduction

The DomainKeys Identified Mail (DKIM) Internet standard enables email senders to digitally sign their messages so that receivers can verify that those messages have not been forged. The DKIM sender authentication scheme allows the recipient of a message to confirm a message originated with the sender's domain and that the message content has not been altered. A cryptography-based solution, DKIM provides businesses an industry-standard method for mitigating email fraud and protecting an organization's brand and reputation at a relatively low implementation cost. The DKIM base specification is being spearheaded by Sendmail, Inc. in conjunction with Cisco and Yahoo!.

This tutorial is based on the Set Up DKIM On Postfix With dkim-milter (CentOS 5.2) tutorial and my personal experience. I do not issue any guarantee that this will work for you!


Installation

Topdog Software provides CentOS RPMs for dkim-milter at http://www.topdog-software.com/oss/dkim-milter, so we will install the latest version. At the time of writing this tutorial the latest version is dkim-milter-2.8.3-1.

Install the dkim-milter RPM (32-bit and 64-bit Intel are supported):

wget http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.3-1.i386.rpm
rpm -ivh dkim-milter-2.8.3-1.i386.rpm


Generate the Keys

/usr/bin/dkim-genkey -r -d mydomain1.com

Replace mydomain1.com with the domain name you will be signing mail for. The command creates two files:

default.txt - contains the public key you publish via DNS
default.private - the private key you use for signing your email

Rename the private key, move it into the dkim-milter keys directory, and restrict its permissions so only the milter user can read it:

mv default.private default
mkdir /etc/mail/dkim/keys/mydomain1.com
mv default /etc/mail/dkim/keys/mydomain1.com
chmod 600 /etc/mail/dkim/keys/mydomain1.com/default
chown dkim-milt.dkim-milt /etc/mail/dkim/keys/mydomain1.com/default

Important note: repeat these steps for every other domain, and give each domain its own key directory as shown above; otherwise you will receive the error message "dkim: FAILED, invalid (public key: not available)".


DNS Setup

You need to publish your public key via DNS; receiving servers use this key to verify your signed email. The contents of default.txt is the line you need to add to your zone file. A sample is below:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB"
; ----- DKIM default for mydomain1.com

Also add this to your zone file.

_ssp._domainkey IN TXT "t=y; dkim=unknown"


Configuration

You need to check the /etc/dkim-filter.conf file.

vi /etc/dkim-filter.conf

It must look like this:

ADSPDiscard             yes
ADSPNoSuchDomain        yes
AllowSHA1Only           no
AlwaysAddARHeader       no
AutoRestart             yes
AutoRestartRate         10/1h
BaseDirectory           /var/run/dkim-milter
Canonicalization        simple/simple
# Add all your domains here, separated by commas
Domain                  mydomain1.com
ExternalIgnoreList      /etc/mail/dkim/trusted-hosts
InternalHosts           /etc/mail/dkim/trusted-hosts
KeyList                 /etc/mail/dkim/keylist
LocalADSP               /etc/mail/dkim/local-adsp-rules
Mode                    sv
MTA                     MSA
On-Default              reject
On-BadSignature         reject
On-DNSError             tempfail
On-InternalError        accept
On-NoSignature          accept
On-Security             discard
PidFile                 /var/run/dkim-milter/dkim-milter.pid
QueryCache              yes
RemoveOldSignatures     yes
Selector                default
SignatureAlgorithm      rsa-sha1
Socket                  inet:20209@localhost
Syslog                  yes
SyslogSuccess           yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  dkim-milt:dkim-milt
X-Header                yes

Check the /etc/mail/dkim/keylist file.

vi /etc/mail/dkim/keylist

It must look like this:

*@mydomain1.com:mydomain1.com:/etc/mail/dkim/keys/mydomain1.com/default

Note: if you have other domains you must add them to this file as well, one line per domain.
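The per-domain key directory (see the note in the Generate the Keys section) and the one-line-per-domain keylist above are the two places a multi-domain setup usually goes wrong. The following shell script is an added example, not part of the original tutorial or of dkim-milter: it installs a private key into its own per-domain directory, appends the matching keylist line, and then checks a finished keylist for the shared-key mistake that produces the "public key: not available" error. The function names, their arguments and the key root are my own choices; the script takes an already generated private key file as input so it does not depend on dkim-genkey being present.

```shell
#!/bin/sh
# Added example (not from the tutorial): lay out per-domain DKIM keys and
# keylist entries, then audit the result. Function names and arguments are
# assumptions; pass the real paths (/etc/mail/dkim/keys, /etc/mail/dkim/keylist)
# on a live system.

# dkim_install_key DOMAIN PRIVKEY KEYROOT KEYLIST
#   Copies PRIVKEY to KEYROOT/DOMAIN/default (mode 600) and appends the
#   keylist line "*@DOMAIN:DOMAIN:KEYROOT/DOMAIN/default". Refuses to
#   register a key path that is already listed, so two domains can never
#   silently share one key file.
dkim_install_key() {
    domain=$1; privkey=$2; keyroot=$3; keylist=$4
    dest="$keyroot/$domain/default"
    if [ -f "$keylist" ] && grep -q ":$dest\$" "$keylist"; then
        echo "refusing: $dest is already referenced in $keylist" >&2
        return 1
    fi
    mkdir -p "$keyroot/$domain" || return 1
    cp "$privkey" "$dest" || return 1
    chmod 600 "$dest"
    # chown dkim-milt:dkim-milt "$dest"   # on the real host, as the tutorial does
    echo "*@$domain:$domain:$dest" >> "$keylist"
}

# dkim_check_keylist KEYLIST
#   For every line: the key file exists, is mode 600, lives in a directory
#   named after the domain, and no two lines point at the same key path.
#   Prints each problem to stderr and returns 1 if any were found.
dkim_check_keylist() {
    keylist=$1; rc=0
    while IFS=: read -r pattern domain keypath; do
        case "$pattern" in ''|'#'*) continue ;; esac
        if [ ! -f "$keypath" ]; then
            echo "$domain: key file $keypath is missing" >&2; rc=1; continue
        fi
        if [ -z "$(find "$keypath" -perm 600)" ]; then
            echo "$domain: $keypath is not mode 600" >&2; rc=1
        fi
        case "$keypath" in
            */"$domain"/*) ;;
            *) echo "$domain: $keypath is not in a directory named $domain" >&2; rc=1 ;;
        esac
    done < "$keylist"
    dups=$(cut -d: -f3 "$keylist" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "key path shared by several domains: $dups" >&2; rc=1
    fi
    return $rc
}

# dkim_missing_domains KEYLIST "dom1,dom2,..."
#   Prints every keylist domain that is absent from the comma-separated
#   Domain value of dkim-filter.conf (those domains would not be signed).
dkim_missing_domains() {
    keylist=$1; domains=$2
    cut -d: -f2 "$keylist" | while read -r d; do
        case ",$domains," in *",$d,"*) ;; *) echo "$d" ;; esac
    done
}
```

Run the audit after editing the keylist and before restarting dkim-milter; on a live host also confirm the key files are owned by dkim-milt, which the check above leaves to the tutorial's chown step.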


Configure Postfix

You need to add the following options to the Postfix main.cf file to enable it to use the milter.

vi /etc/postfix/main.cf

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_protocol = 2
milter_default_action = accept

If you already have other milters configured, append the dkim-milter socket to the existing smtpd_milters and non_smtpd_milters lists instead of replacing them.
Start dkim-milter and restart Postfix:

service dkim-milter start
service postfix restart
