The eternal fight between admins and computers


Domainkeys/Dkim with Postfix

Posted in Debian, Howtos, Linux, Postfix, Software, Tips by rga on January 16, 2008

Hello,

If you want Postfix to sign outgoing mail with DomainKeys or DKIM, you can do it using dkimproxy: http://dkimproxy.sourceforge.net

In this setup we only want outgoing mail to be signed. As we know, Yahoo and Gmail use these signatures in their spam checks.

http://dkimproxy.sourceforge.net/postfix-outbound-howto.html

First, edit the master.cf file of your Postfix installation. Note that the -o option lines must start with whitespace, otherwise Postfix reads them as new service definitions.
master.cf:
submission inet n - y - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

# put this in the same file, for example at the bottom, which is a good place
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls

127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
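As an added check (not part of this post and not a Postfix tool), the following Python script parses a master.cf in the layout above and verifies that the three pieces fit together: the submission service hands mail to the dksign transport, dksign is an smtp client that passes XFORWARD data on, and the re-injection listener overrides content_filter to an empty value so that signed mail is not sent through the filter a second time. The embedded master.cf is a constructed copy of the snippet above plus a plain port 25 smtp line; the re-injection address 127.0.0.1:10028 is taken from the dkimproxy command line later in the post and is passed in as a parameter, since master.cf alone does not say where dkimproxy re-injects.

```python
import re

# Constructed sample in the layout the post describes: submission hands mail to
# dksign, dksign delivers to dkimproxy on 10027, dkimproxy re-injects on 10028.
# A plain port 25 smtp line is added for the last check.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
dksign    unix  -       -       n       -       10      smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
127.0.0.1:10028 inet n  -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""


def parse_master_cf(text):
    """Parse master.cf into {(name, type): service}. A line that starts with
    whitespace continues the previous service (that is where the -o options go);
    blank lines and # comments are ignored."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any service definition")
            current["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        # columns: name type private unpriv chroot wakeup maxproc command args...
        current = {"name": fields[0], "type": fields[1], "command": fields[7], "args": fields[8:]}
        services[(fields[0], fields[1])] = current
    return services


def options(service):
    """Collect the -o key=value overrides of one service into a dict."""
    opts, args = {}, service["args"]
    for i, arg in enumerate(args):
        if arg == "-o" and i + 1 < len(args):
            key, _, value = args[i + 1].partition("=")
            opts[key] = value
    return opts


def check_signing_path(master_cf, reinject="127.0.0.1:10028"):
    """Return a list of problems with the submission -> dkimproxy -> re-injection path."""
    problems = []
    svcs = parse_master_cf(master_cf)
    sub = svcs.get(("submission", "inet"))
    if sub is None:
        return ["no submission inet service, so port 587 mail is not signed"]
    cf = options(sub).get("content_filter", "")
    m = re.fullmatch(r"(\w+):\[?([\d.]+)\]?:(\d+)", cf)
    if not m:
        return [f"submission content_filter is not transport:[host]:port: {cf!r}"]
    transport = m.group(1)
    filt = svcs.get((transport, "unix"))
    if filt is None or filt["command"] != "smtp":
        problems.append(f"filter transport {transport} is not a unix smtp service")
    elif options(filt).get("smtp_send_xforward_command") != "yes":
        problems.append(f"{transport}: smtp_send_xforward_command=yes missing, "
                        "original client information will not reach the re-injection smtpd")
    back = svcs.get((reinject, "inet"))
    if back is None:
        problems.append(f"no inet service listening on {reinject} for re-injection")
    else:
        bopts = options(back)
        if "content_filter" not in bopts:
            problems.append(f"{reinject}: content_filter is not overridden, so re-injected "
                            "mail could be filtered again if main.cf ever sets content_filter")
        elif bopts["content_filter"] != "":
            problems.append(f"{reinject}: content_filter must be empty, got {bopts['content_filter']!r}")
    smtp = svcs.get(("smtp", "inet"))
    if smtp and options(smtp).get("content_filter", "").startswith(transport + ":"):
        problems.append("port 25 smtp service also routes through the signing filter; "
                        "the post keeps port 25 for normal inbound mail")
    return problems


if __name__ == "__main__":
    for problem in check_signing_path(SAMPLE_MASTER_CF) or ["master.cf signing path looks consistent"]:
        print(problem)
```

Run it against your real file with check_signing_path(open("/etc/postfix/master.cf").read()); an empty list means the three services reference each other the way the post intends.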

Now it is time to set up dkimproxy. Since we are only interested in outgoing mail, we use dkimproxy.out. Please use the devel version: at the moment the stable version can’t sign with both signatures at the same time. Tested using dkimproxy-1.0beta1.tar.gz.
This example shows how to sign more than one domain.

Create a new file.
/etc/postfix/ssl/domainkeys/domainkeyfile:
# sign both mydom1.com and mydom2.com mail with both a domainkeys and dkim signature (put a new domain for each line)
mydom1.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha256,c=relaxed)
mydom2.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha1,c=relaxed)

As root, it is time to launch dkimproxy (change the values if necessary); in this case we run dkimproxy as user/group dkim:
# groupadd -g 4321 dkim
# useradd -u 4321 -s /bin/false -d /dev/null -g dkim dkim

Launch it as a daemon:
# dkimproxy.out --user=dkim --group=dkim --keyfile=/etc/postfix/etc/ssl/domainkeys/private.key --selector=yourselector --sender_map=/etc/postfix/ssl/domainkeys/domainkeyfile --daemonize --pidfile=/var/run/dkim.pid 127.0.0.1:10027 127.0.0.1:10028

Of course, it’s very important that you keep port 25 for ‘normal’ mail and switch your mail client to port 587 (submission) if you want its mail to go through dkimproxy; check your mail client’s documentation for how to do that.

Now, your mail uses domainkeys/dkim headers :)

Here is an example of the resulting mail headers:
———-

DomainKey-Signature: a=rsa-sha1; c=nofws; d=mydom1.com; h=date:subject:from:to:mime-version:content-type:message-id:content-transfer-encoding; q=dns; s=ireth; b=
  KPaZ5d7olrcJ62GwFyOAGGuiWe/+6ffW+b+ne24t3+mlUyUgU7kYHRedPphfTa4e
  AtdKW/l9B+TFnZs3WOFpaB1fkkwohQIHUJrINhMlm6NVgcEy3wolOXx2QKmDQdzl
  4cRo0x6q8DTjl9ThVwaOdL89Xj6gG8RecOx9wCKjnXO=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydom1.com; h=
  date:subject:from:to:mime-version:content-type:message-id:
  content-transfer-encoding; q=dns/txt; s=myhost1; bh=gbf05R7SXafOIY
  pmOvZ6JHiCsUiIu94mbMnHdz31av0=; b=jh8AB9KJUF2yarL9etKNcdCsICPssS
  Hz314WM/0KliaooehfanU+dxn/FIbvdeVc+ztTA9OkefWCj2SBfx/xi3sMDTy6gj
  ue+BYGvS9GJ9tYCKUvW4lk5wwk70JcCSpwQAbjsyf1pPBW3I6NFPtk2G5LrykEs+
  yizGa5g3x9rdg=

———-
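To see what the bh= tag in the DKIM-Signature above actually commits to, here is an added Python example (not from the post and not dkimproxy code) that canonicalizes a message body the way RFC 6376 describes, computes bh=, and verifies it against a signature header whose folded layout matches the one above. It also applies the rule that a single-value c= tag, like the c=relaxed above, means relaxed header canonicalization with simple body canonicalization, so any whitespace edit inside the body still breaks the hash. The message body and the resulting header are constructed; the b= tag is a placeholder because producing it needs the private key.

```python
import base64
import hashlib
import re

HASHES = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}


def parse_tags(header_value):
    """Parse a DKIM-Signature / DomainKey-Signature value into a tag dict.
    The folding whitespace of a multi-line header (as in the example above)
    carries no meaning, so it is stripped from every tag value."""
    tags = {}
    for field in header_value.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_canon_from_c_tag(c_tag):
    """c=header/body; with a single value the body method is 'simple' (RFC 6376 3.5)."""
    parts = c_tag.split("/")
    return parts[1] if len(parts) == 2 else "simple"


def canonicalize_body(body, method="simple"):
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # collapse runs of WSP to one space and drop trailing WSP on each line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization: {method}")
    # both methods ignore empty lines at the end of the body
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # empty body: simple hashes a single CRLF, relaxed hashes nothing at all
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, algorithm, canon):
    """Base64 digest of the canonicalized body, i.e. the bh= value."""
    digest = HASHES[algorithm](canonicalize_body(body, canon).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_signature, body):
    """True when the bh= tag of the header matches the body we were handed."""
    tags = parse_tags(dkim_signature)
    canon = body_canon_from_c_tag(tags.get("c", "simple/simple"))
    return body_hash(body, tags["a"], canon) == tags["bh"]


def make_signature_header(domain, selector, body, algorithm="rsa-sha256", c_tag="relaxed"):
    """Build the signed-tag part of a DKIM-Signature like the one above. The b=
    tag needs the private key, so it is a placeholder here."""
    canon = body_canon_from_c_tag(c_tag)
    return (f"v=1; a={algorithm}; c={c_tag}; d={domain}; h=\r\n"
            f" date:subject:from:to:mime-version:content-type:message-id:\r\n"
            f" content-transfer-encoding; q=dns/txt; s={selector}; "
            f"bh={body_hash(body, algorithm, canon)}; b=PLACEHOLDER")


if __name__ == "__main__":
    # constructed sample body with internal double spaces and trailing empty lines
    body = "Hello,\r\n\r\nThis  is a   constructed test body.\r\n\r\n\r\n"
    header = make_signature_header("mydom1.com", "myhost1", body)
    print(header)
    print("original body verifies:", verify_body_hash(header, body))
    print("edited body verifies:  ", verify_body_hash(header, body.replace("test", "TEST")))
```

The header check is the part of DKIM verification that needs no DNS lookup; a receiver that finds bh= wrong stops before fetching the public key, which is why a body-mangling relay downstream of dkimproxy shows up as a hard verification failure.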

This setup assumes that you have already created your private/public cryptographic keys and configured your DNS; if not, check the main site for how to do it.

http://dkimproxy.sourceforge.net/ (read about openssl)

See you!

6 Responses to 'Domainkeys/Dkim with Postfix'


  1. Mario said,

    I installed dk-filter but in the header I see something like
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; ……
    instead of DomainKey-Signature how can I change it?

  2. James Holmes said,

    dk-filter is not the same program as dkimproxy. The newest versions of dkimproxy can sign email headers using both the newer DKIM and the older DomainKeys signatures (if you want – the DomainKeys signature is optional).

  3. Main site reference said,

    “This setup assumes that you have created you private/public cryptographic keys, also you have configured your dns, if not, then check main site for how to do it.”

    Wonderful howto but please, I do need to find out how to create the cryptographic keys and configure the dns. Where is the “main site” you refer to and any link in that direction would help.

  4. rga said,

    Hello,

    Check dkimproxy site when talking about howto using DKIMproxy to sign outbound messages:

    1. Generate a private/public key pair using OpenSSL:

    openssl genrsa -out private.key 1024
    openssl rsa -in private.key -pubout -out public.key

    This creates the files private.key and public.key in the current directory, containing the private key and public key. Make sure private.key is not world-readable, but still readable by the dkim user.
    2. Pick a selector name… e.g. selector1
    3. Put the public-key data in DNS, in your domain, using the selector name you picked. Take the contents of the public.key file and remove the PEM header and footer, and concatenate the lines of the file into one big line. Then create a TXT entry, like this:

    selector1._domainkey IN TXT "k=rsa; t=s; p=MHwwDQYJK … OprwIDAQAB"

    where selector1 is the name of the selector chosen in the last step and the p= parameter contains the public-key as one long string of characters.

    Regards,
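The three steps rga lists can be automated. The following Python script is an added example (not from the post, the comment, or the dkimproxy site) that runs the same two openssl commands, turns public.key into the selector._domainkey TXT record, and checks the private key's file mode as the comment asks. Two details it adds beyond the comment: the record is split into quoted strings of at most 255 characters, which is the limit of a single DNS TXT character-string and which a 2048-bit key exceeds, and a v=DKIM1 tag is prepended. The key size defaults to 2048 bits rather than the 1024 used in the comment; the PEM data in the test is constructed and the selector name is an assumption.

```python
import os
import stat
import subprocess


def generate_keypair(private_path="private.key", public_path="public.key", bits=2048):
    """Run the two openssl commands from the comment above. bits defaults to
    2048 here; the comment uses 1024. The private key is then restricted to
    owner and group, so it can be readable by the dkim group but not the world."""
    subprocess.run(["openssl", "genrsa", "-out", private_path, str(bits)], check=True)
    subprocess.run(["openssl", "rsa", "-in", private_path, "-pubout", "-out", public_path], check=True)
    os.chmod(private_path, 0o640)


def pem_to_dkim_txt(pem_text, selector, max_string=255):
    """Build the selector._domainkey TXT record from a PEM public key:
    drop the PEM header and footer, join the base64 lines into one string,
    and split the record into DNS character-strings of at most 255 octets."""
    lines = [line.strip() for line in pem_text.strip().splitlines() if line.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("expected a PEM public key block")
    p = "".join(lines[1:-1])
    record = f"v=DKIM1; k=rsa; t=s; p={p}"
    # resolvers concatenate the quoted strings of one TXT record, so a long key
    # is published as several consecutive pieces rather than one oversized string
    pieces = [record[i:i + max_string] for i in range(0, len(record), max_string)]
    return f"{selector}._domainkey IN TXT " + " ".join(f'"{piece}"' for piece in pieces)


def key_mode_ok(mode):
    """True when the mode bits allow no world access and no group write.
    0o640 with group dkim satisfies 'readable by the dkim user, not world-readable'."""
    return mode & (stat.S_IRWXO | stat.S_IWGRP) == 0


def check_private_key(path):
    """Apply key_mode_ok to the permission bits of an existing key file."""
    return key_mode_ok(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    generate_keypair()
    with open("public.key") as fh:
        print(pem_to_dkim_txt(fh.read(), "selector1"))
    print("private.key mode ok:", check_private_key("private.key"))
```

After publishing the record, dkimproxy.out is pointed at the same key with --keyfile and the same name with --selector, exactly as in the command line earlier in the post.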


  5. Why does it need to be on port 456?
    and is there a way to sign only messages from authenticated users?

