Domainkeys/Dkim with Postfix

rga Debian, Howtos, Linux, Postfix, Software, Tips

Hello,

If you want to use postfix to use domainkeys or dkim you can do it using dkimproxy http://dkimproxy.sourceforge.net

In this setup, we only want that outgoing mail are signed. As we known, yahoo and gmail uses it with spam checks.

http://dkimproxy.sourceforge.net/postfix-outbound-howto.html

First, change your master.cf from postfix file
master.cf:
submission inet n – y – – smtpd
-o smtpd_etrn_restrictions=reject
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,reject

// put this in the same file, for example, at bottom is a good place
dksign unix – – n – 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime,starttls

127.0.0.1:10028 inet n – n – 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject

Now, is time to setup dkimproxy, since we are only interested in outgoin mail, we use dkimproxy.out instead, please, use devel version, at moment, stable version can’t sign both signatures at the same time. Tested using dkimproxy-1.0beta1.tar.gz
This example show how to sing more than one domain.

Create a new file.
/etc/postfix/ssl/domainkeys/domainkeyfile:
# sign both mydom1.com and mydom2.com mail with both a domainkeys and dkim signature (put a new domain for each line)
mydom1.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha256,c=relaxed)
mydom2.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha1,c=relaxed)

As user root, is time to launch dkimproxy (change your values if necessary), in this case we run dkimproxy with user/group dkim
# groupadd -g 4321 dkim
# useradd -u 4321 -s /bin/false -d /dev/null -g dkim dkim

// launch it as a daemon
# dkimproxy.out –user=dkim –group=dkim –keyfile=/etc/postfix/etc/ssl/domainkeys/private.key –selector=yourselector –sender_map=/etc/postfix/ssl/domainkeys/domainkeyfile –daemonize –pidfile=/var/run/dkim.pid 127.0.0.1:10027 127.0.0.1:10028

Of course, it’s very important that you keep you port 25 for ‘normal’ mail and change it to port 587 if you want to use dkimproxy, check your mail client how to do that.

Now, your mail uses domainkeys/dkim headers :)

this is a mail headers example:
———-

DomainKey-Signature: a=rsa-sha1; c=nofws; d=mydom1.com; h=date:subject:from:to:mime-version:content-type:message-id:content-transfer-encoding; q=dns; s=ireth; b=

KPaZ5d7olrcJ62GwFyOAGGuiWe/+6ffW+b+ne24t3+mlUyUgU7kYHRedPphfTa4e

AtdKW/l9B+TFnZs3WOFpaB1fkkwohQIHUJrINhMlm6NVgcEy3wolOXx2QKmDQdzl

4cRo0x6q8DTjl9ThVwaOdL89Xj6gG8RecOx9wCKjnXO=

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydom1.com; h=

date:subject:from:to:mime-version:content-type:message-id:

content-transfer-encoding; q=dns/txt; s=myhost1; bh=gbf05R7SXafOIY

pmOvZ6JHiCsUiIu94mbMnHdz31av0=; b=jh8AB9KJUF2yarL9etKNcdCsICPssS

Hz314WM/0KliaooehfanU+dxn/FIbvdeVc+ztTA9OkefWCj2SBfx/xi3sMDTy6gj

ue+BYGvS9GJ9tYCKUvW4lk5wwk70JcCSpwQAbjsyf1pPBW3I6NFPtk2G5LrykEs+

yizGa5g3x9rdg=

———-

This setup assumes that you have created you private/public cryptographic keys, also you have configured your dns, if not, then check main site for how to do it.

http://dkimproxy.sourceforge.net/ (read about openssl)

See you!

7 thoughts on “Domainkeys/Dkim with Postfix

  1. I installed dk-filter but in the header I see something like
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; ……
    instead of DomainKey-Signature how can I change it?

    Reply

  2. dk-filter is not the same program as dkimproxy. The newest versions of dkimproxy can sign email headers using both the newer DKIM and the older DomainKeys signatures (if you want – the DomainKeys signature is optional).

    Reply

  4. “This setup assumes that you have created you private/public cryptographic keys, also you have configured your dns, if not, then check main site for how to do it.”

    Wonderful howto but please, I do need to find out how to create the cryptographic keys and configure the dns. Where is the “main site” you refer to and any link in that direction would help.

    Reply

  5. Hello,

    Check dkimproxy site when talking about howto using DKIMproxy to sign outbound messages:

    1. Generate a private/public key pair using OpenSSL:

    openssl genrsa -out private.key 1024
    openssl rsa -in private.key -pubout -out public.key

    This creates the files private.key and public.key in the current directory, containing the private key and public key. Make sure private.key is not world-readable, but still readable by the dkim user.
    2. Pick a selector name… e.g. selector1
    3. Put the public-key data in DNS, in your domain, using the selector name you picked. Take the contents of the public.key file and remove the PEM header and footer, and concatenate the lines of the file into one big line. Then create a TXT entry, like this:

    selector1._domainkey IN TXT “k=rsa; t=s; p=MHwwDQYJK … OprwIDAQAB”

    where selector1 is the name of the selector chosen in the last step and the p= parameter contains the public-key as one long string of characters.

    Regards,

    Reply

  7. I can successfully sign outgoing mail when using one domian using the –conf_file option but when i add the domains into –sender_map it will not work no matter what configuration i try i keep getting “DKIM signing – skipped” in the logs. this is using Version: 1.0.1-8.1 from debian lenny. Its not giving any errors, do you know if this version should be able to sign two different domains properly?

    Reply

Leave a comment