Addition/Configure dk-filter to sign emails with Domainkeys

From iRedMail
Revision as of 09:23, 5 April 2010 by Derchris (Talk | contribs)

Check DNS settings

First, check that the DomainKeys records are set up correctly in DNS:

Terminal:
#dig _domainkey.<domain> TXT

;; ANSWER SECTION:
_domainkey.<domain>. 3600    IN      TXT     "t=y\; o=-"

#dig dk._domainkey.<domain> TXT

;; ANSWER SECTION:
dk._domainkey.<domain>. 3600 IN      TXT     "k=rsa\; t=y\; p=Long RSA key"

In this example, I created a _domainkey DNS TXT entry with "t=y; o=-", and a selector record dk._domainkey with "k=rsa; t=y; p=<RSA key>". The RSA key is the same one used for DKIM, which is already set up via Amavis.
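
One way to sanity-check the two TXT records before moving on, as an added example that is not part of the original wiki page: a POSIX shell lint for the tag lists that dig prints. The function names and sample records are constructed for illustration, the p= value is a placeholder rather than a real key, and dk_pubkey_from_pem assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: lint DomainKeys TXT records as printed by `dig +short ... TXT`.

# dk_tag RECORD TAG: print the value of TAG (empty if the tag is absent).
dk_tag() {
    printf '%s\n' "$1" | tr -d '"\\' | tr ';' '\n' |
        awk -v tag="$2" '{
            k = $0; sub(/=.*/, "", k); gsub(/[ \t\r]/, "", k)
            if (k == tag && index($0, "=")) {
                v = substr($0, index($0, "=") + 1); gsub(/[ \t\r]/, "", v)
                print v; exit
            }
        }'
}

# dk_lint_policy RECORD: check the _domainkey.<domain> policy record.
dk_lint_policy() {
    case "$(dk_tag "$1" o)" in
        -)      echo "policy: o=- (all mail from this domain is signed)" ;;
        '~'|'') echo "policy: o=~ (some mail is signed; the default)" ;;
        *)      echo "policy: unknown o= value"; return 1 ;;
    esac
    [ "$(dk_tag "$1" t)" = y ] && echo "policy: t=y (testing mode)"
    return 0
}

# dk_lint_selector RECORD: check the <selector>._domainkey.<domain> key record.
dk_lint_selector() {
    k=$(dk_tag "$1" k); p=$(dk_tag "$1" p)
    [ "${k:-rsa}" = rsa ] || { echo "selector: unsupported key type k=$k"; return 1; }
    [ -n "$p" ] || { echo "selector: empty p= (key revoked or missing)"; return 1; }
    case "$p" in
        *[!A-Za-z0-9+/=]*) echo "selector: p= is not base64"; return 1 ;;
    esac
    [ "$(dk_tag "$1" t)" = y ] && echo "selector: t=y (testing mode)"
    echo "selector: ok"
}

# dk_pubkey_from_pem FILE: print the p= value matching a private key, for
# comparison with DNS, e.g. dk_pubkey_from_pem /var/lib/dkim/<domain>.pem
dk_pubkey_from_pem() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Constructed sample records in the page's format (p= is a placeholder).
dk_lint_policy '"t=y\; o=-"'
dk_lint_selector '"k=rsa\; t=y\; p=MIGfPLACEHOLDER"'
```

Both sample records carry t=y, so verifiers will treat the domain as being in testing mode until that flag is removed from DNS.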

Install dk-filter

Install the dk-filter package:

Terminal:
#apt-get install dk-filter 


Check dk-filter user/group

Check if dk-filter user/group has been added

Terminal:
#grep dk-filter /etc/passwd
dk-filter:x:125:132::/var/run/dk-filter:/bin/false

#grep dk-filter /etc/group
dk-filter:x:132: 

If not, create the user/group, with /var/run/dk-filter as home dir.

Configure dk-filter

Open /etc/default/dk-filter:

File: /etc/default/dk-filter
# Sane defaults: log to syslog
DAEMON_OPTS="-l"
DAEMON_OPTS="$DAEMON_OPTS -b s -c simple -d <domain> -D -h -m ORIGINATING -s /var/lib/dkim/<domain>.pem -S <selector>"
SOCKET="inet:4445@127.0.0.1"

dk-filter will listen on 127.0.0.1:4445 and sign mail for domain <domain>, with the key from /var/lib/dkim/<domain>.pem, using selector <selector>. You need to change this to match your environment (domain, selector).

Configure postfix

Open /etc/postfix/master.cf, and go down to the Amavis smtpd entry:

File: /etc/postfix/master.cf
127.0.0.1:10025 inet n  -   -   -   -  smtpd
    -o content_filter=
    -o milter_default_action=accept
    -o milter_macro_daemon_name=ORIGINATING
    # Add the following line to the Postfix config
    -o smtpd_milters=inet:127.0.0.1:4445
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Start dk-filter

Start dk-filter, and then restart Postfix

Terminal:
#/etc/init.d/dk-filter start

Check if dk-filter is running

Then restart Postfix

Terminal:
#/etc/init.d/postfix restart

Test Domainkeys

Domainkeys should now be working. In order to test it, send a blank email to:

check-auth@verifier.port25.com

Wait for the reply. It should look like this:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   pass
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham