Ok, If you remember, this morning I wrote an article about how to make you mail server which uses Postfix, to be able to sign the outgoing messages using DKIM. I moved on, and start digging about DomainKeys, and how that feature can be used with Postfix. Of course, our server runs on Ubuntu Hardy.

First you need the milter wich will sign or verify your messages with Postfix. I searched the web and found that Ubuntu repositories already provide such a package wich is called dk-filter (actually, it is build from dk-milter).
Install dk-filter:
sudo apt-get install dk-filter

After installation, you will also need a key for signing/verifying emails and setting up DNS TXT records (I’ll just copy paste this step from the previous post…).
Here’s how to get the keys (the first one will be the private key, and the second will be the public one):

openssl genrsa -out private.key 1024
openssl rsa -in rsa.private -out public.key -pubout -outform PEM

I recommend you moving the keys somewhere where those will be more protected than your home folder (somewhere in /var/dk-filter/ is ok).
For making DK work, you’ll also need to add some DNS records! I’m using domain.tld for examples, but if you have subdomain.domain.tld, DKIM works with sub domains!!!

Create a DNS TXT record for selector._domainkey.domain.tld as follows:
_domainkey.domain.tld. IN TXT "t=y; o=~;"
(the t=y means that the domain is in test mode, actually that it is activated, and the o=~; means that some mail is being signed from this domain).
mail._domainkey.domain.tld. IN TXT "k=rsa; t=y; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
(the string after p= is the base64 encoding of your public key.
If the public.key file which was generated contains:

-----BEGIN PUBLIC KEY-----
PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-------

the base64 encoding is everything between the first ----- BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines, remove any spaces and newlines, the t=y value pair means that the domain is using this key in test mode, also that is activated).

Net you need to edit your configuration for dk-filter. The file can be found /etc/default/dk-filter
(the contents of that file are very explicit and commented so I believe you won’t get stuck, just mention your domain and the path to your key file).

Now, before starting the daemon, you’ll need to specify a port number. Do this by editing the same /etc/default/dk-filter and un-commenting one of the lines that can be found at the end of file. It will look like this after you are done:
SOCKET="inet:8892@localhost" # listen on loopback on port 8892

The dk-filter daemon now can be started using /etc/init.d/dk-filter start (if the daemon is already started, use /etc/init.d/dk-filter restart).

Back to Postfix. As your probably found already, dk-filter is actually a milter, so you can use smtpd_milters to pass your new milter to Postfix… Add to the end of /etc/postfix/main.cf for example:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

If you are using already some milter, like I do (remember DKIM), you can add the new one like this:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892


This is the minimum of configuration to make Postfix use the our milter, and in my case it was enough for making it work!

Now you can restart Postfix:
sudo /etc/init.d/postfix restart

Give some time for DNS services be activated, and then let’s test our new milter!
I found several DKIM/DK checkers, for ex.: SkyList, ESPCoalition for emails and Sendmail, Yahoo tools for DNS.
(Don’t worry if those will say that the algorithm rsa-sha256 is not supported, the tools are a bit outdated…)

I’m also open for further discussions on this topic, or If you need to ask something, I’ll be happy to reply to your comments.
Hope that this article helped you somehow….

Special note: I owe some credits to dk-milter discussion list on sourceforge and especially to Murray S. Kucherawy. I would also want to thank Noel Jones for pointing me the right direction.

I was playing these days with Postfix on my server with Hardy on it, so I said why not making it speak DKIM? (My server already speaks SPF!)
Easy to say, almost impossible to make!

The problem with DKIM is that, nowadays you can find several tools that will theoretically allow you to build a mail server which verifies and signs outgoing emails with domain keys, but that is a horror when it comes to work with those tools.

For solving my problem I started with dkfilter trying to compile it. The problem with dkfilter is that it uses several Perl libraries, so after getting those from CPAN, one of it was asking to be compiled, and it’s compilation finished with an error! … I moved on, joined the #postfix on freenode and started to ask pals for help and thoughts. From that point I found dkim-milter. After a bit of digging, I did also found that the package dkim-filter from Ubuntu repositories is actually dkim-milter I was reading (and already trying to compile).

From here starts the real tutorial…
Install dkim-filter (actually this is the tool which will verify and sign the emails for our server)
sudo apt-get install dkim-filter
After installation, dpkg will throw you an error, don’t worry, it is trying to start the daemon dkim-filter which can’t be started until it will be configured.

For that you’ll need some keys and to edit the /etc/dkim-filter.conf
Here’s how to get the keys (the first one will be the private key, and the second will be the public one):

openssl genrsa -out private.key 1024
openssl rsa -in rsa.private -out public.key -pubout -outform PEM

I recommend you moving the keys somewhere where those will be more protected than your home folder (somewhere in /var/dkim-filter/ is ok).
For making DKIM work, you’ll also need to add some DNS records! I’m using domain.tld for examples, but if you have subdomain.domain.tld, DKIM works with sub domains!!!

Create a DNS TXT record for selector._domainkey.domain.tld as follows:
mail._domainkey.domain.tld. IN TXT "k=rsa; t=y; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
(the string after p= is the base64 encoding of your public key.
If the public.key file which was generated contains:

-----BEGIN PUBLIC KEY-----
PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-------

the base64 encoding is everything between the first ----- BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines, remove any spaces and newlines, the t=y value pair means that the domain is using this key in test mode, also that is activated).

After this you can start editing /etc/dkim-filter.conf. Actually the contents of that file are really explicit and well commented, so I believe you won’t get in troubles. (Remember, if your server is on a sub domain, edit it considering that!)
After you can start up the daemon:
sudo /etc/init.d/dkim-filter start
You can check if it started by looking inside logs (try: less /var/log/mail.log and look for word DKIM).

Now let’s make Postfix use our milter!
Edit your /etc/postfix/main.cf and append the following lined to the end of file:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891


This is the minimum of configuration to make Postfix use the our milter, and in my case it was enough for making it work!

Save the file and then restart Postfix:
sudo /etc/init.d/postfix restart

Give some time for DNS services be activated, and then let’s test our new milter!
I found several DKIM checkers, for ex.: SkyList, ESPCoalition for emails and Sendmail, Yahoo tools for DNS.
(Don’t worry if those will say that the algorithm rsa-sha256 is not supported, the tools are a bit outdated…)

I’m also open for further discussions on this topic, or If you need to ask something, I’ll be happy to reply to your comments.
Hope that this article helped you somehow….

I must say that the latest server-edition Ubuntu LTS (Hardy Heron) is really great.
I’ve just finished some upgrades from Ubuntu 7.10 for a server (vps), and I can say that the difference is damn great.

The speed, the package management, the process handling and stability are really improved.
I recommend it to everyone who is thinking about “What Linux would be better to install on my next server?”, I promise you, it’s a pleasure to manage such a distro!