
I was playing these days with Postfix on my server running Hardy, so I thought: why not make it speak DKIM as well? (My server already speaks SPF!)
Easy to say, almost impossible to do!
The problem with DKIM is that nowadays you can find several tools that theoretically allow you to build a mail server that verifies incoming mail and signs outgoing mail with domain keys, but working with those tools is a horror.
To solve my problem I started with dkfilter and tried to compile it. The problem with dkfilter is that it depends on several Perl libraries; after fetching them from CPAN, one of them needed to be compiled, and its compilation finished with an error! I moved on, joined #postfix on freenode and asked people there for help and thoughts. That is how I found dkim-milter. After a bit of digging, I also found that the dkim-filter package from the Ubuntu repositories is actually the dkim-milter I had been reading about (and was already trying to compile).
From here starts the real tutorial…
Install dkim-filter (this is the tool that will verify and sign emails for our server):
sudo apt-get install dkim-filter
After installation, dpkg will show an error; don't worry, it is trying to start the dkim-filter daemon, which can't start until it has been configured.
For that you'll need a key pair, and you'll need to edit /etc/dkim-filter.conf.
Here's how to generate the keys (the first command creates the private key, the second derives the public key from it; note that the -in file of the second command must be the file written by the first):
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
I recommend moving the keys somewhere better protected than your home folder (somewhere under /var/dkim-filter/ is fine).
To make DKIM work you'll also need to add some DNS records! I'm using domain.tld in the examples, but if you have subdomain.domain.tld, DKIM works with subdomains too!
Create a DNS TXT record for selector._domainkey.domain.tld (the selector below is mail) as follows:
mail._domainkey.domain.tld. IN TXT "k=rsa; t=y; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
(The string after p= is the base64 encoding of your public key. If the generated public.key file contains:
-----BEGIN PUBLIC KEY-----
PpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-----
then the base64 encoding is everything between the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines, with all spaces and newlines removed. The t=y tag means that the domain is using this key in test mode, and that the key is active.)
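As an added example that is not part of the original post: a small Python helper that turns the public.key PEM into the zone-file TXT line and checks a published record against the key. It goes a little beyond the record above by adding the v=DKIM1 tag that DKIM verifiers expect and by splitting the value into quoted strings of at most 255 characters (the limit for one TXT string, needed for keys longer than 1024 bits); the key body is a constructed stand-in, not a real key.

```python
import base64
import re

# Constructed stand-in for the DER bytes of a 1024-bit RSA SubjectPublicKeyInfo
# (162 bytes, first byte 0x30 = DER SEQUENCE tag). It is NOT a real key:
# substitute the contents of the public.key file written by openssl.
FAKE_DER = bytes([0x30]) + bytes(range(161))
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(FAKE_B64[i:i + 64] for i in range(0, len(FAKE_B64), 64))
              + "\n-----END PUBLIC KEY-----\n")

def pem_to_b64(pem):
    """Return the PEM body as one base64 string: drop the BEGIN/END lines,
    strip every space and newline, and make sure it still decodes."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    body = re.sub(r"\s+", "", body)
    der = base64.b64decode(body, validate=True)  # raises on stray characters
    if not der or der[0] != 0x30:
        raise ValueError("not a DER public key (missing SEQUENCE tag)")
    return body

def dkim_txt_record(selector, domain, pem, testing=True):
    """Build the zone-file line for selector._domainkey.domain. A single TXT
    character-string holds at most 255 bytes, so the tag list is split into
    several quoted strings when needed (2048-bit keys; 1024-bit fits in one).
    t=y marks the key as being in test mode, as in the record above."""
    tags = "v=DKIM1; k=rsa; " + ("t=y; " if testing else "") + "p=" + pem_to_b64(pem)
    chunks = [tags[i:i + 255] for i in range(0, len(tags), 255)]
    return "%s._domainkey.%s. IN TXT %s" % (
        selector, domain, " ".join('"%s"' % c for c in chunks))

def parse_txt_record(record_line):
    """Parse a zone-file TXT line back into a tag dict (strings are joined)."""
    value = "".join(re.findall(r'"([^"]*)"', record_line))
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def record_matches_key(record_line, pem):
    """Check that a published record carries exactly the RSA key in the PEM."""
    tags = parse_txt_record(record_line)
    return tags.get("k", "rsa") == "rsa" and tags.get("p") == pem_to_b64(pem)

if __name__ == "__main__":
    print(dkim_txt_record("mail", "domain.tld", SAMPLE_PEM))
```

Paste the printed line into your zone file as-is; record_matches_key can then be run on the value you read back from DNS to confirm the published key is the one you generated.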
After this you can start editing /etc/dkim-filter.conf. The contents of that file are really explicit and well commented, so I believe you won't get into trouble. (Remember, if your server is on a subdomain, edit it with that in mind!)
Then you can start the daemon:
sudo /etc/init.d/dkim-filter start
You can check whether it started by looking in the logs (try less /var/log/mail.log and search for the word DKIM).
Now let’s make Postfix use our milter!
Edit your /etc/postfix/main.cf and append the following lines to the end of the file:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
This is the minimum configuration needed to make Postfix use our milter, and in my case it was enough to make it work!
Save the file and then restart Postfix:
sudo /etc/init.d/postfix restart
Give DNS some time to propagate the new records, and then let's test our new milter!
I found several DKIM checkers, for example SkyList and ESPCoalition for emails, and the Sendmail and Yahoo tools for DNS.
(Don't worry if they say that the algorithm rsa-sha256 is not supported; the tools are a bit outdated.)
I'm also open to further discussion on this topic, and if you need to ask something, I'll be happy to reply to your comments.
Hope this article helped you somehow.
For some reason my key seems way too long.
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGqRUNlkgNI7PlvRMljUebAuMh1qeKH3PDL5y9dJQY6Ubc4VzW/u/2Ox79ANi4cw1hvOE/eyC1wabwfSfl9qXnOm8wXddaFnFmGwBYCIhz46OWFVbRjDBNj0wO+hL+Zz4UN6Atm/B0pHH/haiCoiMYp3PUu5ctktE+R2uJ3s6nEQIDAQAB
This doesn't even seem to fully resolve in the DNS TXT entry. Any idea what I'm doing wrong? I'm on Ubuntu Hardy too, and followed your instructions (and similar instructions I found elsewhere) exactly.
Thanks,
Mike
@Michael,
your key is ok.
Just paste it where it should be, and that’s all.
Remember, it might take some time for the new settings to become propagated in the DNS zone you use.
Remember to put the key on one line (remove line breaks) in the zone file, then maybe wait for some hours for your records to be updated; it could be necessary to update both the primary and the secondary domain server (if the secondary is not a slave) and to update the serial number of your zone.
I found that for some strange reason postfix is ignoring this:
# master.cf entry: the -o lines must be indented so Postfix reads them as options of the service above
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
so, because I'm using amavis to scan mail messages, I added dksign to the content_filter option for port 10025, and this way it is working:
# master.cf entry for the amavis re-injection listener, with dksign as its content filter
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=dksign:[127.0.0.1]:10027
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_bind_address=127.0.0.1
Don't know if this is correct, but at least it is working, and now yahoo says: mta332.mail.mud.yahoo.com from=stclara.net; domainkeys=pass (ok)
The command "openssl genrsa -out public.key 1024" is incorrect. It should be "openssl genrsa -out rsa.private 1024". The second command will fail otherwise.
If the init.d script can't start the daemon, test your config with:
dkim-filter -x /etc/dkim-filter.conf
If you get an error like:
Then try manually specifying the socket; in our case it is local:
dkim-filter -x /etc/dkim-filter.conf -p local
I followed your steps exactly and successfully configured dk-filter. But when I'm using dkim-filter I get the following error:
Mar 1 11:00:24 mail postfix/smtpd[4639]: warning: milter inet:localhost:8891: can’t read SMFIC_OPTNEG reply packet header: Connection timed out
Mar 1 11:00:24 mail postfix/smtpd[4639]: warning: milter inet:localhost:8891: read error in initial handshake
Can you please point me in the right direction?
Thank you in advance.
These tutorials are somewhat obsolete. I recommend reading the wiki pages directly from Ubuntu, which are the updated versions of the articles from my blog:
Postfix on help.ubuntu.com.
If you have problems after that, send me an email, and I’ll try to help you.