Configuring Postfix + DomainKeys (+ DKIM) on Ubuntu Hardy

Postfix + dk-filter + dkim on Ubuntu
OK, if you remember, this morning I wrote an article about how to make a mail server that uses Postfix sign its outgoing messages with DKIM. I moved on and started digging into DomainKeys and how that can be used with Postfix. Of course, our server runs on Ubuntu Hardy.

First you need the milter which will sign or verify your messages for Postfix. I searched the web and found that the Ubuntu repositories already provide such a package, called dk-filter (it is actually built from dk-milter).
Install dk-filter:
sudo apt-get install dk-filter

After installation you also need a key pair for signing/verifying mail, plus the matching DNS TXT records (I'll just copy this step from the previous post).
Here's how to generate the keys (the first command creates the private key, the second derives the public one from it). 1024 bits is what I used at the time; 2048 bits is the recommended size today.

openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM

I recommend moving the keys somewhere better protected than your home folder (somewhere under /var/dk-filter/ is fine), with the private key readable only by the user dk-filter runs as.
To make DK work you also need to add some DNS records. I use domain.tld in the examples, but if your mail comes from subdomain.domain.tld, DomainKeys works with subdomains too.

Create two DNS TXT records: a domain-wide policy record at _domainkey.domain.tld and a key record at selector._domainkey.domain.tld (the selector below is "mail"; it has to match the selector you give dk-filter):
_domainkey.domain.tld. IN TXT "t=y; o=~;"
(t=y means the domain is in test mode, so verifiers should not reject mail on a failed signature; o=~ means that some, not necessarily all, mail from this domain is signed, whereas o=- would claim that all of it is signed).
mail._domainkey.domain.tld. IN TXT "k=rsa; t=y; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
(the string after p= is the base64 encoding of your public key; the value shown here is a shortened placeholder, a real one is considerably longer.
If the public.key file which was generated contains:

-----BEGIN PUBLIC KEY-----
PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-----

the base64 encoding is everything between the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines with every space and newline removed; k=rsa says the key is an RSA key, and t=y again marks this key as being in test mode).
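Putting the key generation and the two DNS records together, here is an added shell example (not from the original post) that derives the p= value from the PEM file and prints both records. domain.tld and the selector mail are the post's placeholders, SAMPLE_PEM is a constructed stand-in rather than a real key, and it goes one step beyond the text by also checking the published record against the local key with dig once DNS has propagated.

```shell
#!/bin/sh
# Added example, not from the original post: generate the key pair and derive
# the two DomainKeys TXT records from the PEM public key. domain.tld and the
# selector "mail" are the post's placeholders; SAMPLE_PEM is a constructed
# stand-in, not a real key.

# Generate the RSA key pair. 2048 bits is the usual size today; the post used 1024.
# umask 077 keeps private.key unreadable by anyone but the creating user.
gen_keypair() {
    dir=$1; bits=${2:-2048}
    ( umask 077 && openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null )
    openssl rsa -in "$dir/private.key" -pubout -outform PEM -out "$dir/public.key" 2>/dev/null
}

# Strip the PEM armour and every space/newline: what is left is the p= value.
pem_to_p() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' | tr -d ' \t\r\n'
}

# Domain-wide policy record. t=y: test mode, verifiers must not reject on failure;
# o=~: only some mail from the domain is signed (o=- would claim all of it is).
dk_policy_record() {
    printf '_domainkey.%s. IN TXT "t=y; o=~;"\n' "$1"
}

# Selector record, built from the PEM public key read on stdin.
dk_selector_record() {
    selector=$1; domain=$2
    p=$(pem_to_p)
    printf '%s._domainkey.%s. IN TXT "k=rsa; t=y; p=%s"\n' "$selector" "$domain" "$p"
}

# After the zone is published: fetch the record back and compare p= with the
# local public key. Needs dig and network access, so it is a separate step.
dk_record_check() {
    selector=$1; domain=$2; pubkey=$3
    want=$(pem_to_p < "$pubkey")
    # dig may split a long TXT into several quoted strings; drop quotes and spaces to rejoin them
    dig +short TXT "$selector._domainkey.$domain" | tr -d '" ' | grep -qF "p=$want"
}

# Constructed sample public key with the wrapped line and stray space that
# trip people up when pasting into a zone file. Not a real key.
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-----'

dk_policy_record domain.tld
printf '%s\n' "$SAMPLE_PEM" | dk_selector_record mail domain.tld
```

On a real server you would run gen_keypair /var/dk-filter, feed /var/dk-filter/public.key to dk_selector_record, paste the two printed lines into the zone, and once the zone has propagated run dk_record_check mail domain.tld /var/dk-filter/public.key, which exits 0 only when the published p= matches the key on disk.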

Next you need to edit the configuration for dk-filter. The file is /etc/default/dk-filter
(its contents are well commented, so you should not get stuck: set your domain, the path to your private key and the selector you used in DNS).

Now, before starting the daemon, you’ll need to specify a port number. Do this by editing the same /etc/default/dk-filter and un-commenting one of the lines that can be found at the end of file. It will look like this after you are done:
SOCKET="inet:8892@localhost" # listen on loopback on port 8892

The dk-filter daemon now can be started using /etc/init.d/dk-filter start (if the daemon is already started, use /etc/init.d/dk-filter restart).

Back to Postfix. As you have probably found already, dk-filter is a milter, so you can use smtpd_milters to hand it to Postfix. Add to the end of /etc/postfix/main.cf, for example:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

If you already use another milter, as I do (remember DKIM, on port 8891), add the new one to the list like this:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892

This is the minimum configuration to make Postfix use our milter, and in my case it was enough to make it work. Note that milter_default_action = accept means that if dk-filter is down or crashes, Postfix still delivers the mail, just unsigned; set it to tempfail if you would rather have mail wait in the queue than go out unsigned.

Now you can restart Postfix:
sudo /etc/init.d/postfix restart
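As an added example (not from the original post, and not Postfix's own tooling), the following shell functions merge a new milter endpoint into whatever smtpd_milters and non_smtpd_milters already hold, so adding DK next to DKIM does not clobber the existing entry, and check that the milter port is actually listening first. It assumes postconf and nc are installed; the endpoint inet:localhost:8892 is the post's.

```shell
#!/bin/sh
# Added example, not from the original post: add a second milter endpoint to
# Postfix without clobbering the one already configured, then check that the
# endpoint actually listens before restarting. Assumes postconf (Postfix) and
# nc are on PATH for the functions that use them; merge_milters is pure text.

# Merge one endpoint into a comma-separated milter list, idempotently.
#   $1 = current value (may be empty), $2 = endpoint to add
merge_milters() {
    current=$1; new=$2
    for m in $(printf '%s' "$current" | tr ',' ' '); do
        if [ "$m" = "$new" ]; then
            printf '%s\n' "$current"       # already present: leave untouched
            return 0
        fi
    done
    if [ -z "$current" ]; then
        printf '%s\n' "$new"
    else
        printf '%s,%s\n' "$current" "$new"
    fi
}

# Split an inet:host:port milter endpoint, as used in this post.
endpoint_host() { h=${1#inet:}; printf '%s\n' "${h%%:*}"; }
endpoint_port() { printf '%s\n' "${1##*:}"; }

# Check that something listens on the milter socket. With milter_default_action
# = accept, a dead milter does not bounce mail; it just goes out unsigned.
milter_listening() {
    nc -z "$1" "$2" 2>/dev/null
}

# Write the merged lists with postconf -e, which edits main.cf in place
# (appending to main.cf a second time would leave duplicate keys).
apply_milter() {
    endpoint=$1                               # e.g. inet:localhost:8892
    host=$(endpoint_host "$endpoint"); port=$(endpoint_port "$endpoint")
    milter_listening "$host" "$port" || { echo "nothing listening on $host:$port" >&2; return 1; }
    postconf -e "smtpd_milters = $(merge_milters "$(postconf -h smtpd_milters)" "$endpoint")"
    postconf -e "non_smtpd_milters = $(merge_milters "$(postconf -h non_smtpd_milters)" "$endpoint")"
    postconf -e "milter_protocol = 2"
    # accept: deliver unsigned if the milter fails; tempfail: hold the mail instead.
    postconf -e "milter_default_action = accept"
    postconf -n | grep milter                 # show what is now in effect
}

# Usage on the mail server (dk-filter must already be running on 8892):
#   apply_milter inet:localhost:8892 && /etc/init.d/postfix restart
```

Running apply_milter twice with the same endpoint leaves main.cf unchanged, and running it with 8891 first and 8892 second produces exactly the two-entry lists shown above.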

Give the DNS records some time to propagate, and then let's test our new milter!
I found several DKIM/DK checkers, for example: SkyList and ESPCoalition for e-mails, and the Sendmail and Yahoo tools for DNS.
(Don't worry if those say that the algorithm rsa-sha256 is not supported; the tools are a bit outdated.)

I'm also open to further discussion on this topic, and if you need to ask something, I'll be happy to reply to your comments.
Hope this article helped you somehow.

Special note: I owe some credit to the dk-milter discussion list on SourceForge and especially to Murray S. Kucherawy. I would also like to thank Noel Jones for pointing me in the right direction.

17 thoughts on “Configuring Postfix + DomainKeys (+ DKIM) on Ubuntu Hardy”

  1. Great guide, it saved me a lot of time!

    A couple of extra points I ran into:

    dkim:

    Needed to add “Canonicalization relaxed” in my dkim-filter.conf. I was able to send fine using the command line, but when I sent from a Rails app, the extra headers were causing me problems getting my email to pass verification.

    dk:

    As above, I needed canonicalization more relaxed, the option for dk being “-c nofws” in dk-filter.conf. I also needed to add the “-H” parameter before Yahoo would pass my email.

  2. Thanks for the guide. I got it to work when sending a test message from the machine itself but what if this machine is also used as a smarthost? From what I’ve seen, none of the messages that are relayed through this server are being signed. It’s only the ones that are composed and sent from this server that works.

  3. I think I figured it out.

    /etc/default/ilist (contains IPs of originating servers that use my server as a smarthost)

    then…
    /etc/default/dk-filter
    DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -i /etc/default/ilist -s /var/run/dk-filter/private.key -S mail"

    • @Daniel, you can specify that in your config file (/etc/default/dk-filter or /etc/dkim-filter.conf). Luckily both those files are rich in comments!
      ;)

  4. Please I’m lost on step
    “Create a DNS TXT record ”

    I'm getting DNS from my ISP. I can run BIND on my server also. What should I do?

  5. First, I don't recommend running DNS services on a single machine (at least 2 servers are recommended!).

    Secondly, why do you use your ISP's DNS services? There are plenty of free DNS service providers (have a look at editdns.net; they use djbdns if I'm not wrong, which is cool!)

    Third: What’s so unclear with the TXT DNS record? Just create it, that’s all. Be sure to set the correct selector!!!

    Good luck!
    :)

  6. I’m trying to get DKIM working where I have a mail server, and two web servers that relay mail to the mail server. If I send mail locally from mail server, everything is signed correctly. But mail originating from www-1 or www-2 are never signed properly. I’ve played around with several parameters, but have not been able to get them signed correctly. I know I’m pretty close, but just can’t find how this works.

    Thanks in advance,

    -Jason

  7. Hi Jason,
    dkim signs the local outgoing mails; signing relayed emails can produce a good opportunity for spammers to send spam messages signed with your dkim if your server was configured as an open relay.

    So this runs into a security issue; this is why I'm pretty sure dkim cannot sign relayed messages, and most probably this feature won't be implemented ever.

    You might also get help by asking dkim mailing list.
    Cheers.

  8. Hi Stas,

    I got dk-filter working long ago. Since then I have been trying to get dkim-filter working on Ubuntu 8.04 LTS. Now I get the following errors:

    can’t configure DKIM library; continuing
    Sendmail DKIM Filter v2.6.0 starting (args: -x /etc/dkim-filter.conf -u dkim-filter -P /var/run/dkim-filter/dkim-filter.pid -p inet:8891@localhost)

    netstat -ta
    tcp 0 0 localhost.localdom:8891 *:* LISTEN
    tcp 0 0 localhost.localdom:8892 *:* LISTEN

    Help please…

  9. Not signed.
    However, domainKeys are working and it is signed.

    Can I use the same private key and DNS TXT entry for dkim-filter too? Or Should I have a different one for dk-filter and dkim-filter?

    Thank you so much.

  10. Yes you can use same keys for both milters.

    About dkim-filter, you might try to start the daemon manually with increased verbosity and debug a bit.

    Good luck.
