dkimproxy is an excellent tool for signing outgoing mail with both DomainKeys and DKIM signatures in a single pass. Here are the steps I followed to install dkimproxy with Postfix. Parts 1 and 2 are common to all MTAs; Part 3 covers Postfix, since that is what I use. For another MTA, substitute its own settings in Part 3.
Part 1: Installing dkimproxy.
First you need to install the Perl modules Mail::DKIM, Net::Server and Error (note the capital S in Net::Server; module names are case-sensitive and cpan will not find Net::server). You can do this from the cpan shell. Issue the following commands:
#cpan (you will be taken into the cpan interface)
cpan> install Mail::DKIM
cpan> install Net::Server
cpan> install Error
Now download and build dkimproxy from http://sourceforge.net/projects/dkimproxy/files/dkimproxy/1.3/dkimproxy-1.3.tar.gz/download (the sourceforge link ends in /download, so tell wget which file name to save under, otherwise you get a file literally called "download"):
wget -O dkimproxy-1.3.tar.gz http://sourceforge.net/projects/dkimproxy/files/dkimproxy/1.3/dkimproxy-1.3.tar.gz/download
tar -xvzf dkimproxy-1.3.tar.gz
cd dkimproxy-1.3
./configure --prefix=/usr/local/dkimproxy (I used this location; adjust the paths in the rest of these notes if you pick another)
make
make install
Part 2: Configuring dkimproxy and setting up the environment.
Create a user dkim for the proxy to run as. The account only needs to own the files and run the daemon, so give it a non-login shell:
#useradd -d /usr/local/dkimproxy -s /sbin/nologin dkim
#chown -R dkim:dkim /usr/local/dkimproxy
Now create the private/public key pair. Use 2048-bit RSA: RFC 8301 makes 1024 bits the minimum a verifier must accept and recommends 2048, and 1024-bit keys are no longer considered adequate.
mkdir /usr/local/dkimproxy/keys
cd /usr/local/dkimproxy/keys
#openssl genrsa -out private.key 2048
#openssl rsa -in private.key -pubout -out public.key
#chown dkim:dkim private.key && chmod 600 private.key
Now you have a key pair: private.key and public.key. The chown/chmod is needed because the keys were created as root after the recursive chown above, and dkimproxy reads the private key as the dkim user; nobody else needs to read it.
The public key is published in the DNS zone file of the domain. Take the contents of public.key, remove the PEM header and footer lines, join the remaining base64 into one line and use it as the p= value of a TXT record like this:
test._domainkey IN TXT "v=DKIM1; k=rsa; t=s; p=MHwwDQYJK ... OprwIDAQAB"
Here test is the selector, any name that makes sense to you, and the value after p= is the public key contents (part of the key is omitted here for brevity). The v=DKIM1 tag is optional but recommended by RFC 6376. t=s tells verifiers that the i= identity in a signature must be exactly your domain, so leave it out if you also sign mail from subdomains. One caveat: a single string inside a TXT record is limited to 255 characters, and with a 2048-bit key the p= value alone is about 392 characters, so split the value into several quoted strings ("v=DKIM1; k=rsa; p=MIIB..." "...IDAQAB") inside the one record; resolvers and DKIM verifiers concatenate them.
You can check that the record is published correctly from any Linux machine with:
#dig +short txt test._domainkey.domain.tld
where domain.tld is the actual domain name. If nothing comes back, dig +trace txt test._domainkey.domain.tld shows the delegation chain and which nameserver is answering.
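To take the hand editing out of the zone-file step, here is a small script, added to these notes and not part of dkimproxy, that turns a PEM public key into the selector TXT record, folds the value into 255-byte quoted strings, and rejoins the strings the way a resolver does to confirm the split round-trips. The sample key it writes is a constructed stand-in of the right length (392 base64 characters, like a 2048-bit RSA key), not a real key; point it at /usr/local/dkimproxy/keys/public.key for the real record. It does not add t=s; append that by hand if you want it.

```shell
#!/bin/sh
# Added example (not part of dkimproxy or the original page): build a DKIM
# selector TXT record from public.key and check that the split value rejoins
# to the original. The sample key below is a constructed stand-in.

pem_to_p() {
    # Drop the PEM header/footer and all line breaks: the p= tag wants the
    # base64 body as one unbroken string.
    sed -e '/^-----/d' "$1" | tr -d '\n\r '
}

dkim_txt_record() {
    # $1 = selector, $2 = PEM public key file. Prints one zone-file line.
    # A single TXT <character-string> is limited to 255 bytes, so the value
    # is folded and each piece quoted; DKIM verifiers concatenate the pieces.
    printf '%s' "v=DKIM1; k=rsa; p=$(pem_to_p "$2")" | fold -w 255 |
        awk -v sel="$1" '
            BEGIN { printf "%s._domainkey IN TXT", sel }
            { printf " \"%s\"", $0 }
            END { printf "\n" }'
}

txt_join() {
    # Reassemble the record value as a DKIM verifier does: strip the owner,
    # class and type, then concatenate the quoted strings with no separator.
    sed -e 's/^[^"]*//' -e 's/" *"//g' -e 's/"//g'
}

make_sample_pem() {
    # Constructed stand-in for /usr/local/dkimproxy/keys/public.key: 392
    # base64 characters (the size of a 2048-bit RSA SubjectPublicKeyInfo)
    # in PEM's 64-column layout. Not a real key; only the length matters.
    {
        echo '-----BEGIN PUBLIC KEY-----'
        awk 'BEGIN {
            a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
            s = ""; for (i = 0; i < 392; i++) s = s substr(a, (i % 64) + 1, 1)
            print s }' | fold -w 64
        echo '-----END PUBLIC KEY-----'
    } > "$1"
}

# Demo: with a real key, replace the sample path with
# /usr/local/dkimproxy/keys/public.key and paste the output into the zone file.
make_sample_pem /tmp/dkim_example_public.key
dkim_txt_record test /tmp/dkim_example_public.key
```

With a real key the output line goes straight into the zone file; run the dig check above after the zone has reloaded and compare the concatenated strings with the output of pem_to_p.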
Now we need to set up the outbound signing config file.
#cp /usr/local/dkimproxy/etc/dkimproxy_out.conf.example /usr/local/dkimproxy/etc/dkimproxy_out.conf
Edit /usr/local/dkimproxy/etc/dkimproxy_out.conf with your favourite editor and change the following settings (leave the listen and relay addresses at the example values, 127.0.0.1:10027 and 127.0.0.1:10028; the Postfix configuration in Part 3 assumes them):
# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain    domain.tld
# specify location of the private key
keyfile   /usr/local/dkimproxy/keys/private.key
# specify the selector (i.e. the name of the key record put in DNS)
selector  test
Now the configuration part is over and you can start the dkimproxy outbound signer with the following command:
/usr/local/dkimproxy/bin/dkimproxy.out --conf_file=/usr/local/dkimproxy/etc/dkimproxy_out.conf --user=dkim --group=dkim &
The --user/--group options make the daemon drop to the dkim account after starting, which is why private.key is owned by that user. Backgrounding with & is fine for testing; for a permanent setup put the command in a boot script so the signer is running before Postfix starts handing it mail.
Part 3: Configuring Postfix to sign messages through dkimproxy
Edit /etc/postfix/master.cf and add the following. Most distributions already ship a (commented-out) submission entry; uncomment and edit that one rather than adding a second service with the same name.
##########
# submission (port 587): authenticated clients only, sent TO the signing proxy
submission inet n       -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# service for sending messages TO the DKIM signing proxy
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10028 inet  n  -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
###########
The 10028 listener is restricted to 127.0.0.0/8 and has content_filter cleared, so signed mail re-enters Postfix without looping back into the proxy, and only the local proxy can inject into it.
You are done! Run "postfix check" to catch syntax errors and then "/etc/init.d/postfix reload" (or "postfix reload") to apply the changes to master.cf.
Mail submitted on port 587 is now signed with both DKIM and DomainKeys signatures. Note that 587 is only "secure" if you require TLS on it: the submission entry above enables SASL but does not force encryption, so add -o smtpd_tls_security_level=encrypt to it (with a certificate configured in main.cf) so that passwords never cross the wire in clear text.
PS: If you also want to sign mail accepted on port 25, do not paste a second smtp entry; find the existing "smtp inet ... smtpd" line in master.cf and add the content_filter option under it:
smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=dksign:[127.0.0.1]:10027
This routes everything arriving on port 25 through the proxy; as configured above, dkimproxy signs only for the domains listed in its domain setting and passes other mail through unsigned.
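The quickest way to confirm the whole chain works is to send a message to yourself through port 587 and look at its headers. The script below, added to these notes and not part of dkimproxy, unfolds the header block of a saved message, checks that both a DKIM-Signature and a DomainKey-Signature were added, and prints the dig command for the selector record a verifier will fetch. The sample message it writes is constructed, with placeholder b= and bh= values rather than real signatures; replace the path with a message you actually received.

```shell
#!/bin/sh
# Added example (not part of dkimproxy or the original page): inspect the
# signature headers on a message that went through the signing proxy.

unfold_headers() {
    # Print the header section of an RFC 5322 message with folded
    # (continuation) lines joined onto their header; stop at the blank line.
    awk '
        /^[ \t]/ && buf != "" { sub(/^[ \t]+/, " "); buf = buf $0; next }
        { if (buf != "") print buf; buf = $0 }
        /^$/ { exit }
        END { if (buf != "") print buf }' "$1"
}

sig_tag() {
    # $1 = message file, $2 = header name, $3 = tag. Prints the tag value,
    # e.g. sig_tag msg DKIM-Signature d -> domain.tld. Tags are separated by
    # ';' and base64 never contains ';', so a plain split is safe.
    unfold_headers "$1" | awk -v h="$2" -v t="$3" '
        tolower($0) ~ ("^" tolower(h) ":") {
            sub(/^[^:]*:/, "")
            n = split($0, parts, ";")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (index(parts[i], t "=") == 1) {
                    print substr(parts[i], length(t) + 2); exit
                }
            }
        }'
}

check_signatures() {
    # Both signatures must be present; then show which DNS record verifiers
    # will look up, which must be the one published in Part 2.
    d=$(sig_tag "$1" DKIM-Signature d)
    s=$(sig_tag "$1" DKIM-Signature s)
    dks=$(sig_tag "$1" DomainKey-Signature s)
    if [ -z "$d" ] || [ -z "$s" ]; then
        echo "no DKIM-Signature header with d= and s= found" >&2; return 1
    fi
    if [ -z "$dks" ]; then
        echo "no DomainKey-Signature header found (dkimproxy adds both)" >&2; return 1
    fi
    echo "dig +short txt $s._domainkey.$d"
}

make_sample_message() {
    # Constructed sample of a message after dkimproxy; b=/bh= are placeholders.
    cat > "$1" <<'EOF'
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=domain.tld; s=test;
  h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=domain.tld; s=test; q=dns;
  h=from:to:subject:date; b=PLACEHOLDERSIGNATURE=
From: user@domain.tld
To: user@domain.tld
Subject: dkimproxy test
Date: Mon, 01 Jan 2024 00:00:00 +0000

test body
EOF
}

# Demo: replace the sample path with a message you received through port 587.
make_sample_message /tmp/dkim_example_message.eml
check_signatures /tmp/dkim_example_message.eml
```

If check_signatures reports a missing header, the message did not pass through the proxy (check that the submission entry's content_filter points at 10027 and that dkimproxy.out is running); if the headers are there but a receiving site reports a failed signature, run the printed dig command and compare the record with your public.key.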
If you have any issues, feel free to comment.