Tuesday, February 11, 2014

Sendmail with DKIM on Fedora 19


yum install dkim-milter

cd /etc/mail/dkim-milter/keys
dkim-genkey -r -d your-domain.com
=> two files: the public key record (default.txt) and the private key (default.private)

At this point you should have a "default.private" and a "default.txt" file in the current working directory (/etc/mail/dkim-milter/keys).
default.txt contains the DNS TXT record (default._domainkey) that you must publish in your zone.

cat default.txt >> /var/named/chroot/var/named/yourdomain.zone
mv default.private /etc/mail/dkim-milter/domeniultau_default.key.pem
chown dkim-milter:dkim-milter /etc/mail/dkim-milter/domeniultau_default.key.pem

Appending default.txt to the zone file only works if the zone's $ORIGIN is your domain (the record name in default.txt is relative), and you must bump the SOA serial before reloading named, otherwise secondaries never see the new record. The private key file (domeniultau is Romanian for "your domain"; name it as you like) must be readable only by the dkim-milter user, and dkim-filter.conf must point at it with the KeyFile directive and at the matching selector with Selector.



Add the milter to /etc/mail/sendmail.mc:

dnl # dkim - yahoo domainkeys implementation
INPUT_MAIL_FILTER(`dkim-filter', `S=local:/var/run/dkim-milter/dkim-milter.sock')

cd /etc/mail
service named reload
service dkim-milter start
service sendmail restart
chkconfig dkim-milter on

(On Fedora the sendmail service runs make in /etc/mail when it starts, so the restart regenerates sendmail.cf from the edited sendmail.mc. Start the milter before sendmail, or sendmail will log that it cannot connect to the socket.)

The config file (/etc/mail/dkim-milter/dkim-filter.conf) is fully self-documented and easy to understand.
I made the following changes from the default config (Domain is the signing domain, so replace techsneeze.com with yours, and make sure KeyFile and Selector point at the key moved above):
AutoRestart  Yes
AutoRestartRate 10/1h
Canonicalization simple/simple
Domain  techsneeze.com
ExternalIgnoreList /etc/mail/dkim-milter/trusted-hosts
InternalHosts /etc/mail/dkim-milter/InternalHosts.txt
LogWhy  yes
On-Default accept
On-BadSignature accept
On-DNSError accept
On-InternalError accept
On-NoSignature accept
On-Security accept
SignatureAlgorithm rsa-sha256
Socket  local:/var/run/dkim-milter/dkim-milter.sock
Syslog  yes
SyslogSuccess yes
UserID  dkim-milter:dkim-milter
X-Header  yes
The On-* lines make the milter accept incoming mail whatever the verification result, so a bad or missing signature is only logged (LogWhy, Syslog) rather than rejected. That is the sensible setting: DKIM by itself does not say that unsigned or badly signed mail should be refused. simple/simple canonicalization is the strictest choice; any forwarding hop that rewraps or trims whitespace in the body will break the signature, which is why relaxed/simple is the more common setting.

If /var/log/maillog shows "no signature data" (grep "no signature data" /var/log/maillog) or "external host [...] attempted to send as yourdomain.com and this host [...] is on your internal network ...", the milter does not know which hosts it should sign for. Create the InternalHosts file referenced in dkim-filter.conf and list the addresses of your own mail hosts, one per line (127.0.0.1 at least, plus the server's public address if clients submit through it):
# cd /etc/mail/dkim-milter/
# touch InternalHosts.txt
# vi InternalHosts.txt
# chmod 444 InternalHosts.txt
Mail arriving from a host in this list is signed instead of verified, so only list hosts you control.

The zone may also carry a domain-level policy record:
 _domainkey.yourdomain.com. IN TXT "t=y; o=~; r=postmaster@yourdomain.com"
 t=y   this domain is testing; a verifier must not treat a message whose signature fails to verify any worse than an unsigned one
 o=~   some mail from this domain is signed, some is not
 o=-   all mail from this domain is signed
 r=postmaster@yourdomain.com   the address responsible for signing problems
Note that o= and r= are tags of the older Yahoo DomainKeys policy record. A DKIM verifier (RFC 6376) does not consult _domainkey.yourdomain.com at all; the only flag it reads is t=y in the selector record (default._domainkey.yourdomain.com), so if you want testing mode put t=y there as well, and remove it once signing works, because testing mode also tells receivers to ignore failures.

When we implemented DomainKeys Identified Mail (DKIM) with Postfix on FreeBSD, we had used the dkim-milter plugin. However, it seems that dkim-milter has expired and recently it has been removed from the ports tree. Consequently, we'll also move to OpenDKIM, which is in fact claimed to be bug free compared to dkim-milter. - See more at: http://www.ipsure.com/blog/2012/dkim-milter-is-no-longer-available-how-to-use-opendkim-instead/


DKIM adds a DKIM-Signature header to each outgoing message. The signer hashes the canonicalized body (the bh= tag), then hashes the headers listed in h= together with the DKIM-Signature header itself and signs that hash with the private key (the b= tag). The verifier fetches the public key from the DNS TXT record named by the s= (selector) and d= (domain) tags, i.e. selector._domainkey.domain, recomputes both hashes and checks the signature. The beginning of such a header looks like this (the h=, bh= and b= tags follow in a complete header):
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
     c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
The l=1234 tag means only the first 1234 bytes of the body are covered by the hash; anything appended after that is unsigned and still verifies, so do not enable body length limits in your own configuration.

First, install opendkim.
yum install opendkim

Then edit /etc/opendkim.conf (Mode sv means sign outgoing mail and verify incoming mail):
AutoRestart             Yes
UMask                   002
Syslog                  yes
AutoRestartRate         10/1h
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  Yes
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UserID                  opendkim:opendkim
As you can see, three more files are referenced: TrustedHosts (hosts whose mail is signed rather than verified, and whose incoming signatures are not checked, since the file is used for both InternalHosts and ExternalIgnoreList), KeyTable (one line per key: domain, selector and private key path, so several domains can be served) and SigningTable (which sender addresses are signed with which key). The refile: prefix means entries are patterns in which * is a wildcard.


/etc/opendkim/SigningTable:
*@example.com default._domainkey.example.com
Every address at example.com is signed with the key named default._domainkey.example.com. You can list specific addresses instead of the wildcard to limit which senders get a signature.

/etc/opendkim/KeyTable:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com.pvt
For each key: the domain that goes into d=, the selector that goes into s= (it must match the name of the DNS record), and the path of the private key. "default" in default._domainkey.example.com and in :default: is the selector; you can choose any label as long as it is the same in both places and in DNS.

Next, we need to generate the public and private key for each domain.
If the target directory does not exist, create it first (mkdir -p).
# opendkim-genkey -D /etc/opendkim/keys/example.com -d example.com -s default
Again, the -s flag is the selector; if you changed it in the tables, use the same value here.
The command writes a private key (default.private) and the DNS record for the public key (default.txt) into that directory. You will probably rename the private key to match the path in the KeyTable.
An important note here: the private key must be owned by the opendkim user (chown opendkim:opendkim on the file), because opendkim-genkey creates it as the user running the command, and otherwise opendkim logs permission denied errors (on Fedora they go through syslog to /var/log/maillog). The default permissions on the key are -rw-------, and they should stay that way; anyone who can read this file can sign mail as your domain.

Move the private key to where you specified it should be in the KeyTable.
Insert the public key in your DNS as a TXT record.

Next up, telling sendmail to talk to opendkim.
Edit /etc/mail/sendmail.mc and add this line at the end:
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

Rebuild the sendmail configuration and restart it, and start opendkim if it is not running yet (the Fedora sendmail service runs make in /etc/mail at start, so the restart picks up the new sendmail.mc; enable opendkim at boot too, as done above for dkim-milter with chkconfig):
service sendmail restart; service opendkim start
