
23/09/2010

DomainKeys with Postfix Using dk-milter (SMTP-Only)

Filed under: *NIX, PKI — Sezgin Bayrak @ 02:13

In my previous article, I described DKIM and how to implement it with Postfix using dkim-milter. In this article we’ll look at DomainKeys, which is confused with DKIM almost every time, and then implement it with Postfix using dk-milter on a FreeBSD box.

Both of these PGP-like methods (they rely on public-key signatures) serve the same ultimate purpose, sender authentication, with slight differences in practice. Functionally, both provide a stronger validation of the message source than a single SPF record, the earlier de facto standard.

Although DKIM is the newer standard and builds on DomainKeys, DomainKeys is still the approach you need to take if your aim is smooth delivery to Yahoo! accounts. Yahoo! developed and patented the DomainKeys technique, and my experiments switching between DKIM and DomainKeys show that it is unclear whether Yahoo! validates e-mails signed only with DKIM, or how much weight it gives them if it does. Gmail supports both, while Hotmail supports its own technology, SenderID, which is a variation of SPF.

The logic behind DK and DKIM is not complicated. Through the milter, the sending server computes a hash over the message headers (and body), signs it with the domain’s private key and attaches the signature as a header. The receiving side locates the domain’s public key via DNS, recomputes the hash and verifies the signature against it. If they match, the e-mail passes validation.

If you’re curious about the differences between the two methods, have a look at the Comparison with Related Technologies section of the DKIM FAQ.

Assuming your ports tree is up to date, we start the installation as usual:

# cd /usr/ports/mail/dk-milter/
# make install clean

Create the directory that will hold the private key:

# mkdir -p /var/db/domainkeys/keys/ipsure.com
# cd /var/db/domainkeys/keys/ipsure.com/

Generate the public/private key pair with the gentxt-dk tool:

# gentxt-dk
usage: /usr/local/sbin/gentxt-dk selector [domain]

“selector” is the name you choose; the public key will be published under that subdomain.

# gentxt-dk dkey ipsure.com
dkey._domainkey IN TXT "k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJ(...)GunkH4ZKRPf23uN+m/GpDwFskyykUCAwEAAQ==" ; ----- DomainKey dkey for ipsure.com

Running the script prints the TXT record for your public key. Copy the whole line into your domain’s zone file on your DNS server; you may remove “t=y;” unless you are deploying DomainKeys only for testing. The recipient side identifies your selector from the s= value in the DomainKey-Signature: header of your e-mail. The _domainkey label is a standard, integral part of the query name: the recipient builds selector._domainkey.domain from the header and issues a DNS TXT query for that name to locate your public key.

The generated files:

-rw-r--r--  1 root  wheel   493 Sep 22 01:21 dkey.private
-rw-r--r--  1 root  wheel   182 Sep 22 01:21 dkey.public

The configuration differs from DKIM on FreeBSD in that dk-milter has no config file of its own, so we define the necessary variables in /etc/rc.conf:

# vi /etc/rc.conf
milterdk_enable="YES"
milterdk_socket="inet:10027@localhost"
milterdk_domain="ipsure.com"
milterdk_key="/var/db/domainkeys/keys/ipsure.com/dkey.private"
milterdk_selector="dkey"

Save and quit.

You don’t need additional milterdk_flags, as the daemon already starts with the mandatory flags as long as you give the correct socket information. For special cases, however, you need additional parameters: for example if you don’t want incoming e-mails to be verified but only outgoing messages to be signed, or if you plan to sign the subdomains of the main domain as well. In that case use the milterdk_flags option instead of the milterdk_domain, milterdk_key and milterdk_selector directives used above, as in the setup below:

milterdk_enable="YES"
milterdk_socket="inet:10027@localhost"
milterdk_flags="-d ipsure.com -D -b s -c nofws -H -m MSA -s /var/db/domainkeys/keys/ipsure.com/dkey.private -S dkey"

Start dk-milter:

# /usr/local/etc/rc.d/milter-dk start

Check that it is listening:

# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mailnull dk-filter  78135 3  tcp4   127.0.0.1:10027       *:*

Also check your log file:

# tail -f /var/log/maillog
Sep 22 01:59:23 nix1 dk-filter[78193]: Sendmail DomainKeys Filter v1.0.2 starting (args: -b s -h -l -p inet:10027@localhost -u mailnull -P /var/run/milterdk/pid)

Open your Postfix configuration file:

# vi /usr/local/etc/postfix/main.cf

If you are configuring DomainKeys only, insert a single socket definition:

smtpd_milters = inet:localhost:10027

If you run several milter applications, such as DKIM and DomainKeys together, list their sockets comma-separated:

smtpd_milters = inet:localhost:10026, inet:localhost:10027

Reload Postfix:

# postfix reload

Make sure that your new TXT record returns a valid response to queries:

# nslookup -q=txt dkey._domainkey.ipsure.com

Non-authoritative answer:
dkey._domainkey.ipsure.com      text = "k=rsa\; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJ(...)GunkH4ZKRPf23uN+m/GpDwFskyykUCAwEAAQ=="

Send a test e-mail to your Yahoo! account:

(Screenshot: Yahoo! DomainKeys test e-mail)

A successful DomainKeys implementation also shows up when you examine the Full Headers of the received message:

Authentication-Results: mta1053.mail.sp2.yahoo.com from=ipsure.com; domainkeys=pass (ok); from=ipsure.com; dkim=pass (ok)

DomainKey-Signature: a=rsa-sha1; s=dkey; d=ipsure.com; c=nofws; q=dns; h=dkim-signature:reply-to:from:to:subject:date:message-id: mime-version:content-type:x-mailer:thread-index:content-language: x-cr-hashedpuzzle:x-cr-puzzleid; b=pDm948yUk86DRsknEsaxutR8F/dNKfyS1BWfDusQVuCtsF8h7No7gxPe9j35b/0Jv Qep5WyDS6RLenf4AsAqcQ==
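The checks in this post (finding the selector in the DomainKey-Signature: header, querying selector._domainkey.domain, comparing the published TXT record with the key gentxt-dk generated, and reading the Authentication-Results: header) can be scripted. The following Python is an added example; it is not part of the original post and not code from dk-milter. It parses the tag=value lists as nslookup prints them (escaped semicolons and split quoted strings included), compares the p= value with the base64 body of the dkey.public file, sanity-checks that the value decodes to a DER RSA SubjectPublicKeyInfo, flags the t=y testing mode and an empty (revoked) p=, and extracts the domainkeys=/dkim= results. The sample TXT record, PEM file and headers are constructed inline; the DER is a zero-filled skeleton carrying only the rsaEncryption identifier, not a usable key.

```python
import base64
import re

# rsaEncryption OID (1.2.840.113549.1.1.1) as encoded inside a DER SubjectPublicKeyInfo
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")


def parse_tags(record):
    """Parse a tag=value list ('k=rsa; t=y; p=...' from the TXT record, or the
    DomainKey-Signature: header) into a dict. Tolerates the '\\;' escaping and the
    split "..." "..." strings that nslookup/dig print, and whitespace left over
    from header folding."""
    text = record.replace("\\;", ";")
    quoted = re.findall(r'"([^"]*)"', text)
    if quoted:
        text = "".join(quoted)
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # tag values carry no whitespace
    return tags


def dns_query_name(sig_header):
    """The name a verifier queries for the public key: <selector>._domainkey.<domain>,
    built from the s= and d= tags of the DomainKey-Signature: header."""
    tags = parse_tags(sig_header)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def pem_body(pem_text):
    """Strip the PEM armour of dkey.public and return its base64 payload as one line."""
    lines = (line.strip() for line in pem_text.splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def check_published_key(txt_record, pem_text):
    """Compare what DNS serves with the key gentxt-dk wrote locally."""
    tags = parse_tags(txt_record)
    p = tags.get("p", "")
    findings = {
        "key_type_rsa": tags.get("k", "rsa") == "rsa",  # k= defaults to rsa when absent
        "testing_mode": tags.get("t") == "y",          # t=y: the domain is only testing
        "revoked": p == "",                             # an empty p= revokes the key
        "matches_local_key": p != "" and p == pem_body(pem_text),
        "der_is_rsa_spki": False,
    }
    try:
        der = base64.b64decode(p, validate=True)
        findings["der_is_rsa_spki"] = der.startswith(b"\x30") and RSA_OID_DER in der
    except ValueError:  # not valid base64 (binascii.Error is a ValueError)
        pass
    return findings


def auth_results(header):
    """Pull method=result pairs (domainkeys=pass, dkim=pass, ...) out of an
    Authentication-Results: header."""
    return dict(re.findall(r"\b(domainkeys|dkim|spf)=(\w+)", header))


# Constructed sample data (not the real ipsure.com key): a DER SubjectPublicKeyInfo
# skeleton with the rsaEncryption AlgorithmIdentifier and zeroed key material.
SAMPLE_DER = (
    b"\x30\x5c"                                   # SEQUENCE, 92 bytes follow
    + b"\x30\x0d" + RSA_OID_DER + b"\x05\x00"     # AlgorithmIdentifier { rsaEncryption, NULL }
    + b"\x03\x4b\x00" + b"\x30\x48" + bytes(72)   # BIT STRING around an RSAPublicKey placeholder
)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END PUBLIC KEY-----\n")
SAMPLE_TXT = '"k=rsa\\; t=y\\; p=%s"' % SAMPLE_B64   # as nslookup prints it
SAMPLE_SIG = ("a=rsa-sha1; s=dkey; d=ipsure.com; c=nofws; q=dns; "
              "h=from:to:subject:date:message-id; b=Zm9vYmFy")
SAMPLE_AUTH = ("mta.example.test from=ipsure.com; domainkeys=pass (ok); "
               "from=ipsure.com; dkim=pass (ok)")

if __name__ == "__main__":
    print("verifier queries:", dns_query_name(SAMPLE_SIG))
    for name, ok in check_published_key(SAMPLE_TXT, SAMPLE_PEM).items():
        print("%-18s %s" % (name, ok))
    print("authentication results:", auth_results(SAMPLE_AUTH))
```

To run it against your own setup, paste the TXT value from the nslookup output into SAMPLE_TXT and the contents of dkey.public into SAMPLE_PEM; a mismatch in matches_local_key means the zone file carries an old or mistyped key, and testing_mode reminds you that t=y is still set.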

If you’re looking for a complete installation guide of Postfix (Virtual Setup) Dovecot SpamAssassin ClamAV Maia Roundcube (/w MySQL db) on FreeBSD, please see here.
