How to install dkim and domainkeys in postfix?

DomainKeys works by signing outbound e-mail messages with a cryptographic signature which the recipient can verify to determine whether the message originates from an authorized system.

DKIM–DomainKeys Identified Mail. DKIM is an extension of DomainKeys. It allows a recipient to verify that a message really does come from the sending domain. Senders publish a public key for their domain and then cryptographically sign their outgoing email, using the corresponding private key. Recipients can then verify the signature, typically as part of the spam filtering process.

Prerequisites:

We can use DKIMproxy to configure DomainKeys and DKIM on the server. DKIMproxy is written in Perl and requires additional modules such as Crypt::OpenSSL::RSA and Net::DNS; we can use "cpan" to install these Perl modules.

—————
cpan Crypt::OpenSSL::RSA
cpan Digest::SHA
cpan Mail::Address
cpan MIME::Base64
cpan Net::DNS
cpan Net::Server
cpan Error
—————

Another Perl module, Mail::DKIM, is normally not available in the cpan repository, so we download its source and install it on the server manually.

—————
wget http://search.cpan.org/CPAN/authors/id/J/JA/JASLONG/Mail-DKIM-0.39.tar.gz
tar -zxvf  Mail-DKIM-0.39.tar.gz
cd Mail-DKIM-0.39
perl Makefile.PL
make
make test
make install
—————

We have completed the prerequisites for dkimproxy. Now we need to install dkimproxy on the server.

Installation:

————–
wget http://downloads.sourceforge.net/project/dkimproxy/dkimproxy/1.4.1/dkimproxy-1.4.1.tar.gz
tar -zxvf dkimproxy-1.4.1.tar.gz
cd dkimproxy-1.4.1
./configure --prefix=/usr/local/dkimproxy
make install
————–

Copy the sample startup script to /etc/init.d.

———-
cp sample-dkim-init-script.sh /etc/init.d/dkimproxy
———-

Now, create a dkim user dedicated to running dkimproxy.

———–
useradd -d /usr/local/dkimproxy dkim
———–

The next step is to create a private/public key pair.

———–
cd /usr/local/dkimproxy/
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
———–

Now we need to add this public key to the DNS zone file of the domain. The public key is in /usr/local/dkimproxy/public.key.

———-
cat /usr/local/dkimproxy/public.key
———-

We used the selector “selector1” for defining the TXT record.

—————
selector1._domainkey IN TXT "k=rsa; t=s; p=MHwwDQYJK … OprwIDAQAB"
—————

There will be a propagation delay of 24 to 48 hours before this DNS change is visible worldwide. Once propagation has completed, you can verify the record with the following command.

———–
host -ttxt selector1._domainkey.domainname.com
———–
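As an added example (not part of the original post), the following Python builds the selector1._domainkey record from the PEM file that openssl wrote and checks the strings returned by a TXT lookup against the local public key, so the DNS step can be confirmed beyond "the record exists". The key material is a constructed placeholder, not a real key.

```python
import re

# Constructed placeholder in PEM layout (not a real key). Its base64 body is made
# long enough that the zone record needs more than one 255-byte DNS string.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPLACEHOLDERPLACEHOLDERPLAC
EHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLA
CEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPL
ACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPwIDAQAB
-----END PUBLIC KEY-----"""


def pem_to_p_tag(pem: str) -> str:
    """Join the base64 body of `openssl rsa -pubout` output into the one-line p= value."""
    body = [ln.strip() for ln in pem.strip().splitlines()]
    return "".join(ln for ln in body if ln and not ln.startswith("-----"))


def dkim_zone_record(selector: str, pem: str) -> str:
    """Zone-file line in the shape of the page's selector1._domainkey record.
    k=rsa: key type. t=s: the i= identity must be exactly the d= domain.
    DNS caps one character-string at 255 bytes, so a longer value is written as
    several quoted strings that a resolver returns in order."""
    value = f"k=rsa; t=s; p={pem_to_p_tag(pem)}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey IN TXT " + " ".join(f'"{c}"' for c in chunks)


def txt_strings_from_host_output(line: str) -> list:
    """Pull the quoted character-strings out of a `host -t txt` (or zone-file) line."""
    return re.findall(r'"([^"]*)"', line)


def parse_dkim_txt(strings) -> dict:
    """Concatenate the strings and parse the tag=value list; whitespace inside a
    value is insignificant (p= may be folded), so it is dropped."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def published_key_matches(strings, pem: str) -> bool:
    """The check behind the page's `host -ttxt selector1._domainkey...` step:
    does the record the world sees carry exactly the key dkimproxy signs with?
    v= is optional and defaults to DKIM1; k= is optional and defaults to rsa."""
    tags = parse_dkim_txt(strings)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False
    return tags.get("p") == pem_to_p_tag(pem)
```

In practice, feed `txt_strings_from_host_output` the line printed by `host -t txt selector1._domainkey.domainname.com` and the contents of /usr/local/dkimproxy/public.key.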

We have completed the installation of dkimproxy. Now we need to configure dkimproxy to sign outgoing mail with DKIM.

Configuration:

Create a file /usr/local/dkimproxy/etc/dkimproxy_out.conf with the following content.

=====================
# specify what address/port DKIMproxy should listen on
listen    127.0.0.1:10037

# specify what address/port DKIMproxy forwards mail to
relay     127.0.0.1:10038

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain    Domainname.com

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile   /usr/local/dkimproxy/private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector  selector1
=====================

Note that we used "selector1" in the DNS zone file when defining the TXT record, so the same value must be used here as the selector. Make sure that private.key and public.key are available in "/usr/local/dkimproxy". In the "domain" field, list the domains that dkimproxy will sign for.

Now, start the dkimproxy and configure it to start at boot:

———
/etc/init.d/dkimproxy start
chkconfig dkimproxy on
———

The final step is to configure Postfix to pass outgoing mail through dkimproxy.

Postfix configuration:

Add the following content to the Postfix master configuration file (/etc/postfix/master.cf). Make sure you have taken a backup of this file before editing it.

===============
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10037
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

#
# specify the location of the DKIM signing proxy
# Note: we allow "4" simultaneous deliveries here; high-volume sites may
#   want a number higher than 4.
# Note: the smtp_discard_ehlo_keywords option requires Postfix 2.2 or
#   better. Leave it off if your version does not support it.
#
dksign    unix  -       -       n       -       4       smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

#
# service for accepting messages FROM the DKIM signing proxy
#
127.0.0.1:10038 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=dksign:[127.0.0.1]:10037
===============

Reload the postfix service.

———
postfix reload
———

Dkimproxy is now installed on the server and listening on port 10037, which we can confirm as follows.

———
[root@server ~]# netstat -plan |grep perl|grep 10037
tcp        0      0 127.0.0.1:10037             0.0.0.0:*                   LISTEN      17783/perl         
[root@server ~]#
———

Verification:

You can verify the DKIM signature by sending an email to verifier.port25.com. The authentication result will be sent back to the mail account named in the address.

mail -v check-auth-username=gmail.com@verifier.port25.com
