Using DKIM Email Authentication
These instructions are based on the documentation at http://dkimproxy.sourceforge.net; refer there for the FAQ and troubleshooting.
Install Postfix and the Perl libraries we’ll need:
yum remove sendmail
yum install postfix unzip links wget ftp gpg
wget ftp://ftp.ncftp.com/ncftp/binaries/ncftp-3.2.1-linux-x86-glibc2.3-export.tar.gz
tar xvfz ncftp-3.2.1*.tar.gz
cd ncftp-3.2.1
make install
cpan
install Bundle::CPAN
reload cpan
install Error Crypt::OpenSSL::RSA Digest::SHA Digest::SHA1 Mail::Address MIME::Base64 Net::DNS
install Net::Server Mail::DKIM
exit
Download dkimproxy, which will handle the DKIM signing of our messages:
wget http://superb-west.dl.sourceforge.net/sourceforge/dkimproxy/dkimproxy-1.0beta1.tar.gz
tar xvzf dkimproxy*
cd dkimproxy*
./configure --prefix=/usr/local/dkimproxy
make install
useradd -r -c "DKIM Proxy System Account" dkim
mkdir -p /etc/mail/domainkeys
chmod 0700 /etc/mail/domainkeys
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
mv private.key /etc/mail/domainkeys/<selector>.pem
cat public.key
Use the contents of the public key to add a TXT record for <selector>._domainkey.yourdomain.com to your DNS in the following format. Keep the quotes in the text value.
"k=rsa; t=s; p=<public key here>"
Test your DNS record:
dig +short <selector>._domainkey.yourdomain.com txt
Move the public key:
mv public.key /etc/mail/domainkeys/<selector>.pub
chown -R dkim /etc/mail/domainkeys
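A check for the DNS steps above, as an added example that is not part of the original instructions or of dkimproxy: it compares the p= value published in DNS with the local public key, joining the quoted chunks that dig prints for long TXT records. The script name check_dkim.sh and the sample key text are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from dkimproxy): check that the TXT record in DNS
# carries the same key as the local public key file.

# Base64 body of a PEM file on one line: the text that belongs after p=.
pem_to_p() {
    grep -v '^-----' "$1" | tr -d ' \t\r\n'
}

# dig prints long TXT records as several quoted chunks ("abc" "def");
# join the chunks and drop quotes and whitespace.
normalize_txt() {
    printf '%s' "$1" | tr -d '" \t\r\n'
}

# Value of one tag (k, t, p) from a normalised record.
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# $1 = TXT record text as returned by dig, $2 = path to the public key file
check_dkim_record() {
    record=$(normalize_txt "$1")
    published=$(dkim_tag "$record" p)
    ktype=$(dkim_tag "$record" k)
    if [ -n "$ktype" ] && [ "$ktype" != "rsa" ]; then
        echo "FAIL: k=$ktype, expected rsa"; return 1
    fi
    if [ -z "$published" ]; then
        echo "FAIL: p= is missing or empty"; return 1
    fi
    if [ "$published" != "$(pem_to_p "$2")" ]; then
        echo "FAIL: p= differs from $2"; return 1
    fi
    echo "OK: published key matches $2"
}

if [ "$#" -eq 2 ]; then
    # ./check_dkim.sh <selector>._domainkey.yourdomain.com /etc/mail/domainkeys/<selector>.pub
    check_dkim_record "$(dig +short "$1" txt)" "$2"
else
    # Constructed sample: placeholder base64 text, not a real key.
    demo=$(mktemp)
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'QUJDREVGR0hJSktM' \
        'TU5PUFFSU1RVVldY' '-----END PUBLIC KEY-----' > "$demo"
    check_dkim_record '"k=rsa; t=s; p=QUJDREVGR0hJ" "SktMTU5PUFFSU1RVVldY"' "$demo"
    rm -f "$demo"
fi
```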
Edit /usr/local/dkimproxy/etc/dkimproxy_out.conf.example:
- Update the domain(s) you are signing for
- Update the path to the keyfile: /etc/mail/domainkeys/<selector>.pem
- Update the selector name
Then run:
mv /usr/local/dkimproxy/etc/dkimproxy_out.conf.example /usr/local/dkimproxy/etc/dkimproxy_out.conf
mv /usr/local/dkimproxy/etc/dkimproxy_in.conf.example /usr/local/dkimproxy/etc/dkimproxy_in.conf
#Save init script to /etc/init.d/dkimproxy
chmod +x /etc/init.d/dkimproxy
chkconfig dkimproxy on
service dkimproxy start # should see inbound and outbound proxies starting
Edit or update these sections in /etc/postfix/master.cf:
smtp inet n - n - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks
pickup fifo n - n 60 1 pickup
  -o content_filter=dksign:[127.0.0.1]:10027
Edit /etc/postfix/main.cf:
- Uncomment: inet_interfaces = all
- Comment: inet_interfaces = localhost
- Configure other Postfix directives as needed: hostname, relays, etc.
Reload the Postfix configuration:
service postfix reload
Test it!
Use the mutt program to send an email to test@dkimtest.jason.long.name. You may need to yum install mutt. The reply to your test mail will provide the results of the DKIM verification. Be sure to put “dkim” in the subject of your test email.
Look in /var/log/maillog to check for errors/confirmations.
If you send an email to your Gmail or Yahoo email accounts, you should see the DKIM and Domain Keys signatures in the header of the message along with a confirmation:
dkim=pass header.i=@yourdomain.com
