Using DKIM Email Authentication
These instructions are based on the documentation at http://dkimproxy.sourceforge.net; refer there for FAQ and troubleshooting.
Install Postfix and the Perl libraries we’ll need:
yum remove sendmail
yum install postfix unzip links wget ftp gpg
wget ftp://ftp.ncftp.com/ncftp/binaries/ncftp-3.2.1-linux-x86-glibc2.3-export.tar.gz
tar xvfz ncftp-3.2.1*.tar.gz
cd ncftp-3.2.1
make install
cpan
install Bundle::CPAN
reload cpan
install Error Crypt::OpenSSL::RSA Digest::SHA Digest::SHA1 Mail::Address MIME::Base64 Net::DNS
install Net::Server Mail::DKIM
exit
Download dkimproxy, which will handle the DKIM signing of our messages:
wget http://superb-west.dl.sourceforge.net/sourceforge/dkimproxy/dkimproxy-1.0beta1.tar.gz
tar xvzf dkimproxy*
cd dkimproxy*
./configure --prefix=/usr/local/dkimproxy
make install
useradd -r -c "DKIM Proxy System Account" dkim
mkdir -p /etc/mail/domainkeys
chmod 0700 /etc/mail/domainkeys
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
mv private.key /etc/mail/domainkeys/.pem
cat public.key
Use the contents of the public key to add a TXT record for
“k=rsa; t=s; p=
Test your DNS record:
dig +short <selector>.
Move the public key:
mv public.key /etc/mail/domainkeys/<selector>.pub
chown -R dkim /etc/mail/domainkeys
Edit /usr/local/dkimproxy/etc/dkimproxy_out.conf.example:
- Update the domain(s) you are signing for
- Update the path to the keyfile: /etc/mail/domainkeys/.pem
- Update the selector name
Then run:
mv /usr/local/dkimproxy/etc/dkimproxy_out.conf.example /usr/local/dkimproxy/etc/dkimproxy_out.conf
mv /usr/local/dkimproxy/etc/dkimproxy_in.conf.example /usr/local/dkimproxy/etc/dkimproxy_in.conf
# Save init script to /etc/init.d/dkimproxy
chmod +x /etc/init.d/dkimproxy
chkconfig dkimproxy on
service dkimproxy start # should see inbound and outbound proxies starting
Edit or update these sections in /etc/postfix/master.cf:
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_client_connection_count_limit=10
submission inet n       -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls
127.0.0.1:10028 inet n  -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
127.0.0.1:10026 inet n  -       n       -       -       smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=dksign:[127.0.0.1]:10027
Edit /etc/postfix/main.cf:
- Uncomment: inet_interfaces = all
- Comment: inet_interfaces = localhost
- Configure other Postfix directives as needed: hostname, relays, etc.
Reload the Postfix configuration:
service postfix reload
Test it!
Use the mutt program to send an email to test@dkimtest.jason.long.name. You may need to yum install mutt. The reply to your test mail will provide the results of the DKIM verification. Be sure to put “dkim” in the subject of your test email.
Look in /var/log/maillog to check for errors/confirmations.
If you send an email to your Gmail or Yahoo email accounts, you should see the DKIM and Domain Keys signatures in the header of the message along with a confirmation:
dkim=pass header.i=@yourdomain.com
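For the "Test your DNS record" step above, an added example (not part of the original instructions or of dkimproxy) that checks the published TXT record carries the same key as the local public key file. It takes the text printed by dig +short as an argument; the sample key and dig output are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not dkimproxy code: check that the DKIM TXT record in DNS
# carries the same key as the local public key file.

# Base64 body of a PEM public key on one line (armour lines removed).
pem_body() {
    grep -v '^-----' "$1" | tr -d ' \t\r\n'
}

# TXT value to publish, with the k= and t= tags used on this page.
txt_value() {
    printf 'k=rsa; t=s; p=%s\n' "$(pem_body "$1")"
}

# dig +short prints a long TXT record as several quoted strings
# ("part1" "part2"); dropping quotes and whitespace rejoins them.
normalise_txt() {
    printf '%s' "$1" | tr -d '" \t\r\n'
}

# Value of the p= tag in a normalised tag list (empty if absent or revoked).
p_tag() {
    printf '%s' "$1" | tr ';' '\n' | sed -n 's/^p=//p'
}

# $1 = text printed by dig +short, $2 = PEM public key file.
# Succeeds only when p= is non-empty and equals the local key.
dkim_txt_matches() {
    published=$(p_tag "$(normalise_txt "$1")")
    [ -n "$published" ] && [ "$published" = "$(pem_body "$2")" ]
}

# Constructed sample, not a real key: a PEM-armoured blob and the TXT record
# as dig +short would print it, split into two quoted strings.
sample_pem=$(mktemp)
trap 'rm -f "$sample_pem"' EXIT
cat > "$sample_pem" <<'EOF'
-----BEGIN PUBLIC KEY-----
AAAAconstructedSAMPLEkeyBODYline1AAAA
BBBBconstructedSAMPLEkeyBODYline2BB==
-----END PUBLIC KEY-----
EOF
sample_dig='"k=rsa; t=s; p=AAAAconstructedSAMPLEkeyBODYline1AAAA" "BBBBconstructedSAMPLEkeyBODYline2BB=="'

txt_value "$sample_pem"
if dkim_txt_matches "$sample_dig" "$sample_pem"; then
    echo "published key matches local key"
else
    echo "MISMATCH: fix the TXT record before sending"
fi
```

In real use, pass the output of your dig +short query as the first argument and the path to the public key file as the second.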
