Setup Postfix to sign and verify Domainkeys email

Domainkeys is DomainKeys is a method of e-mail authentication. Unlike some other methods, it offers almost end-to-end integrity from a signing to a verifying Mail Transfer Agent (MTA). In most cases the signing MTA acts on behalf of the sender, and the verifying MTA on behalf of the receiver. DomainKeys is specified in Historic RFC 4870, which is obsoleted by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures. according to the wikipedia. So why a how to on it when there is DKIM ? Well domainkeys is still actively being used and is more widely deployed than DKIM, the developer yahoo still uses it to sign and verify mail although they are contributers to the DKIM standard.

We will be using the milter implementation of domainkeys http://sourceforge.net/projects/dk-milter on CENTOS 5.1.

• Install the rpm

# rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm

A script to do this is provided with the rpm.

# /usr/share/doc/dk-milter-0.6.0/gentxt.sh <selector> <domainname>

Where <selector> is anything you want to call it i use default and <domainname> is your domain name for which you will be signing mail. This script will produce 3 files

• <selector>.txt - this contains the text to add to your zone file

default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==" ; ----- DomainKey default for example.com

• <selector>.public - It is the public key

-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoR
illFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==
-----END PUBLIC KEY-----

• <selector>.private - This is the private key

-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG
9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQJACHWqPCf+/yW0dmv24yWY
/eIFy3PNZNNxol2YjpVIZ28SgOSRrC0vzH+SpR1WZURAOcHi+WQa0AJPeqxM4Y1g
xQIhAMVjPNPW8u0sMpNIcev9JBUjUjbilOgY2FTfyNQV0SKjAiEAwBrO5T8XLZQ6
eRUUzz7yWYCHZln6CgD0lhBuZzu4wP8CIQCq8AT2Y7ie4l6uI9fcia2czKjfNRvF
X/bAkchGutoRRwIgF2KsEQgvICNNQvQoBlqZUf/te640XAdlvubdKcABa60CIQCU
DKlMOSxHp4Ms+KT41MFHkHDI/gkFfHvVRhL1PmuwtQ==
-----END RSA PRIVATE KEY----

• Install the private key

 # mv default.private /etc/mail/domainkeys/dk_<domainname>.pem
 # chown dk-milt.dk-milt /etc/mail/domainkeys/dk_<domainname>.pem
 # chmod 600 /etc/mail/domainkey/dk_<domainname>.pem

• Add the contents of <selector>.txt to your DNS zone file
• Add the following to your DNS zone file

_domainkey IN TXT "t=y; o=~"

• Verify your DNS configuration http://domainkeys.sourceforge.net/policycheck.html

Edit the file /etc/sysconfig/dk-milter and set the following options

# Default values
#
USER="dk-milt"
PORT="local:/var/run/dk-milter/dk.sock"
SIGNING_DOMAIN="<domainname>"
SELECTOR_NAME="<selector>"
KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
MILTER_GROUP="mail"

Add this to the postfix configuration file /etc/postfix/main.cf

smtpd_milters = unix:/var/run/dk-milter/dk.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock

Append to the existing milters if you have other milters already configured.

Start dk-milter and Restart Postfix

# chkconfig --level 345 dk-milter on 
# service dk-milter start
# service postfix restart

To test send a mail to autorespond+dk@dk.elandsys.com. you will recieve a response email with the test results. If you have a yahoo account you can send a mail to that as well a sample of signed message in yahoo is below

• http://en.wikipedia.org/wiki/Domainkeys
• http://domainkeys.sourceforge.net/
• http://www.elandsys.com/resources/sendmail/domainkeys.html
• http://www.postfix.org/MILTER_README.html
• http://www.topdog-software.com/oss/dk-milter/