Difference between revisions of "OpenDKIM"

From ArchWiki
Jump to: navigation, search
Line 1: Line 1:
 
[[Category:Internet Applications]]
 
[[Category:Internet Applications]]
 
= What is it? =
 
 
DomainKeys Identified Mail is a digital email signing/verification technology, which is already supported by some common mail providers. (For example yahoo, google, etc).
 
DomainKeys Identified Mail is a digital email signing/verification technology, which is already supported by some common mail providers. (For example yahoo, google, etc).
  
== How does it work? ==
+
== The idea ==
  
The sender's mail server signs outgoing email with the private key.
+
Basically DKIM means digitally singing all messages on the server to verify the message actually was sent from the domain in question and is not spam or pishing (and has not been modified).
  
The receiver (or his server) gets the signed message, request public key from the domain's DNS and verifies the signature.
+
*The sender's mail server signs outgoing email with the private key.
  
So you can check who actually sent this email.
+
*When the message arrives, the receiver (or his server) requests the public key from the domain's DNS and verifies the signature.
  
For more info see:
+
This ensures the message was sent from a server who's private key matches the domain's public key.
* [http://tools.ietf.org/html/rfc6376 RFC 6376]
+
 
 +
For more info see [http://tools.ietf.org/html/rfc6376 RFC 6376]
  
 
= Installation =
 
= Installation =
Line 21: Line 20:
 
You may add user for opendkim or use existing one (for example: postfix)
 
You may add user for opendkim or use existing one (for example: postfix)
  
= Generic configuration =
+
== Basic configuration ==
 
* Generate key:
 
* Generate key:
 
<pre>
 
<pre>
Line 43: Line 42:
 
* Run it with /etc/rc.d/opendkim start or add it to DAEMONS in /etc/rc.conf
 
* Run it with /etc/rc.d/opendkim start or add it to DAEMONS in /etc/rc.conf
  
= Postfix integration =
+
== Postfix integration ==
  
 
Just add
 
Just add
Line 65: Line 64:
 
   -o smtpd_milters=inet:127.0.0.1:8891
 
   -o smtpd_milters=inet:127.0.0.1:8891
 
</pre>
 
</pre>
 +
 +
== Notes ==
 +
While you're about to fight spam and increase people's trust in your server, you might want to take a look at [http://de.wikipedia.org/wiki/Sender_Policy_Framework Sender Policy Framework], which basically means adding a DNS Record stating which servers are authorized to send email for your domain.

Revision as of 22:36, 16 July 2012

DomainKeys Identified Mail is a digital email signing/verification technology, which is already supported by some common mail providers. (For example yahoo, google, etc).

The idea

Basically DKIM means digitally singing all messages on the server to verify the message actually was sent from the domain in question and is not spam or pishing (and has not been modified).

  • The sender's mail server signs outgoing email with the private key.
  • When the message arrives, the receiver (or his server) requests the public key from the domain's DNS and verifies the signature.

This ensures the message was sent from a server who's private key matches the domain's public key.

For more info see RFC 6376

Installation

Install opendkim

You may add user for opendkim or use existing one (for example: postfix)

Basic configuration

  • Generate key:
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
  • Create /etc/opendkim/opendkim.conf (see example in the same directory)

Minimal config:

 Domain                  YOUR-DOMAIN1.com, YOUR-DOMAIN2.com
 KeyFile                 /path/to/private.key
 Selector                server1
 Socket                  inet:8891@localhost
 UserID                  postfix
  • Add a DNS TXT record with your selector (see Selector in config, you may choose random name) and public key:
server1._domainkey IN TXT "k=rsa; p=MHwwDQYJK ... OprwIDAQAB; t=y"

p= is your public key, k= the algorithm (rsa by default). There are two possible flags for the t= value: y means testing (unsigned mail is not to be treated as spam/unauthorized), s means the key is not valid for subdomains.

  • Run it with /etc/rc.d/opendkim start or add it to DAEMONS in /etc/rc.conf

Postfix integration

Just add

 non_smtpd_milters=inet:127.0.0.1:8891

and/or

 smtpd_milters=inet:127.0.0.1:8891

into main.cf or smtpd options in master.cf

master.cf example:

smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_client_connection_count_limit=10
    -o smtpd_milters=inet:127.0.0.1:8891

submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_path=smtpd
  -o cyrus_sasl_config_path=/etc/sasl2
  -o smtpd_milters=inet:127.0.0.1:8891

Notes

While you're about to fight spam and increase people's trust in your server, you might want to take a look at Sender Policy Framework, which basically means adding a DNS Record stating which servers are authorized to send email for your domain.