There are two main options DomainKeys, and SenderID.
|
DomainKeys were invented by Yahoo, SenderID was invented by Microsoft. These are arguably competing techniques, however, implementing both seems to have no ill-effect. Given SenderID was invented by Microsoft, you can be assured Outlook Server SMTP gateways employ SenderID, and are unlikely to support DomainKeys any time soon. In early 2005 when these proposals came out simultaneously, they were seen as competing techniques. As time has passed, they are now seen as more complementary, and typically both are implemented.
|
|
-!!DomainKeys
|
-To use DomainKeys, typically a filter or "plugin" is needed for your SMTP gateway. There is a [http://jason.long.name/dkfilter/|postfix filter] that is fairly easy to install and configure. Several perl modules need to be installed:
|
-#Install necessary perl modules (make sure you have openssl-devel installed):{code source="bash"}cpan -i Crypt::OpenSSL::RSA Mail::Address MIME::Base64 Net::DNS Net::Server Test::More{/code}
|
-#[http://jason.long.name/dkfilter/|download source], extract tarball, cd into directory, and compile source with __./configure --prefix=/usr/local/dkfilter ; make install__
|
+!!DomainKeys Identified Mail |
+[http://www.dkim.org/|Domain Keys Identified Mail] is the newest open-standard e-mail authentication specification. To use DomainKeys, typically a filter or "plugin" is needed for your SMTP gateway. There is a [http://dkimproxy.sourceforge.net/|postfix filter] that is fairly easy to install and configure. Several perl modules need to be installed: |
+!!!DKIMproxy |
+#Install necessary perl modules (make sure you have openssl-devel installed):{code source="bash"}cpan -i Crypt::OpenSSL::RSA Mail::Address MIME::Base64 Net::DNS Net::Server Test::More Mail::DKIM Error{/code} |
+#[http://dkimproxy.sourceforge.net/|download source], extract tarball, cd into directory, and compile source with __./configure --prefix=/usr/local/dkimproxy ; make install__ |
# For outbound mail signing, you will need a public/private key combo. {code source="txt"}
|
openssl genrsa -out private_domainkey.key 1024
|
openssl rsa -in private.key -pubout -out public_domainkey.key{/code}
|
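Review bot: In the rewritten intro under "!!DomainKeys Identified Mail", the sentence still begins "To use DomainKeys" although the section now describes DKIM and DKIMproxy, and its closing "Several perl modules need to be installed:" is cut off from the cpan step by the new "!!!DKIMproxy" heading. Reword it to "To use DKIM" and move the perl-modules sentence under the DKIMproxy heading. The key-generation step that this change leaves untouched should be fixed while the section is being revised: openssl genrsa writes private_domainkey.key but the next command reads private.key, so the two commands do not work as a pair, and 2048 bits would be a better default than 1024 for a newly written guide.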
-# Tweak __sample-dkfilter-init-script.sh__ and copy to /etc/init.d/dkfilter - Either make a dkfilter user or change DKFILTERUSER and DKFILTERGROUP to postfix. The following are line changes made, adjust to your liking...{code source="bash"}
|
+#Tweak __sample-dkim-init-script.sh__ and copy to /etc/init.d/dkim - Either make a dkimproxy user or change DKIMPROXYUSER and DKIMPROXYGROUP to postfix. The following are line changes made, adjust to your liking...{code source="bash"} |
*snip*
|
-DKFILTERUSER=postfix
|
-DKFILTERGROUP=postfix
|
+DKIMPROXYUSER=postfix |
+DKIMPROXYGROUP=postfix |
*snip*
|
-DKFILTER_IN_ARGS="
|
- --hostname=$HOSTNAME
|
- 127.0.0.1:10026 127.0.0.1:10027"
|
-DKFILTER_OUT_ARGS="
|
- --keyfile=/etc/pki/domainkeys/private.key
|
- --selector=selector1
|
- --domain=$DOMAIN
|
- --method=nofws
|
- --headers
|
- 127.0.0.1:10028 127.0.0.1:10029"
|
+DKIMPROXY_IN_CFG="/etc/dkimproxy_in.conf" |
+DKIMPROXY_OUT_CFG="/etc/dkimproxy_out.conf" |
{/code}
|
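Review bot: The init-script step still shows DKIMPROXYUSER=postfix and DKIMPROXYGROUP=postfix as the example values, so the signing key has to be readable by the same account Postfix runs under. Prefer the dedicated dkimproxy user that the step already mentions, and show that as the example. With --keyfile and --selector gone from the script, the step should also say that those settings now live in /etc/dkimproxy_out.conf, and that the files named in DKIMPROXY_IN_CFG and DKIMPROXY_OUT_CFG are only created in the following steps and must exist before the service is started.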
-#start dkfilter with __service dkfilter start__. Test ports are up and running with telnet localhost 10026 and telnet localhost 10027
|
-#Add inbound dkfilter postfix configuration to __/etc/postfix/master.cf__{code source="txt"}#
|
-# Before-filter SMTP server. Receive mail from the network and
|
-# pass it to the content filter on localhost port 10026.
|
+#Customize the default in confiugration __cp /usr/local/dkimproxy/etc/dkimproxy_in.conf.example /etc/dkimproxy_in.conf__ and modify /etc/dkimproxy_in.conf{code source="bash"} |
+# specify what address/port DKIMproxy should listen on |
+listen 127.0.0.1:10026 |
+ |
+# specify what address/port DKIMproxy forwards mail to |
+relay 127.0.0.1:10027 |
+{/code} |
+#Customize the default out confiugration __cp /usr/local/dkimproxy/etc/dkimproxy_out.conf.example /etc/dkimproxy_out.conf__ and modify /etc/dkimproxy_out.conf{code source="bash"} |
+# specify what address/port DKIMproxy should listen on |
+listen 127.0.0.1:10028 |
+ |
+# specify what address/port DKIMproxy forwards mail to |
+relay 127.0.0.1:10029 |
+ |
+ |
+ |
+ |
+ |
+ |
+# specify what domains DKIMproxy can sign for (comma-separated, no spaces) |
+domain yourdomain.com |
+ |
+# specify what signatures to add |
+signature dkim(c=relaxed) |
+signature domainkeys(c=nofws) |
+ |
+# specify location of the private key |
+keyfile /etc/pki/domainkeys/private.key |
+ |
+# specify the selector (i.e. the name of the key record put in DNS) |
+selector selector1 |
+{/code} |
+#start dkim with __service dkim start__. Test ports are up and running with telnet localhost 10026 and telnet localhost 10028 |
+#Add inbound dkim postfix configuration to __/etc/postfix/master.cf__{code source="txt"}# |
+# The main SMTP server. It receives incoming mail from the network |
+# and passes it to the content filter on localhost port 10026. |
#
|
smtp inet n - n - - smtpd
|
-o smtpd_proxy_filter=127.0.0.1:10026
|
-o smtpd_client_connection_count_limit=10
|
#
|
-# After-filter SMTP server. Receive mail from the content filter on
|
+# After-filter SMTP server. Receive mail from the DKIM verifying proxy on |
# localhost port 10027.
|
#
|
127.0.0.1:10027 inet n - n - - smtpd
|
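Review bot: The keyfile line in the /etc/dkimproxy_out.conf example points at /etc/pki/domainkeys/private.key, but the key-generation step produces private_domainkey.key and public_domainkey.key in the working directory, and no step copies the private key into place or restricts who can read it. Add that step (owned by the DKIMproxy user, mode 600) or align the file names. Smaller points: "confiugration" is misspelled in both new config steps, the run of empty added lines in the dkimproxy_out.conf example can be dropped, and both config examples are tagged source="bash" although they are DKIMproxy config files rather than shell.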