DomainKeys is an anti-spam software application in development at Yahoo that uses a form of public key cryptography to authenticate the sender’s domain. dkfilter is an SMTP-proxy designed for Postfix. It implements DomainKeys message signing and verification. It comprises two separate filters, an “outbound” filter for signing outgoing email on port 587, and an “inbound” filter for verifying signatures of incoming email on port 25. This document is to describe step by step how to install dkfilter for postfix to deploy domainkeys signing and verification.
1 Install Postfix
Install postfix for your domain to send and receive mails.
yum -y install postfix
2 Resolving Dependencies – Installing Perl Modules
Dkfilter is written in Perl. It requires the following Perl Modules from CPAN archive.
* Crypt::OpenSSL::RSA
* Mail::Address
* MIME::Base64
* Net::DNS
* Test::More
* Text::Wrap
* Mail::DomainKeys
* Net::Server
Following commands would help.
perl -MCPAN -e’CPAN::Shell->install(“Crypt::OpenSSL::RSA”)’
perl -MCPAN -e’CPAN::Shell->install(“Mail::Address”)’
perl -MCPAN -e’CPAN::Shell->install(“MIME::Base64”)’
perl -MCPAN -e’CPAN::Shell->install(“Net::DNS”)’
perl -MCPAN -e’CPAN::Shell->install(“Test::More”)’
perl -MCPAN -e’CPAN::Shell->install(“Text::Wrap”)’
perl -MCPAN -e’CPAN::Shell->install(“Email::Address”)’
perl -MCPAN -e’CPAN::Shell->install(“Mail::DomainKeys”)’
perl -MCPAN -e’CPAN::Shell->install(“Net::Server”)’
Note: Also resolve any dependent Perl Module required in installing the above Perl modules.
3 Installing dkfilter
The following steps are recommended for installing dkfilter:
i. Download dkfilter from following URL:
http://jason.long.name/dkfilter/dkfilter-0.11.tar.gz
ii. Installing dkfilter
tar xvf dkfilter-0.11.tar.gz
cd dkfilter-0.11
./configure –prefix=/usr/local/dkfilter
make install
useradd dkfilter
The filter scripts will be installed in /usr/local/dkfilter/bin and the Perl module files will be in /usr/local/dkfilter/lib.
4 Setting up Inbound Filter
We need to make relevant changes inside Postfix configuration files to check incoming mails for the signature.
vi /etc/postfix/master.cf
#
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10025.
#
smtp inet n – n – – smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10
#
# After-filter SMTP server. Receive mail from the content filter on
# localhost port 10026.
#
127.0.0.1:10026 inet n – n – – smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
-o receive_override_options=no_unknown_recipient_checks
Insert above lines in the last of the files. Here we define that mail will received after smtp for verification on 127.0.0.1 with port 10026. You can define your own desired IP address on which you want to listen for signature checking.
5 Setting up the outbound filter
The outbound filter needs access to the private key used for signing messages. In addition, in needs to know the name of the key selector being used, and what domain it should sign messages for. This information is specified with command-line arguments to dkfilter.out.
1. Generate a private/public key pair and publish the public key in DNS.
cd /usr/local/dkfilter
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key
This creates the files private.key and public.key in the current directory, containing the private key and public key. Make sure private.key is not world-readable, but still readable by the dkfilter user.
2. Pick a selector name… e.g. m1
3. Put the public-key data in DNS, in your domain, using the selector name you picked. Copy the contents of the public.key file and remove the PEM header and footer, and paste it in dns zone file by creating a TXT entry, like this:
_domainkey.sohailriaz.com IN TXT “t=y; o=-;”
m1._domainkey.sohailriaz.com IN TXT “g=; k=rsa; p=MHwwDQYJK … OprwIDAQAB;”
where m1 is the name of the selector chosen in the last step and the p= parameter contains the public-key as one long string of characters.
Finally, configure Postfix to filter outgoing, authorized messages only through the dkfilter.out service on port 10027. In the following example, messages sent via SMTP on port 587 (the submission port) will go through an After-Queue content filter that signs messages with DomainKeys.
vi /etc/postfix/master.cf
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n – n – – smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#
# specify the location of the DomainKeys signing filter
#
dksign unix – – n – 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime
#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10028 inet n – n – 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
Execute postfix reload for Postfix to respond to changes in /etc/postfix/master.cf.
postfix reload
6 Startup Script
Download a startup/shutdown script from the following site:
http://www.enterux.com/files/dkfilter
Copy that script in /etc/rc.d/init.d and edit it as per your requirement.
7 References
http://www.postfix.org
http://antispam.yahoo.com/domainkeys
http://jason.long.name/dkfilter/
Hi Sohail,
Your tutorials are very helpful.
But i need this domain key to work. The link does not work http://www.enterux.com/files/dkfilter and also, what port do i need to send out emails on. (587???)
Thanks again.
Hi Sohail,
The DKIM is working fine now. My domain key is not recognized though. Does it just verifies DKIM or also produces a domain key?
Please let me know if you know anything in this regard.
And also, i cannot recieve emails since the time i installed this. is there a specific port i have to get emails from. like 10026 or 587, let me know.
Thanks
Hi. I’m trying to make dkfilter to work, but I’m a little bit confused. I made the exact thing as you did, but it does not send any emails! I think that the sample-dkfilter-init-script.sh might be wrong or it need configuration and I don’t know what to configure. Any help please?
Hi
Yaar I’ve wasted so much time on this “Remove Headers and Footer” I really don’t have a clue how to remove header and footer from public.key file to create a txt record in dns. Kindly guide me on it any body?
Regards
Imran Shakir
Hello! efbkkdd interesting efbkkdd site! I’m really like it! Very, very efbkkdd good!