OpenSUSE already packages dkim-milter in their contrib section and there
is a README.suse_postfix there. They also have other config changes and
supporting template files to complete the package. I include their README
here.
-Doug-
Scott Kitterman wrote:
On Friday 25 April 2008 13:27:46 Murray S. Kucherawy wrote:
The INSTALL file for dkim-milter has a section called "CONFIGURING AND
RESTARTING SENDMAIL" which you perform after getting your key(s)
generated and the filter configured and started.
Can I get a volunteer that uses postfix to write up a similar section for
configuring postfix to talk to the filter, for inclusion in future
releases?
As a starting point, here's what Mike Markley put in the Debian package and
what I added for the Ubuntu package (Postfix is the standard MTA for Ubuntu):
Notes for Postfix users
-----------------------
Postfix users who wish to access the dkim-filter service via UNIX socket
(the default) may need to add the postfix user to the dkim-filter
group and ensure that UMask is set to 002 in /etc/dkim-filter.conf, in
order to make the socket readable by Postfix.
Users may also need to move the socket into a directory accessible by the
Postfix chroot; this can be accomplished by setting the SOCKET variable
in /etc/default/dkim-filter.
As an alternative, you may opt to connect to the filter over TCP. The
filter can be bound to localhost to prevent other hosts from accessing it.
Notes for Ubuntu specific changes
--------------------------------
Postfix is the standard MTA in Ubuntu, so the dkim-filter init is modified
to use a TCP socket on localhost port 8891 when installed. This will work
with a chrooted Postfix (the Ubuntu default configuration). To use the
dkim-filter, add:
# Milters for mail that arrives via the smtpd(8) server.
smtpd_milters = inet:localhost:8891
to your main.cf
By default, if the milter is not available Postfix will defer messages. You
can change this by also adding:
milter_default_action = accept
These can also be set on a per process basis in master.cf using standard
Postfix master.cf syntax:
-o milter_default_action=accept
-o smtpd_milters=inet:localhost:8891
See the Postfix MILTER_README for additional information.
Scott K
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
dkim-milter-discuss mailing list
dkim-milter-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
INTRODUCTION
------------
This package is built to be used with the Postfix MTA to verify and/or sign
emails with DKIM. You can read complete details about DKIM in the document
rfc8741.txt released with this package.
What do you need to use DKIM with Postfix?
- Postfix 2.4.x, openssl 0.9.8x
- You MUST be able to add TXT records to your domain's DNS server. Some ISPs
don't offer this possibility. If this is your case, I would recommend moving to
another DNS provider; otherwise forget about using DKIM, DomainKeys, SPF or
other efficient mail filter tools.
SETUP DKIM
----------
After installing you can use YAST to set your options for DKIM_* vars.
yast2 -> system -> /etc/sysconfig editor -> network -> mail -> dkim-milter
You can check dkim-filter man pages to select your preferred options here.
It is recommended that you change the default DKIM_DOMAIN value to your domain.
SETUP YOUR DNS RECORDS
----------------------
When the package is installed, it generates a key pair (private, public) and
stores them in the /etc/mail/dkim directory. Initially the files are named
'default.private' and 'default.txt'. With the aid of yast you can change the
sysconfig variables DKIM_DOMAIN and DKIM_SELECTOR as you want. If you change the
'default' value of DKIM_SELECTOR, another pair will be generated for the new
selector value.
You should keep the '*.private' files away from unwanted visitors. The '*.txt'
files are what you have to copy and paste into your DNS server as shown below.
Suppose your domain is 'example.com'. The public 'txt' key parts are supposed to
be stored in the TXT records of the subdomain '_domainkey'. If DKIM_SELECTOR is
set to, for example, 'default', then you need to add the TXT record to the
'default._domainkey' subdomain of your 'example.com' domain.
As an example, the two files in /etc/mail/dkim are
File 'default.private':
-----BEGIN RSA PRIVATE KEY-----
[base64 key body omitted]
-----END RSA PRIVATE KEY-----
And 'default.txt' file
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; t=y;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJEWqvOR/Rp36YZP5ZesYg1+oCYQV4vQkyLRuPFVJ815SCWyr1YgDfE2b5wmUxxjtHemnULxmUhntYwTMiWhkUcVUEzH0DeKlEfh2b1fCkc0jy5PRZaO9G5tXn+ADux3FSP2EgeZeYpgJgKDzIcg/krZPSoEwGgFd0q42hcm+9dQIDAQAB"
; ----- DKIM default for example.com
This second file is what you need to add to the new TXT record in your DNS
server.
The "v=DKIM1; ..... p=....AB" part is what you need to copy and paste into the
record, including the "" quotes. This TXT record has to be for the
'default._domainkey.example.com' domain.
HINT: it is possible that the length of the TXT record is greater than
permitted. You can cut the default settings 'g=*; k=rsa ' to save some bytes.
If you also don't want to test, you can also cut 't=y; '.
After setting your DNS record, and assuming it is already live and published on
the net, you can test the key with the aid of the dkim-testkey binary. Replace
the domain and selector here with your own:
dkim-testkey -d example.com -s default -k /etc/mail/dkim/default.private
If there are no messages, you're lucky: all has gone well.
You can also generate your own pair of keys with the aid of the 'dkim-genkey'
binary. See the dkim-genkey man pages.
SETUP POSTFIX
-------------
It is strongly recommended that you read the Postfix documentation here
http://www.postfix.org/MILTER_README.html
If you are impatient, simply add these lines to /etc/postfix/main.cf
# to use dkim-milter
# as verifier
smtpd_milters = unix:/var/spool/postfix/milter/dkim
# as signer
non_smtpd_milters = unix:/var/spool/postfix/milter/dkim
milter_default_action = accept
NOTE: After some days of tests and checks, you can then remove or change the
line 'milter_default_action = accept' if you are sure things are running
well.
Actually, with the 'accept' option as default it doesn't filter anything. See
the Postfix documentation. In addition, you have to check the rejection policy
of the filter with the DKIM_REJECTION sysconfig var.
Finally, start the DKIM daemon (as root)
rcdkim start
If it succeeds, you must reload postfix to begin using dkim-milter
rcpostfix reload
You should also arrange to start the dkim daemon at boot time by activating the
service with the aid of yast
yast2 -> system -> run-level
so it will be ready every time you boot your system.
And that's all, but don't forget RTFM!
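The README's DNS step (publish the contents of 'default.txt', optionally cutting 'g=*; k=rsa' and 't=y') can be checked before the record goes live. The following is an added example, not part of the README or of dkim-milter: the function names are hypothetical, the sample record is constructed with a made-up p= value, and the 255-byte figure is the DNS limit on a single TXT character-string.

```python
import base64
import re

# Constructed sample laid out like the README's 'default.txt'; the p= value is
# a short made-up base64 string, not a real key.
SAMPLE_TXT = (
    'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; t=y;\n'
    'p=Q09OU1RSVUNURUQtS0VZLUJZVEVT" ; ----- DKIM default for example.com'
)

# Tags the README says can be cut because they only restate the defaults.
DEFAULTS = {"g": "*", "k": "rsa"}


def parse_key_record(zone_text):
    """Return (owner_name, {tag: value}) from a zone-file style TXT entry."""
    owner = zone_text.split()[0]
    # A record may be split into several quoted strings; verifiers join them.
    rdata = "".join(re.findall(r'"([^"]*)"', zone_text))
    tags = {}
    for part in rdata.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return owner, tags


def check_and_minimize(tags, keep_test_flag=True):
    """Return (problems, TXT strings of at most 255 bytes each)."""
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    try:
        base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: key is still flagged as test mode")
    # Drop default-valued tags, and t=y when the caller is done testing.
    kept = [(k, v) for k, v in tags.items() if DEFAULTS.get(k) != v
            and not (k == "t" and v == "y" and not keep_test_flag)]
    rdata = "; ".join(f"{k}={v}" for k, v in kept)
    return problems, [rdata[i:i + 255] for i in range(0, len(rdata), 255)]
```

Each returned string becomes one quoted string of the TXT record; a record left at t=y after the test period shows up in the problems list.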
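The Postfix settings discussed in this thread (a UNIX socket that a chrooted Postfix must be able to reach, a TCP listener bound to localhost, and milter_default_action) can be reviewed mechanically. The following is an added example, not code from Postfix, dkim-milter or any of the packages mentioned: the function names are hypothetical, the main.cf fragment is constructed, and /var/spool/postfix is assumed to be the queue directory.

```python
import re

# Constructed main.cf fragment; the socket path and 192.0.2.10 are made up.
SAMPLE_MAIN_CF = """\
# to use dkim-milter
smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock,
    inet:192.0.2.10:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept
"""

QUEUE_DIR = "/var/spool/postfix"   # assumed queue directory (the chroot)
LOOPBACK = {"localhost", "127.0.0.1"}


def parse_main_cf(text):
    """Parse 'name = value' lines; lines starting with whitespace continue."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (s.strip() for s in line.split("=", 1))
            params[current] = value
    return params


def audit_milters(params, chrooted=True):
    """Return review findings for the milter settings in main.cf."""
    findings = []
    for name in ("smtpd_milters", "non_smtpd_milters"):
        for spec in re.split(r"[,\s]+", params.get(name, "")):
            kind, _, rest = spec.partition(":")
            if kind == "unix" and chrooted and rest.startswith("/"):
                # Chrooted daemons resolve the path below the queue directory.
                findings.append(f"{name}: chrooted Postfix looks for the "
                                f"socket at {QUEUE_DIR}{rest}")
            elif kind == "inet" and rest.rsplit(":", 1)[0] not in LOOPBACK:
                findings.append(f"{name}: {rest} is not a loopback address")
    # Postfix defers mail (tempfail) when the parameter is not set.
    if params.get("milter_default_action", "tempfail") == "accept":
        findings.append("milter_default_action=accept: mail passes unsigned "
                        "and unverified while the filter is unavailable")
    return findings
```

On a live system the same function can be fed the text of /etc/postfix/main.cf; per-process `-o` overrides in master.cf are not covered by this sketch.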