|
|
| Line 23: |
Line 23: |
| | awk '{gsub("OLD_IP", "NEW_IP", $0); print > FILENAME}' *.zone | | awk '{gsub("OLD_IP", "NEW_IP", $0); print > FILENAME}' *.zone |
| | | | |
| − | Getting Dkimproxy Installed and Configured | + | Getting Dkimproxy Installed and Configured: |
| − | Posted on June 21st, 2008 in Encryption,General,Linux System Administration,Mail,Spam by Brandon
| + | http://www.brandonchecketts.com/archives/getting-dkimproxy-installed-and-configured |
| | | | |
| − | Dkimproxy is a great program for getting Postfix to both sign and validate DomainKeys and DKIM messages. Prior to dkimproxy, one would have used dk-filter and dkim-filter which did DomainKeys and DKIM signing separately. dkimproxy is a newer version that combines the functionality into one program. Installing it can be a bit complicated because it isn’t available in most distro repositories, and requires several Perl modules that need to be installed. Configuring it can be difficult as well, because it involves making changes DNS and postfix, in addition to its own configuration.
| + | DomainKeys filter for Postfix: |
| − | | + | http://jason.long.name/dkfilter/ |
| − | I wrote these steps below as I went through a recent installation for a customer
| |
| − | | |
| − | You can install the required Perl modules through the RPM Forge Repository if you have it enabled with the command (Thanks JohnB for mentioning that):
| |
| − | | |
| − | yum install perl-Net-Server perl-Error perl-Mail-DKIM
| |
| − | | |
| − | Otherwise, you can install them manually with CPAN. First install the openssl-devel package (You’ll need it for CPAN to install Mail::DKIM)
| |
| − | | |
| − | yum install openssl-devel
| |
| − | | |
| − | Now install the required Perl modules
| |
| − | | |
| − | # perl -MCPAN -e shell
| |
| − | > install Net::Server
| |
| − | > install Error
| |
| − | > install Mail::DKIM
| |
| − | | |
| − | Download and install the actual dkimproxy code:
| |
| − | | |
| − | cd /usr/local/src
| |
| − | wget http://internap.dl.sourceforge.net/sourceforge/dkimproxy/dkimproxy-1.0.1.tar.gz
| |
| − | tar -xvzf dkimproxy-1.0.1.tar.gz
| |
| − | cd dkimproxy-1.0.1
| |
| − | ./configure --prefix=/usr/local/dkimproxy
| |
| − | make
| |
| − | make install
| |
| − | | |
| − | You should now have the program installed in /usr/local/dkimproxy. A sample init file is included, so we can copy it into place also:
| |
| − | | |
| − | cp /usr/local/src/dkimproxy-1.0.1/sample-dkim-init-script.sh /etc/init.d/dkimproxy
| |
| − | | |
| − | Create a ‘dkim’ user and group, but lock the password:
| |
| − | | |
| − | useradd -d /usr/local/dkimproxy dkim
| |
| − | passwd -l dkim
| |
| − | | |
| − | That should be enough to get dkimproxy running, but it isn’t configured yet.
| |
| − | | |
| − | Create a key file for your domain
| |
| − | | |
| − | cd /usr/local/dkimproxy/etc/
| |
| − | openssl genrsa -out domain.tld.key 1024
| |
| − | openssl rsa -in domain.tld.key -pubout -out domain.tld.pub
| |
| − | | |
| − | Now create a DNS TXT record for mail._domainkey.domain.tld with the contents of domain.tld.pub. Your public key will span at least two lines, so combine all of the lines of the key together when putting it in your DNS record. The whole DNS record will look something like this:
| |
| − | | |
| − | k=rsa; t=s; p=MFwwDQYJ......0JMCAwEAAQ==
| |
| − | | |
| − | (Note that the key is pretty long and I’ve shortened it here)
| |
| − | You could now confirm the key is correct in your DNS:
| |
| − | | |
| − | [root@host etc]# host -ttxt mail._domainkey.domain.tls
| |
| − | mail._domainkey.domain.tld descriptive text "k=rsa\; t=s\; p=MFwwDQYJ......0JMCAwEAAQ=="
| |
| − | | |
| − | (Note that the key is pretty long and I’ve shortened it here)
| |
| − | | |
| − | Now tell dkimproxy about the key files, and configuration parameters. Create /usr/local/dkimproxy/etc/dkimproxy_out.conf with this content
| |
| − | | |
| − | # specify what address/port DKIMproxy should listen on
| |
| − | listen 127.0.0.1:10027
| |
| − | | |
| − | # specify what address/port DKIMproxy forwards mail to
| |
| − | relay 127.0.0.1:10028
| |
| − | | |
| − | # specify what domains DKIMproxy can sign for (comma-separated, no spaces)
| |
| − | domain domain.tld
| |
| − | | |
| − | # specify what signatures to add
| |
| − | signature dkim(c=relaxed)
| |
| − | signature domainkeys(c=nofws)
| |
| − | | |
| − | # specify location of the private key
| |
| − | keyfile /usr/local/dkimproxy/etc/domain.tld.key
| |
| − | | |
| − | # specify the selector (i.e. the name of the key record put in DNS)
| |
| − | selector mail
| |
| − | | |
| − | And copy the sample inbound config to the real inbound config
| |
| − | | |
| − | cd /usr/local/dkimproxy/etc
| |
| − | cp dkimproxy_in.conf.example dkimproxy_in.conf
| |
| − | | |
| − | Now you should be able to start up dkimproxy, and configure it to start at boot:
| |
| − | | |
| − | /etc/init.d/dkimproxy start
| |
| − | chkconfig dkimproxy on
| |
| − | | |
| − | And the last step is just to modify the postfix configuration to tell it to forward messages sent to port 587 through dkimproxy for signing. I added these three sections to /etc/postfix/master.cf
| |
| − | | |
| − | ### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
| |
| − | #
| |
| − | # modify the default submission service to specify a content filter
| |
| − | # and restrict it to local clients and SASL authenticated clients only
| |
| − | #
| |
| − | submission inet n - n - - smtpd
| |
| − | -o smtpd_etrn_restrictions=reject
| |
| − | -o smtpd_sasl_auth_enable=yes
| |
| − | -o content_filter=dksign:[127.0.0.1]:10027
| |
| − | -o receive_override_options=no_address_mappings
| |
| − | -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
| |
| − | | |
| − | # specify the location of the DKIM signing proxy
| |
| − | # Note: the smtp_discard_ehlo_keywords option requires a recent version of
| |
| − | # Postfix. Leave it off if your version does not support it.
| |
| − | dksign unix - - n - 10 smtp
| |
| − | -o smtp_send_xforward_command=yes
| |
| − | -o smtp_discard_ehlo_keywords=8bitmime,starttls
| |
| − | | |
| − | # service for accepting messages FROM the DKIM signing proxy
| |
| − | 127.0.0.1:10028 inet n - n - 10 smtpd
| |
| − | -o content_filter=
| |
| − | -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
| |
| − | -o smtpd_helo_restrictions=
| |
| − | -o smtpd_client_restrictions=
| |
| − | -o smtpd_sender_restrictions=
| |
| − | -o smtpd_recipient_restrictions=permit_mynetworks,reject
| |
| − | -o mynetworks=127.0.0.0/8
| |
| − | -o smtpd_authorized_xforward_hosts=127.0.0.0/8
| |
| − | | |
| − | If you want it to sign messages sent from the command line sendmail program, modify the pickup service to use the content_filter like this:
| |
| − | | |
| − | pickup fifo n - n 60 1 pickup
| |
| − | -o content_filter=dksign:[127.0.0.1]:10027
| |
| − | | |
| − | Finally restart postfix with ‘postfix reload’, and you *should* have a working installation. You can now use my Domainkeys/Dkim validator to test and ensure that it is working.
| |
Building a server using CentOS 5.x/6.x
Setup Yum repo's first from backups. Then install everything va Yum.
Install required packages:
yum -y install httpd httpd-devel php php-gd php-pdo php-imap libtheora cdparanoia php-pear php-dba php-xml php-common php-cli php-devel php-mysql php-mbstring perl-Geography-Countries mysql-server gstreamer-ffmpeg ffmpeg ffmpeg-devel postfix dovecot spamassassin named
Packages to remove:
yum remove sendmail
Make sure following services are set to start on startup:
chkconfig httpd on
chkconfig mysqld on
chkconfig postfix on
chkconfig iptables on
chkconfig dovecot on
chkconfig spamassassin on
Import MySQL Databases:
mysql -u root mysql < alldatabases.sql
Replace IP Address in DNS zone files:
awk '{gsub("OLD_IP", "NEW_IP", $0); print > FILENAME}' *.zone
Getting Dkimproxy Installed and Configured:
http://www.brandonchecketts.com/archives/getting-dkimproxy-installed-and-configured
DomainKeys filter for Postfix:
http://jason.long.name/dkfilter/
