DomainKeys and DKIM
What are DomainKeys?
A simple description is that it's a method of cryptographically signing outbound mails such that recipients can verify that the sender domain is correct (to avoid spam spoofing) and that the mail hasn't been tampered with en route.
How does it work?
Much like with PGP signing, a private/public key pair is generated, and each outbound mail is hashed and the hash signed with the private key. That signature is put into a custom mail header called 'DomainKey-Signature', which the recipient MTA can check against the message when it computes its own hash at the other end.
The clever part is that the public key needed by the recipient MTA is made available over a simple DNS query, so it's easy to retrieve.
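As an added example (not from this page and not dkfilter's own code), here is the sign-and-verify flow in Go using only the standard library: SHA-1 digest signed with RSA PKCS#1 v1.5 (the a=rsa-sha1 the header advertises), the public key turned into the p= value a verifier fetches from DNS, and the p= value from this page's selector record decoded to see what was published. The message text and the generated key are constructed; dkfilter's real header/body canonicalisation (the c=nofws tag) is not reproduced here, the whole message bytes are simply hashed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// pagePublicKey is the p= value from the selector TXT record shown on this
// page (the PEM block with header, footer and line breaks removed).
const pagePublicKey = "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALITBW3zeP2C7KTObQm7TDmgH0FZKNFzxCJ8LTv3CejkksIfaMbKJ3TPP4e0O5MUZoHcTyR3Z/VUdgYPqOYbt3aIqofUSP+WYKa3INBAejxe81by9g6PkV1G6cPUErVrOQIDAQAB"

// signMessage is the sending side: SHA-1 the (canonicalised) message and sign
// the digest with the private key. The result is what lands in the b= tag.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha1.Sum(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
}

// verifyMessage is the receiving side: recompute the digest and check the
// signature against the public key fetched from DNS.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha1.Sum(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) == nil
}

// publicKeyPEM renders a public key the way the page shows it.
func publicKeyPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// pemToPTag turns a "-----BEGIN PUBLIC KEY-----" block into the p= value:
// the base64 of the DER bytes, with the PEM armour and line breaks stripped.
func pemToPTag(pemText string) (string, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PUBLIC KEY" {
		return "", errors.New("no PUBLIC KEY block found")
	}
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// pTagToPublicKey does the reverse, as a verifying MTA does after its DNS query.
func pTagToPublicKey(p string) (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("p= tag does not hold an RSA key (k=rsa)")
	}
	return pub, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample message; a real signer canonicalises headers and body first.
	msg := []byte("From: test@example.com\r\nSubject: dk test\r\n\r\nhello\r\n")
	sig, err := signMessage(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("b=%s\n", base64.StdEncoding.EncodeToString(sig))

	// Publish: PEM -> p= tag, then the verifier's side: p= -> key.
	pemText, _ := publicKeyPEM(&priv.PublicKey)
	p, _ := pemToPTag(pemText)
	pub, err := pTagToPublicKey(p)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", verifyMessage(pub, msg, sig))
	tampered := []byte("From: test@example.com\r\nSubject: dk test\r\n\r\nhello, send money\r\n")
	fmt.Println("tampered verifies:", verifyMessage(pub, tampered, sig))

	// The page's own published key: decode it and report its size.
	if pagePub, err := pTagToPublicKey(pagePublicKey); err == nil {
		fmt.Printf("page key: RSA %d bits, e=%d\n", pagePub.N.BitLen(), pagePub.E)
	}
}
```

The page's p= value decodes to a 768-bit RSA key with e=65537. That was ordinary in 2006, but RFC 8301 (for DKIM, the successor to DomainKeys) sets 1024 bits as the minimum key size and retires rsa-sha1, so a new deployment should generate a 2048-bit key and sign with rsa-sha256.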
Installation of dkfilter
Google pointed me towards an SMTP-proxy for Postfix called 'dkfilter', available at:
http://jason.long.name/dkfilter/
The instructions were pretty straightforward so I won't replicate them step-by-step, but rather point out the gotchas and tweaks used along the way.
This is for dkfilter-0.11, current at time of writing.
- Add a user and a group called 'dkfilter', with /sbin/nologin as the shell.
- You'll need openssl-perl and openssl-devel installed (rug packages).
- If 'configure' complains about any missing Perl packages, install them. I ended up needing:
  Crypt::OpenSSL::RSA
  Net::Server
  Mail::Address
- Copy 'sample-dkfilter-init-script.sh' to /etc/init.d/dkfilter and set '-selector=private'.
  NOTE: The selector only matters in multi-key setups, which these generally won't be, but it is what picks the key to sign with (and the DNS record the recipient verifies against). Our first setup seemed to use 'private' as the selector, so I followed suit.
- Copy the private.key into /usr/local/dkfilter.
- If you don't have a private.key to copy, have another read of the instructions at the homepage, the section about setting up the outbound filter.
- Run 'chkconfig dkfilter on', OR put '/etc/init.d/dkfilter start' into /etc/rc.local so that it'll start at boot, and run it manually.
Configure Postfix to use dkfilter
So that's dkfilter installed and running, hopefully. Now to get Postfix to use it.
Edit /etc/postfix/master.cf to change the 'submission' and 'pickup' entries to read:
submission inet  n       -       n       -       -       smtpd
    -o content_filter=dksign:[127.0.0.1]:10027
pickup     fifo  n       -       n       60      1       pickup
    -o content_filter=dksign:127.0.0.1:10027
Stick the remainder at the end of the master.cf file:
# specify the location of the DomainKeys signing filter
#
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10028 inet n  -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
A quick 'postfix reload' and Robert is your mother's brother.
Testing
Send any old test mail from the server, a la -
cat master.cf | mail -s "dk test" rob.wilderspin@rackspace.co.uk
When it arrives, check the headers for something like -
DomainKey-Signature: a=rsa-sha1; h=Received:To:Subject:Message-Id:Date:From; b=AGFSkLNduogEKxm5Z5eePCdsF/EUc8af4u6iU7qE9CI44inolcXaumBF3SRezHBEqVLiKjtN1vAGNncQUG85jsmRxZEbydQYZA+90BC3h9fzjdMi/BF0yE250pjhGrBG; c=nofws; d=clickjobs.com; q=dns; s=private
Looks good, hey?
DNS Setup
Now this bit I didn't need to do as this customer already had it set up from an earlier ticket, but it seems that all you need to do is take the contents of the public key
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALITBW3zeP2C7KTObQm7TDmgH0FZKNFz
xCJ8LTv3CejkksIfaMbKJ3TPP4e0O5MUZoHcTyR3Z/VUdgYPqOYbt3aIqofUSP+W
YKa3INBAejxe81by9g6PkV1G6cPUErVrOQIDAQAB
-----END PUBLIC KEY-----
and paste the base64 part (minus the BEGIN/END lines, joined into a single line) into the second of two DNS TXT records like:
_domainkey.clickjobs.com. IN TXT "o=~; r=postmaster@clickjobs.com; t=y"
private._domainkey.clickjobs.com. IN TXT "k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALITBW3zeP2C7KTObQm7TDmgH0FZKNFzxCJ8LTv3CejkksIfaMbKJ3TPP4e0O5MUZoHcTyR3Z/VUdgYPqOYbt3aIqofUSP+WYKa3INBAejxe81by9g6PkV1G6cPUErVrOQIDAQAB"
Note the 'private.' bit at the start of the second entry? That's the selector we talked about earlier, which would let you choose any of a number of keys. In our case we only have one, called 'private'. This is something you'd ask ProfServe to do.
I've not set up a mail client to check receipt myself, but the header is there and the customer says it works fine.
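As an added example that is not part of the original page or of dkfilter: a small Go program doing the receiving side's first two steps, parsing the DomainKey-Signature header from the Testing section into its tags, deriving the selector record name <s>._domainkey.<d> from the s= and d= tags, and validating the TXT record that comes back (k=rsa, a non-empty base64 p=, tag names that are plain identifiers). The DNS lookup is a constructed map holding this page's two records rather than a real query, and the malformed record fed in at the end (a zone file's 'IN TXT' pasted inside the quoted record data) is constructed to show what the tag-name check catches.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// pageSignature is the DomainKey-Signature header value shown on this page.
const pageSignature = "a=rsa-sha1; h=Received:To:Subject:Message-Id:Date:From; b=AGFSkLNduogEKxm5Z5eePCdsF/EUc8af4u6iU7qE9CI44inolcXaumBF3SRezHBEqVLiKjtN1vAGNncQUG85jsmRxZEbydQYZA+90BC3h9fzjdMi/BF0yE250pjhGrBG; c=nofws; d=clickjobs.com; q=dns; s=private"

// fakeDNS is a constructed stand-in for the real TXT lookup, holding the two
// records from this page.
var fakeDNS = map[string]string{
	"_domainkey.clickjobs.com":         "o=~; r=postmaster@clickjobs.com; t=y",
	"private._domainkey.clickjobs.com": "k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALITBW3zeP2C7KTObQm7TDmgH0FZKNFzxCJ8LTv3CejkksIfaMbKJ3TPP4e0O5MUZoHcTyR3Z/VUdgYPqOYbt3aIqofUSP+WYKa3INBAejxe81by9g6PkV1G6cPUErVrOQIDAQAB",
}

// Tag names in the header and in the TXT records are short lowercase identifiers.
var tagName = regexp.MustCompile(`^[a-z][a-z0-9]*$`)

// parseTags splits a "k=v; k=v" tag list into a map, rejecting tag names that
// are not plain identifiers (which is how stray zone-file text inside the
// quotes of a record shows up).
func parseTags(s string) (map[string]string, error) {
	tags := map[string]string{}
	for _, field := range strings.Split(s, ";") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		k, v, ok := strings.Cut(field, "=") // cut at the first '=' so base64 padding survives
		k = strings.TrimSpace(k)
		if !ok || !tagName.MatchString(k) {
			return nil, fmt.Errorf("malformed tag %q", field)
		}
		tags[k] = strings.TrimSpace(v)
	}
	return tags, nil
}

// selectorRecordName builds the DNS name the verifier queries: <s>._domainkey.<d>.
func selectorRecordName(sig map[string]string) (string, error) {
	if sig["d"] == "" || sig["s"] == "" {
		return "", fmt.Errorf("signature is missing the d= or s= tag")
	}
	return sig["s"] + "._domainkey." + sig["d"], nil
}

// checkSelectorRecord validates the TXT data the verifier gets back and
// returns the p= value if it is usable.
func checkSelectorRecord(txt string) (string, error) {
	tags, err := parseTags(txt)
	if err != nil {
		return "", err
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return "", fmt.Errorf("unsupported key type k=%s", k)
	}
	p, ok := tags["p"]
	if !ok {
		return "", fmt.Errorf("record has no p= tag")
	}
	if p == "" {
		return "", fmt.Errorf("p= is empty: the key has been revoked")
	}
	if _, err := base64.StdEncoding.DecodeString(p); err != nil {
		return "", fmt.Errorf("p= is not valid base64: %v", err)
	}
	return p, nil
}

// policyIsTesting reports whether the domain-level record says t=y, i.e. the
// domain is still testing and verifiers should not reject mail on failure.
func policyIsTesting(txt string) bool {
	tags, err := parseTags(txt)
	return err == nil && strings.Contains(tags["t"], "y")
}

func main() {
	sig, err := parseTags(pageSignature)
	if err != nil {
		panic(err)
	}
	name, _ := selectorRecordName(sig)
	fmt.Println("query:", name, "TXT")
	p, err := checkSelectorRecord(fakeDNS[name])
	fmt.Printf("selector record ok=%v (p= is %d chars)\n", err == nil, len(p))
	fmt.Println("domain in test mode:", policyIsTesting(fakeDNS["_domainkey."+sig["d"]]))

	// Constructed bad record: the zone file's "IN TXT" ended up inside the quotes.
	_, err = checkSelectorRecord("IN TXT k=rsa; p=" + p)
	fmt.Println("broken record:", err)
}
```

The point of the tag-name check is that a record with junk before the first tag still contains a perfectly good p= value, so a verifier that only looks for p= would accept it while a stricter one would not; checking the zone with a parser like this before asking ProfServe to publish it avoids a record that works on one recipient's MTA and fails on another's.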
Examples
If the above isn't enough to get it working or you want to see it in action, take a butcher's at
mail1.clickjobs.com https://core.rackspace.com/py/ticket/view.pt?ref_no=060925-01442
mail2.clickjobs.com https://core.rackspace.com/py/ticket/view.pt?ref_no=061117-01773
If you still get stuck, ask me (rob.w) and we'll thrash it out.