knowledgebase/linux/mail/dkfilter setup If you are using postfix, and want to implement domain keys, using dkfilter is a good way to go. If your email is not being accepted by Yahoo, this could help fix that problem. Recently I followed the instructions here to implement domain keys: http://jason.long.name/dkfilter/ Also more information and specifications on Domain Keys here: http://www.dkim.org/ 1 Install PERL modules You can use CPAN to install these modules, although sometimes packages don't install as smoothly as you would hope. Depending on which distro you are using, you will need the openssl-devel package or equivalent. 1.1 On Centos 4 (EL4): {code} apt-get install openssl-devel Reading Package Lists... Done Building Dependency Tree... Done The following extra packages will be installed: e2fsprogs-devel krb5-devel zlib-devel {code} After that I should be able to install the Crypt::OpenSSL::RSA module via CPAN {code} perl -MCPAN -e 'install Crypt::OpenSSL::RSA' {code} But ran into this problem when compiling the module: {code} Running make test PERL_DL_NONLAZY=1 /usr/bin/perl \"-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/bignum....skipped all skipped: no reason given t/format....ok t/rsa.......FAILED tests 44-45 {code} I googled for the answer, but couldn't find anything, so I entered the CPAN shell and used force install: {code} perl -MCPAN -e shell CPAN: File::HomeDir loaded ok (v0.64) cpan shell -- CPAN exploration and modules installation (v1.9101) ReadLine support enabled cpan[1]> force install Crypt::OpenSSL::RSA {code} Which resulted in this: {code} Appending installation info to /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod IROBERTS/Crypt-OpenSSL-RSA-0.24.tar.gz /usr/bin/make install -- OK Failed during \this command: IROBERTS/Crypt-OpenSSL-RSA-0.24.tar.gz : make_test FAILED but failure ignored because 'force' in effect {code} We can live with that for now, if we find the solution to this build problem in the future, we will make a note of it here. I was able to install the rest of the necessary modules except for Net::DNS without having to 'force install'. Some modules were already installed. In theory these commands should just all work: {code} perl -MCPAN -e 'install Crypt::OpenSSL::RSA' perl -MCPAN -e 'install Mail::Address' perl -MCPAN -e 'install MIME::Base64' perl -MCPAN -e 'install Net::DNS' perl -MCPAN -e 'install Net::Server' perl -MCPAN -e 'install Test::More' {code} In my experience though, there is usually some finagling you have to do here. 1.1 on Debian Etch A CPAN name like Crypt::OpenSSL::RSA translates into a Debian package name of libcrypt-openssl-rsa-perl. So a::b::c is liba-b-c-perl. Thus, you want libcrypt-openssl-rsa-perl libmail-address-perl libmime-base64-perl ... However, Mail::Address and Test::More don't seem to be packaged in the Etch repos, so we'll install them via CPAN as above. Debian already has libmail-dkim-perl which is Mail::DKIM which is the replacement for dkfilter (per Justin Long's site). However, the Etch package is old. 1.1 on Debian Lenny You should use libmail-dkim-perl instead 1.1 on EL5 I prefer to install the rpmforge repo and then the perl module RPMs from there. install rpmforge-release-0.3.6-1.el5.rf.i386.rpm and yum-protectbase (important!) Then install ... 1 Install dkfilter With the required modules installed I downloaded the latest dkfilter tar, and compiled it, and created a user for it to run as. {code} wget http:\//jason.\long.name/dkfilter/dkfilter-0.11.tar.gz ./configure --prefix=/usr/local/dkfilter make install adduser -s /sbin/nologin dkfilter {code} The package archive comes with a sample init script, which I copied into place, and found needed only one small edit to work in my environment. {code} cp sample-dkfilter-init-script.sh /etc/init.d/dkfilter chmod +x /etc/init.d/dkfilter {code} I happened to notice that 'hostname -d' only echoed "com" on my host, but 'hostname -f' seemed to give the correct output. I edited the script: {code} #This won't work #DOMAIN=`hostname -d` DOMAIN=`hostname -f` {code} You may find the script doesn't need to be changed for your environment, or even more edits may be necessary. Then in /usr/local/dkfilter I created a private/public key pair {code} openssl genrsa -out \private.key 1024 Generating RSA \private key, 1024 bit \long modulus .......................++++++ ....++++++ e is 65537 (0x10001) openssl rsa -in \private.key -pubout -out \public.key writing RSA key chown dkfilter.dkfilter *.key chmod 600 *.key {code} After this I pasted in the code available on the dkfilter page listed above, into: /etc/postfix/master.cf It was important to read the FAQ and add this content filter to the pickup filter in master.cf: {code} pickup fifo n - n 60 1 pickup -o content_filter=dksign:127.0.0.1:10027 {code} This is important if you are sending mail locally, from an application, i.e. automated responders which email passwords to you users. 1 Editing your DNS Zone records This is easy to do using your Rimuhosting DNS control panel. From the control panel, go to "Manage your DNS", if you have more than one domain, select the zone you want to add domain keys to. In the "Edit" menu, click on "Text (TXT)". Your current records will be displayed, and beneath that will be a box to add a new record. We are going to add two records. A policy and a selector record. First the policy In the "Name" field, put: {code} _domainkey {code} In the "Value" field put: {code} t=y; o=~ {code} You can check this record here: http://domainkeys.sourceforge.net/policycheck.html To find the meaning of this concise and cryptic code, consult section 3.6.2 "Interim sending domain policy" of the Domain Keys Internet Draft available here: http://sourceforge.net/docman/index.php?group_id=107680 Assuming you are following the install instructions on the dkfilter (http://jason.long.name/dkfilter/) page to the letter. Your next step is to add the selector record. In the "Name" field, put: {code} selector1._domainkey {code} In the "Value" field you will put something like this: {code} k=rsa; p=MHwwDQYJK ... OprwIDAQAB; t=y {code} You can test your setup by emailing test@dktest.jason.long.name, you should get happy message back saying something like this: {code} *** This is an automated response *** This is the result of the message verification: pass {code} You can also test here: http://domainkeys.sourceforge.net/selectorcheck.html But the ultimate test is to send a message to Yahoo, especially if your previous logs had things like this in them: {code} postfix/smtp[17266]: connect to b.mx.mail.yahoo.com[66.196.97.250]: server refused to talk to me: 421 Message from (xx.xx.xxx.xx) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25) {code} After setting up domain keys you should get something like this in your logs: {code} dkfilter.out[15741]: DomainKeys signing - signed; {code} The Yahoo webmail client will say something like this underneath the senders email address: {code} Yahoo! DomainKeys has confirmed that \this message was sent by root@yourdomain.com {code} 1 Using JavaMail? Now change the default port JavaMail is sending on from 25, to 587 to sign outgoing messages. i.e. if your Java app is sending out automated emails to your site's users. 2007-12-12 23:55:39.0 2007-05-14 21:14:49.0