
dkfilter setup

Created by retep. Last edited by alex, 238 days ago. Viewed 1,524 times. #2
If you are using postfix, and want to implement domain keys, using dkfilter is a good way to go. If your email is not being accepted by Yahoo, this could help fix that problem. Recently I followed the instructions here to implement domain keys:

>>http://jason.long.name/dkfilter/

Also more information and specifications on Domain Keys here:

>>http://www.dkim.org/

Install PERL modules

You can use CPAN to install these modules, although sometimes packages don't install as smoothly as you would hope.

Depending on which distro you are using, you will need the openssl-devel package or equivalent.

On CentOS 4 (EL4):

apt-get install openssl-devel
Reading Package Lists… Done
Building Dependency Tree… Done
The following extra packages will be installed:
  e2fsprogs-devel krb5-devel zlib-devel

After that I should be able to install the Crypt::OpenSSL::RSA module via CPAN:

perl -MCPAN -e 'install Crypt::OpenSSL::RSA'

But I ran into this problem when compiling the module:

Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/bignum....skipped
        all skipped: no reason given
t/format....ok                                                               
t/rsa.......FAILED tests 44-45

I googled for the answer, but couldn't find anything, so I entered the CPAN shell and used force install:

perl -MCPAN -e shell
CPAN: File::HomeDir loaded ok (v0.64)

cpan shell -- CPAN exploration and modules installation (v1.9101) ReadLine support enabled

cpan[1]> force install Crypt::OpenSSL::RSA

Which resulted in this:

Appending installation info to /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod
  IROBERTS/Crypt-OpenSSL-RSA-0.24.tar.gz
  /usr/bin/make install  -- OK
Failed during this command:
 IROBERTS/Crypt-OpenSSL-RSA-0.24.tar.gz       : make_test FAILED but failure ignored because 'force' in effect

We can live with that for now; if we find the solution to this build problem in the future, we will make a note of it here.

I was able to install the rest of the necessary modules except for Net::DNS without having to 'force install'. Some modules were already installed. In theory these commands should just all work:

perl -MCPAN -e 'install Crypt::OpenSSL::RSA'
perl -MCPAN -e 'install Mail::Address'
perl -MCPAN -e 'install MIME::Base64'
perl -MCPAN -e 'install Net::DNS'
perl -MCPAN -e 'install Net::Server'
perl -MCPAN -e 'install Test::More'

In my experience though, there is usually some finagling you have to do here.

On Debian Etch

A CPAN name like Crypt::OpenSSL::RSA translates into a Debian package name of libcrypt-openssl-rsa-perl. So a::b::c is liba-b-c-perl. Thus, you want libcrypt-openssl-rsa-perl libmail-address-perl libmime-base64-perl ...

However, Mail::Address and Test::More don't seem to be packaged in the Etch repos, so we'll install them via CPAN as above.

Debian already has libmail-dkim-perl, which is Mail::DKIM, the replacement for dkfilter (per Jason Long's site). However, the Etch package is old.
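The module list above and the Etch naming rule (a::b::c becomes liba-b-c-perl) lend themselves to a quick pre-flight check; this is an added example, not a script from the dkfilter project, and it assumes a perl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): report which of the Perl modules
# dkfilter needs are missing, and print the Debian package name for each one.

# Modules listed in the install steps above.
DKFILTER_MODULES="Crypt::OpenSSL::RSA Mail::Address MIME::Base64 Net::DNS Net::Server Test::More"

# Succeeds when perl can load the named module, fails otherwise.
perl_module_present() {
  perl -M"$1" -e 1 >/dev/null 2>&1
}

# Map a CPAN module name to Debian's naming convention: a::b::c -> liba-b-c-perl.
debian_pkg_name() {
  printf 'lib%s-perl\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/::/-/g')"
}

# Print one line per module; return 1 if any module is missing.
check_dkfilter_modules() {
  missing=0
  for mod in $DKFILTER_MODULES; do
    if perl_module_present "$mod"; then
      printf 'ok      %s\n' "$mod"
    else
      printf 'missing %s (Debian package: %s)\n' "$mod" "$(debian_pkg_name "$mod")"
      missing=1
    fi
  done
  return $missing
}

check_dkfilter_modules || echo "install the missing modules before building dkfilter" >&2
```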

On Debian Lenny

You should use libmail-dkim-perl instead.

On EL5

I prefer to install the rpmforge repo and then the perl module RPMs from there. Install rpmforge-release-0.3.6-1.el5.rf.i386.rpm and yum-protectbase (important!). Then install …

Install dkfilter

With the required modules installed, I downloaded the latest dkfilter tarball, built and installed it, and created a user for it to run as:

wget http://jason.long.name/dkfilter/dkfilter-0.11.tar.gz
# unpack the archive and build from inside it
tar xzf dkfilter-0.11.tar.gz
cd dkfilter-0.11
./configure --prefix=/usr/local/dkfilter
make install
# unprivileged account with no login shell for the filter to run as
adduser -s /sbin/nologin dkfilter

The package archive comes with a sample init script, which I copied into place and found needed only one small edit to work in my environment.

cp sample-dkfilter-init-script.sh /etc/init.d/dkfilter
chmod +x /etc/init.d/dkfilter

I happened to notice that 'hostname -d' only echoed "com" on my host, but 'hostname -f' seemed to give the correct output. I edited the script:

#This won't work 
#DOMAIN=`hostname -d`
DOMAIN=`hostname -f`

You may find the script doesn't need to be changed for your environment, or that more edits are necessary.

Then in /usr/local/dkfilter I created a private/public key pair:

openssl genrsa -out private.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
....++++++
e is 65537 (0x10001)
openssl rsa -in private.key -pubout -out public.key
writing RSA key
chown dkfilter.dkfilter *.key
chmod 600 *.key

After this I pasted the master.cf entries from the dkfilter page listed above into /etc/postfix/master.cf.

It was important to read the FAQ and add this content_filter option to the pickup service in master.cf:

pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=dksign:127.0.0.1:10027

This is important if you are sending mail locally from an application, i.e. automated responders which email passwords to your users.
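A check for the pickup requirement above, written as an added example (not part of the original page or the dkfilter project): it parses a master.cf and reports which services route through dksign. It assumes the filter name dksign from the snippet above; the service names to check are passed by the caller.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the named Postfix
# services hand mail to the dksign content filter. In master.cf a service
# entry starts in column 1 and its "-o" overrides are indented continuation
# lines, so the scan tracks which service the current line belongs to.

# Print the content_filter value set for SERVICE in FILE; fail if none is set.
master_cf_content_filter() {
  awk -v svc="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                       # comments and blanks
    /^[^ \t]/ { cur = $1; next }                            # a new service entry
    cur == svc && $1 == "-o" && $2 ~ /^content_filter=/ {   # indented override
      sub(/^content_filter=/, "", $2); print $2; found = 1
    }
    END { if (!found) exit 1 }
  ' "$1"
}

# dksign_check FILE SERVICE...: return 1 if any service is not routed to dksign.
# Locally submitted mail (pickup) is the case the text above warns about.
dksign_check() {
  file=$1; shift; rc=0
  for svc in "$@"; do
    if f=$(master_cf_content_filter "$file" "$svc") && [ "${f#dksign:}" != "$f" ]; then
      echo "$svc: signed via $f"
    else
      echo "$svc: not routed to dksign, mail on this path goes out unsigned" >&2
      rc=1
    fi
  done
  return $rc
}
```

Usage: dksign_check /etc/postfix/master.cf pickup, adding the service your applications submit through (the 587 listener, for instance) as further arguments.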

Editing your DNS Zone records

This is easy to do using your Rimuhosting DNS control panel. From the control panel, go to "Manage your DNS", if you have more than one domain, select the zone you want to add domain keys to.

In the "Edit" menu, click on "Text (TXT)". Your current records will be displayed, and beneath that will be a box to add a new record. We are going to add two records: a policy record and a selector record.

First the policy

In the "Name" field, put:

_domainkey

In the "Value" field put:

t=y; o=~

You can check this record here: >>http://domainkeys.sourceforge.net/policycheck.html

To find the meaning of this concise and cryptic code, consult section 3.6.2 "Interim sending domain policy" of the Domain Keys Internet Draft available here: >>http://sourceforge.net/docman/index.php?group_id=107680

Assuming you are following the install instructions on the dkfilter page (>>http://jason.long.name/dkfilter/) to the letter, your next step is to add the selector record.

In the "Name" field, put:

selector1._domainkey

In the "Value" field you will put something like this:

k=rsa; p=MHwwDQYJK … OprwIDAQAB; t=y
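The p= value is the base64 body of public.key with the BEGIN/END lines removed and the line breaks joined; the helpers below build that value and check a record against the key file. This is an added example, not code from the page or the dkfilter project; it assumes the PEM layout written by the openssl rsa -pubout step above and, for the DNS lookup, that dig is installed.

```shell
#!/bin/sh
# Added example (not from the original page): build the selector TXT value
# from a PEM public key and check a record string against that key.

# Drop the -----BEGIN/END----- lines and join the base64 body into one line.
# t=y marks the selector as being in test mode, per the DomainKeys draft.
dk_selector_value() {
  b64=$(grep -v '^-----' "$1" | tr -d '\n\r ')
  [ -n "$b64" ] || { echo "no key data in $1" >&2; return 1; }
  printf 'k=rsa; p=%s; t=y\n' "$b64"
}

# Extract one tag (k, p or t) from a "tag=value; tag=value" record string.
dk_record_tag() {
  printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | tr -d ' \r'
}

# Return 0 when the p= value in RECORD equals the key in PEM_FILE, 1 otherwise.
dk_record_matches_key() {
  want=$(grep -v '^-----' "$2" | tr -d '\n\r ')
  [ -n "$want" ] && [ "$(dk_record_tag "$1" p)" = "$want" ]
}

# Fetch what is actually published (needs dig and network). A long TXT record
# is split into several quoted strings; this re-joins them into one line.
dk_published_record() {
  dig +short TXT "$1._domainkey.$2" | tr -d '"' | tr -d '\n'; echo
}

# Usage:
#   dk_selector_value /usr/local/dkfilter/public.key
#   dk_record_matches_key "$(dk_published_record selector1 example.com)" public.key
```

Key size caveat: the 1024-bit key generated above is the minimum current DKIM guidance allows (RFC 8301 recommends 2048-bit signing keys); a 2048-bit p= value exceeds the 255-byte limit of a single TXT string and must be entered as several quoted strings, which the dig helper re-joins.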

You can test your setup by emailing test@dktest.jason.long.name; you should get a happy message back saying something like this:

*** This is an automated response ***

This is the result of the message verification: pass

You can also test here: >>http://domainkeys.sourceforge.net/selectorcheck.html

But the ultimate test is to send a message to Yahoo, especially if your previous logs had entries like this in them:

postfix/smtp[17266]: connect to b.mx.mail.yahoo.com[66.196.97.250]: server refused to talk to me: 421 Message from (xx.xx.xxx.xx) temporarily deferred - 4.16.50. Please refer to >>http://help.yahoo.com/help/us/mail/defer/defer-06.html   (port 25)

After setting up domain keys you should get something like this in your logs:

dkfilter.out[15741]: DomainKeys signing - signed;

The Yahoo webmail client will say something like this underneath the sender's email address:

Yahoo! DomainKeys has confirmed that this message was sent by root@yourdomain.com

Using JavaMail?

Now change the default port JavaMail sends on from 25 to 587 so that outgoing messages are signed, e.g. if your Java app sends automated emails to your site's users.
