Wednesday, May 27, 2009

Signing emails with DKIM

Yahoo once again started rejecting mails from our mail server. I wanted to title this post "Yahoo mail admins need to grow up" but then thought better of it. After filling in their bulk sender form for the third time, I decided to enter their Complaint Feedback Loop programme. I had to implement DKIM first, so I headed over to howtoforge after googling. The test mechanisms were in the CentOS setup page, and the DNS setup required a request to our ISP. Then I signed up for the complaint feedback loop, and the next day got 3 'complaints': these 3 guys marked our mail as spam, causing Yahoo to block 3000 of our subscribers.

In case the howtoforge articles vanish, here's the gist:
sudo apt-get install dkim-filter
sudo mkdir /var/dkim-filter
cd /var/dkim-filter
sudo openssl genrsa -out private.key 1024
sudo openssl rsa -in private.key -out public.key -pubout -outform PEM
sudo vim /etc/dkim-filter.conf
Here, un-comment the following, with the appropriate domain name. The selector can be any label; just remember to use the same selector name in the DNS record. Relevant dkim-filter.conf settings:
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
#UMask 002

# Sign for DOMAIN.TLD with the key in /var/dkim-filter/private.key using
# selector 'mail' (i.e. the DNS record mail._domainkey.DOMAIN.TLD)
Domain DOMAIN.TLD
KeyFile /var/dkim-filter/private.key
Selector mail

# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart no
Background yes
Canonicalization simple
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
SubDomains no
UseSSPDeny no
X-Header no
Actually, setting X-Header to yes is useful for initial debugging: checking the headers of a received message then shows you right away whether the milter is working. (Milter = Mail API Filter, in sendmail-speak.) Then
sudo /etc/init.d/dkim-filter start
sudo vi /etc/postfix/main.cf
to add the following lines to the end,
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
And then finally restart with
sudo /etc/init.d/postfix restart
The DNS record to be set is of the form
mail._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=MIGfKh1FC.....bfQIDAQAB"
where mail is the selector, DOMAIN.TLD is your domain name, and the p= value is the key from /var/dkim-filter/public.key
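The public.key file written by openssl above is PEM: a BEGIN line, the base64 key body wrapped at 64 columns, and an END line. Only the base64 body goes into the p= tag, joined onto one line. The shell functions below build the TXT record from that file. This is an added example, not part of the original post or of dkim-filter; the PEM key embedded in it is a constructed, non-functional sample, and the selector/domain arguments are whatever you configured. It also adds the v=DKIM1 tag that the post's record omits (RFC 4871 recommends it) and keeps t=y, the test-mode flag, as an optional third argument, since t=y tells verifiers the domain is still testing and should be dropped once signing is confirmed to work.

```shell
# dkim_p_value: print the base64 key body of a PEM public key on one line.
# usage: dkim_p_value < /var/dkim-filter/public.key
dkim_p_value() {
  grep -v '^-----' | tr -d '\n'
}

# dkim_txt_record SELECTOR DOMAIN [y|n] < public.key
# Prints a zone-file line for SELECTOR._domainkey.DOMAIN.  The third argument
# controls the t=y test-mode flag (default y, matching the post); pass n once
# the key is known to work.
dkim_txt_record() {
  selector="$1"; domain="$2"; testing="${3:-y}"
  p=$(dkim_p_value)
  flags=""
  if [ "$testing" = "y" ]; then
    flags="t=y; "
  fi
  printf '%s._domainkey.%s. IN TXT "v=DKIM1; k=rsa; %sp=%s"\n' \
    "$selector" "$domain" "$flags" "$p"
}

# Constructed sample standing in for /var/dkim-filter/public.key.
# This is NOT a real key, just PEM-shaped text to exercise the functions.
SAMPLE_PUBKEY='-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7
EXAMPLEEXAMPLEEXAMPLEEXAMPLE
-----END PUBLIC KEY-----'

# Sample usage (with a real key: dkim_txt_record mail DOMAIN.TLD < public.key)
printf '%s\n' "$SAMPLE_PUBKEY" | dkim_txt_record mail example.com
```

A 1024-bit key as generated above yields a p= value of roughly 216 characters, which fits in one DNS TXT character-string; a single TXT string is limited to 255 bytes, so a 2048-bit key's record would have to be split into several quoted strings in the zone file.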

Once the DNS propagates, you can check by sending email to Yahoo or Gmail: Gmail shows "signed by radiosai.org" when you click "show details". domainkeys.sourceforge.net lists some test tools, some of which are a bit flaky. I got dkim=pass from crynwr.com, but sa-test@sendmail.net reported my SPF as bad, which I thought was working.
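Before relying on an external tester, you can confirm locally that the milter is actually signing with the domain and selector you configured: the DKIM-Signature header it adds carries d= (domain) and s= (selector) tags, and a verifier will look up s._domainkey.d in DNS. The shell functions below unfold that header from a saved message and compare the two tags against the expected values. This is an added example, not part of the original post or of dkim-filter; the message embedded in it is a constructed sample with a fake signature, and the function and variable names are my own.

```shell
# dkim_sig_header < message: print the DKIM-Signature header on one line,
# with folded continuation lines (leading space or tab) joined back on.
dkim_sig_header() {
  awk '
    function flush() { if (cur ~ /^DKIM-Signature:/) print cur; cur = "" }
    /^$/       { exit }              # end of header section
    /^[ \t]/   { cur = cur $0; next } # continuation of the current header
               { flush(); cur = $0 } # a new header starts
    END        { flush() }
  '
}

# dkim_sig_tag TAG < message: print the value of TAG (d, s, a, c, ...)
dkim_sig_tag() {
  tag="$1"
  dkim_sig_header | sed 's/^DKIM-Signature://' | tr -d ' \t' | tr ';' '\n' |
    sed -n "s/^$tag=//p" | head -n 1
}

# dkim_check_signature DOMAIN SELECTOR < message
# Returns 0 when the message carries a signature for the expected domain and
# selector, 1 otherwise, and says which DNS name a verifier will query.
dkim_check_signature() {
  domain="$1"; selector="$2"
  msg=$(cat)
  d=$(printf '%s\n' "$msg" | dkim_sig_tag d)
  s=$(printf '%s\n' "$msg" | dkim_sig_tag s)
  if [ -z "$d" ]; then
    echo "no DKIM-Signature header: the milter did not sign this message"
    return 1
  fi
  if [ "$d" != "$domain" ] || [ "$s" != "$selector" ]; then
    echo "signed, but d=$d s=$s (expected d=$domain s=$selector)"
    return 1
  fi
  echo "signed by d=$d s=$s; verifiers will query ${s}._domainkey.${d} TXT"
  return 0
}

# Constructed sample message; the bh= and b= values are placeholders,
# not a real signature.  Continuation lines are folded with leading spaces.
SAMPLE_MSG='Received: from localhost (localhost [127.0.0.1])
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
  s=mail; t=1243400000; bh=EXAMPLEBODYHASH=;
  h=From:To:Subject:Date; b=EXAMPLESIG==
From: postmaster@example.com
Subject: test

hello'

# Sample usage (with a real message: dkim_check_signature DOMAIN.TLD mail < msg.eml)
printf '%s\n' "$SAMPLE_MSG" | dkim_check_signature example.com mail
```

This only checks that the signature is present and names the right key; whether it verifies still depends on the DNS record matching the private key, which is what the external testers and Gmail's "show details" confirm.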
