In case the howtoforge articles vanish, here's the gist:
sudo apt-get install dkim-filter
sudo mkdir /var/dkim-filter
cd /var/dkim-filter
sudo openssl genrsa -out private.key 1024
sudo openssl rsa -in private.key -out public.key -pubout -outform PEM
sudo vim /etc/dkim-filter.conf

Here, un-comment the following, with the appropriate domain name. The selector can be anything, only remember to set the same selector name in DNS. Relevant dkim-filter.conf settings:

# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
#UMask 002
# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain DOMAIN.TLD
KeyFile /var/dkim-filter/private.key
Selector mail
# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart no
Background yes
Canonicalization simple
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
SubDomains no
UseSSPDeny no
X-Header no

Actually, setting X-Header to yes is useful for initial debugging - then, checking the headers shows you right away if the milter is working. (Milter = Mail API Filter, from sendmail-speak). Then

sudo /etc/init.d/dkim-filter start
sudo vi /etc/postfix/main.cf

to add the following lines to the end,

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

And then finally restart with

sudo /etc/init.d/postfix restart

The DNS record to be set is of the form

mail._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=MIGfKh1FC.....bfQIDAQAB"

where mail is the selector, DOMAIN.TLD should be your domain name and the p= value is the key from /var/dkim-filter/public.key (the base64 text between the BEGIN and END lines, joined into one line).
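
A check you can run on the TXT value before publishing it, as an added example (not part of the original post or of dkim-filter): it builds the p= value from the contents of public.key, reads the RSA modulus size out of the key, and flags t=y and short keys. The function names and the sample record are constructed for illustration; the sample key uses a dummy modulus.

```python
import base64

def pem_to_p(pem_text):
    """p= value: body of public.key without the BEGIN/END armor or newlines."""
    lines = (line.strip() for line in pem_text.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))

def parse_tags(txt):
    """Split 'k=rsa; t=y; p=...' into a tag -> value dict (whitespace dropped)."""
    pairs = (item.partition("=") for item in txt.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, _, v in pairs}

def tlv(buf, pos):
    """Read one DER element at pos; return (value_bytes, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    spki, _ = tlv(base64.b64decode(p_b64), 0)   # outer SEQUENCE
    _, pos = tlv(spki, 0)                       # skip AlgorithmIdentifier
    bitstr, _ = tlv(spki, pos)                  # BIT STRING wrapping RSAPublicKey
    rsakey, _ = tlv(bitstr[1:], 0)              # drop the unused-bits byte
    modulus, _ = tlv(rsakey, 0)                 # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()

def audit(txt):
    """Return (key_bits or None, findings) for one DKIM key record."""
    tags, findings = parse_tags(txt), []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is testing DKIM; verifiers must not treat "
                        "this mail differently from unsigned mail (RFC 6376)")
    if not tags.get("p"):
        return None, findings + ["empty p=: key is revoked (RFC 6376)"]
    bits = rsa_bits(tags["p"])
    if bits < 2048:
        findings.append(f"{bits}-bit RSA key: RFC 8301 says signers SHOULD use 2048+")
    return bits, findings

# Constructed sample: a structurally valid 1024-bit key with a dummy modulus (not a real key).
SAMPLE_DER = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d00308189")
              + bytes.fromhex("02818100") + b"\xc3" * 128 + bytes.fromhex("0203010001"))
SAMPLE_TXT = "k=rsa; t=y; p=" + base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    print(audit(SAMPLE_TXT))
```
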

Once the DNS record propagates, you can check by sending email to Yahoo or Gmail - Gmail shows as "signed by radiosai.org" when you click show details. domainkeys.sourceforge.net lists some test tools - some of them are a bit flaky. I got dkim=pass from crynwr.com but sa-test@sendmail.net reported my SPF as bad - I thought it was working.