DKIMproxy is an SMTP proxy that signs and/or verifies emails using the Mail::DKIM module. It is designed for Postfix, but should work with any SMTP server. It comprises two separate proxies: an "outbound" proxy for signing outgoing email, and an "inbound" proxy for verifying signatures on incoming email. With Postfix, the proxies can operate as either Before-Queue or After-Queue content filters.

Website – http://dkimproxy.sourceforge.net/

Installing DKIMproxy

http://dkimproxy.sourceforge.net/download.html
Prerequisites

cpan install Mail::DKIM
cpan install Crypt::OpenSSL::RSA
cpan install Digest::SHA
cpan install Mail::Address
cpan install MIME::Base64
cpan install Net::DNS
cpan install Net::Server
cpan install Error

Installing DKIMproxy Service:

cd /home/admin/
wget http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.2.tar.gz
tar -xzvf dkimproxy-1.2.tar.gz
cd dkimproxy-1.2
./configure --prefix=/usr/local/dkimproxy
make install
useradd dkimuser
passwd dkimuser
cp sample-dkim-init-script.sh /etc/init.d/dkimproxy
chkconfig --add dkimproxy
chkconfig dkimproxy on

Installing DKIMproxy to sign outbound messages

http://dkimproxy.sourceforge.net/usage.html
Generate a private/public key pair using OpenSSL:

cd /usr/local/dkimproxy/
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkimuser:root private.key
chmod 640 private.key

Pick a selector name, e.g. selector1.
Put the public-key data in DNS, under your domain, using the selector name you picked. Take the contents of the public.key file, remove the PEM header and footer, and concatenate the remaining lines into one long line. Then create a TXT record like this:

selector1._domainkey IN TXT "k=rsa; t=s; p=MHwwDQYJK … OprwIDAQAB"

where selector1 is the name of the selector chosen in the previous step and the p= parameter contains the public key as one long string of characters.
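To turn public.key into that TXT record and sanity-check a record before publishing it, here is an added Python example (stdlib only; it is not part of DKIMproxy or this how-to). The embedded PEM is a constructed SubjectPublicKeyInfo with a deliberately tiny 8-bit RSA modulus so the size check has something to flag; the DER walk, the selector name and the check messages are my own, while the record layout and tag meanings follow RFC 6376. Run it on a real key by passing the contents of public.key to dkim_txt_record().

```python
import base64
import binascii

# Constructed sample: PEM SubjectPublicKeyInfo wrapping an 8-bit RSA modulus
# (n = 0xC3, e = 65537). Real keys are far larger; this one is only for testing.
SAMPLE_PUBLIC_KEY_PEM = """\
-----BEGIN PUBLIC KEY-----
MB0wDQYJKoZIhvcNAQEBBQADDAAwCQICAMMCAwEAAQ==
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_p_value(pem_text):
    """Drop the PEM header/footer and join the base64 lines into one string,
    which is exactly what the p= tag of the DNS record needs."""
    lines = (line.strip() for line in pem_text.splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def dkim_txt_record(selector, pem_text, flags="k=rsa; t=s"):
    """Render the BIND-style TXT line shown in the how-to for this selector."""
    return '%s._domainkey IN TXT "%s; p=%s"' % (selector, flags, pem_to_p_value(pem_text))


def _der_tlv(buf, pos=0):
    """Read one DER tag/length/value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    tag, spki, _ = _der_tlv(der)
    if tag != 0x30:
        raise ValueError("public key is not a DER SEQUENCE")
    _, alg, pos = _der_tlv(spki)  # AlgorithmIdentifier
    _, oid, _ = _der_tlv(alg)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bitstring, _ = _der_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING after AlgorithmIdentifier")
    _, rsa_pub, _ = _der_tlv(bitstring[1:])  # skip the unused-bits byte
    _, modulus, _ = _der_tlv(rsa_pub)  # first INTEGER of RSAPublicKey is n
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_tags(value):
    """Split 'k=rsa; t=s; p=...' into a dict (RFC 6376 tag=value list)."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = val.strip()
    return tags


def check_dkim_record(value):
    """Return (modulus_bits, issues); modulus_bits is 0 when no RSA key could be read."""
    tags, issues = parse_dkim_tags(value), []
    if tags.get("v", "DKIM1") != "DKIM1":
        issues.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        issues.append("k=%s is not RSA; this checker only sizes RSA keys" % tags["k"])
        return 0, issues
    if "y" in tags.get("t", "").split(":"):
        issues.append("t=y: testing mode, verifiers treat the mail as unsigned")
    p = tags.get("p", "")
    if not p:
        issues.append("p= is empty: an empty key means the selector is revoked")
        return 0, issues
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError, IndexError) as exc:
        issues.append("p= does not decode to an RSA public key: %s" % exc)
        return 0, issues
    if bits < 1024:
        issues.append("RSA modulus is %d bits; RFC 6376 requires at least 1024" % bits)
    return bits, issues


if __name__ == "__main__":
    record = dkim_txt_record("selector1", SAMPLE_PUBLIC_KEY_PEM)
    print(record)
    print(check_dkim_record(record.split('"')[1]))
```

The p= value must carry no whitespace; if a DNS provider splits long TXT data into several quoted strings, resolvers concatenate them, so check the value you get back from a lookup rather than the zone-file text.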

Configure DKIMproxy

Create a file named /usr/local/dkimproxy/etc/dkimproxy_out.conf and give it the following content:

# specify what address/port DKIMproxy should listen on
listen 127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to
relay 127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain clubmom.com

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile /usr/local/dkimproxy/private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector clubmomdkim

Start DKIMproxy

service dkimproxy start

Setting up the outbound proxy with Postfix

http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
Edit /etc/postfix/master.cf and add the following (the -o lines must be indented, since Postfix treats a line starting with whitespace as a continuation of the service line above it):

#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

#
# specify the location of the DKIM signing proxy
# Note: we allow "4" simultaneous deliveries here; high-volume sites may
# want a number higher than 4.
# Note: the smtp_discard_ehlo_keywords option requires Postfix 2.2 or
# better. Leave it off if your version does not support it.
#
dksign unix - - n - 4 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls

#
# service for accepting messages FROM the DKIM signing proxy
#
127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

postfix reload
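The three master.cf services and dkimproxy_out.conf have to agree with each other: submission must hand mail to the port DKIMproxy listens on, DKIMproxy must relay to the port of the re-injection service, and that service must clear content_filter so signed mail is not fed back into the proxy. Here is an added Python example (not Postfix, DKIMproxy or this page's own code) that parses both files as text and reports any mismatch. The samples are constructed copies of the configuration above with a hypothetical domain and selector, and the check rules are mine, written from the options the how-to sets.

```python
# Constructed sample: the master.cf services from the how-to, "-o" lines indented.
SAMPLE_MASTER_CF = """\
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
dksign unix - - n - 4 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
"""

# Constructed sample dkimproxy_out.conf (hypothetical domain and selector).
SAMPLE_PROXY_CONF = """\
listen 127.0.0.1:10027
relay 127.0.0.1:10028
domain example.com
keyfile /usr/local/dkimproxy/private.key
selector selector1
"""


def parse_master_cf(text):
    """Return {"name/type": {"cols": [...], "options": {...}}} per service.
    A line starting with whitespace continues the previous service line;
    its "-o name=value" pairs are collected into options."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any service: %r" % raw)
            opt = raw.strip()
            if opt.startswith("-o"):
                name, _, value = opt[2:].strip().partition("=")
                services[current]["options"][name] = value
            continue
        cols = raw.split()
        if len(cols) < 8:
            raise ValueError("service line needs 8 columns: %r" % raw)
        current = "%s/%s" % (cols[0], cols[1])
        services[current] = {"cols": cols[:8], "options": {}}
    return services


def parse_dkimproxy_conf(text):
    """dkimproxy_out.conf is one 'key value' per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def _endpoint(content_filter):
    """'dksign:[127.0.0.1]:10027' -> '127.0.0.1:10027' (transport:[host]:port form)."""
    return content_filter.split(":", 1)[1].replace("[", "").replace("]", "")


def check_signing_pipeline(master_text, proxy_text):
    """Return a list of findings; an empty list means the signing path is consistent."""
    services, proxy, findings = parse_master_cf(master_text), parse_dkimproxy_conf(proxy_text), []
    sub = services.get("submission/inet")
    if sub is None:
        findings.append("no submission/inet service")
    else:
        opts = sub["options"]
        cf = opts.get("content_filter", "")
        if not cf.startswith("dksign:"):
            findings.append("submission does not hand mail to the dksign transport")
        elif _endpoint(cf) != proxy.get("listen"):
            findings.append("submission content_filter %s != DKIMproxy listen %s"
                            % (_endpoint(cf), proxy.get("listen")))
        if "no_address_mappings" not in opts.get("receive_override_options", ""):
            findings.append("submission lacks receive_override_options=no_address_mappings")
        rr = opts.get("smtpd_recipient_restrictions", "")
        if "permit_sasl_authenticated" not in rr or not rr.endswith("reject"):
            findings.append("submission restrictions should permit SASL users and end in reject")
    dk = services.get("dksign/unix")
    if dk is None:
        findings.append("no dksign/unix transport")
    elif dk["options"].get("smtp_send_xforward_command") != "yes":
        findings.append("dksign should send XFORWARD so the original client info is kept")
    relay = proxy.get("relay", "")
    back = services.get("%s/inet" % relay)
    if back is None:
        findings.append("no inet service listening on DKIMproxy relay %s" % (relay or "<unset>"))
    else:
        opts = back["options"]
        if opts.get("content_filter") != "":
            findings.append("re-injection service must set an empty content_filter, "
                            "otherwise signed mail re-enters dksign in a loop")
        if opts.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
            findings.append("re-injection service should only accept mail from mynetworks")
        if opts.get("mynetworks") != "127.0.0.0/8":
            findings.append("re-injection service should limit mynetworks to 127.0.0.0/8")
        if opts.get("smtpd_authorized_xforward_hosts") != "127.0.0.0/8":
            findings.append("re-injection service must accept XFORWARD from 127.0.0.0/8")
    return findings


if __name__ == "__main__":
    print(check_signing_pipeline(SAMPLE_MASTER_CF, SAMPLE_PROXY_CONF) or "signing path OK")
```

To run it against a live host, read /etc/postfix/master.cf and /usr/local/dkimproxy/etc/dkimproxy_out.conf and pass their contents in place of the samples; the parser only handles the service-line plus "-o" layout used above, not every master.cf construct.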

Set up your mail server to send to DKIMproxy

A dev environment is set up on office1, using dev04 as an outbound mail server running DKIMproxy on port 587.

To have sendmail relay through a smarthost on a port other than 25, modify /etc/mail/sendmail.mc:

define(`SMART_HOST',`relay:dev04.clubmom.local')dnl
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl

Then rebuild the configuration and restart sendmail:

make -C /etc/mail
service sendmail restart
