problem implementing domainkeys


Ben Crowell-2
I'm attempting to implement domainkeys using Jason Long's
dkfilter. (If I'd been more knowledgeable, I'd have done
DKIM instead, but I think my current problem may be unrelated
to domainkeys versus DKIM.)

I've been trying to follow these tutorials:
  http://www.howtoforge.com/postfix_dkfilter_domain_keys_implementation
  http://fluzo.org/blog/post/tutorial-domainkeys-dkim-postfix#3980
  http://wiki.railsmachine.com/UsingDkimEmailAuthentication

I've succeeded in getting it all set up to the point that incoming
mail gets appropriate Authentication-Results headers added to it.
However, my outgoing mail isn't getting DomainKey-Signature
headers added to it, and I can't figure out what's wrong. I have
my public and private keys in /usr/local/dkfilter. A "ps x" shows
that I have both dkfilter.in and dkfilter.out daemons running.
My DNS has what I think are appropriate TXT records
(_domainkey.lightandmatter.com and m1._domainkey.lightandmatter.com).
Below is the relevant section of my /etc/postfix/master.cf
file.

Is there some further configuration step that I'm missing?
Any help would be much appreciated!

- Ben

-----------------------------------------------------------
#
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10025.
#
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_client_connection_count_limit=10
#
# After-filter SMTP server. Receive mail from the content filter on
# localhost port 10026.
#
127.0.0.1:10026 inet n  -       n       -        -      smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#
# specify the location of the DomainKeys signing filter
#
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime
#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
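
An added diagnostic, not part of the original post and not dkfilter or Postfix code: it parses the service entries of the master.cf above and reports which smtpd listeners hand mail to the dksign transport. The sample text is constructed from the posted file with unrelated -o lines omitted, parse_master_cf and signing_report are hypothetical names, and it assumes main.cf sets no global content_filter.

```python
import re

# Constructed sample: filter-related lines from the master.cf posted above.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
127.0.0.1:10026 inet n  -       n       -        -      smtpd
    -o receive_override_options=no_unknown_recipient_checks
submission  inet  n     -       n       -       -       smtpd
    -o content_filter=dksign:[127.0.0.1]:10027
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
"""

def _overrides(s):
    # Collect "-o name=value" pairs; an empty value (content_filter=) is kept.
    return dict(re.findall(r"-o\s+(\w+)=(\S*)", s))

def parse_master_cf(text):
    """Return [(service, type, command, {override: value})] (hypothetical helper)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace():  # leading whitespace continues the previous entry
            if entries:
                entries[-1][3].update(_overrides(raw))
            continue
        f = raw.split()  # service type private unpriv chroot wakeup maxproc command
        entries.append((f[0], f[1], f[7], _overrides(" ".join(f[8:]))))
    return entries

def signing_report(text, transport="dksign"):
    """Map each smtpd listener to 'signed', 'proxy:<dest>' or 'unfiltered'."""
    report = {}
    for service, _type, command, opts in parse_master_cf(text):
        if command != "smtpd":
            continue  # only listeners accept mail; dksign itself is an smtp client
        if opts.get("content_filter", "").split(":", 1)[0] == transport:
            report[service] = "signed"
        elif opts.get("smtpd_proxy_filter"):
            report[service] = "proxy:" + opts["smtpd_proxy_filter"]
        else:
            report[service] = "unfiltered"
    return report

print(signing_report(MASTER_CF))
```

On the posted entries only the submission service is reported as signed; under the stated assumption, mail accepted by the smtp service goes to the proxy filter on 10025 and is never handed to the signing filter on 10027.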


     


Re: problem implementing domainkeys

Barney Desmond
2008/9/13 Ben Crowell <[hidden email]>:
> I'm attempting to implement domainkeys using Jason Long's
> dkfilter. (If I'd been more knowledgeable, I'd have done
> DKIM instead, but I think my current problem may be unrelated
> to domainkeys versus DKIM.)

As far as sysadmins care, dkim==domainkeys. </my experience>
dkfilter supports both. At once. (from the docs, "DKIMproxy can now
add multiple signatures in one pass. This lets you, for example,
generate a DomainKey-Signature *and* a DKIM-Signature on your outgoing
messages")

> I've been trying to follow these tutorials:
>  http://www.howtoforge.com/postfix_dkfilter_domain_keys_implementation
>  http://fluzo.org/blog/post/tutorial-domainkeys-dkim-postfix#3980
>  http://wiki.railsmachine.com/UsingDkimEmailAuthentication

For what it's worth, I followed the canonical guide on
dkimproxy.sourceforge.net and got it working. Disclaimer: the customer
that wanted it doesn't care about inwards filtering, just signing for
their outbound mail campaigns.

> However, my outgoing mail isn't getting DomainKey-Signature
> headers added to it, and I can't figure out what's wrong. I have

Assuming the mail *is* actually coming through, your dkfilter+postfix
setup is probably right (my conf-file-reading fu is pretty weak). One
thing our customer discovered when we set it up was that outgoing mail
would get a dkim signature but stubbornly refused to get domainkey'd.

I haven't had a look at dkfilter's code, but I believe signing is done
based on the envelope-from domain, if memory serves me correctly. We
had an odd issue due to the envelope-from not matching the
From/Reply-To header in the mail itself. This was solved with the
addition of a Sender: header matching the envelope-from. Once added,
the mail got both dkim and domainkeys headers as expected.

To my mind, you might as well enable the generation of both headers;
it can't hurt (unless your system is heavily loaded).