I have written a much newer, clearer and better article on DomainKeys signing email `here`_.

About

This guide is a sister to another guide I wrote a while back about how to use DomainKeys Identified Mail (DKIM) with Postfix on Debian, which can be read here - /2010/01/11/dkim-on-debian-with-postfix/.

DomainKeys is an older implementation than DKIM, DKIM is a merge of DomainKeys and Identified Mail. Both DomainKeys and DKIM are used so having both configured is a good idea.

Getting started

Lets start off by installing the dk-filter

sudo apt-get install dk-filter

Once installed you can can create a public and private key set using the commands below, if you’re already using DKIM you can skip this step and just use your already existing key.

openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
sudo mkdir /etc/mail
sudo cp private.key /etc/mail/dk.key

So that’s the key sorted, now we’ll configure dk-filter.

Open the following file

/etc/default/dk-filter

You should see something like this

# Sane defaults: log to syslog
DAEMON_OPTS="-l"
# Sign for domain.tld with key in /etc/mail/domainkey.key using
# selector '2007' (e.g. 2007._domainkey.domain.tld)
DAEMON_OPTS="$DAEMON_OPTS -d domain.tld -s
/etc/mail/domainkey.key -S 2007"
# See dk-filter(8) for a complete list of options
#
# Uncomment to specify an alternate socket
#SOCKET="/var/run/dk-filter/dk-filter.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
#SOCKET="inet:8892@localhost" # listen on loopback on port 8892
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345

You will need to modify the DAEMON_OPTS, changing the domain (-d), key file and location (-s) and selector (-S), an example is below

# Sane defaults: log to syslog
DAEMON_OPTS="-l"
# Sign for domain.tld with key in /etc/mail/domainkey.key using
# selector '2007' (e.g. 2007._domainkey.domain.tld)
DAEMON_OPTS="$DAEMON_OPTS -d syslog.tv -s /etc/mail/dk.key -S mail"
# See dk-filter(8) for a complete list of options
#
# Uncomment to specify an alternate socket
#SOCKET="/var/run/dk-filter/dk-filter.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
#SOCKET="inet:8892@localhost" # listen on loopback on port 8892
SOCKET="inet:12345@localhost" # listen on loopback on port 12345

You should notice that I specifically told the daemon to run on loopback on port 12345, you should do the same, if you already have something running on that port (like DKIM, which uses the same port in my other guide,) you should set this to something different, like 12346.

On Debian Sid I had problems with DAEMON_OPTS, for some reason the second DAEMON_OPTS was not overwriting and including the first, so I modified it to look like this

# Sane defaults: log to syslog
#DAEMON_OPTS="-l"
# Sign for domain.tld with key in /etc/mail/domainkey.key using
# selector '2007' (e.g. 2007._domainkey.domain.tld)
DAEMON_OPTS="-l -d syslog.tv -s /etc/mail/dk.key -S mail"

The problem meant that when the daemon was actually started, it would not know which domain, key or selector to use, doing the above solved this issue for me.

Now that dk-filter is configured, we can start it

sudo /etc/init.d/dk-filter start

Configuring Postfix

Next we need to modify Postfix to tell it to use dk-filter to sign emails. Lets open up

/etc/postfix/main.cf

Place the following as the end of that file

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

If you’ve already got this defined you simple append to the end, separating with commas

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345, inet:localhost:12346
non_smtpd_milters = inet:localhost:12345, inet:localhost:12346

That’s Postfix configured, we’ll reload it once the DNS is configured.

Configuring the DNS

How you configured your DNS is up to you, you will need to add the following 2 new records

_domainkey.DOMAIN.TLD. IN TXT “t=y; o=-;”

SELECTOR._domainkey.DOMAIN.TLD. IN TXT “k=rsa; t=y; p=YOUR_PUBLIC_KEY_HERE”

Replace the instances of DOMAIN.TLD with your actual mail domain name in both records, SELECTOR was configured in to opendkim earlier, in my example I used mail.

Your key will be called public.key, we created both public and private keys earlier. You only need to add the actual key from between the BEGIN and END lines, e.g. my test one below

-----BEGIN PUBLIC KEY-----
MIGfMWGwregWREGREwgERGREGergerDGdEPzFCAdYnf1Z9nRtfTqwP/mcdGg
NmbY11tCtwwFMu8/qEQwaK/Nc61q0D/z7NYwlsPFi08lnVSHGrewherh5630n
F6S0z961h6li/pOHiJy/l2ehnenhehO3d/NmATY90WlpEDmnlVAMTYgALBFJplp
1ruZ66Bgrewhg43y634567gewrgB
-----END PUBLIC KEY-----

Becomes

:

MIGfMWGwregWREGREwgERGREGerg […snip…] plp1ruZ66Bgrewhg43y634567gewrgB

Now we simply reload the Postfix config with

sudo /etc/init.d/postfix reload

Now you can send test mails once you’re sure DNS changes have propagated. You will see any errors in /var/log/mail.log.

Kura

Anarchist. Pessimist. Bipolar. Hacker. Hyperpolyglot. Musician. Ex pro gamer. Cunt. They/Them.

Kura

Join the discussion

View Source