Pelicanux

Just A Few Random Words

DomainKeys Identified Mail

Setting up DomainKeys Identified Mail

Once SPF was set up, I decided to have a look at the DKIM procedure to help fight spam.

(Well, however necessary the war against spam may be, I have to admit that my purpose is more about getting some Internet reliability and having my emails delivered than about dealing with mails that greylisting or spamassassin already handle.)

The principle is quite different here: with SPF, we publish a policy that the receiver is encouraged to follow for received mail; it is the receiver's responsibility to take whatever action he/she feels appropriate. SPF only states whether mail may or may not be sent from a given location, and it is quite easy to check with a simple DNS request.

With DKIM, there is a cryptographic proof showing that a given mail has been sent from a mail server trusted by the owner of the domain.

The idea is quite simple: the DNS publishes a public key. The mail server owns the related private key and uses it to sign parts of the mail (among them the Subject, From and content-length fields). On receiving the e-mail, the receiver gets the public key from the domain and checks whether the signature matches.
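To make the "sign parts of the mail" step concrete, here is an added Python example (my own code, not from this post or from amavisd-new) implementing the two RFC 6376 canonicalization modes that the amavisd-new configuration further down selects with c => 'relaxed/simple'. It builds the header block that gets signed (the b= tag input) and the body hash (the bh= tag); the RSA signature itself is left out because it needs a key library. The message headers and bodies are constructed samples.

```python
import base64
import hashlib
import re


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization: lowercase the
    field name, unfold continuation lines, collapse runs of whitespace to one
    space and strip whitespace around the value. Forwarding MTAs commonly
    re-fold or re-space headers, which is why 'relaxed' is chosen for them."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
    return f"{name.lower()}:{collapsed}\r\n"


def simple_body(body):
    """RFC 6376 section 3.4.3 'simple' body canonicalization: CRLF line endings,
    empty lines at the very end removed, exactly one trailing CRLF (so an empty
    body becomes a single CRLF). Nothing else is touched: any other change to
    the body in transit breaks the signature."""
    crlf = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return re.sub(r"(\r\n)+\Z", "", crlf) + "\r\n"


def body_hash(body):
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(simple_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_headers(headers, h_tags):
    """Build the header block that is hashed and signed (input to the b= tag).
    `headers` is a list of (name, value) pairs in message order; `h_tags` is the
    list from the h= tag. Per RFC 6376 section 5.4 each name in h= takes the
    last not-yet-used instance of that field (bottom-up), and a name with no
    remaining instance contributes nothing, which lets a signer "over-sign"
    a field so that nobody can add another copy later."""
    remaining = list(headers)
    block = []
    for wanted in h_tags:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                block.append(relaxed_header(*remaining.pop(i)))
                break
    return "".join(block)


if __name__ == "__main__":
    # Constructed sample: the same message as written by the sender and as it
    # might look after a forwarding MTA re-folded and re-spaced the headers.
    original = [("From", "Alice <alice@example.org>"),
                ("Subject", "Re:  DKIM\r\n\tsetup")]
    forwarded = [("from", "Alice   <alice@example.org>"),
                 ("subject", "Re: DKIM setup")]
    h = ["from", "subject"]
    assert signed_headers(original, h) == signed_headers(forwarded, h)
    print(signed_headers(original, h))
    print("bh (empty body):", body_hash(""))
    print("trailing blank lines ignored:", body_hash("Hello\n") == body_hash("Hello\n\n\n"))
    print("anything else breaks it:", body_hash("Hello\n") != body_hash("Hello \n"))
```

The point of the two modes: "relaxed" on headers survives the whitespace and folding changes that mail relays routinely make, while "simple" on the body only forgives trailing empty lines, so a mailing list that appends a footer will invalidate the signature regardless of the mode chosen for headers.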

Let’s go!

The amavisd-new package already provides everything necessary. Let's start by creating the private key:

umask 077                      # directory readable by its owner only
mkdir /var/db/dkim
umask 0022
amavisd-new genrsa /var/db/dkim/pelicanux.net.key.pem
chmod 400 /var/db/dkim/pelicanux.net.key.pem   # private key: read-only, owner only

Let’s try our keys for the first time:

amavisd-new testkeys
TESTING#1: pelicanux._domainkey.pelicanux.net => invalid (public key: not available)

We need to create the public key and to configure our DNS server to publish it:

amavisd-new showkeys
; key#1, domain pelicanux.net, /var/db/dkim/pelicanux.net.key.pem
pelicanux._domainkey.pelicanux.net.   3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFnXMqpRrS34kq1s26yWWryOsG"
  "b3ynJZphpqU4CZrB/32OP1G5XdeNXjl4B3qVEzXifMrrvXv+a2UnXhA1RWKBL2cq"
  "nHnh5QTvQFRpEJNlYTH50tMQU/JT7TvqZSsLxuhKOQ6P0+Rth4T2dsFCySd4jBtJ"
  "AtVNAyX3LQ9Jd/+T/QIDAQAB")

Quite simple: one just has to copy and paste this into the BIND configuration file and increment the serial. That's already done for the DNS. Let's check our key pair:
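Before incrementing the serial, it is worth checking what a verifier will actually see in that record. Here is an added Python check (my own code, not amavisd-new's) that takes the showkeys output above exactly as printed, joins the quoted strings the way a resolver concatenates them, parses the tag list, decodes p= and reads the RSA modulus size out of the DER key. The status strings are modelled on the testkeys output in this post; the ones other than "pass" and "not available" are my own wording.

```python
import base64
import re

# rsaEncryption, OID 1.2.840.113549.1.1.1, as it is encoded inside the DER key
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# The record exactly as `amavisd-new showkeys` printed it above.
SHOWKEYS_OUTPUT = """\
; key#1, domain pelicanux.net, /var/db/dkim/pelicanux.net.key.pem
pelicanux._domainkey.pelicanux.net.   3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFnXMqpRrS34kq1s26yWWryOsG"
  "b3ynJZphpqU4CZrB/32OP1G5XdeNXjl4B3qVEzXifMrrvXv+a2UnXhA1RWKBL2cq"
  "nHnh5QTvQFRpEJNlYTH50tMQU/JT7TvqZSsLxuhKOQ6P0+Rth4T2dsFCySd4jBtJ"
  "AtVNAyX3LQ9Jd/+T/QIDAQAB")
"""


def parse_showkeys(text):
    """Return (owner name, TTL, TXT data) from the BIND-style record.
    A TXT value longer than 255 bytes is written as several quoted strings that
    resolvers concatenate, so they are joined here the same way."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith(";")]
    owner, ttl = lines[0].split()[:2]
    txt = "".join(re.findall(r'"([^"]*)"', "\n".join(lines)))
    return owner, int(ttl), txt


def parse_tags(txt):
    """Parse the 'tag=value; tag=value' list of RFC 6376 section 3.2; folding
    whitespace inside a value (common in a long p=) is not significant."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _der_tlv(buf, pos=0):
    """Read one DER tag-length-value at `pos`; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo holding an RSA key.
    Layout: SEQUENCE { SEQUENCE { OID, NULL }, BIT STRING { SEQUENCE { n, e } } }."""
    tag, spki_body, _ = _der_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, algorithm, pos = _der_tlv(spki_body)
    _, oid, _ = _der_tlv(algorithm)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an RSA public key")
    _, bit_string, _ = _der_tlv(spki_body, pos)
    _, rsa_public_key, _ = _der_tlv(bit_string, 1)   # skip the unused-bits byte
    _, modulus, _ = _der_tlv(rsa_public_key)
    return int.from_bytes(modulus, "big").bit_length()


def check_record(owner, txt):
    """The checks a verifier performs on the fetched record. Status strings are
    modelled on the `amavisd-new testkeys` output in the post (added code)."""
    selector, _, domain = owner.rstrip(".").partition("._domainkey.")
    result = {"selector": selector, "domain": domain, "key_bits": None}
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        result["status"] = "invalid (unsupported version)"
    elif "p" not in tags:
        result["status"] = "invalid (public key: not available)"
    elif tags["p"] == "":
        result["status"] = "invalid (public key: revoked)"   # empty p= means revoked
    elif tags.get("k", "rsa") != "rsa":
        result["status"] = "invalid (unsupported key type)"
    else:
        try:
            result["key_bits"] = rsa_modulus_bits(base64.b64decode(tags["p"]))
            result["status"] = "pass"
        except (ValueError, IndexError):
            result["status"] = "invalid (public key: unparsable)"
    return result


if __name__ == "__main__":
    owner, ttl, txt = parse_showkeys(SHOWKEYS_OUTPUT)
    print(owner, ttl, check_record(owner, txt))
```

The selector and domain recovered from the owner name must match the two first arguments given to dkim_key() in the amavisd-new configuration, otherwise the verifier queries a name that does not exist. The check also reports the key as 1024 bits, which is the minimum RFC 8301 allows signers to use (2048 is the recommended size), so a key generated this way should be rotated to a longer one when the opportunity arises.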

amavisd-new testkeys
TESTING#1: pelicanux._domainkey.pelicanux.net => pass

And now, the amavisd-new configuration:

These lines are to be copied into 50-user, which overrides the other configuration files in case of conflict:

# Some tutorials say this should be 1; in fact, that is for verifying
# incoming mail against DKIM, not for sending mail with a DKIM signature.
$enable_dkim_verification = 0; # disabled to avoid a warning

$enable_dkim_signing = 1;
dkim_key('pelicanux.net', 'pelicanux', '/var/db/dkim/pelicanux.net.key.pem');
@dkim_signature_options_bysender_maps = (
   { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } }
);

# I have commented this out, as mail is not always sent from my internal network
#@mynetworks = qw(
#  127.0.0.0/8
#  x.x.x.x/24
#  x.x.x.x/32
#);

# I prefer these two lines, which always treat e-mail arriving on port 10024 as
# originating, so it gets DKIM-signed
$interface_policy{'10024'} = 'DKIM_ALWAYS';
$policy_bank{'DKIM_ALWAYS'} = { originating => 1, };

Done! Restart amavisd-new, and it's now time for testing :)