View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000545 | Main CAcert Website | misc | public | 2008-05-04 12:46 | 2014-04-21 18:32 |
| Reporter | Daniel Black | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| Summary | 0000545: dkim deployment | ||||
| Description | The following setups are to deploy DKIM on all mail sending servers of CAcert. scp root@lists.cacert.org:~/dkim-filter_2.5.5-1_i386.deb (to XXXX machine) dpkg -i dkim-filter_2.5.5-1_i386.deb check user and group dkim-filter exists. create otherwise check the following directory with permissions/ownership /var/run/dkim-filter drwxr-xr-x 2 dkim-filter dkim-filter 4096 May 4 12:35 /var/run/dkim-filter create the following file with the SOCKET contents /etc/default/dkim-filter SOCKET="local:/var/spool/postfix/milter/dkim-filter.sock" create the following directory with permissions/ownership /var/spool/postfix/milter/ drwxr-xr-x 2 dkim-filter root 4096 May 4 12:01 /var/spool/postfix/milter/ create the following directory with permissions/ownership /etc/mail/dkim-filter/ drwx------ 3 dkim-filter root 4096 May 4 12:00 /etc/mail/dkim-filter/ cd /etc/mail/dkim-filter/ # dkim-genkey -s XXXX XXXX is something meaningful and unique for each server. I'm going with a servername convention. e.g. mail, cert, backup, mainweb, wiki create the following file with the following contents /etc/dkim-filter.conf Background Yes Mode s Canonicalization relaxed/simple Domain cacert.org KeyFile /etc/mail/dkim-filter/XXXX.private Selector XXXX Syslog Yes SyslogSuccess Yes Umask 0000 /etc/init.d/dkim-filter start update-rc.d dkim-filter defaults add the following to the postfix configuration file- /etc/postfix/main.cf # DKIM filter # http://www.postfix.org/MILTER_README.html smtpd_milters = unix:/milter/dkim-filter.sock non_smtpd_milters = $smtpd_milters # what to do if the dkim filter fails milter_default_action = accept milter_command_timeout = 5s milter_connect_timeout = $milter_command_timeout milter_content_timeout = 60s add XXXX.txt as a DNS record replacing 'g=*' with t=y (test mode) please also add the following as it seems to have been lost mail._domainkey IN TXT "v=DKIM1; t=y; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOZV5h3rm18QRiNfNnwXadX8jeSC3zjpU7GFNTfZk1ifjLxrlVrSsfAvlVfFvR2/uQXegwEkiNV5bd57d989T+VVLZZbSv+OAXX4ZwihsLkf3huDszKtJTvsybqUNh97OE00THSyJCrcowFDcLv5IN2ULCOlMjTqbZxZuaNW0S6wIDAQAB" ; ----- DKIM mail for cacert.org all DNS records should exist under _domainkey.cacert.org dig -t txt mail._domainkey.cacert.org should show the above DNS entry. send email to check-auth@verifier.port25.com / sa-test@sendmail.net to see if the DKIM signing works. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
|
|
note 1: dkim-filter_2.5.5.dfsg-1_i386.deb - is now the official deb-src upstream package generated on lists. This no longer 1/2 installs like my previous hack job.. note 2: the dkim key for lists._domainkey.lists.cacert.org is: lists._domainkey IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs2Hu5HQpT5FWj2TrqHZwFM/h0Tc35idlBvia Arkdp5fRPx402ID+pMYZZW6lVM/IJlmeTqPGO73oQyl/tFlnXWj/X8p809IFqWnKWzGKJLhnxMAZW7bmzyjR8siK3It93+s5mu9r/4pwHCW3bEbdtKartd7cud84JO15cL JYA+QIDAQAB" ; ----- DKIM default for .ist.cacert.org note 3: key generation revised: dkim-genkey -s {selector} -d cacert.org -t -D /etc/mail |
|
|
dkim-filter is a debian package. http://packages.debian.org/etch-backports/dkim-filter recommend using inet sockets rather than unix ones and it doesn't require all the fiddling with file permissions. could also deploy it for bugs.cacert.org |
|
|
using http://sourceforge.net/projects/php-dkim/ Would be a lot easier though. Just need to call it with a $body, $subject, and $header and it will return a header to add. From doco: $sender='john@example.com' ; $headers="From: \"Fresh DKIM Manager\" <$sender>>\r\n". "To: $to\r\n". "Reply-To: $sender\r\n". "Content-Type: text/html\r\n". "MIME-Version: 1.0" ; $headers = AddDKIM($headers,$subject,$body) . $headers; $result=mail($to,$subject,$body,$headers,"-f $sender") ; |
|
|
Not recommended practice. The MTA should bear sole responsibility for signing outgoing electronic mail, which is why OpenDKIM is implemented as a milter (noting that dkim-filter has been abandoned for many years now, and that OpenDKIM is its replacement). [Edit: php-dkim has also not been updated since 2009] [Edit 0000002: There is no need for unique DKIM selectors for each server per se, merely that the private keys utilised by each selector are shared. Thus, it may save significant effort to share a selector for particular boxes.] |
|
|
Has anyone given thought to key rotation? |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2008-05-04 12:46 | Daniel Black | New Issue | |
| 2008-05-31 03:40 | Daniel Black | Note Added: 0001091 | |
| 2009-02-22 00:42 | Daniel Black | Note Added: 0001278 | |
| 2009-09-12 09:37 | Daniel Black | Note Added: 0001479 | |
| 2012-08-16 09:28 | DavidMcIlwraith | Note Added: 0003142 | |
| 2012-08-16 09:29 | DavidMcIlwraith | Note Edited: 0003142 | |
| 2012-08-16 09:31 | DavidMcIlwraith | Note Edited: 0003142 | |
| 2012-12-18 19:11 | Werner Dworak | Relationship added | related to 0000679 |
| 2014-04-21 18:30 | LordMike | Note Added: 0004749 | |
| 2014-04-21 18:31 | LordMike | Relationship added | related to 0001274 |
