View Issue Details

ID: 0000545
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2014-04-21 18:32
Reporter: Daniel Black
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Summary: 0000545: dkim deployment
Description: The following steps deploy DKIM on all mail-sending servers of CAcert.

scp root@lists.cacert.org:~/dkim-filter_2.5.5-1_i386.deb (to XXXX machine)

dpkg -i dkim-filter_2.5.5-1_i386.deb

check that the user and group dkim-filter exist; create them otherwise

check the following directory with permissions/ownership
/var/run/dkim-filter
drwxr-xr-x 2 dkim-filter dkim-filter 4096 May 4 12:35 /var/run/dkim-filter

create the following file with the SOCKET contents
/etc/default/dkim-filter
SOCKET="local:/var/spool/postfix/milter/dkim-filter.sock"

create the following directory with permissions/ownership
/var/spool/postfix/milter/
drwxr-xr-x 2 dkim-filter root 4096 May 4 12:01 /var/spool/postfix/milter/

create the following directory with permissions/ownership
/etc/mail/dkim-filter/
drwx------ 3 dkim-filter root 4096 May 4 12:00 /etc/mail/dkim-filter/

cd /etc/mail/dkim-filter/
# dkim-genkey -s XXXX

XXXX is something meaningful and unique for each server. I'm going with
a servername convention.
e.g. mail, cert, backup, mainweb, wiki

create the following file with the following contents
/etc/dkim-filter.conf
Background Yes
Mode s
Canonicalization relaxed/simple
Domain cacert.org
KeyFile /etc/mail/dkim-filter/XXXX.private
Selector XXXX
Syslog Yes
SyslogSuccess Yes
Umask 0000

/etc/init.d/dkim-filter start

update-rc.d dkim-filter defaults

add the following to the Postfix configuration file /etc/postfix/main.cf
# DKIM filter
# http://www.postfix.org/MILTER_README.html
smtpd_milters = unix:/milter/dkim-filter.sock
non_smtpd_milters = $smtpd_milters
# what to do if the dkim filter fails
milter_default_action = accept
milter_command_timeout = 5s
milter_connect_timeout = $milter_command_timeout
milter_content_timeout = 60s

add XXXX.txt as a DNS record replacing 'g=*' with t=y (test mode)

please also add the following as it seems to have been lost
mail._domainkey IN TXT "v=DKIM1; t=y; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOZV5h3rm18QRiNfNnwXadX8jeSC3zjpU7GFNTfZk1ifjLxrlVrSsfAvlVfFvR2/uQXegwEkiNV5bd57d989T+VVLZZbSv+OAXX4ZwihsLkf3huDszKtJTvsybqUNh97OE00THSyJCrcowFDcLv5IN2ULCOlMjTqbZxZuaNW0S6wIDAQAB" ; ----- DKIM mail for cacert.org

all DNS records should exist under _domainkey.cacert.org

dig -t txt mail._domainkey.cacert.org should show the above DNS entry.

send email to check-auth@verifier.port25.com / sa-test@sendmail.net to see if the DKIM signing works.
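The record the description asks to publish (and the lists one in the first note) can be sanity-checked offline before it goes into DNS, rather than only after the fact with the port25 autoresponder. What follows is an added example for this ticket, standard library Python only, and not CAcert's or dkim-filter's code: it parses a DKIM key record the way a zone file carries it (joining a value that DNS or a wrapped line has split), rejects the deprecated g= tag, decodes the p= value far enough to report the RSA modulus size, and applies the "replace g=* with t=y" edit the description asks for. MAIL_RECORD is the mail._domainkey record copied from the ticket; the function names, the min_bits threshold and the message strings are this example's own choices. The ticket's key turns out to be 1024-bit, which is the floor RFC 8301 sets for signers; 2048-bit is what it recommends today.

```python
"""Offline sanity check for a DKIM key record before it goes under _domainkey.
Added example for this ticket; standard library only, not CAcert's or
dkim-filter's code."""
import base64
import re

# The mail._domainkey record quoted in the ticket, re-joined into the single
# string a zone file carries (copied from the ticket, not generated here).
MAIL_RECORD = (
    "v=DKIM1; t=y; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOZV5h3rm18QRiNfNnwXadX8jeSC3zjpU7GFNTfZk1ifjLxrlVrSsfAvlVfFvR2/uQXegwEkiNV5bd57d989T+VVLZZbSv+OAXX4ZwihsLkf3huDszKtJTvsybqUNh97OE00THSyJCrcowFDcLv5IN2ULCOlMjTqbZxZuaNW0S6wIDAQAB"
)

# Shape of the XXXX.txt that the dkim-genkey of the day wrote (g=* instead of
# t=y); constructed here from the same key to show the edit the ticket wants.
GENKEY_STYLE_RECORD = MAIL_RECORD.replace("t=y", "g=*")

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def parse_tags(record):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict.
    Whitespace inside a value is dropped, which re-joins a p= that DNS or a
    line wrap has split across several strings."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Modulus size of the SubjectPublicKeyInfo blob that p= carries."""
    tag, spki, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("p= is not a SEQUENCE")
    tag, algid, pos = _der_tlv(spki, 0)          # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_tlv(spki, pos)         # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("bad subjectPublicKey BIT STRING")
    tag, rsakey, _ = _der_tlv(bitstr[1:], 0)     # RSAPublicKey ::= SEQUENCE { n, e }
    tag, n, _ = _der_tlv(rsakey, 0)
    if tag != 0x02:
        raise ValueError("modulus missing")
    return int.from_bytes(n, "big").bit_length()


def key_bits(record):
    """Modulus size of the key in a record (raises if it does not decode)."""
    return rsa_modulus_bits(base64.b64decode(parse_tags(record)["p"], validate=True))


def check_record(record, min_bits=1024):
    """Return a list of problems; an empty list means the record is publishable."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa keys are handled here")
    if "g" in tags:
        problems.append("g= tag was removed in RFC 6376; drop it")
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
        return problems
    try:
        bits = key_bits(record)
    except (ValueError, IndexError) as exc:   # binascii.Error is a ValueError
        problems.append("p= does not decode to an RSA key: %s" % exc)
        return problems
    if bits < min_bits:
        problems.append("RSA modulus is %d bits, below %d" % (bits, min_bits))
    return problems


def set_test_mode(record):
    """The ticket's edit: drop g=* and mark the domain as testing (t=y, RFC 6376
    section 3.6.1), keeping p= last as the ticket's records have it."""
    tags = parse_tags(record)
    tags.pop("g", None)
    tags["t"] = "y"
    order = ["v", "t", "k", "p"]
    keys = [k for k in order if k in tags] + [k for k in tags if k not in order]
    return "; ".join("%s=%s" % (k, tags[k]) for k in keys)


if __name__ == "__main__":
    for name, rec in (("mail (ticket)", MAIL_RECORD), ("genkey style", GENKEY_STYLE_RECORD)):
        print(name, key_bits(rec), "bit RSA,", check_record(rec) or "ok")
    print("after set_test_mode:", set_test_mode(GENKEY_STYLE_RECORD)[:40], "...")
```

Run it as a script for the report on the ticket's key, or feed check_record() the quoted part of a freshly generated XXXX.txt. One publishing detail the check does not cover: a single TXT string is limited to 255 bytes, so a 2048-bit p= has to be split into several quoted strings in the zone file, which is exactly the whitespace-joining parse_tags() tolerates.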

Tags: No tags attached.
Reviewed by
Test Instructions

Relationships

related to 0000679 new Infrastructure request bugs.cacert.org email are DKIM signed 
related to 0001274 new Infrastructure DMARC for Cacert.org 

Activities

Daniel Black

2008-05-31 03:40

reporter   ~0001091

note 1: dkim-filter_2.5.5.dfsg-1_i386.deb is now the official deb-src upstream package generated on lists. This no longer half-installs like my previous hack job.

note 2:
the dkim key for lists._domainkey.lists.cacert.org is:
lists._domainkey IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs2Hu5HQpT5FWj2TrqHZwFM/h0Tc35idlBviaArkdp5fRPx402ID+pMYZZW6lVM/IJlmeTqPGO73oQyl/tFlnXWj/X8p809IFqWnKWzGKJLhnxMAZW7bmzyjR8siK3It93+s5mu9r/4pwHCW3bEbdtKartd7cud84JO15cLJYA+QIDAQAB" ; ----- DKIM default for lists.cacert.org

note 3: key generation revised:
dkim-genkey -s {selector} -d cacert.org -t -D /etc/mail

Daniel Black

2009-02-22 00:42

reporter   ~0001278

dkim-filter is a debian package.
http://packages.debian.org/etch-backports/dkim-filter

Recommend using inet sockets rather than unix ones; it doesn't require all the fiddling with file permissions.

could also deploy it for bugs.cacert.org

Daniel Black

2009-09-12 09:37

reporter   ~0001479

using http://sourceforge.net/projects/php-dkim/

Would be a lot easier though. Just need to call it with a $body, $subject, and $header and it will return a header to add.

From doco:

// AddDKIM() is php-dkim's signing function; $to, $subject and $body are
// assumed to have been set earlier in the calling script.
$sender='john@example.com' ;
$headers="From: \"Fresh DKIM Manager\" <$sender>\r\n".
        "To: $to\r\n".
        "Reply-To: $sender\r\n".
        "Content-Type: text/html\r\n".
        "MIME-Version: 1.0" ;
// AddDKIM() returns the DKIM-Signature header, which is prepended to the rest
$headers = AddDKIM($headers,$subject,$body) . $headers;

$result=mail($to,$subject,$body,$headers,"-f $sender") ;

DavidMcIlwraith

2012-08-16 09:28

reporter   ~0003142

Last edited: 2012-08-16 09:31


Not recommended practice. The MTA should bear sole responsibility for signing outgoing electronic mail, which is why OpenDKIM is implemented as a milter (noting that dkim-filter has been abandoned for many years now, and that OpenDKIM is its replacement).

[Edit: php-dkim has also not been updated since 2009]
[Edit 2: There is no need for unique DKIM selectors for each server per se, merely that the private keys utilised by each selector are shared. Thus, it may save significant effort to share a selector for particular boxes.]

LordMike

2014-04-21 18:30

reporter   ~0004749

Has anyone given thought to key rotation?

Issue History

Date Modified Username Field Change
2008-05-04 12:46 Daniel Black New Issue
2008-05-31 03:40 Daniel Black Note Added: 0001091
2009-02-22 00:42 Daniel Black Note Added: 0001278
2009-09-12 09:37 Daniel Black Note Added: 0001479
2012-08-16 09:28 DavidMcIlwraith Note Added: 0003142
2012-08-16 09:29 DavidMcIlwraith Note Edited: 0003142 View Revisions
2012-08-16 09:31 DavidMcIlwraith Note Edited: 0003142 View Revisions
2012-12-18 19:11 Werner Dworak Relationship added related to 0000679
2014-04-21 18:30 LordMike Note Added: 0004749
2014-04-21 18:31 LordMike Relationship added related to 0001274