artmouse · November 25, 2014 13:48
diff --git a/DKIM_SPF_Sendmail b/DKIM_SPF_Sendmail
 DKIM is DomainKeys Identified Mail and is used in mail servers, such as Postfix or Sendmail to sign e-mails and thus authenticating the sender so that a forgery can be detected. It also reduces the possibility of an e-mail being flagged as spam, but it's not a definite prevention.

 A much simpler method is using SPF (Sender Policy Framework) which, in a nutshell, verifies the sender IP address.

 According to the internet, using both should result to ????, PROFIT !!!.

 SPF does not need a specific configuration. Whitelisted servers are listed in a DNS record, TXT or SPF, and an example record is:

 example.com. IN TXT "v=spf1 a mx ~all"


 And that's preety much it, for the simplest case there is. This record specifies the policy (v=spf1), whitelisted servers (a and mx records), and ~all states that every other IP address should be tagged as SOFTFAIL.
 It can get much more complicated than this, so RTFM.

 Okay, so, DKIM.

 DKIM includes a cryptographic hash in the e-mail header which is calculated with the private key (on the server) and verified with the public key (in the DNS record).

 DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
     c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
     h=from:to:subject:date:keywords:keywords;
     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
              VoG4ZHRNiYzR



 First, install opendkim.

 apt-get install opendkim


 Edit the configuration file of opendkim.conf, located in /etc/opendkim.conf.

 AutoRestart             Yes
 UMask                   002
 Syslog                  yes
 AutoRestartRate         10/1h
 Canonicalization        relaxed/simple
 ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
 InternalHosts           refile:/etc/opendkim/TrustedHosts
 KeyTable                refile:/etc/opendkim/KeyTable
 LogWhy                  Yes
 Mode                    sv
 PidFile                 /var/run/opendkim/opendkim.pid
 SignatureAlgorithm      rsa-sha256
 SigningTable            refile:/etc/opendkim/SigningTable
 Socket                  inet:8891@localhost
 SyslogSuccess           Yes
 TemporaryDirectory      /var/tmp
 UserID                  opendkim:opendkim

 As you can see, there are three more files to be added, TrustedHosts (whitelisted IPs that can sign e-mails), KeyTable (multiple domain configuration for public and private keys) and SigningTable (whitelisted users that can sign e-mail).

 /etc/opendkim/TrustedHosts:

 127.0.0.1
 example.com
 192.168.0.1/24

 You get the idea.

 /etc/opendkim/SigningTable:

 *@example.com default._domainkey.example.com

 All users from @example.com can sign. You can specifiy usernames and domains, instead of the wildcard, for additional security.

 /etc/opendkim/KeyTable:

 default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com.pvt

 Location of the private key and name of the DNS record for each domain. The "default" before _domainkey.example.com and :default: is a selector. This can be changed to something else.

 Next, we need to generate the public and private key for each domain.
 Shouldn't be too difficult.
 If some folders don't exist, just create them.

 root@ubuntu:/etc/opendkim/keys# opendkim-genkey -D /etc/opendkim/keys/example.com -d example.com -s default

 Again -s flag is for the selector. If you changed it, you need to enter it here.
 The command generates a private key (default) and public key (default.txt). You will probably rename them, to match the configuration.
 An important note here is that the files are owned by user opendkim, or you will get permission denied errors in /var/log/mail.err. Default permissions on those files are -rw------.

 Move the private key to where you specified it should be in the KeyTable.
 Insert the public key in your DNS as a TXT record.

 Next up, telling sendmail to talk to opendkim.
 Edit /etc/mail/sendmail.mc and add this line at the end. DO NOT EDIT sendmail.cf.

 INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')


 Rebuild sendmail configuration and restart, start opendkim if it's not running yet

 root@ubuntu:~# sendmailconfig; service sendmail restart; service opendkim start

 Test it out.

 That's it, you're done!
	DKIM is DomainKeys Identified Mail and is used in mail servers, such as Postfix or Sendmail to sign e-mails and thus authenticating the sender so that a forgery can be detected. It also reduces the possibility of an e-mail being flagged as spam, but it's not a definite prevention.

	A much simpler method is using SPF (Sender Policy Framework) which, in a nutshell, verifies the sender IP address.

	According to the internet, using both should result to ????, PROFIT !!!.

	SPF does not need a specific configuration. Whitelisted servers are listed in a DNS record, TXT or SPF, and an example record is:

	example.com. IN TXT "v=spf1 a mx ~all"


	And that's preety much it, for the simplest case there is. This record specifies the policy (v=spf1), whitelisted servers (a and mx records), and ~all states that every other IP address should be tagged as SOFTFAIL.
	It can get much more complicated than this, so RTFM.

	Okay, so, DKIM.

	DKIM includes a cryptographic hash in the e-mail header which is calculated with the private key (on the server) and verified with the public key (in the DNS record).

	DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
	c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
	h=from:to:subject:date:keywords:keywords;
	bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
	b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
	VoG4ZHRNiYzR



	First, install opendkim.

	apt-get install opendkim


	Edit the configuration file of opendkim.conf, located in /etc/opendkim.conf.

	AutoRestart Yes
	UMask 002
	Syslog yes
	AutoRestartRate 10/1h
	Canonicalization relaxed/simple
	ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
	InternalHosts refile:/etc/opendkim/TrustedHosts
	KeyTable refile:/etc/opendkim/KeyTable
	LogWhy Yes
	Mode sv
	PidFile /var/run/opendkim/opendkim.pid
	SignatureAlgorithm rsa-sha256
	SigningTable refile:/etc/opendkim/SigningTable
	Socket inet:8891@localhost
	SyslogSuccess Yes
	TemporaryDirectory /var/tmp
	UserID opendkim:opendkim

	As you can see, there are three more files to be added, TrustedHosts (whitelisted IPs that can sign e-mails), KeyTable (multiple domain configuration for public and private keys) and SigningTable (whitelisted users that can sign e-mail).

	/etc/opendkim/TrustedHosts:

	127.0.0.1
	example.com
	192.168.0.1/24

	You get the idea.

	/etc/opendkim/SigningTable:

	*@example.com default._domainkey.example.com

	All users from @example.com can sign. You can specifiy usernames and domains, instead of the wildcard, for additional security.

	/etc/opendkim/KeyTable:

	default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com.pvt

	Location of the private key and name of the DNS record for each domain. The "default" before _domainkey.example.com and :default: is a selector. This can be changed to something else.

	Next, we need to generate the public and private key for each domain.
	Shouldn't be too difficult.
	If some folders don't exist, just create them.

	root@ubuntu:/etc/opendkim/keys# opendkim-genkey -D /etc/opendkim/keys/example.com -d example.com -s default

	Again -s flag is for the selector. If you changed it, you need to enter it here.
	The command generates a private key (default) and public key (default.txt). You will probably rename them, to match the configuration.
	An important note here is that the files are owned by user opendkim, or you will get permission denied errors in /var/log/mail.err. Default permissions on those files are -rw------.

	Move the private key to where you specified it should be in the KeyTable.
	Insert the public key in your DNS as a TXT record.

	Next up, telling sendmail to talk to opendkim.
	Edit /etc/mail/sendmail.mc and add this line at the end. DO NOT EDIT sendmail.cf.

	INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')


	Rebuild sendmail configuration and restart, start opendkim if it's not running yet

	root@ubuntu:~# sendmailconfig; service sendmail restart; service opendkim start

	Test it out.

	That's it, you're done!