July 2010 Archives

DKIM in amavisd-new and postfix


As most of you know, email is an inherently insecure protocol. Basically, you are passing around text files in a fixed format, and you have to trust every server that forwards the mail not to modify the content and not to lie about who it is.

One of the big issues is that anybody can claim to be sending mail from bill.gates@microsoft.com, and from the message alone the receiver has no way to tell otherwise.

DKIM adds a certain level of protection. The owner of a domain's DNS zone publishes a public key in a TXT record under <selector>._domainkey.<domain>. The sending mail server holds the corresponding private key and adds a DKIM-Signature header to every outgoing message, signing the body and a chosen set of headers. Any recipient can then fetch the published key and check whether the signature is valid, which proves that the signed parts were not altered in transit and that the message passed through a server holding the domain's key. What a receiver does with a missing or failing signature is its own policy; DKIM itself only makes forgery detectable.

A lot of the big players, gmail among them, sign their outgoing mail with DKIM.

I have also implemented DKIM (along with SPF) on my mail server.

Following are the basic steps necessary to implement DKIM:

  1. create an RSA key pair
  2. set up a separate path in your mailer for outgoing mail
  3. configure the mailer to sign outgoing messages
  4. publish the public key through DNS

The best howto I came across is this

The most important part is to have postfix tag mail as originating (ours) or foreign (incoming) by using the

smtpd_sender_restrictions = 
    check_sender_access regexp:/etc/postfix/tag_as_originating.re
    ...
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re

part in main.cf. Each regexp map returns a FILTER action that hands the message to the matching amavisd port, 10026 for originating mail and 10024 for everything else. One caveat: the originating decision has to be tied to the client (mail from your own networks or from SASL-authenticated users), not to the sender address the message claims, otherwise anyone who forges one of your addresses gets that message signed with your key.

The rest of the setup happens in amavisd.conf: listen on a second port and attach a policy bank to it that marks mail arriving there as originating, which is what allows signing:

$inet_socket_port = [10024,10026];  # listen on two ports: 10024 foreign, 10026 originating
$enable_dkim_signing = 1;  # loads DKIM signing code
dkim_key('DOMAIN_NAME', 'dk1', '/path/to/keyfile');  # signing domain, selector, private key file
$interface_policy{'10026'} = 'ORIGINATING';  # mail arriving on 10026 gets the policy bank below
$policy_bank{'ORIGINATING'} = {  # mail originating from our users
    originating => 1,  # indicates client is ours, allows signing
};

The only remaining thing to do is publish the public key. My domains are managed by united domains. To get this working you have to create a subdomain and set a TXT record for it named dk1._domainkey.homemadecode.de (the dk1 part is the selector and has to be the same as the identifier provided to dkim_key in the amavisd config above). The record content is the public key in the form v=DKIM1; p=<base64 encoded key>; amavisd showkeys prints it ready to paste, and once DNS has propagated, amavisd testkeys confirms that the key served by DNS matches the private key amavisd signs with.
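What the receiving side does with the signature and the published key, as an added example that is not part of the original post and not amavisd's code: it parses the DKIM-Signature header, derives the DNS name to query from the s= and d= tags (here this page's dk1 selector and homemadecode.de), and recomputes the body hash after RFC 6376 body canonicalization, so a whitespace change in transit still verifies while a change to the text does not. The body and the signature header are constructed for the example; the RSA signature over the headers (b=) is not verified, since that needs the key fetched from DNS and an RSA library, so the constructed header carries no b= tag.

```python
"""Receiver-side DKIM checks with only the standard library (added example):
find the public key's DNS name from the signature header and recompute the
body hash (bh=) after RFC 6376 body canonicalization.  The RSA signature
(b=) over the headers is deliberately not verified here."""
import base64
import hashlib
import re


def parse_dkim_tags(header_value: str) -> dict:
    """Split a 'tag=value; tag=value' list into a dict.  Folding whitespace
    inside a value is insignificant (RFC 6376 3.2), so it is dropped."""
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue                      # empty item after a trailing ';'
        name, value = item.split("=", 1)  # first '=' only; base64 padding keeps its '='
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dns_key_name(tags: dict) -> str:
    """TXT record name the verifier queries, <selector>._domainkey.<domain>.
    The selector (s=) is the identifier passed to dkim_key() in amavisd.conf."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body: str, mode: str = "simple") -> bytes:
    """RFC 6376 3.4.3 'simple' and 3.4.4 'relaxed' body canonicalization.
    Both drop empty lines at the end of the body; relaxed also collapses runs
    of spaces/tabs to one space and strips trailing whitespace per line, which
    is why relaxed survives the whitespace mangling relays tend to do."""
    lines = body.replace("\r\n", "\n").split("\n")   # accept LF or CRLF input
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization: {mode}")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:                                    # empty body
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str, algo: str = "sha256") -> str:
    """The bh= value a signer writes: base64 of the hash of the canonical body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def check_body_hash(signature_header: str, body: str) -> bool:
    """True if the delivered body still matches the bh= tag of the signature."""
    tags = parse_dkim_tags(signature_header)
    if tags.get("v") != "1":
        return False
    algo = tags.get("a", "").partition("-")[2]        # 'rsa-sha256' -> 'sha256'
    if algo not in ("sha256", "sha1"):
        return False
    if "l" in tags:
        # l= hashes only the first l bytes of the body; anything appended after
        # that is unsigned, so this checker refuses partial-body signatures.
        return False
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_mode, algo) == tags.get("bh")


# Constructed sample for this page's domain and selector.  A real header also
# carries b=, the RSA signature over the headers listed in h=; it is omitted
# because this example has no private key and does not verify it.
BODY = "Hi,\r\n\r\nthe  invoice is   attached.\r\n\r\n\r\n"
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=homemadecode.de; s=dk1;\r\n"
    "\th=from:to:subject:date:message-id;\r\n"
    f"\tbh={body_hash(BODY, 'relaxed')};"
)

if __name__ == "__main__":
    print(dns_key_name(parse_dkim_tags(DKIM_SIGNATURE)))    # dk1._domainkey.homemadecode.de
    print(check_body_hash(DKIM_SIGNATURE, BODY))            # True
    # whitespace changes in transit are tolerated under relaxed ...
    print(check_body_hash(DKIM_SIGNATURE, BODY.replace("  ", " ") + "\r\n"))  # True
    # ... a change to the text is not
    print(check_body_hash(DKIM_SIGNATURE, BODY.replace("attached", "cancelled")))  # False
```

The c= tag defaults to simple/simple when absent, and a bare c=relaxed means relaxed headers with a simple body, which the checker handles; the l= tag is refused outright because a length-limited body hash leaves everything after the limit unsigned.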

About this Archive

This page is an archive of entries from July 2010 listed from newest to oldest.


This blog is licensed under a Creative Commons License.
homemade code GmbH