Thursday, May 1, 2008

Domain Keys With Sendmail

Hi All,

I want to share something with all of you. In the past few days I was facing problems with my mail server: sometimes mails were going into the spam/bulk folder at Yahoo and Gmail. Then I found that it was a DomainKeys problem.
Actually DomainKeys uses a pair of RSA keys generated with OpenSSL. The private key is placed on the mail server and the public key is published in DNS as a TXT record, which tells other servers that the mail is coming through an authenticated mail server for the domain.

Required Packages
Sendmail full package (sendmail, sendmail-devel, etc.), version 8.13 or above
OpenSSL
SASL packages

Download the dk-milter package (dk-milter-1.0.0.tar.gz) and unpack it:

tar zxvf dk-milter-1.0.0.tar.gz
cd dk-milter-1.0.0
cd devtools/Site
and add/modify the following lines in site.config.m4:
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`confENVDEF',`-DSASL -DSTARTTLS')
APPENDDEF(`confLIBS', `-lsasl -lssl -lcrypto')
APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include ')
APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib ')
APPENDDEF(`confENVDEF', `-D_FFR_ANTICIPATE_SENDMAIL_MUNGE ')

Add the following lines to dk-milter-1.0.0/dk-filter/Makefile.m4:

APPENDDEF(`confLIBS', `-lssl -lcrypto')
dnl Enable and edit these paths as per your configuration:
APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include ')
APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib ')
bldPUSH_SMLIB(`dk')
APPENDDEF(`confINCDIRS', `-I../libdk/ ')
bldPUSH_SMLIB(`sm')
APPENDDEF(`confINCDIRS', `-I/usr/local/sendmail/include')
APPENDDEF(`confLIBDIRS', `-L/usr/local/sendmail/libmilter')
APPENDDEF(`confLIBDIRS', `-L/usr/local/sendmail/libsm')
APPENDDEF(`confLIBDIRS', `-L/usr/local/sendmail/libsmdb')
APPENDDEF(`confLIBDIRS', `-L/usr/local/sendmail/libsmutil')
Then add the following line to sendmail.mc:
INPUT_MAIL_FILTER(`dk-filter', `S=inet:5000@localhost')
dk-filter is the DomainKeys filter and 5000 is the port on which the dk-filter daemon will listen.

Then go to the dk-milter-1.0.0 directory and run the following commands:
1) ./Build
2) ./Build install

Now create the server's public/private key pair for the domain using the following commands:
1) openssl genrsa -out rsa.private 1024
2) openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
Now rename the private key to something like test.com_key.pem.

Now it is time to add the DNS TXT record with the public key:

mail._domainkey.test.com. 1D IN TXT "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAJUf/A69N7tYPcoursysqYFzBl3+yzCCUsNQAY6TIcD02OEix1xETOOubJ1Z5i7UrR3E36aEeeHA9tdDu1P+xvQ6PoQEXeevGWfs61j4lVRQErx4Km+KKcqja6nSgZbflQIDAQAB"

Replace test.com with your domain. The *mail* part of the DNS record name *mail*._domainkey.test.com. is the selector, which tells receivers which key to use.

Create a user for dk-milter, such as dkuser, and run the following command to start dk-filter for your server:
dk-filter -l -p inet:5000@localhost -c nofws -d test.com -D -H -s /usr/share/ssl/private/test.com_key.pem -S mail -u dkuser -m MTA

Restart the sendmail service.

Send mail to any Yahoo!/Gmail ID and check whether the Authentication-Results header shows the result as pass or fail.
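As an added example (not part of the original post and not dk-milter's own tooling), a small Python helper for two of the steps above: it turns the public key written by openssl rsa -pubout into the _domainkey TXT record, splitting it into 255-octet strings where a longer key needs that, and parses the Authentication-Results header that the last step checks. The sample PEM is the post's own public key re-wrapped in PEM armour; the Authentication-Results value is constructed.

```python
"""Helpers for two steps of the DomainKeys setup above: turning the
OpenSSL public key into the _domainkey TXT record, and reading the
receiver's Authentication-Results verdict. Standard library only."""
import re

# RFC 1035: one TXT <character-string> holds at most 255 octets, so a long
# p= value (any 2048-bit key) must be split; receivers join the strings.
MAX_TXT_STRING = 255

# Sample input: the public key shown in the post, re-wrapped in the PEM
# armour that "openssl rsa -pubout -outform PEM" writes.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAJUf/A69N7tYPcoursysqYFzBl3+yzCC
UsNQAY6TIcD02OEix1xETOOubJ1Z5i7UrR3E36aEeeHA9tdDu1P+xvQ6PoQEXeev
GWfs61j4lVRQErx4Km+KKcqja6nSgZbflQIDAQAB
-----END PUBLIC KEY-----"""


def pem_to_domainkey_txt(pem, testing=True):
    """Return the record data as a list of quoted TXT strings. testing=True
    adds t=y (domain is testing DomainKeys); drop it once results are pass."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    data = "k=rsa; " + ("t=y; " if testing else "") + "p=" + body
    return ['"%s"' % data[i:i + MAX_TXT_STRING]
            for i in range(0, len(data), MAX_TXT_STRING)]


def zone_record(domain, selector, pem, testing=True):
    """Zone-file line in the shape used in the post; the selector must
    match the -S option given to dk-filter."""
    name = "%s._domainkey.%s." % (selector, domain)
    return "%s 1D IN TXT %s" % (name, " ".join(pem_to_domainkey_txt(pem, testing)))


def auth_results(header_value):
    """Parse an Authentication-Results value (RFC 5451 shape) into
    (authserv-id, {method: result}). Parenthesised comments are skipped
    by the regex but must not themselves contain ';' for this splitter."""
    authserv, _, rest = header_value.partition(";")
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"\s*([\w-]+)\s*=\s*(\w+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv.split()[0], results


if __name__ == "__main__":
    print(zone_record("test.com", "mail", SAMPLE_PEM))
    # Constructed header of the kind a receiver adds when the signature verifies.
    print(auth_results("mx.google.com; domainkeys=pass (test mode) header.From=manoj@test.com"))
```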


-----
Manoj