Archives September 2014

Installing DKIM with sendmail or postfix on a CentOS server

Installing OpenDKIM

To install OpenDKIM, run:

yum install opendkim

Generating the key for signing messages

A private key and a public key must be generated for each domain whose email is to be signed. The private key is stored on the server and is not publicly accessible, while the public key is published in the DNS records so that servers receiving the email can verify its signatures.

On first run, opendkim generates a default set of keys, stored in /etc/opendkim/keys/, using the server's domain name and the selector “default”. The same selector, “default”, can be used when generating keys manually.

The keys are created with the following commands (replace example.com with the real domain name):

mkdir /etc/opendkim/keys/example.com
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
chown -R opendkim:opendkim /etc/opendkim/keys/example.com
mv /etc/opendkim/keys/example.com/default.private /etc/opendkim/keys/example.com/default

Options used:
-D: directory
-d: domain
-s: selector

Modifying the configuration files

The following 4 configuration files must be created/modified:

1. /etc/opendkim.conf – the main configuration file
2. /etc/opendkim/KeyTable – the list of keys available for signing messages
3. /etc/opendkim/SigningTable – the list of domains and accounts that are allowed to sign
4. /etc/opendkim/TrustedHosts – the list of trusted servers when signing or verifying messages

Edit /etc/opendkim.conf and set the values as below:

## CONFIGURATION OPTIONS

# Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

# Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode sv

# Log activity to the system log.
Syslog yes

# Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes

# If logging is enabled, include detailed logging about why or why not a message was
# signed or verified. This causes a large increase in the amount of log data generated
# for each message, so it should be limited to debugging use only.
#LogWhy yes

# Attempt to become the specified user before starting operations.
UserID opendkim:opendkim

# Create a socket through which your MTA can communicate.
Socket inet:8891@127.0.0.1

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
Umask 002

# This specifies a file in which to store DKIM transaction statistics.
#Statistics /var/spool/opendkim/stats.dat

## SIGNING OPTIONS

# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/simple

# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
Domain example.com

# Defines the name of the selector to be used when signing messages.
Selector default

# Gives the location of a private key to be used for signing ALL messages.
#KeyFile /etc/opendkim/keys/default.private

# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# setting in the configuration file.
KeyTable refile:/etc/opendkim/KeyTable

# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys.
SigningTable refile:/etc/opendkim/SigningTable

# Identifies a set of "external" hosts that may send mail through the server as one
# of the signing domains without credentials as such.
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

# Identifies a set of internal hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts

The Domain, KeyTable, SigningTable, ExternalIgnoreList and InternalHosts options must be uncommented and, since KeyTable will be used, the KeyFile option can be commented out.

Next, create/modify the 3 files that we uncommented in the configuration file.

Create/modify the file /etc/opendkim/KeyTable with the following content:

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default

If several keys will be used (to sign messages from different virtual domains with different keys), add one line for each domain, following this example:

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default
default._domainkey.example2.com example2.com:default:/etc/opendkim/keys/example2.com/default

Create/modify the file /etc/opendkim/SigningTable, in which only the following line needs to be uncommented:

*@example.com default._domainkey.example.com
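A consistency check for the two tables above, as an added example that is not part of the original article: it reports SigningTable entries whose key name has no KeyTable line, and KeyTable entries whose private key file is missing or accessible to group/others. The function name check_dkim_tables is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article).
# Usage: check_dkim_tables /etc/opendkim/KeyTable /etc/opendkim/SigningTable
# Prints one line per problem and returns the number of problems found.
check_dkim_tables() {
    keytable=$1
    signingtable=$2
    problems=0

    # SigningTable line: "<address pattern> <key name>".
    # Every key name must have a matching first column in the KeyTable.
    while read -r pattern keyname extra; do
        case $pattern in ''|'#'*) continue ;; esac
        if ! awk -v k="$keyname" '$1 == k { f = 1 } END { exit !f }' "$keytable"; then
            echo "SigningTable: $pattern -> $keyname has no KeyTable entry"
            problems=$((problems + 1))
        fi
    done < "$signingtable"

    # KeyTable line: "<key name> <domain>:<selector>:<private key path>".
    while read -r keyname spec extra; do
        case $keyname in ''|'#'*) continue ;; esac
        keyfile=${spec#*:}        # drop "<domain>:"
        keyfile=${keyfile#*:}     # drop "<selector>:"
        if [ ! -f "$keyfile" ]; then
            echo "KeyTable: $keyname -> missing key file $keyfile"
            problems=$((problems + 1))
        elif [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
            # Characters 5-10 of the mode string are the group and other bits.
            echo "KeyTable: $keyname -> $keyfile is accessible to group/others"
            problems=$((problems + 1))
        fi
    done < "$keytable"

    return "$problems"
}
```

Run it after every edit of the tables and before starting the opendkim service.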

Create/modify the file /etc/opendkim/TrustedHosts, following this model:

127.0.0.1
hostname1.example.com
hostname2.example.com
example.com

Modifying the MTA (Mail Transfer Agent) configuration

For Postfix, only the following lines need to be added to the main.cf file:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

If a Postfix version older than 2.6 is used, the following line must also be added:

milter_protocol = 2

For further details: http://www.postfix.org/MILTER_README.html#version

Do not restart the Postfix service yet: the opendkim service must be started first, otherwise errors will be generated.

For Sendmail, the following line must be added to the file /etc/mail/sendmail.mc:

INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')

The sendmail.cf file is generated with the command:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Starting OpenDKIM and restarting the MTA

Starting OpenDKIM:

service opendkim start

Restarting Postfix:

postfix reload

Or, as the case may be, restarting Sendmail:

service sendmail restart

To start the opendkim service at server boot, run the chkconfig command:

chkconfig opendkim on

Adding the DNS record

The information that must be published in DNS is contained in the file /etc/opendkim/keys/example.com/default.txt and can be viewed with the command:

cat /etc/opendkim/keys/example.com/default.txt

The information looks something like this:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" ; ----- DKIM default for example.com

This information must be appended to the end of the DNS zone file for the domain in question.
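A check of the generated record before it is pasted into the zone, as an added example that is not part of the original article: it joins the quoted strings of the TXT record (long keys are written as several strings), verifies the v= and p= tags, and warns when the RSA key is below 2048 bits, the size RFC 8301 recommends for signers. The function name dkim_record_check and the 270-byte threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article).
# Usage: dkim_record_check /etc/opendkim/keys/example.com/default.txt
# Returns 0 = OK, 1 = malformed record, 2 = usable but RSA key below 2048 bits.
dkim_record_check() {
    # A TXT record may be split into several quoted strings; join them all
    # before parsing, as a resolver would.
    txt=$(grep -o '"[^"]*"' "$1" | tr -d '"\n')
    # One tag per line, surrounding whitespace removed.
    tags=$(printf '%s\n' "$txt" | tr ';' '\n' |
           sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    version=$(printf '%s\n' "$tags" | sed -n 's/^v=//p')
    keytype=$(printf '%s\n' "$tags" | sed -n 's/^k=//p')
    pubkey=$(printf '%s\n' "$tags" | sed -n 's/^p=//p' | tr -d '[:space:]')

    if [ "$version" != "DKIM1" ]; then
        echo "FAIL: v= tag is '$version', expected DKIM1"; return 1
    fi
    if [ -z "$pubkey" ]; then
        echo "FAIL: p= is empty (revoked key or truncated record)"; return 1
    fi
    if ! printf '%s' "$pubkey" | base64 -d >/dev/null 2>&1; then
        echo "FAIL: p= is not valid base64 (check for a cut-off paste)"; return 1
    fi
    # Size of the DER SubjectPublicKeyInfo: about 162 bytes for RSA-1024 and
    # 294 bytes for RSA-2048 with the usual exponent 65537.
    der_len=$(( $(printf '%s' "$pubkey" | base64 -d | wc -c) ))
    if [ "${keytype:-rsa}" = "rsa" ] && [ "$der_len" -lt 270 ]; then
        echo "WARN: RSA public key is $der_len bytes of DER, below 2048 bits"
        return 2
    fi
    echo "OK: v=DKIM1 k=${keytype:-rsa} key=$der_len bytes of DER"
}
```

The sample record shown above carries a 1024-bit key, so it produces the warning; opendkim-genkey accepts -b to set the key size when generating a new pair.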

Testing the configuration

The configuration can be tested using the tool at http://www.brandonchecketts.com/emailtest.php
or by sending a DKIM-signed email to one (or more) of the following email addresses:
autorespond+dkim@dk.elandsys.com
sa-test@sendmail.net
check-auth@verifier.port25.com

Other articles on the same topic

http://www.dkim.org/
http://www.opendkim.org/
http://blog.mixu.net/2009/11/03/setting-up-spf-senderid-and-dkim-on-centos-5-3-using-sendmail/
http://www.mylinuxtips.info/linuxtipstutorials/setup-dkim-keys-with-sendmail/
http://server-support.co/blog/sysadmin/centos-configure-dkim-sendmail-multiple-domains/
http://www.elandsys.com/resources/sendmail/dkim.html

Sendmail error

On a freshly installed CentOS server, when sending emails, I noticed the following error in maillog:

Sep 12 03:38:32 server sendmail[27862]: s9B9BnMZ003758: to=user@destination.com, ctladdr=user@mydomain.com (501/502), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30099, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

Because sendmail was running only on runlevel 4, it was resolved like this:

sudo chkconfig --levels 235 sendmail on
sudo service sendmail restart