Getting Dkimproxy Installed and Configured

Posted on June 21st, 2008 in Encryption, General, Linux System Administration, Mail, Spam by Brandon

Dkimproxy is a great program for getting Postfix to both sign and validate DomainKeys and DKIM messages. Prior to dkimproxy, one would have used dk-filter and dkim-filter, which did DomainKeys and DKIM signing separately. dkimproxy is a newer program that combines that functionality into one. Installing it can be a bit complicated because it isn’t available in most distro repositories and requires several Perl modules to be installed. Configuring it can be difficult as well, because it involves making changes to DNS and Postfix in addition to its own configuration.

I wrote the steps below as I went through a recent installation for a customer.

Install the openssl-devel package (you’ll need it for CPAN to install Mail::DKIM):

yum install openssl-devel

Now install the required Perl modules:

# perl -MCPAN -e shell
> install Net::Server
> install Error
> install Mail::DKIM

Download and install the actual dkimproxy code:

cd /usr/local/src
wget http://internap.dl.sourceforge.net/sourceforge/dkimproxy/dkimproxy-1.0.1.tar.gz
tar -xvzf dkimproxy-1.0.1.tar.gz
cd dkimproxy-1.0.1
./configure --prefix=/usr/local/dkimproxy
make
make install

You should now have the program installed in /usr/local/dkimproxy. A sample init file is included, so we can copy it into place also:

cp /usr/local/src/dkimproxy-1.0.1/sample-dkim-init-script.sh /etc/init.d/dkimproxy

Create a ‘dkim’ user and group, but lock the password:

useradd -d /usr/local/dkimproxy dkim
passwd -l dkim

That should be enough to get dkimproxy running, but it isn’t configured yet.

Create a key file for your domain:

cd /usr/local/dkimproxy/etc/
openssl genrsa -out domain.tld.key 1024
openssl rsa -in domain.tld.key -pubout -out domain.tld.pub

Now create a DNS TXT record for mail._domainkey.domain.tld with the contents of domain.tld.pub. Your public key will span at least two lines, so combine all of the lines of the key together when putting it in your DNS record. The whole DNS record will look something like this:

k=rsa; t=s; p=MFwwDQYJ......0JMCAwEAAQ==

(Note that the key is pretty long and I’ve shortened it here)
You can now confirm that the key is correct in your DNS:

[root@host etc]# host -ttxt mail._domainkey.domain.tld
mail._domainkey.domain.tld descriptive text "k=rsa; t=s; p=MFwwDQYJ......0JMCAwEAAQ=="

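The record above has to carry the base64 body of domain.tld.pub as one unbroken string, and a mismatch between the published p= value and the key dkimproxy signs with means every outbound message fails verification. The following is an added example, not from the original post: it builds the TXT value from the PEM file and compares it with what DNS actually serves. It assumes `dig` is on PATH (the post uses `host`); the embedded sample key is constructed and not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: build the TXT value for the
# dkimproxy selector from the PEM public key and check it against what
# DNS actually serves. Assumes `dig` is on PATH (the post uses `host`).

# Join the base64 body of a PEM public key into the single p= string the
# record needs: drop the BEGIN/END lines and the wrapping newlines.
pem_to_p() {
    grep -v -- '-----' "$1" | tr -d '\r\n'
}

# Full record value in the form the post shows: k=rsa; t=s; p=...
dkim_txt_record() {
    printf 'k=rsa; t=s; p=%s' "$(pem_to_p "$1")"
}

# Pull the p= tag out of a TXT answer read on stdin. Long records come
# back as several quoted strings, so quotes and spaces are stripped first
# to stitch the chunks back together.
extract_p() {
    tr -d '" ' | sed -n 's/.*p=\([^;]*\).*/\1/p'
}

# p= value currently published for <selector>._domainkey.<domain>.
published_p() {
    dig +short TXT "$1._domainkey.$2" | extract_p
}

# Exit 0 only when DNS serves exactly the key in the local .pub file.
# Usage: check_dkim_dns mail domain.tld /usr/local/dkimproxy/etc/domain.tld.pub
check_dkim_dns() {
    local_p=$(pem_to_p "$3")
    dns_p=$(published_p "$1" "$2")
    [ -n "$dns_p" ] && [ "$local_p" = "$dns_p" ]
}

# Constructed sample .pub file (not a real key) so the record builder can
# be exercised offline; on a real install use domain.tld.pub instead.
sample_pub() {
    f=$(mktemp)
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
        'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDconstructedSampleBody1' \
        'constructedSampleBody2NotARealKeyAAAAAAAAAAQIDAQAB' \
        '-----END PUBLIC KEY-----' > "$f"
    echo "$f"
}
```

Run `check_dkim_dns mail domain.tld /usr/local/dkimproxy/etc/domain.tld.pub` after the DNS change has propagated; a non-zero exit means the published record does not match the key on disk.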

Now tell dkimproxy about the key file and its other configuration parameters. Create /usr/local/dkimproxy/etc/dkimproxy_out.conf with this content:

# specify what address/port DKIMproxy should listen on
listen    127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to
relay     127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain    domain.tld

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile   /usr/local/dkimproxy/etc/domain.tld.key

# specify the selector (i.e. the name of the key record put in DNS)
selector  mail

And copy the sample inbound config to the real inbound config:

cd /usr/local/dkimproxy/etc
cp dkimproxy_in.conf.example dkimproxy_in.conf

Now you should be able to start up dkimproxy, and configure it to start at boot:

/etc/init.d/dkimproxy start
chkconfig dkimproxy on

The last step is to modify the Postfix configuration so that messages submitted on port 587 are forwarded through dkimproxy for signing. I added these three sections to /etc/postfix/master.cf:

### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Finally, reload Postfix with ‘postfix reload’, and you *should* have a working installation. You can now use my DomainKeys/DKIM validator to test and ensure that it is working.

5 Responses to 'Getting Dkimproxy Installed and Configured'

  1. flash said,

    on July 16th, 2008 at 8:09 am

    Following these instructions works OK, including validator. After ensuring all of the various Postfix ‘pieces’ (amavisd, dkimproxy, greylisting, razor, etc.) work individually, I began to consolidate functions.

    My problem today is using dkimproxy when forwarding filtered mail from amavisd via Postfix submission. The complaint is, “warning: proxy 127.0.0.1:10026 rejected “XFORWARD NAME=hosta ADDR=MY.IP.HOST.A PORT=47805 HELO=smtpd.example.com PROTO=ESMTP SOURCE=REMOTE”: “530 5.7.0 Must issue a STARTTLS command first” ” While searching for an answer, found a dkimproxy FAQ suggesting “-o smtpd_use_tls=no” in master.cf After-queue. but that didn’t stop the complaint. Is there another solution?

  2. Brandon said,

    on July 18th, 2008 at 12:59 pm

    Flash, it sounds like your configuration is requiring the use of TLS. Take a look in your master.cf for the smtpd process running on port 10026 and remove the line with ‘smtpd_enforce_tls=yes’ if it exists.

  3. Johnb said,

    on August 8th, 2008 at 5:18 am

    Hi Brandon - I’m kinda stuck on the first hurdle - I know nothing about Python, can you please give me a course of action here - I bow to your Unix knowledge, I am but a mere Windows goof… have also posted to the address given… thanks in advance

    root@mail:/usr/local/src/dkimproxy-1.0.1# yum install openssl-devel
    There was a problem importing one of the Python modules
    required to run yum. The error leading to this problem was:

    No module named cElementTree

    Please install a package which provides this module, or
    verify that the module is installed correctly.

    It’s possible that the above module doesn’t match the
    current version of Python, which is:
    2.5.2 (r252:60911, Apr 21 2008, 11:17:30)
    [GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)]

    If you cannot solve this problem yourself, please send this
    message to .

  4. Johnb said,

    on August 8th, 2008 at 9:20 am

    No worries,

    I finally found the openssl-devel stuff in a package called libcurl4-openssl-dev which was more ubuntu friendly ;¬)
    my server is just rebooting - fingers xed
    thanks for the article

    Johnb.

  5. Brandon said,

    on August 8th, 2008 at 9:56 am

    Johnb - if you don’t have yum working, you have a lot lower level problems. Yum is the package manager for RHEL/CentOS, so you are probably not likely able to update or install *any* packages. Your hosting company, or whoever maintains the server will have to fix that for you, and I’m not terribly familiar with Python myself.
