Getting Dkimproxy Installed and Configured

Posted on June 21st, 2008 in Encryption,General,Linux System Administration,Mail,Spam by Brandon

Dkimproxy is a great program for getting Postfix to both sign and validate DomainKeys and DKIM messages. Prior to dkimproxy, one would have used dk-filter and dkim-filter, which did DomainKeys and DKIM signing separately. dkimproxy is a newer program that combines the two functions. Installing it can be a bit complicated because it isn’t available in most distro repositories and requires several Perl modules that need to be installed. Configuring it can be difficult as well, because it involves making changes to DNS and Postfix in addition to its own configuration.

I wrote these steps below as I went through a recent installation for a customer.

If you have the RPMforge repository enabled, you can install the required Perl modules with this command (thanks to JohnB for mentioning that):

yum install perl-Net-Server perl-Error perl-Mail-DKIM

Otherwise, you can install them manually with CPAN. First install the openssl-devel package (you’ll need it for CPAN to build Mail::DKIM):

yum install openssl-devel

Now install the required Perl modules from the CPAN shell:

# perl -MCPAN -e shell
> install Net::Server
> install Error
> install Mail::DKIM

Download and install the actual dkimproxy code:

cd /usr/local/src
wget http://internap.dl.sourceforge.net/sourceforge/dkimproxy/dkimproxy-1.0.1.tar.gz
tar -xvzf dkimproxy-1.0.1.tar.gz
cd dkimproxy-1.0.1
./configure --prefix=/usr/local/dkimproxy
make
make install

You should now have the program installed in /usr/local/dkimproxy. A sample init file is included, so we can copy it into place also:

cp /usr/local/src/dkimproxy-1.0.1/sample-dkim-init-script.sh /etc/init.d/dkimproxy

Create a ‘dkim’ user and group, but lock the password:

useradd -d /usr/local/dkimproxy dkim
passwd -l dkim

That should be enough to get dkimproxy running, but it isn’t configured yet.

Create a private key for your domain and export its public half:

cd /usr/local/dkimproxy/etc/
openssl genrsa -out domain.tld.key 1024
openssl rsa -in domain.tld.key -pubout -out domain.tld.pub

Now create a DNS TXT record for mail._domainkey.domain.tld with the contents of domain.tld.pub. Your public key will span at least two lines, so drop the BEGIN/END PUBLIC KEY header and footer lines and join the remaining base64 lines together when putting it in your DNS record. The whole DNS record will look something like this:

k=rsa; t=s; p=MFwwDQYJ......0JMCAwEAAQ==

(Note that the key is pretty long and I’ve shortened it here.)

You can now confirm the key is correct in your DNS:

[root@host etc]# host -ttxt mail._domainkey.domain.tld
mail._domainkey.domain.tld descriptive text "k=rsa\; t=s\; p=MFwwDQYJ......0JMCAwEAAQ=="
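As an added example (not from the original post), a small POSIX shell helper that turns the openssl "-pubout" file into the one-line record value described above and compares it with what DNS actually serves. The selector, domain and PEM path are arguments you supply; the sample key in the block is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): build the TXT record value from
# the openssl "-pubout" file, i.e. drop the BEGIN/END lines and join the base64
# body into one line, then compare it with what DNS actually serves.
# Selector, domain and PEM path are passed in; the sample key below is constructed.

# Base64 body of a PEM public key, joined into a single line.
pem_body() {   # $1 = PEM file
    grep -v '^-----' "$1" | tr -d ' \n\r'
}

# Record value in the form this post uses: k=rsa; t=s; p=<base64>
dkim_txt_value() {   # $1 = PEM file
    b64=$(pem_body "$1")
    [ -n "$b64" ] || { echo "no key material in $1" >&2; return 1; }
    printf 'k=rsa; t=s; p=%s\n' "$b64"
}

# Pull the p= tag out of a record value; tolerates the "\;" escaping that
# `host` prints and anything following the key.
p_tag() {   # $1 = record text
    printf '%s\n' "$1" | sed -n 's|.*p=\([A-Za-z0-9+/=]*\).*|\1|p'
}

# Compare the key DNS serves with the local PEM. Needs `host` and network
# access; returns 0 on match, 1 on mismatch or lookup failure. A 1024-bit key
# fits in one TXT string; longer keys are published as several quoted strings,
# which this simple parser does not rejoin.
check_dns_key() {   # $1 = selector, $2 = domain, $3 = PEM file
    served=$(p_tag "$(host -t txt "$1._domainkey.$2" 2>/dev/null | head -n 1)")
    [ -n "$served" ] && [ "$served" = "$(pem_body "$3")" ]
}

# Constructed sample in the same shape as openssl's output (not a real key).
sample=$(mktemp)
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'MFwwDQYJ' '0JMCAwEAAQ==' \
    '-----END PUBLIC KEY-----' > "$sample"
dkim_txt_value "$sample"   # k=rsa; t=s; p=MFwwDQYJ0JMCAwEAAQ==
rm -f "$sample"
# Against a live zone: check_dns_key mail domain.tld /usr/local/dkimproxy/etc/domain.tld.pub
```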

Now tell dkimproxy where the key file is and how to sign. Create /usr/local/dkimproxy/etc/dkimproxy_out.conf with this content:

# specify what address/port DKIMproxy should listen on
listen    127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to
relay     127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain    domain.tld

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile   /usr/local/dkimproxy/etc/domain.tld.key

# specify the selector (i.e. the name of the key record put in DNS)
selector  mail

And copy the sample inbound config to the real inbound config:

cd /usr/local/dkimproxy/etc
cp dkimproxy_in.conf.example dkimproxy_in.conf

Now you should be able to start up dkimproxy, and configure it to start at boot:

/etc/init.d/dkimproxy start
chkconfig dkimproxy on

The last step is to modify the Postfix configuration so that messages submitted on port 587 are forwarded through dkimproxy for signing. I added these three sections to /etc/postfix/master.cf:

### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

If you want it to sign messages sent from the command line sendmail program, modify the pickup service to use the content_filter like this:

pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=dksign:[127.0.0.1]:10027
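As an added example (not from the post or the dkimproxy project), a POSIX shell check that the ports in dkimproxy_out.conf and the master.cf services above agree, and that the re-injection smtpd on the relay port is restricted to loopback, since that service skips the usual client and recipient checks and must not be reachable by anyone else. File paths are arguments; the sample files the block writes are constructed from the snippets in this post.

```shell
#!/bin/sh
# Added example, not code from the original post or from dkimproxy: check that
# dkimproxy_out.conf and the master.cf services described above agree on ports,
# and that the re-injection smtpd on the relay port is locked to localhost.

# Read the port from a "listen 127.0.0.1:PORT" / "relay 127.0.0.1:PORT" line.
conf_port() {   # $1 = dkimproxy_out.conf, $2 = listen|relay
    awk -v k="$2" '$1 == k { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# True when master.cf service $2 carries content_filter=dksign:[127.0.0.1]:$3.
service_filters_to() {   # $1 = master.cf, $2 = service name, $3 = port
    awk -v s="$2" -v p="$3" '
        /^[^ \t#]/ { cur = $1 }                      # start of a service entry
        cur == s && $0 ~ ("content_filter=dksign:\\[127\\.0\\.0\\.1\\]:" p "$") { ok = 1 }
        END { exit !ok }' "$1"
}

# True when the smtpd bound to 127.0.0.1:$2 rejects everything but mynetworks
# and mynetworks is limited to loopback (otherwise it is an unauthenticated relay).
reinject_is_local_only() {   # $1 = master.cf, $2 = relay port
    awk -v s="127.0.0.1:$2" '
        /^[^ \t#]/ { cur = $1 }
        cur == s && /smtpd_recipient_restrictions=permit_mynetworks,reject$/ { r = 1 }
        cur == s && /mynetworks=127\.0\.0\.0\/8$/ { n = 1 }
        END { exit !(r && n) }' "$1"
}

# Run all checks; prints one line per check, returns 0 only if all pass.
check_wiring() {   # $1 = dkimproxy_out.conf, $2 = master.cf
    in_port=$(conf_port "$1" listen); out_port=$(conf_port "$1" relay); rc=0
    service_filters_to "$2" submission "$in_port" \
        && echo "ok: submission -> dkimproxy :$in_port" || { echo "FAIL: submission is not filtered to :$in_port"; rc=1; }
    grep -q "^127\.0\.0\.1:$out_port[[:space:]]" "$2" \
        && echo "ok: re-injection service on :$out_port exists" || { echo "FAIL: no smtpd on :$out_port"; rc=1; }
    reinject_is_local_only "$2" "$out_port" \
        && echo "ok: re-injection service is loopback-only" || { echo "FAIL: :$out_port is not restricted to loopback"; rc=1; }
    return $rc
}

# Constructed sample files (cut down from the snippets in this post), written to $1.
write_samples() {
    printf 'listen    127.0.0.1:10027\nrelay     127.0.0.1:10028\n' > "$1/dkimproxy_out.conf"
    cat > "$1/master.cf" <<'EOF'
submission  inet  n     -       n       -       -       smtpd
    -o content_filter=dksign:[127.0.0.1]:10027
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
EOF
}

# Live use: check_wiring /usr/local/dkimproxy/etc/dkimproxy_out.conf /etc/postfix/master.cf
d=$(mktemp -d); write_samples "$d"; check_wiring "$d/dkimproxy_out.conf" "$d/master.cf"; rm -rf "$d"
```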

Finally, tell Postfix to reload its configuration with ‘postfix reload’, and you *should* have a working installation. You can now use my DomainKeys/DKIM validator to test and ensure that it is working.

34 Responses to 'Getting Dkimproxy Installed and Configured'


  1. flash said,

    on July 16th, 2008 at 8:09 am

    Following these instructions works OK, including validator. After ensuring all of the various Postfix ‘pieces’ (amavisd, dkimproxy, greylisting, razor, etc.) work individually, I began to consolidate functions.

    My problem today is using dkimproxy when forwarding filtered mail from amavisd via Postfix submission. The complaint is, “warning: proxy 127.0.0.1:10026 rejected “XFORWARD NAME=hosta ADDR=MY.IP.HOST.A PORT=47805 HELO=smtpd.example.com PROTO=ESMTP SOURCE=REMOTE”: “530 5.7.0 Must issue a STARTTLS command first” ”. While searching for an answer, I found a dkimproxy FAQ suggesting “-o smtpd_use_tls=no” in master.cf After-queue, but that didn’t stop the complaint. Is there another solution?

  2. Brandon said,

    on July 18th, 2008 at 12:59 pm

    Flash, it sounds like your configuration is requiring the use of TLS. Take a look in your master.cf for the smtpd process running on port 10026 and remove the line with ‘smtpd_enforce_tls=yes’ if it exists.

  3. Johnb said,

    on August 8th, 2008 at 5:18 am

    Hi Brandon – I’m kinda stuck on the first hurdle – I know nothing about Python. Can you please give me a course of action here – I bow to your unix knowledge, I am but a mere windows goof….have also posted to address given…thanks in advance

    root@mail:/usr/local/src/dkimproxy-1.0.1# yum install openssl-devel
    There was a problem importing one of the Python modules
    required to run yum. The error leading to this problem was:

    No module named cElementTree

    Please install a package which provides this module, or
    verify that the module is installed correctly.

    It’s possible that the above module doesn’t match the
    current version of Python, which is:
    2.5.2 (r252:60911, Apr 21 2008, 11:17:30)
    [GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)]

    If you cannot solve this problem yourself, please send this
    message to .

  4. Johnb said,

    on August 8th, 2008 at 9:20 am

    No worries,

    I finally found the openssl-devel stuff in a package called libcurl4-openssl-dev which was more ubuntu friendly ;¬)
    my server is just rebooting – fingers xed
    thanks for the article

    Johnb.

  5. Brandon said,

    on August 8th, 2008 at 9:56 am

    Johnb – if you don’t have yum working, you have a lot lower level problems. Yum is the package manager for RHEL/CentOS, so you are probably not likely able to update or install *any* packages. Your hosting company, or whoever maintains the server will have to fix that for you, and I’m not terribly familiar with Python myself.


  6. on November 13th, 2008 at 6:07 pm

    [...] in addition or instead of DKIM follow the instructions for setting up a DKIMProxy_out.conf file on Brandon Checketts’ web site. You may also find his DKIM Validator to be [...]

  7. Jason said,

    on December 5th, 2008 at 4:56 pm

    You need gcc on the system to build one of the Mail::DKIM dependencies. Specifically, building of Crypt::OpenSSL::Random (itself a dependency of Crypt::OpenSSL::RSA) fails without gcc.

    Cheers

  8. other JohnB said,

    on May 24th, 2009 at 11:38 pm

    Since I always test sending messages from the command line, I always forget to add this line to the pickup daemon:

    http://dkimproxy.sourceforge.net/faq.html#sendmail

  9. Brandon said,

    on May 29th, 2009 at 8:37 am

    @JohnB

    Thanks for mentioning that. Most programs now submit things to the smtpd server listening on port 25, but many system administration scripts and CGI programs will use the sendmail command line program which requires this change to /etc/postfix/master.cf:

    pickup    fifo  n       -       n       60      1       pickup
        -o content_filter=dksign:[127.0.0.1]:10027
    
  10. other JohnB said,

    on June 8th, 2009 at 8:28 pm

    I always follow this guide to the letter, with the exception, when using Centos 5, I prefer to install the perl modules from packages on rpmforge. Once you enable rpm forge per:

    http://dag.wieers.com/rpm/FAQ.php#B1

    You can install these packages:

    yum install perl-Net-Server perl-Error perl-Mail-Dkim

    I just find it easier to track rpm packages then what’s installed through CPAN.

  11. MrEleodore said,

    on June 11th, 2009 at 10:25 am

    I use the pickup line to sign mails submitted from thunderbird but my problem is that i use spamassassin too, like this:
    smtp inet n - - - - smtpd
        -o content_filter=spamassassin
    spamassassin unix - n n - - pipe
        user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

    When a mail arrives, it goes to spamassassin and after that it is reinjected with sendmail. Therefore it goes to the pickup service and then to the dkimproxy.OUT !! (it was an arriving email)
    The mail finally arrives without problems but I don’t like this additional step and I’m worried about performance…
    What can i do?
    Cheers


  12. on August 10th, 2009 at 1:23 pm

    [...] seems that I have now appeased the Yahoo! mail gods. Yesterday, I implemented Domain Keys using the excellent guide over at Brandon Checketts’ site. Yahoo! now considers me worthy of sending mail to their [...]

  13. Manish said,

    on September 14th, 2009 at 12:05 pm

    Hi

    I followed your tutorial and everything works fine, but when the mail is sent through squirrelmail then the mail is not signed through DKIMProxy, and when the mail is sent from the server itself using the CLI like the mail or sendmail command then the mail is signed with DKIMProxy. Is there any configuration which I am missing in configuring dkimproxy? The message I get from maillog is

    dkimproxy.in[27581]: DKIM verify – none;

    What could be wrong.

    Thank you
    Manish

  14. Brandon said,

    on September 14th, 2009 at 9:40 pm

    Manish,

    Did you add this line to your master.cf file:

    pickup    fifo  n       -       n       60      1       pickup
        -o content_filter=dksign:[127.0.0.1]:10027
    

    That is the service used when programs use the command-line sendmail program to submit messages, which is likely what your CLI scripts and squirrelmail use.

    Thanks,
    Brandon

  15. Manish said,

    on September 15th, 2009 at 10:53 am

    Hi Brandon,

    Thank you for the prompt response, well yes that line is already there in my master.cf file. Squirrelmail is using Port 25 for making the SMTP connection and maillog gives the status as

    dkimproxy.in[27581]: DKIM verify – none;

    as the mail is send through squirrelmail, also it has dovecot installed with IMAP and POP

    So is there something I am missing.

    Thank you
    Manish

  16. Brandon said,

    on September 15th, 2009 at 11:02 am

    @Manish,

    I didn’t think about that correctly. The master.cf file I mentioned above doesn’t sign mail coming in on port 25 (since all inbound mail comes in on that port).

    Ideally, you would configure squirrelmail to send to port 587 which should get signed. Alternatively, you could change the ‘smtp’ section of master.cf to look like this:

    smtp  inet  n     -       n       -       -       smtpd
        -o content_filter=dksign:[127.0.0.1]:10027
    

    That will send all incoming messages through dkimproxy and try to sign them, which obviously adds some un-necessary overhead.

  17. Manish said,

    on September 30th, 2009 at 9:09 pm

    Hi Brandon,

    Your suggestions worked perfectly. I changed the SMTP port from 25 to 587 in Squirrelmail configuration and that worked. Thank you for you time and you made a great job by posting this tutorial.

    Thank you
    Manish

  18. Tapan said,

    on December 1st, 2009 at 12:06 am

    Hi!!!
    I have followed the above instructions and as per the Email Validation Results of Brandon my mails are properly being signed and verified, but still yahoo and hotmail put my mails in the Junk folder. Please let me know what could be the reason.

  19. Aaron said,

    on December 7th, 2009 at 1:07 pm

    Hi Brandon

    I had a lot of perl dependency errors during install on CentOS 5.4. I used CPAN at first and still couldn’t quiet the errors. Next I tried searching for RPMs online and eliminated some. Finally, I installed DAG and used YUM to install latest versions of MAIL::DKIM and dependencies without errors. Next, I installed dkimproxy 1.2 with success. I followed the configure instructions exactly, setup the init/d script and config files, made the mods to EXIM, and was ready to go. Or so I thought. When starting with service dmproxy start I get green lights, but when I check a few seconds later with service dmproxy status I see that both the in and out processes have stopped. Nothing at all in the system logs, so I have nothing to go on.

    Any ideas? Is there a switch for debug or verbose logging?

    Thanks!

  20. Brandon said,

    on December 7th, 2009 at 11:43 pm

    @Tapan,

    A working signature does not automatically mean that emails won’t be marked as spam. It just provides a way for them to reliably track your domain’s reputation.

  21. Chetan Surpur said,

    on January 26th, 2010 at 1:46 pm

    Hi,

    I think you have a typo in the following code:

    [root@host etc]# host -ttxt mail._domainkey.domain.tls
    mail._domainkey.domain.tld descriptive text “k=rsa\; t=s\; p=MFwwDQYJ……0JMCAwEAAQ==”

    Shouldn’t it be:

    [root@host etc]# host -ttxt mail._domainkey.domain.tld

  22. Raul said,

    on September 19th, 2010 at 9:11 pm

    Hello Brandon,

    This is great information. I was able to install dkimproxy on a server running debian 4.0. I still haven’t been able to get the dkimproxy service to run properly.

    When I run:

    /etc/init.d/dkimproxy start

    everything seems to run fine. But when I check the status with “dkimproxy status” the results are:

    dkimproxy.in… stopped
    dkimproxy.out… stopped

    Any idea why services won’t start? Any help would be appreciated.

  23. Brandon said,

    on October 2nd, 2010 at 3:32 pm

    @Raul, try taking a look at /var/log/mail.info for any hints as to what is failing.

  24. rasta said,

    on November 10th, 2010 at 7:02 pm

    How would this work with multiple instances on Postfix 2.7+?


  25. on November 16th, 2010 at 4:31 pm

    [...] have my server setup exactly like this article here: Getting DKIMproxy installed and configured, yet I am having the following [...]

  26. Ashrocks said,

    on December 2nd, 2010 at 2:26 pm

    Hi Brandon,

    Your tutorial is commendable. I have used SPF validator so many times to check my Domain validation. Now i want to install domain key and dkim on my Debian5 installation.

    What perl modules or packages can i get from debian repository to proceed with this installation.

    Thank you for your help.

    Keep up good work

  27. Manish said,

    on February 23rd, 2011 at 5:55 pm

    Hi

    I have One SMTP gateway server configured with dkimproxy and the mail sent from that server is getting signed with domainkeys and dkim but when the mail is sent from the relayed server to this server the mails are not getting signed. I have 30 mail nodes and all those nodes are setup to relay mails to the main SMTP gateway. I want all the mails sent by all of those 30 nodes to be signed through SMTP gateway. Any help would be appreciated.

    Thanking You,

  28. Manish said,

    on February 24th, 2011 at 10:39 am

    Hi Brandon,

    How can I get mail signed using dkimproxy on the SMTP gateway server, to which the mails are sent from different web nodes for delivery to the outside world? Dkimproxy is installed and configured on the main server and it’s working fine, but it doesn’t work when the mails are relayed through that server.

    Thanking you,
    Manish

  29. Brandon said,

    on February 25th, 2011 at 4:05 pm

    @Manish,

    You’ll probably need to make a change to master.cf which will send the authenticated messages through DKIMProxy

  30. sajid said,

    on July 28th, 2011 at 4:55 am

    Hi Brandon

    I have already configured dkimproxy for outbound mails and it works fine.
    now i need to configure dkimproxy for inbound mails on the same server where dkimproxy running for outbound mails.
    Please help me in that,
    because I followed the instruction given in the below URL
    i.e. http://dkimproxy.sourceforge.net/postfix-inbound-howto.html

    can you please provide me detail information about how to setup dkimproxy for inbound mails or steps
    like any free article on internet ,

    I followed the above mentioned URL for setting up dkimproxy for inbound mails

    Here is my dkimproxy.in
    ——————————————
    # specify what address/port DKIMproxy should listen on
    listen 127.0.0.1:10025

    # specify what address/port DKIMproxy forwards mail to
    relay 127.0.0.1:10026

    Dkimproxy inbound ports seen on server
    =====================

    tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 24229/perl
    tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 15399/master

    & i successfully achieved, i have seen Dkimproxy inbound ports on my server
    is it enough ?
    one more thing , please tell me if i am missing anything that are necessary in setup of dkimproxy for inbound mails

    And how to verify that your mails are getting signed,
    or how to send mail for checking inbound mails
    please suggest me because i am new to dkimproxy implementation .
    Awaiting for your kind reply

  31. donnie said,

    on August 7th, 2011 at 9:45 pm

    hello,

    thank you in advance for this wonderful tutorial,

    i have some problem if you can help me that will be appreciated.

    when i try to write that host -ttxt mail._domainkey.domain.tls

    this message appears
    Host mail._domainkey.domain.tld not found: 3(NXDOMAIN)

    thank you in advance..

  32. Nick Bykov said,

    on September 3rd, 2011 at 2:52 am

    Hi Brandon,

    Thank you soooo much for this great tutorial! I spent many hours trying to get Dkimproxy work until I found this page. Just a single line of code helped me a lot! :)

    Once again, thank you, and all the best to you!

    Nick


  33. on March 16th, 2012 at 3:37 am

    [...] the SPF records. Yahoo Mail prefer DKIM. For more info about DKIM and setting that up check this old post by Brandon Checketts. [...]


  34. on June 19th, 2012 at 10:04 am

    [...] Posted at ServerFault, member neezer asks:I have my server setup exactly like this article here: Getting DKIMproxy installed and configured, yet I am having the following [...]
