Dkimproxy and postfix on suse
Note: originally by Chris; I'm putting it here to clear out my mailbox.
How to set up SUSE as a mail server:
1. Install SUSE. I downloaded a CD and kept all the defaults. Reboot when prompted.
2. Patch SUSE. This should happen automatically after the reboot, right after you've set up the root password and that kind of stuff. Reboot again.
3. After patches are done, you'll be logged into your desktop. Start yast2, click "community repositories", and make sure that "Main Repository (OSS)" has a checkmark by it. Postfix should be installed by default. (If it's not, download a package.) If anything seems to be missing at any point, try to install an appropriate package through yast2.
Edit the firewall to allow the mail server access to the outside world: start yast2, click "firewall", click "allowed services", select "mail server" from the service-to-allow dropdown, and click "add". Then click next and verify that this is what you want.
Confirm that Postfix is running by telnetting from another box:
# telnet <mailserver> 25
Trying <IP of mailserver>...
Connected to mailserver
Escape character is '^]'
220 <mailserver.domain.tld> ESMTP Postfix
You'll probably want to edit /etc/postfix/main.cf if any of those values look incorrect, in particular the myhostname, mydomain, and mydestination parameters. If you change the config file, restart postfix:
# rcpostfix restart
Configure postfix further as desired.
4. Install DKIMproxy
First you'll need some perl modules. Fire up cpan.
# cpan
Answer the configuration script's questions, then type:
> install Mail::DKIM
Answer "yes" to everything about missing dependencies. CPAN will download and install the DKIM module and its prerequisites. You will have to build some stuff, so make sure make, gcc, and libopenssl-devel are installed. If the DKIM tests seem to fail erratically, try "force install Mail::DKIM". Also install Net::Server and Error:
> install Net::Server
> install Error
Exit CPAN. Next, create a user and group to run the DKIM filter:
# groupadd dkim
# useradd -g dkim dkim
5. Set up DKIMproxy
Download the DKIMproxy distribution from http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.0.1.tar.gz . Untar it somewhere convenient, thus:
# tar xzvf dkimproxy-1.0.1.tar.gz
# cd dkimproxy-1.0.1
Install dkimproxy to an appropriate location. We're using the default prefix; configure alone only prepares the build, so run make install afterwards to create /usr/local/dkimproxy and its etc directory:
# ./configure --prefix=/usr/local/dkimproxy
# make install
Set up the init script so that DKIMproxy will run at boot:
# cp sample-dkim-init-script.sh /etc/init.d/dkimproxy
# ln -s ../dkimproxy /etc/init.d/rc5.d/S11dkimproxy
# ln -s ../dkimproxy /etc/init.d/rc5.d/K11dkimproxy
Substitute the appropriate runlevel directory where it says "rc5.d". For example, a text-only system will likely default to rc3.d.
Generate a keypair:
# cd /usr/local/dkimproxy/etc
# openssl genrsa -out dkim-private.key 1024
# openssl rsa -in dkim-private.key -pubout -out dkim-public.key
# chown dkim dkim-private.key
# chmod 400 dkim-private.key
The -pubout flag matters: without it, openssl rsa just rewrites the private key into dkim-public.key, and that is what would then be pasted into DNS in step 6.
Edit the dkimproxy config files:
# cd /usr/local/dkimproxy/etc
# cp dkimproxy_out.conf.example dkimproxy_out.conf
# cp dkimproxy_in.conf.example dkimproxy_in.conf
Edit /usr/local/dkimproxy/etc/dkimproxy_out.conf.
Make sure that the domain is correct (for example, we set prgmr.com) and that the keyfile location is correct. If you're following along precisely, the keyfile should be /usr/local/dkimproxy/etc/dkim-private.key. If you opt to use a different selector, set it here and in the next step. (The particular selector isn't important; it's just a text identifier.)
6. Configure DNS
The entire point of DomainKeys is to let receivers check the cryptographic signature on a message against the public key published in a TXT record in DNS. Create an appropriate record on your DNS server, in the appropriate zone file. The tags are separated by semicolons:
selector1._domainkey IN TXT "k=rsa; t=s; p=<public key>"
Note the <public key> in this record. It should be the full contents of the dkim-public.key file, minus the two framing lines (the ones that begin with dashes and say BEGIN or END), all on one long line.
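As an added example (not part of the original note), the following Python turns a PEM public key into the selector1._domainkey TXT record described above and validates a record read back from a zone file. The PEM key in it is a constructed placeholder (base64 of dummy bytes, not a real RSA key); in practice you would read dkim-public.key. It also handles a caveat the note does not mention: a single TXT string is limited to 255 octets, so longer keys have to be published as several quoted strings, and it refuses a private key, which is what the openssl command produces if -pubout is forgotten.

```python
import base64
import re

# Constructed placeholder standing in for dkim-public.key: 200 zero bytes,
# base64-wrapped at 64 columns like a real PEM file.  Not a real key.
SAMPLE_PUBLIC_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(b"\x00" * 200).decode()))
    + "\n-----END PUBLIC KEY-----\n"
)

MAX_TXT_STRING = 255  # one <character-string> in a TXT RR holds at most 255 octets


def pem_to_p_value(pem: str) -> str:
    """Strip the BEGIN/END framing lines and join the base64 body into one line."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    framing = [ln for ln in lines if ln.startswith("-----")]
    if any("PRIVATE KEY" in ln for ln in framing):
        raise ValueError("this PEM holds a private key; export the public half "
                         "with 'openssl rsa -pubout' first")
    return "".join(ln for ln in lines if not ln.startswith("-----"))


def build_txt_record(selector: str, public_pem: str) -> str:
    """Render the zone-file line for <selector>._domainkey (tags separated by ';')."""
    value = f"k=rsa; t=s; p={pem_to_p_value(public_pem)}"
    # Split into 255-octet strings; resolvers concatenate them when reading the RR.
    chunks = [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]
    quoted = " ".join(f'"{c}"' for c in chunks)
    if len(chunks) > 1:
        quoted = f"( {quoted} )"
    return f"{selector}._domainkey IN TXT {quoted}"


def parse_zone_txt(line: str) -> str:
    """Concatenate the quoted strings of a zone-file TXT line back into one value."""
    return "".join(re.findall(r'"([^"]*)"', line))


def parse_tag_list(text: str) -> dict:
    """Parse a DKIM tag=value list such as 'k=rsa; t=s; p=...' into a dict."""
    return {k.strip(): v.strip() for k, _, v in
            (item.partition("=") for item in text.split(";") if item.strip())}


def validate_dkim_record(txt_value: str) -> list:
    """Return a list of problems with a published record; empty means it looks usable."""
    problems = []
    tags = parse_tag_list(txt_value)
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an RSA key (are the tags separated by ';'?)")
    for flag in tags.get("t", "").split(":"):
        if flag and flag not in ("y", "s"):
            problems.append(f"unknown t= flag {flag!r}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (stray newlines or framing lines?)")
    return problems


if __name__ == "__main__":
    record = build_txt_record("selector1", SAMPLE_PUBLIC_PEM)
    print(record)
    print("problems:", validate_dkim_record(parse_zone_txt(record)))
```

The 1024-bit key from step 5 produces a p= value short enough for a single string; a 2048-bit key does not, which is why the builder splits the value rather than assuming it fits.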
7. Start dkimproxy:
# /etc/init.d/dkimproxy start
8. Set up Postfix to use DKIMproxy
Edit /etc/postfix/master.cf
Anywhere in the file, add lines like the following (taken from the howto at dkimproxy.sourceforge.net):
BEGIN CONF SNIPPET-----
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
submission  inet  n  -  n  -  -  smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
END CONF SNIPPET-----
Reload postfix so that it notices the change:
# postfix reload
9. Test the mail server
Note that we've set up postfix to accept outgoing mail using the submission service, which runs on port 587. Configure the mail-sending program to send mail via that port.
Test outgoing mail by sending some mail to test@dkimtest.jason.long.name. This address will send back a message indicating whether the mail was or was not correctly signed.