
# Adding DKIM to my Gentoo Postfix mail server #
*Oct 24, 2012*

So after being alerted to the existence of DKIM by [this article](http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/) posted on [HackerNews](http://news.ycombinator.com/item?id=4692453) I wanted to implement it immediately on my server. DKIM is DomainKeys Identified Mail, a crypto signing protocol where a pub key sits in your DNS and your mail servers sign your mail as it passes through your server. Seems a little stronger than SPF from a few years ago for authenticating mail's origin so I was keen to adopt it.

So I found the [freshest instructions on the Gentoo wiki](http://wiki.gentoo.org/wiki/DKIM_and_DomainKeys_with_Postfix) and followed them. They were a bit spartan so I went looking for a bit more material and found this [Ubuntu tutorial](https://help.ubuntu.com/community/Postfix/DKIM) which had some helpful suggestions like the testing section.

After giving the OpenDKIM instructions a first run through I gave the testing a try.

First using [dkimcore.org/tools/](http://dkimcore.org/tools/) I found that the Gentoo OpenDKIM config tool had spat out invalid TXT. It had spat out

```
v=DKIM1;=rsa; p=MIGfM......
```

And after some quick internet consultation I found out I needed to fix it to

```
v=DKIM1; k=rsa; p=MIGfM.....
```
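
The check that the online tool performed can also be run locally before publishing a record. The following is an added example, not code from the original post or from OpenDKIM: it parses a key record as an RFC 6376 tag-list and reports the nameless `=rsa` tag shown above. The function names are hypothetical and the `p=` value is a constructed placeholder, since the post elides its real key.

```python
import base64
import re

# RFC 6376 tag-name: a letter followed by letters, digits or underscores.
TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# Constructed placeholder, not a real public key (the post elides its own).
SAMPLE_P = base64.b64encode(b"constructed placeholder, not a real key").decode()
BAD_RECORD = "v=DKIM1;=rsa; p=" + SAMPLE_P    # shape the config tool emitted
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_P  # shape after the manual fix

def parse_tag_list(record):
    """Split a tag-list into a dict; raise ValueError on a malformed tag."""
    parts = record.strip().split(";")
    if parts[-1].strip() == "":
        parts.pop()  # one trailing ';' is allowed
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not TAG_NAME.match(name):
            raise ValueError("malformed tag: %r" % part.strip())
        if name in tags:
            raise ValueError("duplicate tag: %r" % name)
        tags[name] = value.strip()
    return tags

def check_key_record(record):
    """Return a list of problems in a DKIM key record (empty list if none)."""
    try:
        tags = parse_tag_list(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # v= is optional, but when present it must come first and equal DKIM1.
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be first and equal to DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unrecognized key type in k=")
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"]:  # an empty p= means the key has been revoked
        try:
            base64.b64decode("".join(tags["p"].split()), validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems
```

Pass the record as the unquoted TXT string; `check_key_record(BAD_RECORD)` reports the malformed `=rsa` tag, while `check_key_record(GOOD_RECORD)` returns an empty list.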

The second test from the Ubuntu docs was an auto-respond test email system, from which, along with Wikipedia, I learned about [ADSP](http://en.wikipedia.org/wiki/Author_Domain_Signing_Practices). So I added

```
_adsp._domainkey.mindstab.net. IN TXT "dkim=discardable"
```

to my BIND config as well. (I'm still not 100% about the final '.'). Also it seems the autoresponder email tool doesn't update its DNS too often so I may have to wait a bit to retest.

So now it seems I should have DKIM signed/valid email! :) Just another step to make sure my email is valid, slightly less spoofable and liked/accepted by the big email providers.

Also, seeing results like this from Gmail after receiving my email seems good:

```
Received-SPF: pass (google.com: domain of dan@mindstab.net designates 69.164.214.81 as permitted sender) client-ip=69.164.214.81;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of dan@mindstab.net designates 69.164.214.81 as permitted sender)
smtp.mail=dan@mindstab.net; dkim=pass header.i=@mindstab.net
```