[gentoo-user] Postfix and Domainkeys

[gentoo-user] Postfix and Domainkeys

[Jason Carson]

Greetings,

I am trying to setup postfix with domainkeys. I installed dk-milter and
ran the following as I was told to do after emerging it ...

emerge --config mail-filter/dk-milter

...which told me to do the following...

Configuring pkg...

Enter the selector name (default penguin): default
 * The private key for this selector already exists.

 * Make sure you add these parameters to your dk-filter command line:
 *   -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private -S
default

 * If you are using Postfix, add following lines to your main.cf:
 *   smtpd_milters     = unix:/var/run/dk-filter/dk-filter.sock
 *   non_smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock

 * After you configured your MTA, publish your key by adding this TXT
record to your domain:
 *   default._domainkey   IN   TXT  "g=; k=rsa; t=y; o=~; p=keygoeshere"

 * t=y signifies you only test the DK on your domain.
 * See the DomainKeys specification for more info.

but I don't understand what this part mean...

* Make sure you add these parameters to your dk-filter command line:
 *   -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private -S
default

...Anyone know what to do?

Re: [gentoo-user] Postfix and Domainkeys

[Eray Aslan]

On 12.01.2009 00:13, Jason Carson wrote:
> Greetings,
> 
> I am trying to setup postfix with domainkeys. I installed dk-milter and
> ran the following as I was told to do after emerging it ...

DomainKeys is deprecated and is replaced by DKIM.  You are much better
off using mail-filter/dkim-milter.  If you are using amavisd-new with
your postfix, I suggest you use amavisd-new to check and sign your mail
and do not use milters at all.

[...]
>  * After you configured your MTA, publish your key by adding this TXT
> record to your domain:
>  *   default._domainkey   IN   TXT  "g=; k=rsa; t=y; o=~; p=keygoeshere"
> 
>  * t=y signifies you only test the DK on your domain.
>  * See the DomainKeys specification for more info.
> 
> but I don't understand what this part mean...

You need to publish your public key in your DNS server so that others
can check your signature.

> * Make sure you add these parameters to your dk-filter command line:
>  *   -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private -S
> default
> 
> ...Anyone know what to do?

You need to read up on DKIM (or domainkeys if you want to go that way).
 Links below should get you started:

http://www.dkim.org/
http://en.wikipedia.org/wiki/DomainKeys
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
http://www.postfix.org/MILTER_README.html

-- 
Eray

Re: [gentoo-user] Postfix and Domainkeys

[Jason Carson]

> On 12.01.2009 00:13, Jason Carson wrote:
>> Greetings,
>>
>> I am trying to setup postfix with domainkeys. I installed dk-milter and
>> ran the following as I was told to do after emerging it ...
>
> DomainKeys is deprecated and is replaced by DKIM.  You are much better
> off using mail-filter/dkim-milter.  If you are using amavisd-new with
> your postfix, I suggest you use amavisd-new to check and sign your mail
> and do not use milters at all.
>
> [...]
>>  * After you configured your MTA, publish your key by adding this TXT
>> record to your domain:
>>  *   default._domainkey   IN   TXT  "g=; k=rsa; t=y; o=~; p=keygoeshere"
>>
>>  * t=y signifies you only test the DK on your domain.
>>  * See the DomainKeys specification for more info.
>>
>> but I don't understand what this part mean...

I don't understand what this part below means...

Make sure you add these parameters to your dk-filter command line:
-b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private
-S default

I tried the following two commands with no luck

dk-filter -b sv -d jasoncarson.ca -H -s
/etc/mail/dk-filter/default.private -S default

...and...

 /etc/init.d/dk-filter -b sv -d jasoncarson.ca -H -s
/etc/mail/dk-filter/default.private -S default

...any other suggestions or am I doing something wrong?

> http://www.dkim.org/
> http://en.wikipedia.org/wiki/DomainKeys
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> http://www.postfix.org/MILTER_README.html

Thanks for the links, I will check them out.

Re: [gentoo-user] Postfix and Domainkeys

[Eray Aslan]

On 12.01.2009 17:33, Jason Carson wrote:
[...]
> I don't understand what this part below means...
> 
> Make sure you add these parameters to your dk-filter command line:
> -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private
> -S default
> 
> I tried the following two commands with no luck
> 
> dk-filter -b sv -d jasoncarson.ca -H -s
> /etc/mail/dk-filter/default.private -S default
> 
> ...and...
> 
>  /etc/init.d/dk-filter -b sv -d jasoncarson.ca -H -s
> /etc/mail/dk-filter/default.private -S default
> 
> ...any other suggestions or am I doing something wrong?

It's been awhile but:

Make the necessary changes:
vi /etc/mail/dk-filter/dk-filter.conf

and start the milter:
/etc/init.d/dk-filter start

-- 
Eray

Re: [gentoo-user] Postfix and Domainkeys

[Jason Carson]

> On 12.01.2009 17:33, Jason Carson wrote:
> [...]
>> I don't understand what this part below means...
>>
>> Make sure you add these parameters to your dk-filter command line:
>> -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private
>> -S default
>>
>> I tried the following two commands with no luck
>>
>> dk-filter -b sv -d jasoncarson.ca -H -s
>> /etc/mail/dk-filter/default.private -S default
>>
>> ...and...
>>
>>  /etc/init.d/dk-filter -b sv -d jasoncarson.ca -H -s
>> /etc/mail/dk-filter/default.private -S default
>>
>> ...any other suggestions or am I doing something wrong?
>
> It's been awhile but:
>
> Make the necessary changes:
> vi /etc/mail/dk-filter/dk-filter.conf
>
> and start the milter:
> /etc/init.d/dk-filter start
>
> --
> Eray

ok, the file is /usr/portage/mail-filter/dk-milter/files/dk-filter.conf or
/etc/conf.d/dk-filter (they both look the same when you open them up)so I
modified /etc/conf.d/dk-filter and started the milter but Postfix still
isn't signing emails. The only two options I was told to add to the
postfix main.cf file was...

smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock
non_smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock

Re: [gentoo-user] Postfix and Domainkeys

[Jason Carson]

>> On 12.01.2009 17:33, Jason Carson wrote:
>> [...]
>>> I don't understand what this part below means...
>>>
>>> Make sure you add these parameters to your dk-filter command line:
>>> -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private
>>> -S default
>>>
>>> I tried the following two commands with no luck
>>>
>>> dk-filter -b sv -d jasoncarson.ca -H -s
>>> /etc/mail/dk-filter/default.private -S default
>>>
>>> ...and...
>>>
>>>  /etc/init.d/dk-filter -b sv -d jasoncarson.ca -H -s
>>> /etc/mail/dk-filter/default.private -S default
>>>
>>> ...any other suggestions or am I doing something wrong?
>>
>> It's been awhile but:
>>
>> Make the necessary changes:
>> vi /etc/mail/dk-filter/dk-filter.conf
>>
>> and start the milter:
>> /etc/init.d/dk-filter start
>>
>> --
>> Eray
>
> ok, the file is /usr/portage/mail-filter/dk-milter/files/dk-filter.conf or
> /etc/conf.d/dk-filter (they both look the same when you open them up)so I
> modified /etc/conf.d/dk-filter and started the milter but Postfix still
> isn't signing emails. The only two options I was told to add to the
> postfix main.cf file was...
>
> smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock
> non_smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock
>

Here is what I have added to /etc/conf.d/dk-filter

ADDITIONAL_OPTS="-l -b sv -d jasoncarson.ca -H -s /etc/mail/dk-filter/jason.private -S jason \
        -C badsignature=reject,dnserror=tempfail,internal=tempfail,nosignature=accept,signaturemissing=reject"

The emails are now being signed with a domainkey but when I run a test here http://www.mailradar.com/domainkeys/ it comes back as...

"Domain-Key Status: NOT PASSED"

Anyone have any suggestions as to what I am doing wrong?

Re: [gentoo-user] Postfix and Domainkeys

[Jason Carson]

> On 12.01.2009 00:13, Jason Carson wrote:
>> Greetings,
>>
>> I am trying to setup postfix with domainkeys. I installed dk-milter and
>> ran the following as I was told to do after emerging it ...
>
> DomainKeys is deprecated and is replaced by DKIM.  You are much better
> off using mail-filter/dkim-milter.  If you are using amavisd-new with
> your postfix, I suggest you use amavisd-new to check and sign your mail
> and do not use milters at all.

Can I use both dk-milter and dkim-milter simultaneously?

> [...]
>>  * After you configured your MTA, publish your key by adding this TXT
>> record to your domain:
>>  *   default._domainkey   IN   TXT  "g=; k=rsa; t=y; o=~; p=keygoeshere"
>>
>>  * t=y signifies you only test the DK on your domain.
>>  * See the DomainKeys specification for more info.
>>
>> but I don't understand what this part mean...
>
> You need to publish your public key in your DNS server so that others
> can check your signature.
>
>> * Make sure you add these parameters to your dk-filter command line:
>>  *   -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private -S
>> default
>>
>> ...Anyone know what to do?
>
> You need to read up on DKIM (or domainkeys if you want to go that way).
>  Links below should get you started:
>
> http://www.dkim.org/
> http://en.wikipedia.org/wiki/DomainKeys
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> http://www.postfix.org/MILTER_README.html
>
> --
> Eray
>
>

Re: [gentoo-user] Postfix and Domainkeys

[Eray Aslan]

On 14.01.2009 06:24, Jason Carson wrote:
>> On 12.01.2009 00:13, Jason Carson wrote:
>>> Greetings,
>>>
>>> I am trying to setup postfix with domainkeys. I installed dk-milter and
>>> ran the following as I was told to do after emerging it ...
>> DomainKeys is deprecated and is replaced by DKIM.  You are much better
>> off using mail-filter/dkim-milter.  If you are using amavisd-new with
>> your postfix, I suggest you use amavisd-new to check and sign your mail
>> and do not use milters at all.
> 
> Can I use both dk-milter and dkim-milter simultaneously?

Yes you can use both simultaneously.  First sign with domainkeys and
then with DKIM.

-- 
Eray