Debian, DKIM, Qmail

DKIM signing in Qmail

DKIM and SPF are becoming most commonly adopted methods for email validation. Even if we want to use the DMARC (Domain-based Message Authentication, Reporting & Conformance), we need to configure SPF and DKIM first. DMARC acts as a layer above the SPF and DKIM. DMARC allows the receiever’s mail server to check if the Email is aligned properly as per the DMARC policy, and it queries the sender’s DNS server for the DMARC action, ie, whether to reject or quarantine if alignment fails. The action will be mentioned in the TXT record on the Sender’s DNS server. There is a good collection of DMARC training videos available in MAAWG site. We will get a clear idea on how DMARC works from those videos.

In this post, i will explain on how to make Qmail to do DKIM sign on the outgoing mails. There is a qmail-patch method available, but since i’m using qmail-1.0.3 with custom patch, i was not able to use the DKIM patch along with my custom patch. So the next method is to use a wrapper around “qmail-remote”, since qmail-remote is responsible for delivering remote mails, a wrapper around it will help us to sign the email and then start the remote delivery. There are a few wrappers mentioned in this site. I’m going to use this qmail-remote wrapper.

Initial Settings

First move the current ”qmail-remote” binary to ”qmail-remote.orig”. Now download the wrapper and move it to the /var/qmail/bin/ file.

$ mv /var/qmail/bin/qmail-remote /var/qmail/bin/qmail-remote.orig

$ wget -O /var/qmail/bin/qmail-remote "http://www.memoryhole.net/qmail/qmail-remote.sh"

$ chmod 755 /var/qmail/bin/qmail-remote

This wrapper depends on two programs, 1) dktest, which comes with the libdomainkeys, 2) dkimsign.pl, which is perl script for signing the emails. Both these files, must be available at the path mentioned in the “qmail-remote” wrapper file.

Go through the ”dkimsign.pl” script and install the Perl modules mentioned in it using cpan. There is no official debian package for libdomainkeys, so we need to compile it from the source.

setting up dktest

Download the latest source code from the sourceforge link.

$ tar -xzf libdomainkeys-0.69.tar.gz

$ cd libdomainkeys-0.69

Edit the Makefile and add ”-lresolv” to the end of the ”LIBS” line and run make

$ install -m 644 libdomainkeys.a /usr/local/lib

$ install -m 644 domainkeys.h dktrace.h /usr/local/include

$ install -m 755 dknewkey /usr/bin

$ install -m 755 dktest /usr/local/bin

Generate Domain keys for the domains

Before we can sign an email, we must create at least one public/private key pair. I’m going to create a key pair for the domain “example.com”.

$ mkdir -p /etc/domainkeys/example.com

$ cd /etc/domainkeys/example.com

$ dknewkey default 1024 > default.pub

$ chown -R root:root /etc/domainkeys

$ chmod 640 /etc/domainkeys/example.com/default

$ chown root:qmail /etc/domainkeys/example.com/default

It is very important that the default file be readable only by root and the group which qmailr (the qmail-remote user) belongs to. Now add a TXT entry to the DNS for ”default._domainkey.example.com” containing the quoted part in the /etc/domainkeys/example.com/default.pub

Once everything is added, restart the “qmail-send” and send a test mail to any non local domain. IF things goes fine, we can see a line like the below in “qmail-send” log.

$ @40000000517f518b1e1eb75c delivery 1: success: ktest_---_/tmp/dk2.sign.Gajw948FX1A1L0hugfQ/in_dkimsignpl_---_/tmp/dk2.sign.Gajw948FX1A1L0hugfQ/r74.125.25.27_accepted_message./Remote_host_said:_250_2.0.0_OK_1367298812_ps11si19566038pab.170_-_gsmtp/

Once the DKIM is working properly, add the SPF entries in our DNS, and we are ready to try out DMARC. DMARC is already in use by mail giants like Google,Yahoo,Paypal,Linkedin etc.

Standard