Saturday, September 15, 2007

Exim + DomainKeys Howto.

I ran into this problem a couple of months ago: all the mail one of my customers was sending ended up in the bulk folder at Yahoo, Hotmail and other big free mail providers. While I was aware this would not solve the problem entirely, due to the fact that they blindly open any attachment in any email they receive (and thus get viruses which start sending emails/spam the next minute), I thought that I should also implement DomainKeys, since I was doing a lot of maintenance work anyway (like updating ClamAV, SpamAssassin and so on and so forth).

It took me a couple of days to finally get it working the right way due to different factors (DNS, not being able to find comprehensive documentation, etc.).

Here is what I came up with:

This is a quick tutorial on how to enable domainkeys (http://domainkeys.sourceforge.net/) on Exim on a FreeBSD server.

First, if you have not yet installed Exim, you have to install it. If you have already installed it, you have to recompile it.

The way to do it:

cd /usr/ports/mail/exim
ee Makefile   (or use joe, vi, or whatever editor you like)

Search for the following lines:

# Enable DomainKeys support
#WITH_DOMAINKEYS= yes

...and uncomment the "#WITH_DOMAINKEYS= yes" line.

Now you will have:

# Enable DomainKeys support
WITH_DOMAINKEYS= yes

Save and exit the text editor.

Do the following:

make clean
make rmconfig
make
make FORCE_PKG_REGISTER=1 install <-- if you already have exim installed.
make install <-- if you don't have yet exim installed.

Copy & paste in your console:

cd /usr/local/etc/exim
mkdir dk
cd dk
openssl genrsa -out rsa.private 768
openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
cat rsa.public

After all this you will have a result which looks something like this:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----

Save what is between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- for later use.

Edit /usr/local/etc/exim/configure with your favorite text editor.

Find the line which starts with "remote_smtp:". It should be under the "begin transports" section of the file.

It looks like this:

remote_smtp:
driver = smtp

Edit it so that it looks like this (Exim only treats # at the start of a line as a comment, so the note about the selector goes on its own line):

remote_smtp:
driver = smtp
# you will need the selector name later when you alter your DNS config
dk_selector = myselector
dk_private_key = /usr/local/etc/exim/dk/rsa.private
dk_canon = nofws

Save the file, exit and start/restart Exim:

sh /usr/local/etc/rc.d/exim.sh restart

Log in to the server that serves as DNS server for the domain name for which you are configuring DomainKeys.

Go to /etc/namedb/

Find the zone file corresponding to your domain (named.conf gives the path to it).

Let's presume it is /etc/namedb/pri/com/yourdomain.com. Edit this file, and just after/below the IN MX statement, add the following records:

_domainkey.yourdomain.com.       IN      TXT     "t=y; o=-"

myselector._domainkey.yourdomain.com. IN TXT "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7EXzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB"

Alter the serial (for example, if today is 28-aug-2007, make your serial look like 2007082800 or 2007082801, etc), save the file and reload named.

If your domain is something like customer.yourdomain.com, then the records will look like this:

_domainkey.customer.yourdomain.com.       IN      TXT     "t=y; o=-"

myselector._domainkey.customer.yourdomain.com. IN TXT "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7EXzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB"

Remember to also modify /etc/namedb/named.conf:

Add the following to your options { ... } section of named.conf

        check-names master ignore;

This allows owner names containing _ (underscore).

You will need to add that "check-names master ignore;" line if you get the following error in your logs:

Aug 28 15:02:33 noc1 named[83277]: pri/com/yourdomain.com:15: myselector._domainkey.yourdomain.com: bad owner name (check-names)
Aug 28 15:02:33 noc1 named[83277]: zone yourdomain.com/IN: loading master file pri/com/yourdomain.com: bad owner name (check-names)

The long string after "k=rsa; t=y; p=" is your public key, which I said you should keep for later use.
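The key-generation and DNS steps above can be checked rather than done by eye. The following script is an added example, not part of the original post or of Exim: using only the Python standard library, it turns a PEM public key into the p= value, builds the two TXT records in the form the post publishes, splits rdata longer than 255 characters into several quoted strings (required for a 2048-bit key in a BIND zone file), and checks a published selector record by decoding the key and reading the RSA modulus size. The sample key is the post's own 768-bit example; the check flags it because 768 bits is below the 1024-bit floor that RFC 8301 later set for DKIM, DomainKeys' successor, and flags t=y so the test flag is not forgotten once verification passes. The function names and the MIN_BITS constant are this example's own.

```python
import base64

# Constructed sample input: the PEM public key and the selector TXT record copied
# from the tutorial above (the tutorial's own 768-bit example key).
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----
"""
SAMPLE_TXT = ("k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l"
              "MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E"
              "XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB")

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption
MIN_BITS = 1024  # floor RFC 8301 sets for DKIM keys; 2048 is its recommendation (assumed policy)


def pem_to_p(pem):
    """Strip the PEM armour and join the base64 lines: this is the p= value."""
    body = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in body if ln and not ln.startswith("-----"))


def zone_records(domain, selector, p, testing=True):
    """Build the two TXT records the tutorial publishes, as (owner, rdata) pairs.
    o=- declares that all mail from the domain is signed; t=y marks the key as in
    test mode, so verifiers treat failing mail no differently from unsigned mail."""
    t = "t=y; " if testing else ""
    return [
        ("_domainkey.%s." % domain, "%so=-" % t),
        ("%s._domainkey.%s." % (selector, domain), "k=rsa; %sp=%s" % (t, p)),
    ]


def zone_line(owner, rdata):
    """Format one TXT record for a BIND zone file. One quoted string holds at most
    255 characters, so longer rdata (e.g. a 2048-bit p=) is split into adjacent
    strings, which resolvers concatenate."""
    chunks = [rdata[i:i + 255] for i in range(0, len(rdata), 255)]
    return "%s IN TXT %s" % (owner, " ".join('"%s"' % c for c in chunks))


def parse_tags(rdata):
    """Parse 'k=rsa; t=y; p=...' into a dict of tag -> value."""
    tags = {}
    for part in rdata.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p):
    """Decode a p= value (base64 SubjectPublicKeyInfo) and return the modulus size in bits."""
    der = base64.b64decode(p, validate=True)
    tag, spki, _ = _tlv(der, 0)        # SEQUENCE SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, algid, pos = _tlv(spki, 0)      # SEQUENCE AlgorithmIdentifier
    _, oid, _ = _tlv(algid, 0)         # OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _tlv(spki, pos)     # BIT STRING subjectPublicKey
    _, rsapub, _ = _tlv(bitstr, 1)     # skip the unused-bits byte; SEQUENCE RSAPublicKey
    _, modulus, _ = _tlv(rsapub, 0)    # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def check_selector_record(rdata, expected_p=None):
    """Return a list of problems with a selector TXT record (empty list = fine)."""
    tags = parse_tags(rdata)
    problems = []
    if tags.get("k", "rsa") != "rsa":
        problems.append("k=%s: rsa is the only key type defined for DomainKeys" % tags["k"])
    if not tags.get("p"):
        return problems + ["missing p= public key (an empty p= means the key is revoked)"]
    if expected_p is not None and tags["p"] != expected_p:
        problems.append("p= does not match the key Exim signs with")
    try:
        bits = rsa_modulus_bits(tags["p"])
    except Exception as exc:
        return problems + ["p= is not a valid RSA public key: %s" % exc]
    if bits < MIN_BITS:
        problems.append("%d-bit RSA key is below the %d-bit floor; regenerate with 2048" % (bits, MIN_BITS))
    if tags.get("t") == "y":
        problems.append("t=y: key is still in test mode, drop it once verification passes")
    return problems


if __name__ == "__main__":
    p = pem_to_p(SAMPLE_PEM)
    for owner, rdata in zone_records("yourdomain.com", "myselector", p):
        print(zone_line(owner, rdata))
    for problem in check_selector_record(SAMPLE_TXT, expected_p=p):
        print("WARNING:", problem)
```

Run it as-is to see the two zone lines for the post's key followed by the two warnings; to check a record you have actually published, paste the TXT rdata returned by your resolver into check_selector_record together with the p= derived from the rsa.public file Exim signs with.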

To test, send an e-mail to dk at dk.crynwr.com. You will receive about 5 messages back from different addresses with test results.

If any of them says the test passed, you should be OK. Send an e-mail to a yahoo.com address and check the headers. They should look like this:

From Dan Caescu Tue Aug 28 06:20:08 2007
Return-Path:
Authentication-Results: mta233.mail.mud.yahoo.com from=yourdomain.com; domainkeys=pass (ok)
Received: from x.x.x.x (EHLO relay.yourdomain.com) (x.x.x.y)
by mta233.mail.mud.yahoo.com with SMTP; Tue, 28 Aug 2007 08:16:56 -0700
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=myselector; d=yourdomain.com;

That should be all.

Good luck!

PS: I also posted this here: http://wiki.exim.org/DomainKeys. You will also find some other useful documentation there.

2 comments:

yolte said...

Compile finished without any errors.

But when I try to restart exim it returns:

Starting exim: 2008-05-24 08:19:08 Exim configuration error in line 835 of /etc/exim.conf:

option "dk_selector" unknown

Any ideas?

dancaescu said...

That's because you don't have DomainKeys compiled in. As said, you have to edit the Makefile and enable the DomainKeys support.