DomainKeys for Postfix on Red Hat ES 4
*** Note: This is only tested on RHEL4. RHEL5 has a newer version out of the box. RHEL3 might require some touching in the wrong places.
* Requires Postfix 2.3 and above for milter support
* http://www.postfix.org/MILTER_README.html
* http://sourceforge.net/projects/dk-milter
* http://postfix.wl0.org/en/
Quick & dirty steps (developed on RHEL4):
1. Upgrade Postfix using SRPM from postfix.wl0.org since you want SASL auth enabled
2. Configure Postfix to acknowledge the milter in main.cf:
smtpd_milters = inet:localhost:4442
3. Fetch and compile dk-milter from source, don't worry about RPMing this.
4. Generate a private/public key pair using OpenSSL:
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
Pick a selector name, e.g. selector1
Add the public-key data in DNS for the domain using the selector name you picked. Take the contents of the public.key file and remove the PEM header and footer, and concatenate the lines of the file into one big line. Then create a TXT entry, like this:
selector1._domainkey IN TXT "k=rsa; p=MHwwDQYJK ... OprwIDAQAB; t=y"
where selector1 is the name of the selector chosen and the p= parameter contains the public-key as one long string of characters.
5. Start dk-milter. I set up a user 'dkfilter' so it doesn't run as root and also set a pid file. I also used an init script found via Google, which works great for Red Hat systems.
# dk-filter -u dkfilter -b s -p inet:4442@localhost -l -P /var/run/dk-milter/pid -s /etc/postfix/dk-milter/private.key -d mydomain.com -S selector1 -m smtp -c nofws
**** Note - -m needs to be -m smtp so that dk-filter signs mail going out over smtp. It will not sign messages otherwise.
init script:
#!/bin/sh
#
# "/etc/rc.d/init.d/dk-filter"
# Start/stop script for the dk-filter daemon on RedHat Linux
#
# chkconfig: - 79 31
# description: Acts as the "dk-filter" InputMailFilter (milter) for the \
# Sendmail MTA to provide DomainKeys service
########################################################################
#
# Be sure to edit these values:
#
KEYFILE="/etc/postfix/dk-milter/private.key"
DOMAIN="mydomain.com"
SELECTOR="selector1"
USER="dkfilter"
#
########################################################################
PIDFILE="/var/run/dk-milter/pid"
SUBMISSION_DAEMON="smtp"
PORT=4442

# Source function library. Provides the "status" option
. /etc/init.d/functions

# Exit quietly if dk-filter is not installed. The quotes matter: with an
# empty unquoted result, "test -x" alone evaluates to true.
test -x "$(which dk-filter 2>/dev/null)" || exit 0

RETVAL=0

start() {
    echo -n $"Starting dk-filter: "
    COMMAND="dk-filter -u $USER -b s -p inet:$PORT@localhost -l -P $PIDFILE -s $KEYFILE -d $DOMAIN -S $SELECTOR -m $SUBMISSION_DAEMON -c nofws"
    # echo -e "Now executing\n"$COMMAND""
    daemon $COMMAND
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/dk-filter
    return $RETVAL
}

stop() {
    echo -n $"Stopping dk-filter: "
    killproc dk-filter
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f "$PIDFILE" /var/lock/subsys/dk-filter
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status dk-filter
        ;;
    restart)
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac
exit $?
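
For step 4, the PEM-to-TXT conversion can be scripted instead of edited by hand. This is an added example, not part of the original write-up or of dk-milter; the function names and the sample PEM body are constructed for illustration, and the function refuses any file containing private key material so that private.key cannot end up in DNS by mistake.

```shell
#!/bin/sh
# Added example (not from the original page): build the step 4 TXT record.

# make_sample_pem PATH: write a constructed placeholder PEM (not a real key).
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN PUBLIC KEY-----
Q09OU1RSVUNURUQtU0FNUExF
LUtFWS1EQVRB
-----END PUBLIC KEY-----
EOF
}

# pem_to_dk_txt SELECTOR PEMFILE: print the zone-file line; non-zero on error.
pem_to_dk_txt() {
    selector=$1
    pem=$2
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Refuse private key material so private.key is never pasted into DNS.
    if grep -q 'PRIVATE KEY' "$pem"; then
        echo "$pem holds a private key; refusing" >&2
        return 2
    fi
    grep -q '^-----BEGIN PUBLIC KEY-----' "$pem" || {
        echo "no PEM public key header in $pem" >&2
        return 3
    }
    # Remove the PEM header and footer, then join the base64 body lines.
    p=$(grep -v '^-----' "$pem" | tr -d ' \t\r\n')
    case $p in
        ''|*[!A-Za-z0-9+/=]*)
            echo "body of $pem is not base64" >&2
            return 4 ;;
    esac
    # t=y marks the key as being in test mode, as in the record on this page.
    printf '%s._domainkey IN TXT "k=rsa; p=%s; t=y"\n' "$selector" "$p"
}

# Demo on the constructed sample; point it at the real public.key instead.
tmp=$(mktemp) && make_sample_pem "$tmp" && pem_to_dk_txt selector1 "$tmp"
rm -f "$tmp"
```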