Postfix/DKIM
Source: https://help.ubuntu.com/community/Postfix/DKIM
Introduction
DomainKeys Identified Mail (DKIM) is a method for email authentication that allows a person who receives email to verify that the message actually comes from the domain it claims to come from. The need for this type of authentication arises because spam often has forged headers. DKIM uses public-key cryptography to allow the sender to electronically sign legitimate emails in a way that can be verified by recipients. DKIM also guards against tampering with mail, offering almost end-to-end integrity from a signing to a verifying mail transfer agent (MTA). Read more on Wikipedia.
dkim-milter is a milter-based application (dkim-filter) which plugs in to Postfix to provide DomainKeys Identified Mail service for your.
Installation
We assume you have already installed the Postfix MTA; if not, please read the dedicated Postfix page. To install dkim-milter, you need the Universe repository enabled. Then use your favorite package manager to install the package. For example:
sudo aptitude install dkim-filter
Simply accept the defaults when the installation process asks questions. The configuration will be done in greater detail in the next stage.
Configuration
dkim-milter configuration consists of two files:
/etc/dkim-filter.conf
/etc/default/dkim-filter
Use your favorite editor to edit those files. Here's an example of /etc/dkim-filter.conf file already edited to suit my needs:
# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
#UMask                  002
# dkim-milter (2.5.2.dfsg-1ubuntu1) hardy:
#   Disable new umask option by default (not needed since Ubuntu default
#   uses a TCP socket instead of a Unix socket).

# Attempt to become the specified userid before starting operations.
#UserID                 105 # 'id postfix' in your shell

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain                  ubuntu.ro
KeyFile                 /etc/mail/dkim.key # See below how to generate and set up the key
Selector                mail

# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart             yes
Background              yes
Canonicalization        simple
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              no
#UseASPDiscard          no
#Version                rfc4871
X-Header                no

#InternalHosts          /etc/mail/dkim-InternalHosts.txt
# The contents of /etc/mail/dkim-InternalHosts.txt should be
#   127.0.0.1/8
#   192.168.1.0/24
#   other.internal.host.domain.tld
# You need InternalHosts if you are signing e-mails on a gateway mail server
# for each of the computers on your LAN.

# Other (less-standard) configuration options
#
# If enabled, log verification stats here
Statistics              /var/log/dkim-filter/dkim-stats
#
# KeyList is a file containing tuples of key information. Requires
# KeyFile to be unset. Each line of the file should be of the format:
#    sender glob:signing domain:signing key file
# Blank lines and lines beginning with # are ignored. Selector will be
# derived from the key's filename.
#KeyList                /etc/dkim-keys.conf
#
# If enabled, will generate verification failure reports for any messages
# that fail signature verification. These will be sent to the r= address
# in the policy record, if any.
#ReportInfo             yes
#
# If enabled, will issue a Sendmail QUARANTINE for any messages that fail
# signature verification, allowing them to be inspected later.
#Quarantine             yes
#
# If enabled, will check for required headers when processing messages.
# At a minimum, that means From: and Date: will be required. Messages not
# containing the required headers will not be signed or verified, but will
# be passed through
#RequiredHeaders        yes
/etc/dkim-filter.conf is the most important file. It provides the milter with the selector (used for DNS requests and email verification) and the signing key (used for signing outgoing emails). Here's an example of /etc/default/dkim-filter. This file is used to connect the milter to the MTA:
# Command-line options specified here will override the contents of
# /etc/dkim-filter.conf. See dkim-filter(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in dkim-filter.conf
#SOCKET="local:/var/run/dkim-filter/dkim-filter.sock" # Debian default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
In my case, this file needs no additional editing. Now, to tell Postfix about the milter and where to connect to it, edit your Postfix main.cf file, /etc/postfix/main.cf, and append the following:
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
If you are already using another milter (for example Postfix/DomainKeys), you can add the new one like this:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
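The two files write the same endpoint in different syntaxes: inet:8891@localhost in /etc/default/dkim-filter and inet:localhost:8891 in main.cf. With milter_default_action = accept, Postfix delivers mail unsigned when it cannot reach the milter, so a mismatch is easy to miss. The check below is an added example, not part of the original page; its function names and sample file contents are constructed, and it assumes each main.cf parameter sits on one line and compares endpoints literally.

```sh
#!/bin/sh
# Added example: confirm the dkim-filter SOCKET is listed in Postfix's milter settings.

# Translate a milter socket spec (inet:PORT@HOST, inet:PORT, local:/path)
# into Postfix syntax (inet:HOST:PORT, unix:/path).
milter_to_postfix() {
    case "$1" in
        inet:*@*) port=${1#inet:}; port=${port%%@*}
                  printf 'inet:%s:%s\n' "${1#*@}" "$port" ;;
        inet:*)   printf 'inet:localhost:%s\n' "${1#inet:}" ;;
        local:*)  printf 'unix:%s\n' "${1#local:}" ;;
        *)        return 1 ;;
    esac
}

# Last uncommented SOCKET= value in an /etc/default/dkim-filter style file.
active_socket() {
    sed -n 's/^SOCKET="\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# usage: postfix_lists_milter MAIN_CF PARAMETER ENDPOINT
postfix_lists_milter() {
    grep -E "^$2[[:space:]]*=" "$1" | sed 's/^[^=]*=//' | tr ', ' '\n\n' |
        grep -Fxq "$3"
}

# usage: check_dkim_milter DEFAULTS_FILE MAIN_CF
check_dkim_milter() {
    endpoint=$(milter_to_postfix "$(active_socket "$1")") || return 2
    for param in smtpd_milters non_smtpd_milters; do
        postfix_lists_milter "$2" "$param" "$endpoint" ||
            { echo "MISSING: $param does not list $endpoint"; return 1; }
    done
    echo "OK: $endpoint"
}

# Constructed sample files mirroring the settings shown on this page.
tmp=$(mktemp -d)
printf '%s\n' '#SOCKET="inet:54321"' 'SOCKET="inet:8891@localhost" # Ubuntu default' \
    > "$tmp/dkim-filter"
printf '%s\n' 'milter_default_action = accept' 'smtpd_milters = inet:localhost:8891' \
    'non_smtpd_milters = inet:localhost:8891' > "$tmp/main.cf"
check_dkim_milter "$tmp/dkim-filter" "$tmp/main.cf"
rm -rf "$tmp"
```

On a live host, postconf -h smtpd_milters prints the effective value to compare against.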
Key generation for dkim-milter and its setup with DNS
Actually it's no big deal. Generate an OpenSSL RSA key as you always do, then move its private part to the location you indicated in your /etc/dkim-filter.conf:
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
cp private.key /etc/mail/dkim.key
RFC 4871 allows RSA keys ranging from 512 bits to 2048 bits. BIND 9.4.2-P2 (included in Ubuntu 8.04.3) cannot handle 2048 bits in the TXT field, so stay with 1024. The DNS record should look like this:
mail._domainkey.ubuntu.ro. IN TXT "k=rsa; t=y; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
Everything after p= is the content of the public key we generated above, public.key. To use it, strip out the header and footer lines inside it, this:
-----BEGIN PUBLIC KEY-----
and this:
-----END PUBLIC KEY-----
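The conversion from public.key to the TXT record, as an added example that is not part of the original page: the function names are hypothetical, and the sample input is the page's example p= value wrapped in PEM armor, which is not a complete key. It goes slightly beyond the page by splitting long values into several quoted strings, since a single TXT string is limited to 255 bytes.

```sh
#!/bin/sh
# Added example: build the DKIM TXT record from a PEM public key on stdin.

# Base64 body of the PEM input as one string, armor lines removed.
pem_body() {
    grep -v -e '^-----BEGIN ' -e '^-----END ' | tr -d ' \t\r\n'
}

# usage: dkim_txt_record SELECTOR DOMAIN [testing] < public.key
# "testing" adds t=y (domain is testing DKIM), as in the page's record.
dkim_txt_record() {
    p=$(pem_body)
    [ -n "$p" ] || { echo "no key data on stdin" >&2; return 1; }
    if [ "${3:-}" = "testing" ]; then
        tags="k=rsa; t=y; p=$p"
    else
        tags="k=rsa; p=$p"
    fi
    # One TXT character-string holds at most 255 bytes, so emit 200-byte
    # quoted chunks; verifiers concatenate them before parsing the tags.
    rdata=$(printf '%s\n' "$tags" | fold -w 200 | sed 's/.*/"&"/' | paste -s -d ' ' -)
    printf '%s._domainkey.%s. IN TXT %s\n' "$1" "$2" "$rdata"
}

# Constructed input: the page's example p= value inside PEM armor (not a complete key).
sample_pem() {
    cat <<'EOF'
-----BEGIN PUBLIC KEY-----
PpYHdE2tevfEpvL1Tk2dDYv0pF28/f
5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-----
EOF
}

sample_pem | dkim_txt_record mail ubuntu.ro testing
```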
Startup and testing
Once the configuration above is done, the daemon can be started with:
sudo /etc/init.d/dkim-filter start
If it doesn't start, search the logs for problems and see what else it requires:
grep -i dkim /var/log/mail.log
Instead of using /etc/init.d/dkim-filter you can run dkim-filter directly:
dkim-filter -x /etc/dkim-filter.conf
If you get an error like:
dkim-filter: milter socket must be specified
then try manually specifying the socket. Use this to specify local (which does not match /etc/default/dkim-filter above):
dkim-filter -x /etc/dkim-filter.conf -p local
Now restart the Postfix MTA, and check for email signing:
/etc/init.d/postfix restart
For testing purposes, I recommend tools like:
- http://www.sendmail.org/dkim/tools
- or just send an email to autorespond+dkim[at]dk.elandsys.com
Testing results should look like this in Gmail: http://stas.nerd.ro/blog/data/dkim-filter.png
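To check signing from a received message, the following added example (not from the original page) reads the DKIM-Signature header and prints the DNS name a verifier will query, which should match the Selector and Domain configured above. The function names and the sample message, including its bh= and b= values, are constructed.

```sh
#!/bin/sh
# Added example: list the DNS key names referenced by DKIM-Signature headers.

# Reads one message on stdin; prints SELECTOR._domainkey.DOMAIN per signature.
dkim_key_names() {
    awk '
    function emit(   i, n, kv, d, s) {
        sub(/^[^:]*:/, "", sig); gsub(/[ \t\r]/, "", sig)
        n = split(sig, kv, ";"); d = ""; s = ""
        for (i = 1; i <= n; i++) {
            if (kv[i] ~ /^d=/) d = substr(kv[i], 3)
            if (kv[i] ~ /^s=/) s = substr(kv[i], 3)
        }
        if (d != "" && s != "") print s "._domainkey." d
        in_sig = 0
    }
    /^$/     { exit }                              # blank line ends the headers
    /^[ \t]/ { if (in_sig) sig = sig $0; next }    # folded continuation line
             { if (in_sig) emit()
               if (tolower($0) ~ /^dkim-signature:/) { in_sig = 1; sig = $0 } }
    END      { if (in_sig) emit() }
    '
}

# usage: signed_with SELECTOR DOMAIN < message
# Succeeds when the message carries a signature for that selector and domain.
signed_with() {
    dkim_key_names | grep -Fxq "$1._domainkey.$2"
}

# Constructed sample message; bh= and b= are placeholders, not real values.
sample_message() {
    cat <<'EOF'
Received: from localhost (localhost [127.0.0.1]) by mail.ubuntu.ro
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ubuntu.ro; s=mail;
 t=1200000000; bh=PLACEHOLDER; h=From:Date:Subject;
 b=PLACEHOLDER
From: sender@ubuntu.ro
Subject: DKIM test

Body text is not parsed.
EOF
}

sample_message | dkim_key_names
```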