November 26, 2008

 Installing DKIM for outbound messages

DKIM support has been included in the mail-server version of Atmail since version 5.5.
DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. This can help mark your emails as "trusted", improving delivery rates and reducing false positives with spam filters. Providers such as Gmail and other large ISPs validate DKIM headers, and we recommend that admins adopt this practice to help with message integrity.
If you want all outgoing messages sent from your server to be DKIM-signed, follow the steps below.

1: Make sure you are running Atmail 5.5, otherwise upgrade your copy to the latest version. Verify your server has DKIM support compiled into Exim:

/usr/local/atmail/mailserver/bin/exim -dd 2>&1 | grep Experimental_DKIM

This should return:

Support for: crypteq iconv() OpenSSL Content_Scanning Experimental_DKIM

2: Create a new private/public key pair from the command line:

openssl genrsa -out /usr/local/atmail/mailserver/dkim.key 1024
openssl rsa -in /usr/local/atmail/mailserver/dkim.key -out /usr/local/atmail/mailserver/dkim.public -pubout -outform PEM

3: View the contents of /usr/local/atmail/mailserver/dkim.public

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEYVlzEzrHH1ile+IYBZasjVTi
n+kacOvmpiJGhxNuGKhTmOCrvLh4Z+eQp1Dvj7kJNUU3EF5nEbFl7WTb/Z3uxxET
MImk47xX2eJdr/q98c+gJurZvlbpFuTT9JhXRmA8kkHZrARHUpsWZMsNt69ewgQK
XaAKH1MH5I4y0+JsqQIDAQAB
-----END PUBLIC KEY-----

4: Remove the -----BEGIN and -----END lines, and remove the line breaks so the public key spans a single line. Add the following to your DNS server zone file:

mail._domainkey.yourdomain.com. IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQE............KXaAKH1MH5I4y0+JsqQIDAQAB"

5: Open the Exim configure file, locate the transport "remote_smtp" and append the following.

remote_smtp:
driver = smtp
#
dkim_domain=yourdomain.com
dkim_selector=mail
dkim_private_key=/usr/local/atmail/mailserver/dkim.key
#

6: Restart your nameserver and the Atmail services ( /etc/init.d/atmailserver restart )

7: Via Webmail or an external mail client, send a message via SMTP to an outside address. View the headers of the email; if signing succeeded, you will see a header line like this:

Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;d=yourdomain.com; s=mail; h=MIME-Version:Message-ID:To:Reply-To:Content-Type:Date:Subject:From; bh=4WWVzoOsUWW0f4BYC2VHYfz2dQAB9PwjbTcHsvaaHrY=; b=GvkmrnJM1f2MhkRxZjTwKIPWTYmVUm//P2hqSw4eJ7izAo0GFunTddhlZ4UOWfBiObJj7+E8OGcVjyoMKj+4bNVhPqaMEi3Iidzexn8uqYbM+1vGCUf7b1tg10C+dzfdnsQIiGrkAYYlMvWGefhDlRhFq0OQfI1sDYN7pMMoqeQ=
You can also test that the DKIM header is valid by emailing dkimtest@atmail.org. On success you will receive an autoreply; otherwise the mail is returned with "Bad DKIM header".
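
Step 4 can be scripted rather than edited by hand. The following is an added example, not part of the original post or of Atmail; the function names are hypothetical. It goes beyond the 1024-bit case above: a 2048-bit key (the size RFC 8301 recommends for signers) gives a value longer than one 255-byte TXT string, so the script splits long values into several quoted strings.

```shell
#!/bin/sh
# Added example (not from the original post): turn the PEM public key
# from step 3 into the zone-file TXT record of step 4.

# Drop the -----BEGIN/-----END lines and join the base64 body into one line.
pem_to_b64() {
    grep -v '^-----' "$1" | tr -d ' \t\r\n'
}

# dkim_txt_record SELECTOR DOMAIN PEM_FILE
# Prints the record in the same form as step 4. One TXT character-string
# holds at most 255 bytes, so a long value is written as several quoted
# strings on the same record; DKIM verifiers concatenate them in order
# with nothing in between.
dkim_txt_record() {
    b64=$(pem_to_b64 "$3")
    if [ -z "$b64" ]; then
        echo "dkim_txt_record: no key data in $3" >&2
        return 1
    fi
    value="v=DKIM1; g=*; k=rsa; p=$b64"
    strings=$(printf '%s\n' "$value" | fold -w 250 | sed 's/.*/"&"/' | paste -sd ' ' -)
    printf '%s._domainkey.%s. IN TXT %s\n' "$1" "$2" "$strings"
}

# Demo using the sample public key shown in step 3 of the post.
demo_pem=$(mktemp)
cat > "$demo_pem" <<'EOF'
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEYVlzEzrHH1ile+IYBZasjVTi
n+kacOvmpiJGhxNuGKhTmOCrvLh4Z+eQp1Dvj7kJNUU3EF5nEbFl7WTb/Z3uxxET
MImk47xX2eJdr/q98c+gJurZvlbpFuTT9JhXRmA8kkHZrARHUpsWZMsNt69ewgQK
XaAKH1MH5I4y0+JsqQIDAQAB
-----END PUBLIC KEY-----
EOF
dkim_txt_record mail yourdomain.com "$demo_pem"
rm -f "$demo_pem"
```

Run it against /usr/local/atmail/mailserver/dkim.public with your own selector and domain, and paste the printed line into the zone file.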

--

This will be natively supported in Atmail 5.6 due Dec 2008 - In the meantime these changes can be made to any existing Atmail 5.5 installation with DKIM support.


Filed under: Anti-Spam,Exim,Linux version — info @ 6:17 pm

2 Comments »

  1. Here I found a good DomainKeys, DKIM and SPF validator.
    http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test

    Comment by Adrian — November 30, 2008 @ 1:56 am
  2. I don’t send much email through SMTP. Most of my newsletter content is auto-generated from my blog and sent through a PHP script.

    My question: Can I send the DKIM header through a specific header in the “mail()” in PHP? Or the DomainKeys header?

    Thanks. Please CC me if you respond to this message.

    Comment by Erick — March 4, 2009 @ 7:52 pm
