Postfix: Setup DNS dkim
Onnowpurbo
Revision as of 02:03, 29 April 2019
DomainKeys Identified Mail (DKIM) is a method of e-mail authentication that lets a recipient verify that a message actually originated from the domain it claims to come from. The need for this kind of authentication arose because spam frequently forges headers.
DKIM uses public-key cryptography to let a sender sign legitimate e-mail electronically in a way the recipient can verify.
DKIM also guards against tampering with the mail, offering end-to-end integrity from the signing mail transfer agent (MTA) to the verifying one.
dkim-milter is a milter-based application (dkim-filter) that plugs into Postfix to provide DomainKeys Identified Mail services for your mail server. dkim-milter is no longer developed; its original author forked the source and now develops opendkim. For Lucid and later releases, opendkim is preferred over dkim-filter. The instructions on this page should be the same (only with the package names adjusted as needed).
Installation
Assuming Postfix is already installed, install opendkim with the command,
sudo apt -y install opendkim opendkim-tools
Configuration
There are two (2) important files, namely,
/etc/opendkim.conf
/etc/default/opendkim
Edit /etc/opendkim.conf, for example,
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain onnocenter.or.id
KeyFile /etc/dkimkeys/dkim.key
Selector krs

# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart yes
Background yes
Canonicalization relaxed/relaxed
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
SubDomains no
#UseASPDiscard no
#Version rfc4871
X-Header no

OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
The file /etc/opendkim.conf is the most important one. It provides the required information about the selector (used for the DNS request and for e-mail verification) and the signing key in use (the key used to sign outgoing e-mail).
Edit /etc/default/opendkim, which is used to connect the milter to the MTA:
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
# SOCKET="local:/var/run/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
#SOCKET="inet:54321"
# listen on loopback on port 12345:
SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891
# listen on 192.0.2.1 on port 12345:
#SOCKET="inet:12345@192.0.2.1"
Edit /etc/postfix/main.cf and add the following settings,
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Key generation and DNS setup
Generate the key with the command
opendkim-genkey -t -s krs -d onnocenter.or.id
This produces two (2) files:
- krs.private - contains the private key.
- krs.txt - contains the DNS entry
Arguments
-s gives the selector to use
-d the domain to use
-t puts DKIM in test mode.
Copy the private key to the path set as KeyFile in /etc/opendkim.conf (the generated file is krs.private, and the key must be readable by the opendkim user only):
sudo mkdir -p /etc/dkimkeys
sudo cp krs.private /etc/dkimkeys/dkim.key
sudo chown opendkim:opendkim /etc/dkimkeys/dkim.key
sudo chmod 600 /etc/dkimkeys/dkim.key
Add the record to DNS according to krs.txt, roughly as follows
krs._domainkey.onnocenter.or.id IN TXT "v=DKIM1; g=*; k=rsa; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
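Before relying on the published record it is worth checking what a verifier will actually see. The following Python is an added example, not part of this page or of opendkim: it parses a DKIM key record as opendkim-genkey writes it (including a TXT record split into several quoted strings) and flags a p= value that is not valid base64 (typically truncated, as the shortened example above is), an empty p= (revoked key), the t=y test-mode flag that -t adds, and the g= tag that RFC 6376 dropped. The sample records reuse the page's krs selector and onnocenter.or.id domain; both p= values are constructed placeholders, not real keys.

```python
import base64
import binascii
import re
# Constructed records in the shape opendkim-genkey writes to krs.txt;
# both p= values are placeholders, not real keys.
PAGE_STYLE_RECORD = '"v=DKIM1; g=*; k=rsa; " "p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"'
GOOD_RECORD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 46 + "IDAQAB"

def dkim_record_name(selector, domain):
    """DNS name a verifier queries for the s= and d= tags of a signature."""
    return f"{selector}._domainkey.{domain}"

def join_txt_strings(txt):
    """A TXT record over 255 bytes is published as several quoted strings,
    which verifiers concatenate; an unquoted record is returned unchanged."""
    parts = re.findall(r'"([^"]*)"', txt)
    return "".join(parts) if parts else txt

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2), ignoring whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags

def check_dkim_record(txt):
    """Return the problems found in a published DKIM key record ([] if none)."""
    tags = parse_tags(join_txt_strings(txt))
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    if "p" not in tags:
        findings.append("p= tag missing: no public key published")
    elif tags["p"] == "":
        findings.append("p= is empty: the key for this selector is revoked")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
            if not der or der[0] != 0x30:  # SubjectPublicKeyInfo is a DER SEQUENCE
                findings.append("p= does not decode to a DER SubjectPublicKeyInfo")
        except binascii.Error:
            findings.append("p= is not valid base64 (record truncated or line-wrapped?)")
    if "y" in tags.get("t", ""):
        findings.append("t=y (opendkim-genkey -t): receivers treat failures as unsigned; regenerate without -t for production")
    if "g" in tags:
        findings.append("g= tag is obsolete since RFC 6376; drop it")
    return findings
```

Feed it the TXT value returned by a DNS query for dkim_record_name("krs", "onnocenter.or.id") to check the live record rather than the constructed samples.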
Startup and testing
Start opendkim
sudo service opendkim start
If it does not start, check
grep -i dkim /var/log/mail.log
Or run it directly with the command
/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -p 8891
Restart the Postfix MTA,
sudo service postfix restart
For testing purposes, I recommend tools like:
http://www.sendmail.org/dkim/tools or just send an email to autorespond+dkim[at]dk.elandsys.com
Testing results should look like this in Gmail: http://stas.nerd.ro/blog/data/dkim-filter.png
Common errors and fixes
Missing signature
If something is not functioning properly (emails are not being signed) look for errors in the log:
grep -i dkim /var/log/mail.log
The following error indicates the filter ran properly however could not match the outgoing email domain with a filter (and thus no signature was generated):
Nov 21 06:59:56 appname dkim-filter[2911]: 81AA7E688: no signature data
Consider changing the domain to a wildcard in /etc/opendkim.conf:
# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain *
KeyFile /etc/mail/dkim.key
Selector mail
Using a domain of * will require putting the dkim key into EACH domain's DNS zone file for those domains that send email using this server. The dkim signing will work for your server, but without updating each DNS zone file, the public key will not be found by the recipient mail server.
Multiple signatures
If amavis-new is installed and dkim signs emails multiple times with the same domain and selector, the configuration error is most likely in how you feed messages back to Postfix from amavis.
Head to /etc/postfix/master.cf look for the section starting with:
127.0.0.1:10025 inet n - - - - smtpd
Find the option -o receive_override_options= and add ,no_milters to the end of that line. A corrected config could look something like this:
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
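To confirm the double-signing symptom on a captured outgoing message, and to check that it is gone after the master.cf change, this added Python example (not from this page or from opendkim) parses the DKIM-Signature headers with the standard library, groups them by the d= and s= tags, and also reports whether From appears twice in h=, which is what OversignHeaders From produces. The embedded message is constructed; its bh= and b= values are fake and only the d=/s= names match the page's configuration.

```python
import re
from email import message_from_string

# Constructed message as it can leave Postfix when amavis hands mail back through a
# listener that still runs the milter: the same signature is applied twice.
# Signature values are fake; d= and s= match this page's configuration.
DOUBLE_SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=onnocenter.or.id; s=krs;
 h=from:from:to:subject:date; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZ25hdHVyZQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=onnocenter.or.id; s=krs;
 h=from:from:to:subject:date; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZ25hdHVyZQ==
From: user@onnocenter.or.id
To: someone@example.com
Subject: test
Date: Mon, 29 Apr 2019 02:03:00 +0000

hello
"""

def signature_tags(header_value):
    """Split a DKIM-Signature value into its tags, dropping folding whitespace."""
    return {k: re.sub(r"\s+", "", v) for k, v in re.findall(r"(\w+)=([^;]*)", header_value)}

def audit_signatures(raw_message):
    """Summarise the DKIM-Signature headers on an outgoing message:
    signatures: how many there are;
    duplicates: (d, s) pairs that signed more than once (the amavis re-injection symptom);
    from_oversigned: From listed twice in h=, which OversignHeaders From produces."""
    msg = message_from_string(raw_message)
    counts = {}
    from_oversigned = False
    for value in msg.get_all("DKIM-Signature", []):
        tags = signature_tags(value)
        key = (tags.get("d", ""), tags.get("s", ""))
        counts[key] = counts.get(key, 0) + 1
        signed = tags.get("h", "").lower().split(":")
        from_oversigned = from_oversigned or signed.count("from") >= 2
    return {
        "signatures": sum(counts.values()),
        "duplicates": sorted(k for k, n in counts.items() if n > 1),
        "from_oversigned": from_oversigned,
    }
```

Run audit_signatures on a message saved from the outgoing queue (for example a copy sent to an external mailbox) before and after adding no_milters: the duplicates list should become empty while the signature count drops to one.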