DomainKeys and SPF in Postfix

Implementing DomainKeys and SPF.
Anton Rahmadi @21 January 2009
version 1.1, GPL

Part I -- DomainKeys (DKIM)

Update 23Jan2009:
For a double signature, see the following post
FYI, DomainKeys is backed by Yahoo, while DKIM is backed by Google

1. Install the required Perl modules

perl -MCPAN -e'CPAN::Shell->install("Build::CPAN")'
perl -MCPAN -e'CPAN::Shell->install("Crypt::OpenSSL::RSA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA1")'
perl -MCPAN -e'CPAN::Shell->install("Error")'
perl -MCPAN -e'CPAN::Shell->install("Mail::Address")'
perl -MCPAN -e'CPAN::Shell->install("MIME::Base64")'
perl -MCPAN -e'CPAN::Shell->install("Net::DNS")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'

2. Install Mail-DKIM version 0.32 (last update: 21Jan2009)

cd /usr/local/src
wget -c http://search.cpan.org/CPAN/authors/id/J/JA/JASLONG/Mail-DKIM-0.32.tar.gz
tar -xzvf Mail-DKIM-0.32.tar.gz
cd Mail-DKIM-0.32
make clean
make tidy
perl Makefile.PL
make
make test
make install
cd ..

3. Install dkimproxy version 1.1 (last update: 21Jan2009)

cd /usr/local/src/
wget -c http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.1.tar.gz
tar -xzvf dkimproxy-1.1.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkimproxy
make install

4. Create the user

groupadd dkim
useradd -s /bin/false -d /dev/null -g dkim dkim

5. Create the private and public key

cd /usr/local/dkimproxy
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkim:dkim private.key
chmod 600 private.key

6. Edit the entries at the DNS server / hosting provider

_domainkey.namadomain.ac.id IN TXT "t=y; o=~;"
selector1._domainkey.namadomain.ac.id IN TXT "k=rsa; p=ISI_DARI_PUBLIC_KEY;"
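An added example, not from the original post, that turns the public.key written in step 5 into the selector record above and checks both records the way a verifier reads them back; the p= value is the base64 body of public.key with the BEGIN/END lines and line breaks removed, which is what ISI_DARI_PUBLIC_KEY stands for. The PEM embedded below is a constructed dummy of the right size rather than a real key; the domain and selector names are the post's.

```python
import base64
import re

TXT_CHUNK = 255  # one TXT character-string holds at most 255 octets

# Constructed stand-in for public.key: base64 of a 0x30 byte plus 161 zero
# bytes, the size of a 1024-bit SubjectPublicKeyInfo. It is NOT a real key.
DUMMY_PEM = "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % (
    "MAAA" + "AAAA" * 53)


def pem_to_p_value(pem):
    """Drop the BEGIN/END lines and line breaks; what remains is the p= value."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # catch a truncated or dirty paste
    return body


def selector_record(domain, selector, pem):
    """Zone-file line for selector._domainkey.domain, split into quoted
    255-octet strings so keys longer than 1024 bits still form a valid TXT."""
    value = "k=rsa; p=" + pem_to_p_value(pem) + ";"
    chunks = [value[i:i + TXT_CHUNK] for i in range(0, len(value), TXT_CHUNK)]
    return "%s._domainkey.%s. IN TXT %s" % (
        selector, domain, " ".join('"%s"' % c for c in chunks))


def parse_txt(record):
    """Tag=value pairs of a TXT record; its quoted strings are joined first."""
    joined = "".join(re.findall(r'"([^"]*)"', record)) or record
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def record_warnings(policy_txt, selector_txt):
    """Problems a verifier would trip over in the two step-6 records."""
    warnings = []
    policy, sel = parse_txt(policy_txt), parse_txt(selector_txt)
    if policy.get("t") == "y":  # DomainKeys test mode: signatures are advisory
        warnings.append("policy record still in test mode (t=y)")
    try:
        der = base64.b64decode(sel.get("p", ""), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        der = b""
    if not der or der[0] != 0x30:  # SubjectPublicKeyInfo is a DER SEQUENCE
        warnings.append("p= is missing or not a DER SubjectPublicKeyInfo")
    return warnings
```

Once signing has been confirmed working, drop t=y from the policy record; record_warnings flags it because verifiers treat a testing domain's signatures as advisory.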

7. Create a script to start DKIMProxy

cd /usr/local/dkimproxy
vi dkimproxy.sh
-------------------------CONTENTS OF dkimproxy.sh------------------------
#!/bin/bash

#dkimproxy.in
/usr/local/dkimproxy/bin/dkimproxy.in 127.0.0.1:10025 127.0.0.1:10026 &
#dkimproxy.out
/usr/local/dkimproxy/bin/dkimproxy.out --keyfile=/usr/local/dkimproxy/private.key --selector=selector1 --domain=namadomain.ac.id,mail.unmul.ac.id,subdomain1.unmul.ac.id,subdomain2.unmul.ac.id --method=relaxed 127.0.0.1:10027 127.0.0.1:10028 &
[Esc][Shift-ZZ]
-------------------------CONTENTS OF dkimproxy.sh------------------------

chmod 755 dkimproxy.sh
./dkimproxy.sh

8. Check that DomainKeys is active

netstat -plan | grep perl
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl

9. If that works, add dkimproxy.sh to rc.local

cat "/usr/local/dkimproxy/dkimproxy.sh" >> /etc/rc.d/rc.local

10. Back up /etc/postfix/master.cf

cd /etc/postfix
cp master.cf master.cf.asli

11. Adjust the contents of /etc/postfix/master.cf as follows (the -o lines must be indented, because they continue the service line above them):

# the line below is commented out to support dkfilter inbound -Arahmadi@20jan2009
#smtp inet n - n - - smtpd

# begin ---- domainkeys implementation, ARahmadi @20Jan2009

#dk.in
smtp inet n - n - - smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_client_connection_count_limit=10

127.0.0.1:10026 inet n - n - - smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks

#dk.out
submission inet n - n - - smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

dksign unix - - n - 10 smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime

127.0.0.1:10028 inet n - n - 10 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# end ---- domainkeys implementation


13. Reload Postfix

postfix reload

14. Check that DomainKeys is active

netstat -plan | grep -E ':(1002[5-8]|587) '
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master

15. Change the SMTP port in the mail clients to 587, NOT 25, or use NAT with iptables


Part II -- SPF
(note: Postfix must be version > 2.3.x)

Update 23Jan2009:
For triple protection, see the following post
FYI, SPF is backed by OpenSPF.org, SenderID is backed by Microsoft

1. Install the required Perl modules

perl -MCPAN -e'CPAN::Shell->install("Mail::SPF")'

2. Install postfix-policyd-spf-perl 2.007 (last update: 21Jan2009)

cd /usr/local/src
wget -c http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
tar -xzvf postfix-policyd-spf-perl-2.007.tar.gz
cd postfix-policyd-spf-perl-2.007
cp postfix-policyd-spf-perl /usr/local/lib/policyd-spf-perl
chmod 755 /usr/local/lib/policyd-spf-perl

3. Back up master.cf and main.cf

cd /etc/postfix
cp master.cf master.cf.dkim
cp main.cf main.cf.dkim

4. Add policyd to master.cf

cd /etc/postfix
vi master.cf

---------------------addition to master.cf----------------------
# begin ---- policyd implementation, ARahmadi @20Jan2009

#policyd
127.0.0.1:9998 inet n n n - 0 spawn
    user=nobody argv=/usr/local/lib/policyd-spf-perl
# end ---- policyd implementation
[Esc][Shift-ZZ]
---------------------addition to master.cf----------------------

5. Reload Postfix

postfix reload

6. Check that the policy daemon is listening

netstat -plan | grep ':9998 '
tcp 0 0 127.0.0.1:9998 0.0.0.0:* LISTEN 30205/master

7. Change the configuration in main.cf (the restriction lines must be indented, because they continue the smtpd_recipient_restrictions line)

cd /etc/postfix
vi main.cf

---------------------changes to main.cf----------------------
127.0.0.1:9998_time_limit = 3600
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unverified_recipient,
    reject_unverified_sender,
    reject_invalid_hostname,
    reject_multi_recipient_bounce,
    reject_unauth_destination,
#---policyd/spf
    check_policy_service inet:127.0.0.1:9998,
    permit
[Esc][Shift-ZZ]
---------------------changes to main.cf----------------------

8. Reload Postfix

postfix reload

9. Try sending an email and watch the log
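An added example, not part of the original post or of policyd-spf-perl, that talks to the spawn service from step 4 directly with the Postfix SMTPD policy delegation protocol (name=value lines ending in an empty line, answered by a single action= line), so the daemon can be exercised without sending real mail; port 9998 is the one configured above, while the sample request values (example.net, 192.0.2.10) are constructed.

```python
import socket

# Attribute names are those of the Postfix SMTPD policy delegation protocol
# (SMTPD_POLICY_README); the values are a constructed sample, not real traffic.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "helo_name": "mail.example.net",
    "client_address": "192.0.2.10",
    "client_name": "mail.example.net",
    "sender": "someone@example.net",
    "recipient": "user@namadomain.ac.id",
}


def encode_request(attrs):
    """Serialise a request as smtpd does: name=value lines, then an empty line."""
    for name, value in attrs.items():
        if "=" in name or "\n" in name or "\n" in value:
            raise ValueError("illegal character in policy attribute")
    return "".join("%s=%s\n" % (n, v) for n, v in attrs.items()) + "\n"


def parse_reply(data):
    """Split the daemon's 'action=VERB argument' reply into (VERB, argument)."""
    for line in data.splitlines():
        if line.startswith("action="):
            verb, _, arg = line[len("action="):].partition(" ")
            return verb.upper(), arg
    raise ValueError("no action= line in reply: %r" % data)


def query_policy(attrs, host="127.0.0.1", port=9998, timeout=10):
    """Send one request to the spawn service from master.cf and return the
    parsed action; reads until the empty line that terminates the reply."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(encode_request(attrs).encode())
        buf = b""
        while not buf.endswith(b"\n\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_reply(buf.decode(errors="replace"))
```

Run query_policy(SAMPLE_REQUEST) on the mail server itself: a DUNNO or PREPEND reply shows the daemon answers, while a connection error or timeout points at the master.cf spawn entry rather than at the main.cf restrictions.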


10. If it fails, edit main.cf again and put a # in front of check_policy_service inet:127.0.0.1:9998

cd /etc/postfix
vi main.cf

---------------------changes to main.cf----------------------
smtpd_recipient_restrictions =
    ...
    reject_unauth_destination,
#---policyd/spf
#    check_policy_service inet:127.0.0.1:9998,
    ...
[Esc][Shift-ZZ]
---------------------changes to main.cf----------------------


11. Reload Postfix

postfix reload

12. Repeat the steps above until the error is found.

Update 1 (22Jan 2009):
13. Edit the entries at the DNS server / hosting provider

namadomain.ac.id. TXT "v=spf1 a mx ptr -all"



DONE
