Domainkeys dan SPF di Postfix

Implementasi Domainkeys dan SPF.
Anton Rahmadi @21 Januari 2009
versi 1.1 GPL

Bagian I -- Domainkeys (DKIM)

Update 23Jan2009:
Untuk double signature silakan lihat posting berikut
FYI, domainkeys didukung Yahoo, sementara DKIM didukung Google

1. Instalasi program-program PERL yang dibutuhkan

perl -MCPAN -e'CPAN::Shell->install("Build::CPAN")'
perl -MCPAN -e'CPAN::Shell->install("Crypt::OpenSSL::RSA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA1")'
perl -MCPAN -e'CPAN::Shell->install("Error")'
perl -MCPAN -e'CPAN::Shell->install("Mail::Address")'
perl -MCPAN -e'CPAN::Shell->install("MIME::Base64")'
perl -MCPAN -e'CPAN::Shell->install("Net::DNS")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'

2. Instalasi Mail-DKIM versi 0.32 (last update: 21Jan2009)

cd /usr/local/src
wget -c http://search.cpan.org/CPAN/authors/id/J/JA/JASLONG/Mail-DKIM-0.32.tar.gz
tar -xzvf Mail-DKIM-0.32.tar.gz
cd Mail-DKIM-0.32
make clean
make tidy
perl Makefile.PL
make
make test
make install
cd ..

3. Instalasi dkimproxy versi 1.1 (last update: 21Jan2009)

cd /usr/local/src/
wget -c http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.1.tar.gz
tar -xzvf dkimproxy-1.1.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkimproxy
make install

4. Buat user

groupadd dkim
useradd -s /bin/false -d /dev/null -g dkim dkim

5. Buat private dan public key

cd /usr/local/dkimproxy
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkim.dkim private.key
chmod 600 private.key

6. Edit entri di DNS server / Hosting

_domainkey.namadomain.ac.id IN TXT “t=y; o=~;”
selector1._domainkey.namadomain.ac.id IN TXT "k=rsa; p=ISI_DARI_PUBLIC_KEY;"

7. Membuat script untuk memulai DKIMProxy

cd /usr/local/dkimproxy
vi dkimproxy.sh
-------------------------ISI dkimproxy.sh------------------------
#/bin/bash

#dkimproxy.in
/usr/local/dkimproxy/bin/dkimproxy.in 127.0.0.1:10025 127.0.0.1:10026 &
#dkimproxy.out
/usr/local/dkimproxy/bin/dkimproxy.out --keyfile=/usr/local/dkimproxy/private.key --selector=selector1 --domain=namadomain.ac.id,mail.unmul.ac.id,subdomain1.unmul.ac.id,subdomain2.unmul.ac.id --method=relaxed 127.0.0.1:10027 127.0.0.1:10028 &
[Esc][Shift-ZZ]
-------------------------ISI dkimproxy.sh------------------------

chmod 755 dkimproxy.sh
./dkimproxy.sh

8. Melihat keaktifan domain key

netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl

9. Apabila berhasil, maka masukkan dkimproxy.sh ke rc.local

cat "/usr/local/dkimproxy/dkimproxy.sh" >> /etc/rc.d/rc.local

10. Backup /etc/postfix/master.cf

cd /etc/postfix
cp master.cf master.cf.asli

11. Sesuaikan isi dari /etc/postfix/master.cf sebagai berikut:

# a line below is commented to support dkfilter inbound -Arahmadi@20jan2009
#smtp inet n - n - - smtpd

# begin ---- domainkeys implementation, ARahmadi @20Jan2009

#dk.in
smtp inet n - n - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10

127.0.0.1:10026 inet n - n - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
-o receive_override_options=no_unknown_recipient_checks

#dk.out
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

dksign unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime

127.0.0.1:10028 inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
# end ---- domainkeys implementation


13. Reload postfix

postfix reload

14. Melihat keaktifan domain key

netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master

15. Mengubah SMTP port dari mail klien menjadi 587, BUKAN 25 atau gunakan NAT dari iptables


Bagian II -- SPF
(catatan Postfix harus versi > 2.3.x)

Update 23Jan2009:
Untuk triple protection silakan lihat posting berikut
FYI, SPF didukung oleh OpenSPF.org, SenderID didukung oleh Microsoft

1. Instalasi program-program PERL yang dibutuhkan

perl -MCPAN -e'CPAN::Shell->install("Mail::SPF")'

2. Instalasi SPF 2.007 (last update: 21Jan2009)

cd /usr/local/src
wget -c http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
tar -xzvf postfix-policyd-spf-perl-2.007.tar.gz
cd postfix-policyd-spf-perl-2.007
cp postfix-policyd-spf-perl /usr/local/lib/policyd-spf-perl
chmod 755 /usr/local/lib/policyd-spf-perl

3. backup master.cf dan main.cf

cd /etc/postfix
cp master.cf master.cf.dkim
cp main.cf main.cf.dkim

4. tambahkan policyd di master.cf

cd /etc/postfix
vi master.cf

---------------------tambahan isi master.cf----------------------
# begin ---- policyd implementation, ARahmadi @20Jan2009

#policyd
127.0.0.1:9998 inet - n n - 0 spawn
user=nobody argv=/usr/local/lib/policyd-spf-perl
# end ---- policyd implementation
[Esc][Shift-ZZ]
---------------------tambahan isi master.cf----------------------

5. Reload postfix

postfix reload

6. Melihat keaktifan domain key

netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:9998 0.0.0.0:* LISTEN 30205/master

7. ubah konfigurasi di main.cf

cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
127.0.0.1:9998_time_limit = 3600
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unverified_recipient,
reject_unverified_sender,
reject_invalid_hostname,
reject_multi_recipient_bounce,
reject_unauth_destination,
#---policyd/spf
check_policy_service inet:127.0.0.1:9998,
permit
[Esc][Shift-ZZ]
---------------------perubahan isi main.cf----------------------

8. Reload postfix

postfix reload

9. Coba mengirim email dan amati lognya


10. Apabila gagal, edit kembali main.cf, berikan tanda # didepan check_policy_service inet:127.0.0.1:9998

cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
smtpd_recipient_restrictions =
...
reject_unauth_destination,
#---policyd/spf
#check_policy_service inet:127.0.0.1:9998,
...
[Esc][Shift-ZZ]
---------------------perubahan isi main.cf----------------------


11. Reload postfix

postfix reload

12. Ulangi langkah-langkah di atas, sampe kesalahannya ditemukan.

Update 1 (22Jan 2009):
13. Edit entri di DNS server / Hosting

namadomain.ac.id. TXT "v=spf1 a mx ptr -all"



SELESAI

Comments

Post a Comment

Popular posts from this blog

Xeon LGA 771 di mobo LGA 775

Image
Bermula dari jebolnya komputer pribadi yang digunakan untuk layanan e-learning dan repositori abstrak skripsi bagi institusi tempat kami mengabdi, petualangan menyambung nyawa komputer tua dimulai. Spike  listrik adalah biang utama rusaknya perangkat ini. Ya, sebaiknya perangkat elektronik perlu pelindung dari lonjakan listrik sekedipan mata yang mematikan. Komponen yang menjadi almarhum akibat spike  kali ini adalah VGA card dan tombol reset (kok bisa, ya?).  VGA card Radeon X1300 128 MB Komputer ini sudah cukup tua usianya, sekitar 9 tahun. Motherboard-nya Intel DG31PR dengan prosesor Intel Core 2 Duo E7500 , memori DDR 2 3 GB dan harddisk SATA 500 GB 7200 RPM.  Sistem operasi yang digunakan adalah Slackware Linux  versi 13.37. Kinerja komputer ini sebagai server e-learning untuk kategori dosen jelata macam kami sudah cukup memuaskan. Sekitar 80 orang pengguna dapat dilayani secara simultan, walau bottleneck -nya tentu saja di hard-disk dan wifi seputar ruang lab. 
Read more

Writing and reading float using Arduino EEPROM

This post is just for a personal reminder after reading discussions from elsewhere about storing and reading float values to/from EEPROM with Arduino. Scenario Writing negative float to EEPROM can be tricky, since EEPROM only recognises up to 8-bit values (see Tronixstuff  explanation ), therefore it requires an additional algorithm to make it able to store negative and float.  the scheme is to use four bits of the ATmega328's EEPROM to store numerical parts of a float value. The function involved is union . //union  value typedef union{   float flt;   byte array[4]; } FloatConverter; The code You may grab the code here
Read more

LM35 Incubator with LCD 16x2 on Arduino

Image
Past articles: NTC thermistor incubator (part 1): connecting triple thermistor NTC thermistor incubator (part 2): multi-buttons input for single Analog pin   Introducing CodeBender Today I found a great code sharing website called codebender  that allows me to use Arduino in any computer since it has online IDE with crossplatform browser plugin to upload to Arduino system. Remember, Arduino is an Open Source Hardware project, I encourage people to share as much as we learn from others too. Sharing knowledge is awesome! Since everything is online and pretty straight forward, I will try to explain my project as simple as possible. The Aim My aim is still to produce an incubator, but today the specification will be: Internal LM35 temperature sensor that will be placed inside the incubator External LM35 temperature sensor that will monitor ambient/room temperature Peltier element that will be connected through a relay module Displaying internal (current temp, CT), e
Read more