DomainKeys and SPF in Postfix
Implementing DomainKeys and SPF.
Anton Rahmadi @21 January 2009
version 1.1 GPL
Part I -- DomainKeys (DKIM)
Update 23Jan2009:
For double signatures, see the following post.
FYI, DomainKeys is supported by Yahoo, while DKIM is supported by Google.
1. Install the required Perl modules
perl -MCPAN -e'CPAN::Shell->install("Build::CPAN")'
perl -MCPAN -e'CPAN::Shell->install("Crypt::OpenSSL::RSA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA1")'
perl -MCPAN -e'CPAN::Shell->install("Error")'
perl -MCPAN -e'CPAN::Shell->install("Mail::Address")'
perl -MCPAN -e'CPAN::Shell->install("MIME::Base64")'
perl -MCPAN -e'CPAN::Shell->install("Net::DNS")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
2. Install Mail-DKIM version 0.32 (last update: 21Jan2009)
cd /usr/local/src
wget -c http://search.cpan.org/CPAN/authors/id/J/JA/JASLONG/Mail-DKIM-0.32.tar.gz
tar -xzvf Mail-DKIM-0.32.tar.gz
cd Mail-DKIM-0.32
make clean
make tidy
perl Makefile.PL
make
make test
make install
cd ..
3. Install dkimproxy version 1.1 (last update: 21Jan2009)
cd /usr/local/src/
wget -c http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.1.tar.gz
tar -xzvf dkimproxy-1.1.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkimproxy
make install
4. Create the user
groupadd dkim
useradd -s /bin/false -d /dev/null -g dkim dkim
5. Create the private and public key
cd /usr/local/dkimproxy
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkim:dkim private.key
chmod 600 private.key
6. Edit the entries on the DNS server / hosting
_domainkey.namadomain.ac.id IN TXT "t=y; o=~;"
selector1._domainkey.namadomain.ac.id IN TXT "k=rsa; p=ISI_DARI_PUBLIC_KEY;"
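As an added check (example shell code, not part of the original post): the p= value that the post writes as ISI_DARI_PUBLIC_KEY is the base64 body of public.key from step 5, and this script derives it from the PEM file, prints the zone line for step 6, and compares it with what DNS actually returns. The domain, selector and file paths are the post's; the record text used in the test is constructed.

```shell
#!/bin/sh
# Added example: build and verify the DKIM selector record from public.key.
# Paths and names follow the post; nothing here is dkimproxy's own code.

# Collapse a PEM public key into the single base64 string DKIM expects in p=.
dkim_p_from_pem() {   # $1 = PEM file
    grep -v -- '-----' "$1" | tr -d '\n\r'   # drop BEGIN/END lines, join the rest
}

# Print the zone-file line for the selector record (step 6 of the post).
# A 1024-bit key fits one 255-character TXT string; larger keys must be split
# into several quoted strings, which dkim_p_from_txt below also accepts.
dkim_txt_record() {   # $1 = selector, $2 = domain, $3 = PEM file
    printf '%s._domainkey.%s IN TXT "k=rsa; p=%s;"\n' "$1" "$2" "$(dkim_p_from_pem "$3")"
}

# Extract the p= value from a TXT record body as returned by dig +short, e.g.
#   "k=rsa; p=MIGfMA0G..." or "k=rsa; p=MIGfMA0G..." "...rest of key"
dkim_p_from_txt() {   # $1 = record body
    printf '%s' "$1" | tr -d '" \n\r' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Compare the published key with the local one: exit 0 on match, 1 otherwise.
dkim_key_matches() {   # $1 = PEM file, $2 = TXT record body
    [ "$(dkim_p_from_pem "$1")" = "$(dkim_p_from_txt "$2")" ]
}

# Live check once the record from step 6 is published (needs dig):
#   dkim_key_matches /usr/local/dkimproxy/public.key \
#       "$(dig +short TXT selector1._domainkey.namadomain.ac.id)" && echo OK
# Note: t=y in the _domainkey policy record marks the domain as testing;
# remove it once signatures verify at a receiving site.
```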
7. Create a script to start DKIMProxy
cd /usr/local/dkimproxy
vi dkimproxy.sh
-------------------------CONTENTS OF dkimproxy.sh------------------------
#!/bin/bash
# dkimproxy.in: verifies inbound mail handed over by Postfix on 10025
#               and returns it to Postfix on 10026
/usr/local/dkimproxy/bin/dkimproxy.in 127.0.0.1:10025 127.0.0.1:10026 &
# dkimproxy.out: signs outbound mail received on 10027 and returns it on 10028
/usr/local/dkimproxy/bin/dkimproxy.out --keyfile=/usr/local/dkimproxy/private.key --selector=selector1 --domain=namadomain.ac.id,mail.unmul.ac.id,subdomain1.unmul.ac.id,subdomain2.unmul.ac.id --method=relaxed 127.0.0.1:10027 127.0.0.1:10028 &
[Esc][Shift-ZZ]
-------------------------CONTENTS OF dkimproxy.sh------------------------
chmod 755 dkimproxy.sh
./dkimproxy.sh
8. Check that the domain key services are listening
netstat -plan | grep -E ':1002[57] '
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
9. If that works, add dkimproxy.sh to rc.local
echo "/usr/local/dkimproxy/dkimproxy.sh" >> /etc/rc.d/rc.local
10. Back up /etc/postfix/master.cf
cd /etc/postfix
cp master.cf master.cf.asli
11. Adjust the contents of /etc/postfix/master.cf as follows:
# a line below is commented to support dkfilter inbound -Arahmadi@20jan2009
#smtp inet n - n - - smtpd
# begin ---- domainkeys implementation, ARahmadi @20Jan2009
#dk.in
smtp inet n - n - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks
#dk.out
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime
127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# end ---- domainkeys implementation
13. Reload Postfix
postfix reload
14. Check that the domain key services are listening
netstat -plan | grep -E ':(1002[5-8]|587) '
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master
15. Change the SMTP port used by mail clients to 587, NOT 25, or use NAT via iptables
Part II -- SPF
(note: Postfix must be version > 2.3.x)
Update 23Jan2009:
For triple protection, see the following post.
FYI, SPF is supported by OpenSPF.org, SenderID is supported by Microsoft.
1. Install the required Perl modules
perl -MCPAN -e'CPAN::Shell->install("Mail::SPF")'
2. Install SPF 2.007 (last update: 21Jan2009)
cd /usr/local/src
wget -c http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
tar -xzvf postfix-policyd-spf-perl-2.007.tar.gz
cd postfix-policyd-spf-perl-2.007
cp postfix-policyd-spf-perl /usr/local/lib/policyd-spf-perl
chmod 755 /usr/local/lib/policyd-spf-perl
3. Back up master.cf and main.cf
cd /etc/postfix
cp master.cf master.cf.dkim
cp main.cf main.cf.dkim
4. Add policyd to master.cf
cd /etc/postfix
vi master.cf
---------------------addition to master.cf----------------------
# begin ---- policyd implementation, ARahmadi @20Jan2009
#policyd (inet services cannot be private, so the private column must be n)
127.0.0.1:9998 inet n n n - 0 spawn
  user=nobody argv=/usr/local/lib/policyd-spf-perl
# end ---- policyd implementation
[Esc][Shift-ZZ]
---------------------addition to master.cf----------------------
5. Reload Postfix
postfix reload
6. Check that the policy service is listening
netstat -plan | grep ':9998 '
tcp 0 0 127.0.0.1:9998 0.0.0.0:* LISTEN 30205/master
7. Change the configuration in main.cf
cd /etc/postfix
vi main.cf
---------------------changes to main.cf----------------------
127.0.0.1:9998_time_limit = 3600
smtpd_recipient_restrictions =
  reject_unauth_pipelining,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unverified_recipient,
  reject_unverified_sender,
  reject_invalid_hostname,
  reject_multi_recipient_bounce,
  reject_unauth_destination,
  #---policyd/spf (keep this after reject_unauth_destination so the policy server never decides relay access)
  check_policy_service inet:127.0.0.1:9998,
  permit
[Esc][Shift-ZZ]
---------------------changes to main.cf----------------------
8. Reload Postfix
postfix reload
9. Try sending an email and watch the log
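As an added debugging aid for steps 6 to 12 (example shell code, not part of the original post or of policyd-spf-perl): the policy service on 127.0.0.1:9998 speaks Postfix's policy delegation protocol, so it can be asked for its SPF verdict directly with nc and the reply interpreted before check_policy_service is enabled in main.cf. The client address, HELO name and addresses used below are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a Postfix policy request for the SPF policy daemon
# from step 4 and reduce its reply to the action Postfix will take.

# Build the attribute block Postfix sends for one RCPT-stage policy query.
# $1 = client IP, $2 = HELO name, $3 = envelope sender, $4 = envelope recipient
spf_policy_request() {
    printf 'request=smtpd_access_policy\n'
    printf 'protocol_state=RCPT\n'
    printf 'protocol_name=ESMTP\n'
    printf 'client_address=%s\n' "$1"
    printf 'helo_name=%s\n' "$2"
    printf 'sender=%s\n' "$3"
    printf 'recipient=%s\n' "$4"
    printf '\n'                 # the empty line terminates the request
}

# Reduce a policy reply (read from stdin) to its action verb:
# PREPEND, DUNNO, OK, DEFER_IF_PERMIT, REJECT or an SMTP code such as 550.
spf_policy_verb() {
    sed -n 's/^action=\([^ ]*\).*/\1/p' | head -n 1
}

# Map the verb to what Postfix does with the message at this restriction.
spf_policy_outcome() {   # $1 = verb
    case "$1" in
        PREPEND|DUNNO|OK)   echo "accepted here (Received-SPF header may be added)";;
        DEFER*|4[0-9][0-9]) echo "temporarily rejected (tempfail)";;
        REJECT|5[0-9][0-9]) echo "rejected";;
        *)                  echo "unknown reply: $1";;
    esac
}

# Live query against the daemon from step 4 (-w bounds the wait, since nc
# flavours differ in when they close the connection):
#   spf_policy_request 192.0.2.10 mail.example.test someone@example.test \
#       user@namadomain.ac.id | nc -w 5 127.0.0.1 9998 | spf_policy_verb
```

A reply of 550 here with check_policy_service still commented out shows that the policy daemon, not the main.cf restriction order, is the source of the rejection seen in step 9.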
10. If it fails, edit main.cf again and put a # in front of check_policy_service inet:127.0.0.1:9998
cd /etc/postfix
vi main.cf
---------------------changes to main.cf----------------------
smtpd_recipient_restrictions =
  ...
  reject_unauth_destination,
  #---policyd/spf
  #check_policy_service inet:127.0.0.1:9998,
  ...
[Esc][Shift-ZZ]
---------------------changes to main.cf----------------------
11. Reload Postfix
postfix reload
12. Repeat the steps above until the error is found.
Update 1 (22Jan 2009):
13. Edit the entries on the DNS server / hosting
namadomain.ac.id. TXT "v=spf1 a mx ptr -all"
DONE