Dual DomainKeys and DKIM signatures in Postfix

DomainKeys implementation.
Anton Rahmadi @23 January 2009
version 1.2 GPL

Part I -- DomainKeys
(DKIMProxy and dkfilter)
note:
Yahoo only supports dkfilter
Gmail only supports DKIM


1. Install the required Perl modules
perl -MCPAN -e'CPAN::Shell->install("Build::CPAN")'
perl -MCPAN -e'CPAN::Shell->install("Crypt::OpenSSL::RSA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA1")'
perl -MCPAN -e'CPAN::Shell->install("Error")'
perl -MCPAN -e'CPAN::Shell->install("Mail::Address")'
perl -MCPAN -e'CPAN::Shell->install("MIME::Base64")'
perl -MCPAN -e'CPAN::Shell->install("Net::DNS")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
perl -MCPAN -e'CPAN::Shell->install("Test::More")'

2. Install Mail-DKIM version 0.32 (last update: 21Jan2009)
cd /usr/local/src
wget -c http://search.cpan.org/CPAN/authors/id/J/JA/JASLONG/Mail-DKIM-0.32.tar.gz
tar -xzvf Mail-DKIM-0.32.tar.gz
cd Mail-DKIM-0.32
make clean
make tidy
perl Makefile.PL
make
make test
make install
cd ..


3a. Install dkfilter version 0.11 (last update: 22Jan2009)
cd /usr/local/src
wget -c http://jason.long.name/dkfilter/dkfilter-0.11.tar.gz
tar -xzvf dkfilter-0.11.tar.gz
cd dkfilter-0.11
make clean
make tidy
./configure --prefix=/usr/local/dkfilter
make install


3b. Install dkimproxy version 1.1 (last update: 21Jan2009)
cd /usr/local/src/
wget -c http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.1.tar.gz
tar -xzvf dkimproxy-1.1.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkimproxy
make install


4. Create the user
groupadd dkim
useradd -s /bin/false -d /dev/null -g dkim dkim


5. Create the private and public keys
cd /usr/local/dkimproxy
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkim:dkim private.key
chmod 600 private.key
cp -p private.key public.key /usr/local/dkfilter


6. Add the entries at your DNS server / hosting provider
(t=y marks the domain as being in test mode and o=~ declares that only some mail from the domain is signed; p= holds the base64 body of public.key)
_domainkey.namadomain.ac.id IN TXT "t=y; o=~;"
selector1._domainkey.namadomain.ac.id IN TXT "k=rsa; p=PUBLIC_KEY_CONTENTS;"
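The p= value is the base64 body of public.key with the PEM header and footer lines removed and the line breaks joined. The helper below is an added example, not part of the original post; it performs that conversion and also folds the record into 255-character quoted strings, since a single TXT string cannot exceed 255 characters (a 1024-bit key fits in one string, a 2048-bit key does not). The function names pem_body, dkim_txt_record and dkim_zone_line are this example's own, and the PEM it writes for the demo is constructed, not a real key.

```sh
#!/bin/sh
# Added example (not from the original post): build the selector TXT record
# from the PEM public key produced by "openssl rsa -pubout".

# Print the base64 body of a PEM file as a single line (header/footer stripped).
pem_body() {
    grep -v -- '-----' "$1" | tr -d '\n\r'
}

# Print the TXT record value in the post's "k=rsa; p=...;" form. A single TXT
# string may hold at most 255 characters, so the value is folded into several
# quoted strings; resolvers concatenate them back into one record.
dkim_txt_record() {
    printf 'k=rsa; p=%s;\n' "$(pem_body "$1")" | fold -w 255 | sed 's/.*/"&"/' | paste -s -d ' ' -
}

# Print a complete zone-file line: $1 = selector, $2 = domain, $3 = PEM file.
dkim_zone_line() {
    printf '%s._domainkey.%s IN TXT %s\n' "$1" "$2" "$(dkim_txt_record "$3")"
}

# Demo with a constructed (not real) public key so the script runs offline.
demo_pem=$(mktemp)
printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
    'MIGfMA0GCSqGSIb3DQEBAQUAA4GN' \
    'ADCBiQKBgQDEXAMPLEKEYBODY' \
    '-----END PUBLIC KEY-----' > "$demo_pem"
dkim_zone_line selector1 namadomain.ac.id "$demo_pem"
rm -f "$demo_pem"
```

On the server, `dkim_zone_line selector1 namadomain.ac.id /usr/local/dkimproxy/public.key` prints the line to paste into the zone; after the zone has propagated, `dig +short TXT selector1._domainkey.namadomain.ac.id` should return the same value.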


7a. Create the script that starts dkfilter
cd /usr/local/dkfilter
vi dkfilter.sh

-------------------------CONTENTS OF dkfilter.sh------------------------
#!/bin/bash

# dk.out: DomainKeys outbound signer, listens on 10029 and hands the signed
# message back to Postfix on 10030 (DomainKeys canonicalization "nofws")
/usr/local/dkfilter/bin/dk.out --keyfile=/usr/local/dkfilter/private.key --selector=selector1 \
    --domain=namadomain.ac.id,mail.namadomain.ac.id --method=nofws 127.0.0.1:10029 127.0.0.1:10030 &
-------------------------CONTENTS OF dkfilter.sh------------------------
(in vi: [Esc][Shift-ZZ] saves the file and exits)
chmod 755 dkfilter.sh
./dkfilter.sh



7b. Create the script that starts DKIMProxy
cd /usr/local/dkimproxy
vi dkimproxy.sh

-------------------------CONTENTS OF dkimproxy.sh------------------------
#!/bin/bash

# dkimproxy.in: verifies inbound mail, listens on 10025, returns it to Postfix on 10026
/usr/local/dkimproxy/bin/dkimproxy.in 127.0.0.1:10025 127.0.0.1:10026 &
# dkimproxy.out: signs outbound mail, listens on 10027, returns it to Postfix on 10028
/usr/local/dkimproxy/bin/dkimproxy.out --keyfile=/usr/local/dkimproxy/private.key --selector=selector1 \
    --domain=namadomain.ac.id,mail.namadomain.ac.id --method=relaxed 127.0.0.1:10027 127.0.0.1:10028 &
-------------------------CONTENTS OF dkimproxy.sh------------------------
(in vi: [Esc][Shift-ZZ] saves the file and exits)
chmod 755 dkimproxy.sh
./dkimproxy.sh


8. Check that the DomainKeys/DKIM proxies are listening
netstat -plan | grep LISTEN
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl


9. If that works, have rc.local start dkfilter.sh and dkimproxy.sh at boot
echo "/usr/local/dkimproxy/dkimproxy.sh" >> /etc/rc.d/rc.local
echo "/usr/local/dkfilter/dkfilter.sh" >> /etc/rc.d/rc.local


10. Back up /etc/postfix/master.cf
cd /etc/postfix
cp master.cf master.cf.asli


11. Adjust the contents of /etc/postfix/master.cf as follows (the "-o" override lines must be indented: Postfix treats a line that starts with whitespace as a continuation of the service entry above it):
# the line below is commented out to support dkfilter inbound -Arahmadi@20jan2009
#smtp inet n - n - - smtpd

# begin ---- domainkeys implementation, ARahmadi @20Jan2009

#dkim.in
smtp inet n - n - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10

127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks

#dkim.out
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=no
  -o content_filter=dkimsign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

dkimsign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime

127.0.0.1:10028 inet n - n - 10 smtpd
#--- to hand the message straight to the outside world:
# -o content_filter=
#--- to hand the message on to dkfilter for the second signature:
  -o content_filter=dksign:[127.0.0.1]:10029
  -o receive_override_options=no_unknown_recipient_checks,no_address_mappings
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

#dk.out
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime

127.0.0.1:10030 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# end ---- domainkeys implementation
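Reading the content_filter and smtpd_proxy_filter overrides out of master.cf makes the chain visible: port 25 is proxied to dkimproxy.in on 10025 and handed back on 10026, while mail submitted on 587 goes to dkimproxy.out on 10027, returns on 10028, is passed to dk.out on 10029 and returns on 10030 with both signatures. The helper below is an added example and not part of the post; it extracts that chain from a master.cf on stdin and checks that every "transport:[host]:port" filter names a transport that master.cf actually defines (a missing transport is the usual reason mail gets stuck in the queue after this kind of edit). The function names are this example's own, and the embedded sample is a constructed copy of the relevant lines of the post's master.cf.

```sh
#!/bin/sh
# Added example (not from the original post): list every master.cf service that
# hands mail to a filter, so the double-signing chain can be reviewed.

# Read master.cf on stdin; print "<service> <filter target>" for each non-empty
# content_filter= or smtpd_proxy_filter= override. In master.cf a line that
# starts in column 1 begins a new service entry; indented lines continue it.
mastercf_filter_chain() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        /^[^ \t]/ { svc = $1; next }               # new service entry
        /-o[ \t]+(content_filter|smtpd_proxy_filter)=/ {
            val = $0
            sub(/.*=/, "", val)                    # keep only the value
            if (val != "") print svc, val
        }'
}

# Print the service names defined in master.cf, one per line.
mastercf_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { print $1 }'
}

# Print every "transport:[host]:port" filter whose transport is not defined
# as a service in the same master.cf (empty output means the chain is consistent).
mastercf_missing_transports() {
    cf=$(cat)
    svcs=$(printf '%s\n' "$cf" | mastercf_services)
    printf '%s\n' "$cf" | mastercf_filter_chain | awk '{ print $2 }' | grep ':\[' | cut -d: -f1 |
    while read -r t; do
        printf '%s\n' "$svcs" | grep -qx "$t" || echo "$t"
    done
}

# Constructed sample: the relevant lines of the post's master.cf.
SAMPLE_MASTER_CF='smtp inet n - n - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
submission inet n - n - - smtpd
  -o content_filter=dkimsign:[127.0.0.1]:10027
dkimsign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
127.0.0.1:10028 inet n - n - 10 smtpd
# -o content_filter=
  -o content_filter=dksign:[127.0.0.1]:10029
dksign unix - - n - 10 smtp
127.0.0.1:10030 inet n - n - 10 smtpd
  -o content_filter='

echo "filter chain:"
printf '%s\n' "$SAMPLE_MASTER_CF" | mastercf_filter_chain
echo "undefined transports:"
printf '%s\n' "$SAMPLE_MASTER_CF" | mastercf_missing_transports
```

On a live system run `mastercf_filter_chain < /etc/postfix/master.cf` and `mastercf_missing_transports < /etc/postfix/master.cf`; each target port printed by the first should also appear as a listener in netstat once the proxies are running.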
Update 23Jan2009:
A few extra tune-ups
12. Change the configuration in main.cf

cd /etc/postfix
vi main.cf

---------------------changes to main.cf----------------------
smtpd_delay_reject = yes
127.0.0.1:10026_time_limit = 3600
127.0.0.1:10028_time_limit = 3600
127.0.0.1:10030_time_limit = 3600
---------------------changes to main.cf----------------------


13. Reload Postfix
postfix reload


14. Check again that the proxies and the Postfix re-injection ports are listening
netstat -plan | grep LISTEN
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10029 0.0.0.0:* LISTEN 6651/perl
tcp 0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 30205/master
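The netstat output in steps 8 and 14 is easy to misread by eye, so the helper below, an added example rather than part of the post, compares the LISTEN lines against the seven ports the chain needs (587 for submission, 10025/10026 for dkimproxy.in, 10027/10028 for dkimproxy.out, 10029/10030 for dk.out) and prints whichever are missing. The function names are this example's own; the two samples are constructed copies of the netstat lines shown above.

```sh
#!/bin/sh
# Added example (not from the original post): compare the ports that should be
# listening after steps 7-13 with the LISTEN lines from "netstat -plan".

# Every local port in the signing chain: Postfix submission (587), dkimproxy.in
# (10025) and its return port (10026), dkimproxy.out (10027) and its return
# port (10028), dk.out (10029) and its return port (10030).
EXPECTED_PORTS="587 10025 10026 10027 10028 10029 10030"

# Read netstat -plan output on stdin; print the local port of each TCP listener
# (the port is the last colon-separated field of the local address).
listening_ports() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Print each expected port that has no listener; exit status 1 if any is missing.
missing_listeners() {
    listening=$(listening_ports)
    rc=0
    for p in $EXPECTED_PORTS; do
        if ! printf '%s\n' "$listening" | grep -qx "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: the netstat lines shown in steps 8 and 14 of the post.
SAMPLE_STEP8='tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl'

SAMPLE_STEP14='tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10029 0.0.0.0:* LISTEN 6651/perl
tcp 0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 30205/master'

echo "missing after step 8:"
printf '%s\n' "$SAMPLE_STEP8" | missing_listeners || echo "(chain incomplete)"
echo "missing after step 14:"
printf '%s\n' "$SAMPLE_STEP14" | missing_listeners && echo "(none: chain complete)"
```

On the server, `netstat -plan | missing_listeners` gives the same check against the live system; a port owned by "master" that is missing points at master.cf, one owned by "perl" at the proxy start scripts.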


15. Change the SMTP port in the mail clients to 587, NOT 25, or redirect it with NAT in iptables
