Dual DomainKeys and DKIM signatures in Postfix

DomainKeys implementation.
Anton Rahmadi @23 January 2009
version 1.2 GPL

Part I -- DomainKeys
(DKIMProxy and dkfilter)
notes:
Yahoo only supports dkfilter
Gmail only supports DKIM


1. Install the required Perl modules
perl -MCPAN -e'CPAN::Shell->install("Bundle::CPAN")'
perl -MCPAN -e'CPAN::Shell->install("Crypt::OpenSSL::RSA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA1")'
perl -MCPAN -e'CPAN::Shell->install("Error")'
perl -MCPAN -e'CPAN::Shell->install("Mail::Address")'
perl -MCPAN -e'CPAN::Shell->install("MIME::Base64")'
perl -MCPAN -e'CPAN::Shell->install("Net::DNS")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
perl -MCPAN -e'CPAN::Shell->install("Test::More")'

2. Install Mail-DKIM version 0.32 (last update: 21Jan2009)
cd /usr/local/src
wget -c http://search.cpan.org/CPAN/authors/id/J/JA/JASLONG/Mail-DKIM-0.32.tar.gz
tar -xzvf Mail-DKIM-0.32.tar.gz
cd Mail-DKIM-0.32
make clean
make tidy
perl Makefile.PL
make
make test
make install
cd ..


3a. Install dkfilter version 0.11 (last update: 22Jan2009)
cd /usr/local/src
wget -c http://jason.long.name/dkfilter/dkfilter-0.11.tar.gz
tar -xzvf dkfilter-0.11.tar.gz
cd dkfilter-0.11
make clean
make tidy
./configure --prefix=/usr/local/dkfilter
make install


3b. Install dkimproxy version 1.1 (last update: 21Jan2009)
cd /usr/local/src/
wget -c http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.1.tar.gz
tar -xzvf dkimproxy-1.1.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkimproxy
make install


4. Create the user
groupadd dkim
useradd -s /bin/false -d /dev/null -g dkim dkim


5. Create the private and public keys
cd /usr/local/dkimproxy
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkim:dkim private.key
chmod 600 private.key
cp private.key public.key /usr/local/dkfilter


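6. Edit the entries on the DNS server / hosting (replace ISI_DARI_PUBLIC_KEY with the base64 contents of public.key, without the BEGIN/END lines)
_domainkey.namadomain.ac.id IN TXT "t=y; o=~;"
selector1._domainkey.namadomain.ac.id IN TXT "k=rsa; p=ISI_DARI_PUBLIC_KEY;"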
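
Added example (not part of the original post): one way to build the selector record of step 6 from public.key. It strips the PEM armor, joins the base64 lines, and splits the value into quoted strings of at most 255 bytes; the 1024-bit key from step 5 fits in one string, a 2048-bit key does not. The helper names and the sample PEM body are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the selector TXT record of step 6 from public.key.
# pem_body, dk_txt_record and demo_record are hypothetical helper names.

# Print the base64 body of a PEM file on one line (armor, spaces, newlines removed).
pem_body() {
    grep -v '^-----' "$1" | tr -d ' \r\n'
}

# Usage: dk_txt_record SELECTOR DOMAIN PEMFILE
# The body runs in a subshell "( ... )" so its variables stay local.
dk_txt_record() (
    body=$(pem_body "$3")
    [ -n "$body" ] || { echo "no key data in $3" >&2; exit 1; }
    value="k=rsa; p=$body;"
    out=""
    # One TXT character-string holds at most 255 bytes; a longer value is
    # written as several quoted strings, which resolvers concatenate.
    while [ -n "$value" ]; do
        chunk=$(printf '%s' "$value" | cut -c1-255)
        value=$(printf '%s' "$value" | cut -c256-)
        out="$out${out:+ }\"$chunk\""
    done
    printf '%s._domainkey.%s IN TXT %s\n' "$1" "$2" "$out"
)

# Constructed sample (PEM-shaped, not a real key) so the example runs offline.
demo_record() (
    tmp=$(mktemp) || exit 1
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
        'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=' \
        '-----END PUBLIC KEY-----' > "$tmp"
    dk_txt_record selector1 namadomain.ac.id "$tmp"
    rm -f "$tmp"
)

demo_record
```

On the real host the call would be dk_txt_record selector1 namadomain.ac.id /usr/local/dkimproxy/public.key.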


7a. Create a script to start dkfilter
cd /usr/local/dkfilter
vi dkfilter.sh

-------------------------CONTENTS OF dkfilter.sh------------------------
#!/bin/bash

#dk.out
/usr/local/dkfilter/bin/dk.out --keyfile=/usr/local/dkfilter/private.key --selector=selector1 --domain=namadomain.ac.id,mail.namadomain.ac.id --method=nowfs 127.0.0.1:10029 127.0.0.1:10030 &
[Esc][Shift-ZZ]
-------------------------CONTENTS OF dkfilter.sh------------------------
chmod 755 dkfilter.sh
./dkfilter.sh



7b. Create a script to start DKIMProxy
cd /usr/local/dkimproxy
vi dkimproxy.sh

-------------------------CONTENTS OF dkimproxy.sh------------------------
#!/bin/bash

#dkimproxy.in
/usr/local/dkimproxy/bin/dkimproxy.in 127.0.0.1:10025 127.0.0.1:10026 &
#dkimproxy.out
/usr/local/dkimproxy/bin/dkimproxy.out --keyfile=/usr/local/dkimproxy/private.key --selector=selector1 --domain=namadomain.ac.id,mail.namadomain.ac.id --method=relaxed 127.0.0.1:10027 127.0.0.1:10028 &
[Esc][Shift-ZZ]
-------------------------CONTENTS OF dkimproxy.sh------------------------
chmod 755 dkimproxy.sh
./dkimproxy.sh


8. Check that the DomainKeys services are running
netstat -plan | grep tcp
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl


9. If that works, add dkfilter.sh and dkimproxy.sh to rc.local
cat "/usr/local/dkimproxy/dkimproxy.sh" >> /etc/rc.d/rc.local
cat "/usr/local/dkfilter/dkfilter.sh" >> /etc/rc.d/rc.local


10. Back up /etc/postfix/master.cf
cd /etc/postfix
cp master.cf master.cf.asli


11. Adjust the contents of /etc/postfix/master.cf as follows:
# the line below is commented out to support dkfilter inbound -Arahmadi@20jan2009
#smtp inet n - n - - smtpd

# begin ---- domainkeys implementation, ARahmadi @20Jan2009

#dkim.in
smtp inet n - n - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10

127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks

#dkim.out
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=no
  -o content_filter=dkimsign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

dkimsign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime

127.0.0.1:10028 inet n - n - 10 smtpd
#---Send straight out
# -o content_filter=
#---Hand back to dkfilter
  -o content_filter=dksign:[127.0.0.1]:10029
  -o receive_override_options=no_unknown_recipient_checks,no_address_mappings
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

#dk.out
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime

127.0.0.1:10030 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# end ---- domainkeys implementation

Update 23Jan2009:
A little additional tuning

12. Change the configuration in main.cf

cd /etc/postfix
vi main.cf

---------------------changes to main.cf----------------------
smtpd_delay_reject = yes
127.0.0.1:10026_time_limit = 3600
127.0.0.1:10028_time_limit = 3600
127.0.0.1:10030_time_limit = 3600
---------------------changes to main.cf----------------------


13. Reload postfix
postfix reload


14. Check that the DomainKeys services are running
netstat -plan | grep tcp
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10029 0.0.0.0:* LISTEN 6651/perl
tcp 0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 30205/master
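
Added example (not part of the original post): a check of `netstat -plan` output against the listener chain of step 14. Ports 10025-10030 should all be on loopback, with the Perl proxies on the odd ports and Postfix on the even ones; a proxy bound to another address would accept mail for signing from other hosts. The name check_dk_listeners is hypothetical.

```shell
#!/bin/sh
# Added example: audit `netstat -plan` output against the listener chain of
# step 14. check_dk_listeners is a hypothetical helper name.

# Reads netstat output on stdin, prints one line per problem, and returns
# non-zero if any port of the chain is missing, misowned, or not on loopback.
check_dk_listeners() {
    awk '
    BEGIN {
        bad = 0
        # Odd ports: the Perl signing/verifying proxies. Even ports: Postfix.
        want[10025] = "perl"; want[10026] = "master"
        want[10027] = "perl"; want[10028] = "master"
        want[10029] = "perl"; want[10030] = "master"
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        if (!(port in want)) next
        addr = substr($4, 1, length($4) - length(port) - 1)
        split($7, p, "/"); prog = p[2]
        seen[port] = 1
        if (addr != "127.0.0.1" && addr != "::1") {
            printf "port %s bound to %s, not loopback\n", port, addr; bad = 1
        }
        if (prog != want[port]) {
            printf "port %s owned by %s, expected %s\n", port, prog, want[port]; bad = 1
        }
    }
    END {
        for (port in want)
            if (!(port in seen)) { printf "port %s not listening\n", port; bad = 1 }
        exit bad
    }'
}

# Sample input: the netstat lines shown in step 14 of this page.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10029 0.0.0.0:* LISTEN 6651/perl
tcp 0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 30205/master
EOF
}

sample_netstat | check_dk_listeners && echo "listener chain OK"
```

On a live host, run it as netstat -plan | check_dk_listeners.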


15. Change the SMTP port in mail clients to 587, NOT 25, or use NAT with iptables
