Signature ganda domainkeys dan DKIM di Postfix
Implementasi Domainkeys.
Anton Rahmadi @23 Januari 2009
versi 1.2 GPL
Yahoo hanya mendukung dkfilter
Gmail hanya mendukung DKIM
1. Instalasi program-program PERL yang dibutuhkan
2. Instalasi Mail-DKIM versi 0.32 (last update: 21Jan2009)
3a. Instalasi dkfilter versi 0.11 (last update: 22Jan2009)
3b. Instalasi dkimproxy versi 1.1 (last update: 21Jan2009)
4. Buat user
5. Buat private dan public key
6. Edit entri di DNS server / Hosting
7a. Membuat script untuk memulai dkfilter
7b. Membuat script untuk memulai DKIMProxy
8. Melihat keaktifan domain key
9. Apabila berhasil, maka masukkan dkfilter.sh dan dkimproxy.sh ke rc.local
10. Backup /etc/postfix/master.cf
11. Sesuaikan isi dari /etc/postfix/master.cf sebagai berikut:
Sedikit tune-up tambahan
12. Ubah konfigurasi di main.cf
cd /etc/postfix
vi main.cf
---------------------perubahan isi main.cf----------------------
smtpd_delay_reject = yes
127.0.0.1:10026_time_limit = 3600
127.0.0.1:10028_time_limit = 3600
127.0.0.1:10030_time_limit = 3600
---------------------perubahan isi main.cf----------------------
13. Reload postfix
14. Melihat keaktifan domain key
15. Mengubah SMTP port dari mail klien menjadi 587, BUKAN 25 atau gunakan NAT dari iptables
Anton Rahmadi @23 Januari 2009
versi 1.2 GPL
Bagian I -- Domainkeys
(DKIMProxy dan dkfilter)
catatan:Yahoo hanya mendukung dkfilter
Gmail hanya mendukung DKIM
1. Instalasi program-program PERL yang dibutuhkan
perl -MCPAN -e'CPAN::Shell->install("Build::CPAN")'
perl -MCPAN -e'CPAN::Shell->install("Crypt::OpenSSL::RSA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA1")'
perl -MCPAN -e'CPAN::Shell->install("Error")'
perl -MCPAN -e'CPAN::Shell->install("Mail::Address")'
perl -MCPAN -e'CPAN::Shell->install("MIME::Base64")'
perl -MCPAN -e'CPAN::Shell->install("Net::DNS")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
perl -MCPAN -e'CPAN::Shell->install("Test::More")'
2. Instalasi Mail-DKIM versi 0.32 (last update: 21Jan2009)
cd /usr/local/src
wget -c http://search.cpan.org/CPAN/authors/id/J/JA/JASLONG/Mail-DKIM-0.32.tar.gz
tar -xzvf Mail-DKIM-0.32.tar.gz
cd Mail-DKIM-0.32
make clean
make tidy
perl Makefile.PL
make
make test
make install
cd ..
3a. Instalasi dkfilter versi 0.11 (last update: 22Jan2009)
cd /usr/local/src
wget -c http://jason.long.name/dkfilter/dkfilter-0.11.tar.gz
tar -xzvf dkfilter-0.11.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkfilter
make install
3b. Instalasi dkimproxy versi 1.1 (last update: 21Jan2009)
cd /usr/local/src/
wget -c http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.1.tar.gz
tar -xzvf dkimproxy-1.1.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkimproxy
make install
4. Buat user
groupadd dkim
useradd -s /bin/false -d /dev/null -g dkim dkim
5. Buat private dan public key
cd /usr/local/dkimproxy
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkim.dkim private.key
chmod 600 private.key
cp private.key public.key /usr/local/dkfilter
6. Edit entri di DNS server / Hosting
_domainkey.namadomain.ac.id IN TXT “t=y; o=~;”
selector1._domainkey.namadomain.ac.id IN TXT "k=rsa; p=ISI_DARI_PUBLIC_KEY;"
7a. Membuat script untuk memulai dkfilter
cd /usr/local/dkfilter
vi dkfilter.sh
-------------------------ISI dkfilter.sh------------------------
#/bin/bash
#dk.out
/usr/local/dkfilter/bin/dk.out --keyfile=/usr/local/dkfilter/private.key --selector=selector1 --domain=namadomain.ac.id,mail.namadomain.ac.id --method=nowfs 127.0.0.1:10029 127.0.0.1:10030 &
[Esc][Shift-ZZ]
-------------------------ISI dkfilter.sh------------------------
chmod 755 dkfilter.sh
./dkfilter.sh
7b. Membuat script untuk memulai DKIMProxy
cd /usr/local/dkimproxy
vi dkimproxy.sh
-------------------------ISI dkimproxy.sh------------------------
#/bin/bash
#dkimproxy.in
/usr/local/dkimproxy/bin/dkimproxy.in 127.0.0.1:10025 127.0.0.1:10026 &
#dkimproxy.out
/usr/local/dkimproxy/bin/dkimproxy.out --keyfile=/usr/local/dkimproxy/private.key --selector=selector1 --domain=namadomain.ac.id,mail.namadomain.ac.id
--method=relaxed 127.0.0.1:10027 127.0.0.1:10028 &
[Esc][Shift-ZZ]
-------------------------ISI dkimproxy.sh------------------------
chmod 755 dkimproxy.sh
./dkimproxy.sh
8. Melihat keaktifan domain key
netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
9. Apabila berhasil, maka masukkan dkfilter.sh dan dkimproxy.sh ke rc.local
cat "/usr/local/dkimproxy/dkimproxy.sh" >> /etc/rc.d/rc.local
cat "/usr/local/dkfilter/dkfilter.sh" >> /etc/rc.d/rc.local
10. Backup /etc/postfix/master.cf
cd /etc/postfix
cp master.cf master.cf.asli
11. Sesuaikan isi dari /etc/postfix/master.cf sebagai berikut:
# a line below is commented to support dkfilter inbound -Arahmadi@20jan2009Update 23Jan2009:
#smtp inet n - n - - smtpd
# begin ---- domainkeys implementation, ARahmadi @20Jan2009
#dkim.in
smtp inet n - n - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10
127.0.0.1:10026 inet n - n - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
-o receive_override_options=no_unknown_recipient_checks
#dkim.out
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=no
-o content_filter=dkimsign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
dkimsign unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime
127.0.0.1:10028 inet n - n - 10 smtpd
#---Langsung dilempar ke luar
# -o content_filter=
#---Dilempar kembali ke dkfilter
-o content_filter=dksign:[127.0.0.1]:10029
-o receive_override_options=no_unknown_recipient_checks,no_address_mappings
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
#dk.out
dksign unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime
127.0.0.1:10030 inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
# end ---- domainkeys implementation
Sedikit tune-up tambahan
12. Ubah konfigurasi di main.cf
cd /etc/postfix
vi main.cf
---------------------perubahan isi main.cf----------------------
smtpd_delay_reject = yes
127.0.0.1:10026_time_limit = 3600
127.0.0.1:10028_time_limit = 3600
127.0.0.1:10030_time_limit = 3600
---------------------perubahan isi main.cf----------------------
13. Reload postfix
postfix reload
14. Melihat keaktifan domain key
netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10029 0.0.0.0:* LISTEN 6651/perl
tcp 0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 30205/master
15. Mengubah SMTP port dari mail klien menjadi 587, BUKAN 25 atau gunakan NAT dari iptables
Comments