dkimproxy for Debian
--------------------

These are some general notes about using dkimproxy under Debian; they also
include notes for integration with Amavisd. Note that if you use dkimproxy
with DTC, everything will be configured for you, so you don't need to read
this file.

IMPORTANT: you will NEED to have either Amavis or Postfix listening on port
10024 so that dkimproxy.in can send the filtered messages back to your MTA.
Please read further.

1) General principle when using DKIMproxy
-----------------------------------------

DKIMproxy is in fact an SMTP server by itself. The way to use it is to have
it bind to a port, so that Postfix sends emails to it for scanning/signing.

When it comes to signing, it is done the following way. Ports are written
below each program for a better understanding:

Postfix----->Dkimproxy----->Postfix
25 587       in=10027       in=10029
10027        out=10029

As for incoming emails, if you use DKIMproxy without a content scanner (like
Amavis), it goes like this:

Postfix----->Dkimproxy----->Postfix
25           in=10026       10024
out=10026    out=10024

If you want to use a content filter, then you should do it this way:

Postfix----->Dkimproxy----->Amavis------------------>Postfix
25           in=10026         |   |---->ClamAV       10028
out=10026    out=10024        ------->SpamAssassin
                            in=10024
                            out=10028

If you respect the above, you will not have to change any of the default
ports for DKIMproxy or Amavis, so it is recommended not to change these
ports.

What follows describes how to configure Postfix in order to have the above up
and running. This does not cover how to set up Amavis, ClamAV or
SpamAssassin. It covers Postfix only, but you might be able to use dkimproxy
with any MTA that supports inbound and outbound SMTP proxies.
2) Setting up the outbound signing system
-----------------------------------------

2.a) master.cf addition:
------------------------

#
# specify the location of the DomainKeys signing filter
#
dkimsign  unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime

#
# service for accepting messages FROM the DomainKeys signing filter
# as every check must have been performed before sending emails to
# the signer proxy, we override all restrictions and allow all.
#
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n       -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dkimsign:[127.0.0.1]:10028
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# For Postfix to sign mails sent out using webmails or other locally
# delivered mail
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=dkimsign:127.0.0.1:10028

2.b) main.cf addition:
----------------------

Then in your main.cf, add:

content_filter=dkimsign:[127.0.0.1]:10028

This will always use dkimsign as the content filter, and we will override it
for inbound checking (see later).

3) Installation of inbound checking without amavisd-new (or other filters):
---------------------------------------------------------------------------

3.a) Addition to master.cf:
---------------------------

Stuff to add to /etc/postfix/master.cf to add inbound filtering:

#
# Before-filter SMTP server.
# Receive mail from the network and
# pass it to the content filter on localhost port 10026.
#
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10026
    -o smtpd_client_connection_count_limit=5

3.b) Setting up amavisd-new in master.cf:
-----------------------------------------

If you are running Amavis, then you might have something like this:

smtp-amavis unix -      -       -       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       -       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

4) For integration with amavisd-new:
------------------------------------

a) Apply the following configuration to /etc/postfix/master.cf:
---------------------------------------------------------------

b) Add the following to the last smtpd_recipient_restrictions stanza:
---------------------------------------------------------------------

This is to be put before the last permit:

check_sender_access regexp:/etc/postfix/filter_10026_catchall

Create the file /etc/postfix/filter_10026_catchall with the following
contents:

/^/ FILTER dkimsign:[127.0.0.1]:10026

c) Change the default filter action to be the signing filter:
-------------------------------------------------------------

The dkimsign verification, for incoming mail, is done as a FILTER applied to
the recipient restrictions:

content_filter = smtp-amavis:[127.0.0.1]:10028

5) Other info for DKIMproxy
---------------------------

This code will generate the domainkey entry
for your DNS:

#!/bin/sh
# Strip the PEM header/footer lines and join the base64 body into one string
KEY=`grep -v "PUBLIC" /var/lib/dkimproxy/public.key | tr -d \\n`
SELECTOR=postfix
DOMAIN=packrat.datalexsin.local
# Owner name is relative to the zone of $DOMAIN; t=y flags the domain as testing
NSRECORD="$SELECTOR._domainkey IN TXT \"k=rsa; p=$KEY; t=y\""
# Quote the variable so the shell does not re-split the record on whitespace
echo "$NSRECORD"

 -- Damien Mascord  Mon, 18 Feb 2008 06:16:06 +0000
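The shell snippet above emits the record as a single TXT string, which DNS cannot carry once the key is longer than 255 octets. As an added example (not part of the dkimproxy package or the README author's script), this Python code builds the same selector._domainkey record with the value split into 255-octet quoted strings, then parses a published record back and checks that p= is still valid base64; the PEM body and the domain example.com are constructed placeholders, and the v=DKIM1 tag is added per RFC 6376.

```python
import base64
import re

# Constructed sample PEM: the base64 body is a placeholder, not a real RSA key.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
-----END PUBLIC KEY-----
"""


def pem_to_p(pem):
    """Drop the PEM armour lines and join the base64 body into one string,
    which is what the README's grep -v PUBLIC | tr -d '\\n' pipeline does."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and "PUBLIC" not in ln]
    return "".join(body)


def dkim_txt_record(selector, domain, pem, testing=True, chunk=255):
    """Build the selector._domainkey TXT record, splitting the value into
    255-octet quoted strings because one DNS character-string cannot be
    longer; a 2048-bit key does not fit in one. t=y marks the domain as
    testing, as in the README's script."""
    value = "v=DKIM1; k=rsa; p=" + pem_to_p(pem)
    if testing:
        value += "; t=y"
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    quoted = " ".join('"%s"' % part for part in parts)
    return "%s._domainkey.%s. IN TXT %s" % (selector, domain, quoted)


def parse_txt_record(rdata):
    """Re-join the quoted strings and split into tag=value pairs, then check
    that p= is valid base64 (a truncated paste is the usual publishing error)."""
    joined = "".join(re.findall(r'"([^"]*)"', rdata))
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = val.strip()
    base64.b64decode(tags["p"], validate=True)  # raises binascii.Error on damage
    return tags


if __name__ == "__main__":
    rec = dkim_txt_record("postfix", "example.com", SAMPLE_PEM, chunk=100)
    print(rec)
    print(parse_txt_record(rec.split(" IN TXT ", 1)[1]))
```

Run it against /var/lib/dkimproxy/public.key to get a zone-file line you can paste as-is, and against the output of `dig TXT postfix._domainkey.yourdomain` to confirm what was actually published.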