DomainKeys/DKIM Implementation on Zimbra+SLES 11 SP1 with OpenDKIM

The following tutorial covers DomainKeys/DKIM implementation using OpenDKIM on SLES or openSUSE. DomainKeys Identified Mail (DKIM) is a technology designed to make it difficult or impossible for criminals to steal the identities of legitimate organizations. This authentication technology allows good senders to “sign” a message to prove that it really did come from them.

DKIM was originally written as a sender authentication protocol, developed to address the problem of forged email messages. Yahoo! released the DomainKeys specification and Cisco released the Internet Identified Mail specification. Both methods are based on cryptographic message signing. The two efforts have been merged, and the combined specification is known as DomainKeys Identified Mail (DKIM).

There are various options for implementing a DomainKeys signature: DK-Filter, DKIM-milter, OpenDKIM, and the Amavisd-new DKIM implementation. Don’t be confused by all the terms. All methods have a similar function: signing your email as “trusted” or legitimate email.

Implementing OpenDKIM on openSUSE/SLES for Zimbra Mail Server can be achieved in 5 easy steps:

  1. Installing OpenDKIM
  2. Configuring OpenDKIM
  3. Configuring DNS Records
  4. Integrating with Your Mail Server (in my case : Zimbra Mail Server)
  5. Testing & Verifying the DKIM Signature

OPENDKIM INSTALLATION

Download and install OpenDKIM. I found a repo on the openSUSE Community Repository, Webpin. The RPM was built for openSUSE 11.2, but you may also install it on openSUSE 11.3 or SLES 11.
In case the original RPM is removed from the repos, I made a backup copy on my repo, http://download.vavai.com.

wget -c http://download.vavai.com/repo/x86_64/opendkim-2.2.2-2.1.x86_64.rpm
wget -c http://download.vavai.com/repo/x86_64/libopendkim3-2.2.2-2.1.x86_64.rpm
zypper in *.rpm

OPENDKIM CONFIGURATION

  1. Create OpenDKIM configuration
    cp /usr/share/doc/packages/opendkim/opendkim.conf.sample /etc/opendkim.conf
    mkdir -p /etc/mail/dkim
  2. Modify /etc/opendkim.conf to match your environment
    BaseDirectory /var/run/opendkim
    Domain vavai.web.id
    InternalHosts 192.168.10.0/24, 127.0.0.1
    KeyFile /etc/mail/dkim/selector.private
    Mode sv
    Selector selector
    Socket inet:8891@localhost
    Syslog Yes
    SyslogFacility mail
    X-Header Yes
  3. Create the selector and key for signing messages
    opendkim-genkey -d vavai.web.id -D /etc/mail/dkim -s selector
    cd /etc/mail/dkim
    chmod 440 selector.private

    The above command creates 2 files: selector.txt & selector.private. selector.txt contains the DNS record that we must insert into our DNS server.

  4. Run OpenDKIM with the following command:
    opendkim -x /etc/opendkim.conf

DNS SERVER CONFIGURATION

Open /etc/mail/dkim/selector.txt and copy its content into your DNS server. If your public DNS is managed by an ISP, contact them and ask them to insert the TXT record into the DNS server for your domain.
Below is a sample from my DNS server for the domain vavai.web.id:

# cat /var/lib/named/master/vavai.web.id
$TTL 2d
@		IN SOA		ns1.vavai.web.id.	root.ns1.vavai.web.id. (
				2010122101	; serial
				3h		; refresh
				1h		; retry
				1w		; expiry
				1d )		; minimum
vavai.web.id.	IN NS		ns1.vavai.web.id.
vavai.web.id.	IN NS		ns2.vavai.web.id.
vavai.web.id.   IN A		174.120.9.XXX
vavai.web.id.	IN MX		0 mail.vavai.web.id.
www		IN CNAME	vavai.web.id.
ns1		IN A		202.158.52.xxx
mail		IN A		202.158.52.xxx
ns2		IN A		202.43.115.xxx
vavai.web.id.   IN TXT          "v=spf1 a mx include:mail.vavai.web.id ~all"
selector._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIG29fMA0GCSqsdfsdfdsfdsfGSIb3DQEBAQUAA4GNADCBiQKBgQDJ5IZT5e5nvmkotroz5ylTlwU8yEEZ+v/576aI+w6TkbP4XibYxDsWVweXXtVeQQMMAAmw8AwYuK5R9b373Xqu+Hv9HNAJoAteKF/qlKcZc5Akhj5B7P1imXaurZkkIBp63yBZyZRralzQYNT3UrVB7M/xONMWXcU9xm7Zv1PzH1Y1OQIDAQAB"

ZIMBRA MAIL SERVER CONFIGURATION

Open a terminal/konsole, log in as the zimbra user (su - zimbra) and replace/add the following lines in /opt/zimbra/postfix/conf/main.cf:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

Save and run the reload command: postfix reload
With milter_default_action = accept, Postfix accepts and delivers mail unsigned whenever the OpenDKIM milter is unreachable.

TESTING & VERIFYING OPENDKIM

After all steps have been executed successfully, test OpenDKIM by sending a blank email to sa-test@sendmail.net or check-auth@verifier.port25.com or autorespond+dkim@dk.elandsys.com, or to your Gmail/Yahoo email account.
Below is a sample response message from sendmail:

Authentication System:       DomainKeys Identified Mail
Result:                   DKIM signature confirmed GOOD
Description:              Signature verified, message arrived intact
Reporting host:           sendmail.net
More information:         http://mipassoc.org/dkim/
Sendmail milter:          https://sourceforge.net/projects/dkim-milter/

Response from elandsys:

This is an automatic response.  Replies to this message will not generate
an automatic response.
Do not reply to this message except for reporting a problem.
The results are as follows:
DKIM Signature validation: pass (1024-bit key)

Response from Gmail

Received-SPF: pass (google.com: domain of vavai@vavai.web.id designates XXX.158.52.XXX as permitted sender) client-ip=XXX.158.52.XXX;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of vavai@vavai.web.id designates XXX.158.52.XXX as permitted sender) smtp.mail=vavai@vavai.web.id; dkim=pass header.i=@vavai.web.id
Received: from localhost (localhost [127.0.0.1])
	by mx3.vavai.web.id (Postfix) with ESMTP id 0E666DB0302
	for ; Wed, 22 Dec 2010 09:42:12 +0700 (WIT)
X-Virus-Scanned: amavisd-new at vavai.web.id
Received: from mx3.vavai.web.id ([127.0.0.1])
	by localhost (mx3.vavai.web.id [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id On3P3QqkyMM4 for ;
	Wed, 22 Dec 2010 09:42:11 +0700 (WIT)
Received: from mx3.vavai.web.id (mx3.vavai.web.id [XXX.158.52.XXX])
	by mx3.vavai.web.id (Postfix) with ESMTP id 56CC1DB0136
	for ; Wed, 22 Dec 2010 09:42:11 +0700 (WIT)
X-DKIM: OpenDKIM Filter v2.2.2 mx3.vavai.web.id 56CC1DB0136
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=vavai.web.id;
	s=selector; t=1292985731;
	bh=cBOiyKgb7kh/ygTXq8sQihgwMCryqYRvRZBYcO6/z5U=;
	h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
	b=KMOYjsda6qPqNdf0NuyxdEayFxgRCAVmilYKobK3sKV8hSvybT3fmbWM+2mZUCzMY
	 sDSdVVTXMB6RnHoEPyPzNFK7y9TPpAn0SPkGqL0nSzQ+Fr6/VaEBHrcQGduUNm5Ot5
	 V0Y9vIcmfjLGWTkkAX0RjHpV/9ZK8VPJD0etRsM0=
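
The consistency a verifier relies on between opendkim.conf, the DNS TXT record and the DKIM-Signature header can be checked offline. The following is an added example, not part of the original tutorial or of OpenDKIM: it parses both tag lists, derives the DNS name queried for the key, and recomputes bh= under simple body canonicalization. It does not verify the RSA signature in b=. The function names are hypothetical, and the body, bh=, b= and p= values are constructed placeholders.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or key TXT record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:  # skip the empty element after a trailing ';'
            # whitespace from header folding is not significant in these values
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(sig):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    return "{}._domainkey.{}".format(sig["s"], sig["d"])

def simple_body_hash(body):
    """bh= value for 'simple' body canonicalization with a=rsa-sha256."""
    while body.endswith(b"\r\n"):   # drop all trailing empty lines ...
        body = body[:-2]
    canon = body + b"\r\n"          # ... then end with exactly one CRLF
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def check(sig_value, txt_record, domain, selector, body):
    """Return findings; an empty list means signature, DNS record and config agree."""
    sig, key = parse_tags(sig_value), parse_tags(txt_record)
    findings = []
    if (sig.get("d"), sig.get("s")) != (domain, selector):
        findings.append("d=/s= do not match Domain/Selector in opendkim.conf")
    if "from" not in sig.get("h", "").lower().split(":"):
        findings.append("From header is not covered by h=")
    if key.get("v", "DKIM1") != "DKIM1" or not key.get("p"):
        findings.append("TXT record is not a usable DKIM1 key (empty p= means revoked)")
    # c= is header/body; a missing body part defaults to 'simple'
    body_canon = (sig.get("c", "simple/simple") + "/simple").split("/")[1]
    if body_canon == "simple" and simple_body_hash(body) != sig.get("bh"):
        findings.append("bh= mismatch: body changed after signing")
    return findings

# Constructed sample: d=, s=, a=, c= and h= are the values from the Gmail
# response above; the body, bh=, b= and p= are made up for this example.
BODY = b"DKIM test message\r\n\r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=vavai.web.id;\r\n\ts=selector; "
       "h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;\r\n\t"
       "bh=" + simple_body_hash(BODY) + "; b=PLACEHOLDERSIGNATURE")
TXT = "v=DKIM1; r=postmaster; g=*; k=rsa; p=PLACEHOLDERPUBLICKEY"

if __name__ == "__main__":
    print(key_record_name(parse_tags(SIG)), check(SIG, TXT, "vavai.web.id", "selector", BODY))
```

A finding about d=/s= points at opendkim.conf or the zone file; a bh= mismatch points at something rewriting the body after the milter has signed it.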
