Denie's Tech Blog » Sendmail

Setting up DomainKeys on Centos

Denie — Tue, 09 Mar 2010 14:30:22 +0000

This is a quick walk through on how to set up domain keys on Centos 5 using sendmail. It should also be very similar for Redhat or Fedora.

Domainkeys is a method mostly used by yahoo to verify that the sender of an email is valid. I did notice that gmail changes the domainkeys header line to a pass value but I don’t know if they block/accept mail based on that.

First install some dependencies.

yum install sendmail-devel openssl-devel

First download the latest version of dk-milter by going to http://sourceforge.net/projects/dk-milter/

cd /usr/src/
wget http://downloads.sourceforge.net/dk-milter/dk-milter-1.0.0.tar.gz

Then extract it using the command

tar xzf dk-milter-1.0.0.tar.gz
cd dk-milter-2.6.0

Start by copying the sample config file to the proper directory and the make/make installing

cp site.config.m4.dist devtools/Site/site.config.m4
make; make install

You may see a few errors during the install, as long as they are just about creating the man pages you should be alright. Now change back to a good working directory and create your new keys.

cd ~/ssl-gen
openssl genrsa -out rsa.private 768
openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

Make the directory and move the private key into it.

mkdir -p /var/db/domainkeys/
cp rsa.private /var/db/domainkeys/mail.key.pem

Now we should set up our DNS TXT records with our public key. This is how it should look in a bind zone file. Put the public key only and not the “BEGIN RSA PRIVATE…” or “END RSA…” parts of the key with out parenthesis.

mail._domainkey.jkurtzman.com. IN TXT “k=rsa; t=y; p=(Paste the public key here)”
_domainkey.jkurtzman.com. IN TXT “t=y; o=~”

You can use the following command to verify that your TXT record was set up correctly.

dig +short mail._domainkey.jkurtzman.com TXT

Now we will need to make the init script so the it starts when the computer reboots. Put the following into a file called /etc/init.d/domainkeys. Of course be sure to change the domain to your own domain. Remember to fix any lines that have wrapped when copying. Especially the COMMAND line.

#!/bin/sh
#
# “/etc/rc.d/init.d/dk-filter”
# Start/stop script for the dk-filter daemon on RedHat Linux
#
# chkconfig: – 79 31
# description: Acts as the “dk-filter” InputMailFilter (milter) for the \
# Sendmail MTA to provide DomainKeys service

############################################################
#
# Be sure to edit these values:
#
KEYFILE=”/var/db/domainkeys/mail.key.pem”
DOMAIN=”jkurtzman.com”
SELECTOR=”mail”
USER=”domainkeys”
#
############################################################

PIDFILE=”/var/run/dk-milter/pid”
SUBMISSION_DAEMON=”smtp”
PORT=8891

# Source function library. Provides the “status” option
. /etc/init.d/functions

test -x `which dk-filter` || exit 0

RETVAL=0

start() {
echo -n $”Starting dk-filter: ”
COMMAND=”dk-filter -u $USER -b s -p inet:$PORT@localhost -l -P $PIDFILE -s $KEYFILE -d $DOMAIN -S $SELECTOR -m$SUBMISSION_DAEMON -c nofws”
# echo -e “Now executing\n”$COMMAND””
daemon $COMMAND
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/dk-filter
return $RETVAL
}

stop() {
echo -n $”Stopping dk-filter: ”
killproc dk-filter
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f $PIDFILE /var/lock/subsys/dk-filter
return $RETVAL
}

restart() {
stop
start
}

case “$1″ in
start)
start
;;
stop)
stop
;;
status)
status dk-filter
;;
restart)
restart
;;
*)
echo $”Usage: $0 {start|stop|status|restart}”
exit 1
esac

exit $?

Give your new file execute permisions, create a user for domain keys to run as, and start it

chmod +x /etc/init.d/domainkeys
useradd domainkeys
service domainkeys start

If everything work you should see that the dk-filter has started.
Now run chkconfig so the service starts when you reboot.

chkconfig domainkeys on

Now add this to your /etc/mail/sendmail.mc file.

INPUT_MAIL_FILTER(`dk-filter’, `S=inet:8891@localhost’)

And make and restart sendmail.

cd /etc/mail
make
service sendmail restart

You should now be able to send email and be domainkey verified. If you are relaying mail through the mail server you will need to make sure you are using SMTP Authentication otherwise the dk-filter will not add the header information.

Try sending an email to a yahoo account and see if you get secure icon.

Source:

http://luxio.us/cMZ11e

Share this on :

Optimizing Sendmail

Denie — Wed, 09 Dec 2009 15:14:12 +0000

Most of them involve changing the daemon’s configuration in /etc/sendmail.mc and rebuilding sendmail.cf

Specific things that can affect performance:

dnl # Sendmail, Chap 24.9.13, Page 955
dnl # Disable re-write of queue control file (will result in duplicates
dnl # if the daemon is interrupted during a delivery)
define(`confCHECKPOINTINTERVAL’,`0′)dnl

dnl # Sendmail, Chap 24.9.21, Page 960
dnl # Disable throttling the acceptance of new connections
define(`confCONNECTION_RATE_THROTTLE’,`0′)dnl

dnl # Sendmail, Chap 24.9.25, Page 967
dnl # Specify the maximum size, in bytes, of buffered df* files (default is
dnl # 4096 bytes; 0 turns this off and is not recommended)
define(`confDF_BUFFER_SIZE’,`16384′)dnl

dnl # Sendmail, Chap 24.9.60, Page 1011
dnl # Disable limit on the daemon spawning new children
define(`confMAX_DAEMON_CHILDREN’,`0′)dnl

dnl # Sendmail, Chap 24.9.66, Page 1016
dnl # Disbale limit on the number of messages that may be processed
dnl # during any one queue run
define(`confMAX_QUEUE_RUN_SIZE’,`0′)dnl

dnl # Sendmail, Chap 24.9.19, Page 959
dnl # Turn on connection caching and set maximum number of simultaneous
dnl # outbound connections kept open to 4; default is 2; this option also
dnl # depends on MCI_CACHE_TIMEOUT (below)
define(`confMCI_CACHE_SIZE’,`4′)dnl

dnl # Sendmail, Chap 24.9.19, Page 959
dnl # Set time limit on how long a cached outbound connection may be
dnl # kept open to 120 seconds (2 minutes) – see MCI_CACHE_SIZE above
define(`confMCI_CACHE_TIMEOUT’,`120s’)dnl

dnl # Sendmail, Chap 24.9.72, Page 1022
dnl # Disable time delay for queued messages not delivered on the first try
define(`confMIN_QUEUE_AGE’,`0′)dnl

dnl # Sendmail, Chapter 24.9.107, Page 1057
dnl # Disable MTA setting that forces MTA to queue each message and to sync
dnl # to disk before forking (a system crash may result in lost mail)
define(`confSAFE_QUEUE’,`false’)dnl

dnl # Sendmail, Chap 24.9.109.13, Page 1065
dnl # Disable IDENT (RFC 1413) calls/turn off sending user-host verification
define(`confTO_IDENT’,`0′)dnl

dnl # Sendmail, Chap 24.9.120, Page 1077
dnl # Specify the maximum size, in bytes, of buffered xf* files (default is
dnl # 4096 bytes; 0 turns this off and is not recommended)
define(`confXF_BUFFER_SIZE’,`16384′)dnl

dnl # Sendmail, Chap 4.8.28, Page 192
dnl # Turn off E-Mail canonization (should be done by MSA, and this
dnl # is a mail relay with no local users)
FEATURE(`nocanonify’)dnl

I’m assuming you’re using a modern version of sendmail – v8.12.10 or later. These settings may be different, or not exist at all, for older versions.

Source

How to manually install DKIM-Filter with Sendmail

Denie — Fri, 14 Aug 2009 19:32:32 +0000

Source: [click here]

Max 30 mins work.

However, life is rarely so simple.
yum search dkim didn't find anything.

So, based on what I could find, I ended up here. Downloaded dkim-filter
2.4.1 and went on an epic voyage of discovery into the RFCs and other stuff.
I just want to install, configure and run the thing!

Anyway. I thought compilation would be straightforward, but no. More
unfamiliar stuff to read. I dutifully read the site.config.m4.dist, copied
to devtools/Site/site.config.m4 and hoped to make some intelligent decisions
on what options to enable.

 # ./Build
...
>Making all in:
>/etc/mail/dkim/dkim-milter-2.4.1/dkim-filter
>Configuration: pfx=, os=Linux, rel=2.6.23.1-10.fc7, rbase=2,
>rroot=2.6.23.1-10, arch=x86_64, sfx=, variant=optimized
>Using M4=/usr/bin/m4
>Creating
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>using /etc/mail/dkim/dkim-milter-2.4.1/devtools/OS/Linux
>Making dependencies in
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>make[1]: Entering directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>rm -f sm_os.h
>ln -f -s ../../include/sm/os/sm_os_linux.h sm_os.h
>cc -M -I. -I../../include  -I../libdkim/   -D_REENTRANT config.c dkim-ar.c
>dkim-filter.c stats.c test.c util.c   dkim-testkey.c   dkim-testssp.c    >>
>Makefile
>In file included from config.h:23,
>                 from config.c:20:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from dkim-ar.h:19,
>                 from dkim-ar.c:23:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>dkim-filter.c:59:29: error: libmilter/mfapi.h: No such file or directory
>In file included from config.h:23,
>                 from dkim-filter.c:78:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from test.c:31:
>test.h:24:29: error: libmilter/mfapi.h: No such file or directory
>In file included from util.c:49:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>make[1]: *** [depend] Error 1
>make[1]: Leaving directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>Making in
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>make[1]: Entering directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>cc -O2 -I. -I../../include  -I../libdkim/   -D_REENTRANT -DXP_MT   -c -o
>config.o config.c
>In file included from config.h:23,
>                 from config.c:20:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from config.h:23,
>                 from config.c:20:
>dkim-filter.h:86: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_connect’
>dkim-filter.h:87: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_envfrom’
>dkim-filter.h:88: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_header’
>dkim-filter.h:89: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_eoh’
>dkim-filter.h:90: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_body’
>dkim-filter.h:91: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_eom’
>dkim-filter.h:92: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_abort’
>dkim-filter.h:93: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_close’
>make[1]: *** [config.o] Error 1
>make[1]: Leaving directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>make: *** [all] Error 2

After some googling, a "yum install sendmail-devel" fixed this problem, and
a ./Build -c completed successfully.
I copied /devtools/OS/Linux to /devtools/Site/site.Linux.m4

./Build install was successful after manually creating dirs /usr/man/man15
and /usr/man/man18
Fedora manuals are in /usr/share/man
The files /usr/bin/dk* should have ownership root:root instead of bin.

Sendmail of Fedora 7 is currently 8.14.1:
# sendmail -d0.1
Version 8.14.1
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
 MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
 TCPWRAPPERS USERDB USE_LDAP_INIT

I created the keys, updated the dns zone files and decided to use user smmsp
instead of creating yet another user.

I created:
/var/db/dkim :
-rw-r----- 1 smmsp smmsp 887 2008-01-01 08:30 jan2008.admin.key.pem
-rw-r--r-- 1 smmsp smmsp 272 2008-01-01 08:30 jan2008.admin.public.pem

/var/run :
drwxr-xr-x 2 smmsp   smmsp   4096 2008-01-04 09:23 milter

and created this basic start/stop init script:
/etc/init.d/dkim-filter
then:
chkconfig --add dkim-filter
chkconfig dkim-filter on

contents:
>#
># dkim-filter        Starts /usr/bin/dkim-filter
>#
># chkconfig: 2345 67 33
>#
># description: Domain Keys Milter
># processname: dkim-filter
>#
># Source function library.
>. /etc/init.d/functions
>
>[ -f /usr/bin/dkim-filter ] || exit 0
>RETVAL=0
>
>umask 077
>
>start() {
>        echo -n $"Starting dkim-filter: "
>        /usr/bin/dkim-filter -x /etc/mail/dkim.conf
>        RETVAL=$?
>        if [ $RETVAL -eq 0 ]
>        then
>                echo_success
>                touch /var/lock/subsys/dkim-filter
>        else
>                echo_failure
>        fi
>        echo
>}
>stop() {
>        echo -n $"Shutting down dkim-filter: "
>        /bin/kill `cat /var/run/milter/dkim-filter.pid 2> /dev/null ` >
> /dev/null 2>&1
>        RETVAL=$?
>        sleep 3
>        if [ $RETVAL -eq 0 ]
>        then
>                echo_success
>                rm -f /var/lock/subsys/dkim-filter
>                rm -f /var/run/milter/dkim-filter.pid
>        else
>                echo_failure
>        fi
>        echo
>}
>rhstatus() {
>        status dkim-filter
>}
>restart() {
>        stop
>        start
>}
>
>case "$1" in
>  start)
>        start
>        ;;
>  stop)
>        stop
>        ;;
>  status)
>        rhstatus
>        ;;
>  restart|reload)
>        restart
>        ;;
>  condrestart)
>        [ -f /var/lock/subsys/dkim-filter ] && restart || :
>        ;;
>  *)
>        echo $"Usage: $0 {start|stop|status|restart|condrestart}"
>        exit 1
>esac
>
>exit $?

Now for configuration files:

/etc/mail/dkim.conf :
Canonicalization        relaxed/simple
Domain                  /etc/mail/domains
KeyFile                 /var/db/dkim/jan2008.admin.key.pem
#MTA                    MTA
Selector                jan2008.admin
SignatureAlgorithm      rsa-sha256
Socket                  inet:[EMAIL PROTECTED]
#Socket                 /var/run/milter/dkim-filter.sock
Syslog                  Yes
SyslogSuccess           Yes
Userid                  smmsp
PidFile                 /var/run/milter/dkim-filter.pid
SubDomains              Yes
X-Header                No
SendReports             No

/etc/mail/domains contains just one domain on one line.

and added to sendmail.rc:
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:[EMAIL PROTECTED]')

I started the script with
/etc/init.d/dkim-filter start
and it worked, eg:
>Jan  4 10:58:10 gaia dkim-filter[6033]: Sendmail DKIM Filter v2.4.1 starting
>(args: -x /etc/mail/dkim.conf)

It even adds signatures to my messages (hopefully to this one), but silently
crashes regularly without any indication on processing a simple locally
generated mail from a perl script and/or/exor from logwatch or virus
notification from MailScanner. eg:

DKIMDEBUG=ct :
>Jan  3 02:57:18 gaia sendmail[12260]: m031vIL6012260: from=<[EMAIL
>PROTECTED]>, size=1780,, nrcpts=1, msgid=<[EMAIL PROTECTED]>,
>proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
>Jan  3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 header
>Jan  3 02:57:18 gaia last message repeated 6 times
>Jan  3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 eoh
>Jan  3 02:57:18 gaia sendmail[12260]: m031vIL6012260:
>milter_sys_read(dkim-filter): cmd read returned 0, expecting 5
>Jan  3 02:57:18 gaia sendmail[12260]: m031vIL6012260: Milter (dkim-filter): to
>error state
>Jan  3 02:57:18 gaia sendmail[12260]: m031vIL6012260: to=<[EMAIL PROTECTED]>,
>delay=00:00:00, mailer=esmtp, pri=31780, stat=queued

I have spent the last couple of days trying to solve this
The only relevant information I found was Jim Hermann's useful message and
thread last month
http://www.mail-archive.com/dkim-milter-discuss@lists.sourceforge.net/msg00409.html

I'm disappointed, disillusioned and frustrated in trying to nail jelly to a
wall... This doesn't say anything useful at all!
>milter_sys_read(dkim-filter): cmd read returned 0, expecting 5

It only seems to happen by locally generated mail, sometimes it even seemed
as if having a Reply-To: field influenced its crash frequency, but without
real diagnostic tools, skills and a lot of time, I can't solve it. I'm an
experienced sysadmin, not a C programmer! Programmers should try to make all
our lives easier!  

I want to get this working reliably and dependably on a few production
systems, and know what options to compile with and what settings to use for
Fedora, but I'm now stumped.

When it does work, another gripe is this padding too short error, which may
or may not be a reason for the verification failure:
>Jan  4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080 SSL error:04067069:rsa
>routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short; error:04077068:rsa
>routines:RSA_verify:bad signature
>Jan  4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080: bad signature data
>Jan  4 08:14:35 gaia sendmail[10080]: m047EY6O010080: Milter insert (1):
>header: Authentication-Results:  gaia.haveland.com; dkim=neutral (verification
>failed) [EMAIL PROTECTED]

How can a gmail signature fail verification? What did it fail on? What is
the "i" in  "header.i" ?
It was a mysql mailing list, so perhaps other headers got in the way, but
this isn't what I would call a robust solution! Omitheaders command in
dkim.conf seems to be a blanket fudge.

If we are to stand a chance of defeating spammers, then we have to make DKIM
easier to install and configure so mere mortals can install and use it, and
encourage adoption.  I'm sure many would like to see dkim-filter available
in rpm for various distros.

However, Network Solutions, amongst others need to wake up and allow people
to modify their DNS TXT attributes... Here's what their completely
ridiculous FAQ says on the subject:
http://customersupport.networksolutions.com/article.php?id=369

>"Can I Make Changes To The TXT Record
>
> Network Solutions does not currently support changes to the
> TXT record for a domain name registration.
>
> The TXT Record is strictly informational, not functional."

What planet are they living on?

Cheers,
Andy.