Using DomainKeys with MailScanner
MailScanner is antispam software that filters mail after it has been accepted over SMTP. DomainKeys signing and verification can be done by using dk-milter and configuring sendmail to use a smarthost for outgoing mail.
MailScanner requires sendmail to be configured in queue delivery mode for filtering. Because of the way MailScanner is designed to work, sendmail cannot use a milter to process outbound mail. With the default MailScanner setup, only DomainKeys signature verification is possible. A sendmail smarthost is required to get around that limitation.
We will use the sendmail process receiving inbound mail for DomainKeys signature verification and send outbound mail through a smarthost where the DomainKeys signing can be done. Two dk-milter processes are required, one running in verification mode and the other in signing mode.
The following installation guide is based upon sendmail 8.13. The DomainKeys feature is implemented through a dk-milter. The milter does not support any sendmail version prior to 8.13.
You should have sendmail 8.13 installed.
You should have MailScanner installed.
You should have dk-milter installed.
The following IP addresses are used as an example:
The three sendmail processes used are as follows:
The first sendmail (inbound) process should be configured to include the following directives:
Generate the sendmail.cf file.
Create a directory called /var/spool/mqueue.in owned by the root user.
The second sendmail (queue runner) process will use the same cf file (sendmail.cf).
The third sendmail (smarthost) process should be configured to include the following directives:
Generate the smarthost.cf file.
Create a directory called /var/spool/mqueue.smarthost owned by the root user.
Your MailScanner.conf file should have the following options:
Starting sendmail, MailScanner and dk-milter
Please refer to your MailScanner documentation on how to start MailScanner.
The first dk-milter process should be started with:
dk-filter -l -p inet:9981@localhost -u dkuser -b v
and the second one with:
dk-filter -l -p inet:9982@localhost -d example.com -c simple -s /path/to/pem -S mail -u dkuser -b s -i /path/to/filename
where the file /path/to/filename contains 192.168.0.1
Run the three sendmail processes with the following commands:
/usr/sbin/sendmail -bd -L sm-mta
/usr/sbin/sendmail -q5 -OPidFile=/var/run/sendmail-outbound.pid -OQueueDirectory=/var/spool/mqueue
/usr/sbin/sendmail -bd -L sm-mtas -C/etc/mail/smarthost.cf
You can perform a DomainKeys test by sending an email to email@example.com.
Below is an example of a signature header:
DomainKey-Signature: a=rsa-sha1; s=mail; d=example.com; c=simple;
If the verification is successful, you should see the following header in your email:
Authentication-Results: mail.example.net; domainkeys=pass
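A way to check a delivered test message for the two headers shown above, as an added example that is not part of the original guide or of dk-milter. The sample message, the b= placeholder and the function names are constructed for illustration; the script only trusts an Authentication-Results header written by your own verifying host, since any sender can add one.

```python
import email

# Constructed sample message; the b= value is a placeholder, not a real signature.
SAMPLE = """\
Authentication-Results: mail.example.net; domainkeys=pass
Authentication-Results: mx.untrusted.invalid; domainkeys=pass
DomainKey-Signature: a=rsa-sha1; s=mail; d=example.com; c=simple;
 q=dns; b=PLACEHOLDER
From: sender@example.com
Subject: DomainKeys test

body
"""

def parse_tags(value):
    """Split a 'tag=value; tag=value' signature header into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_record_name(tags):
    """DNS TXT name the verifier queries for the public key (selector s, domain d)."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def domainkeys_result(msg, trusted_id):
    """Result from the top-most Authentication-Results header written by trusted_id."""
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() != trusted_id.lower():
            continue  # written by another host: not evidence of our own check
        for item in results.split(";"):
            item = item.strip()
            if item.startswith("domainkeys="):
                return item.split("=", 1)[1].split()[0]
    return None

def inspect(raw, trusted_id):
    """Summarise signing and verification state of one raw message."""
    msg = email.message_from_string(raw)
    sig = msg.get("DomainKey-Signature")
    tags = parse_tags(sig) if sig else {}
    has_key = "s" in tags and "d" in tags
    return {"signed": bool(sig),
            "key_record": key_record_name(tags) if has_key else None,
            "result": domainkeys_result(msg, trusted_id)}

if __name__ == "__main__":
    print(inspect(SAMPLE, "mail.example.net"))
```

The key_record value is the name to look up in DNS when a signed message fails verification at the receiving side.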