Using DomainKeys with MailScanner

Introduction

MailScanner is anti-spam software that filters mail after it has been accepted over SMTP. DomainKeys signing and verification can be done by using dk-milter and configuring sendmail to use a smarthost for outgoing mail.

Overview

MailScanner requires sendmail to be configured in queue delivery mode for filtering. Sendmail cannot use a milter to process outbound mail because of the way MailScanner is designed to work. With the default MailScanner setup, only DomainKeys signature verification is possible. A sendmail smarthost is required to get around that limitation. We will use the sendmail process receiving inbound mail for DomainKeys signature verification and send outbound mail through a smarthost where the DomainKeys signing can be done. Two dk-milter processes are required, one running in verification mode and the other in signing mode.

Installation

The following installation guide is based upon sendmail 8.13. The DomainKeys feature is implemented through a dk-milter. The milter does not support any sendmail version prior to 8.13.

Prerequisites

You should have sendmail 8.13 installed.
You should have MailScanner installed.
You should have dk-milter installed.

Configuring sendmail

The following IP addresses are used as an example:
The three sendmail processes used are as follows:
The first sendmail (inbound) process should be configured to include the following directives:

    define(`SMART_HOST',`[192.168.0.1]')dnl

Generate the sendmail.cf file. Create a directory called /var/spool/mqueue.in owned by the root user.

The second sendmail (queue runner) process will use the same cf file (sendmail.cf).

The third sendmail (smarthost) process should be configured to include the following directives:

Generate the smarthost.cf file. Create a directory called /var/spool/mqueue.smarthost owned by the root user.

Configuring MailScanner

Your MailScanner.conf file should have the following options:

Starting sendmail, MailScanner and dk-milter

Starting MailScanner

Please refer to your MailScanner documentation on how to start MailScanner.

Starting dk-milter

The first dk-milter process should be started with:

    dk-filter -l -p inet:9981@localhost -u dkuser -b v

and the second one with:

    dk-filter -l -p inet:9982@localhost -d example.com -c simple -s /path/to/pem -S mail -u dkuser -b s -i /path/to/filename

where the file filename contains

    192.168.0.1

Starting sendmail

Run the three sendmail processes with the following commands:

    /usr/sbin/sendmail -bd -L sm-mta
    /usr/sbin/sendmail -q5 -OPidFile=/var/run/sendmail-outbound.pid -OQueueDirectory=/var/spool/mqueue
    /usr/sbin/sendmail -bd -L sm-mtas -C/etc/mail/smarthost.cf

Testing DomainKeys

You can perform a DomainKeys test by sending an email to autorespond+dk@dk.elandsys.com. Below is an example of a signature header:

    DomainKey-Signature: a=rsa-sha1; s=mail; d=example.com; c=simple;
        q=dns;

If the verification is successful, you should see the following header in your email:

    Authentication-Results: mail.example.net; domainkeys=pass
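
The two headers from the test above can be checked on a saved copy of a message. The script below is an added example, not part of the original guide or of dk-milter: it derives the DNS name where a verifier looks up the public key (selector, then `_domainkey`, then the signing domain) and accepts a `domainkeys=` result only from an Authentication-Results header stamped by your own mail host. The function names, the `b=` placeholder and the second Authentication-Results line are constructed for the demonstration.

```python
import email

# Constructed sample: headers mirror the examples on this page; the b= value
# and the second Authentication-Results line are made up for the demonstration.
SAMPLE = (
    "Authentication-Results: mail.example.net; domainkeys=pass\n"
    "Authentication-Results: mx.untrusted.invalid; domainkeys=pass\n"
    "DomainKey-Signature: a=rsa-sha1; s=mail; d=example.com; c=simple;\n"
    "\tq=dns; b=PLACEHOLDER\n"
    "From: user@example.com\n"
    "\n"
    "test body\n"
)

def parse_tags(value):
    """Turn 'a=x; b=y' into a dict, ignoring header folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(val.split())
    return tags

def key_record(sig_value):
    """DNS name holding the signer's public key: <s>._domainkey.<d>."""
    tags = parse_tags(sig_value)
    if not tags.get("s") or not tags.get("d"):
        raise ValueError("signature lacks selector (s=) or domain (d=)")
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def domainkeys_result(msg, trusted_host):
    """Return the domainkeys= result stamped by trusted_host, else None."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_host.lower():
            continue  # a header naming another host may have been forged upstream
        for clause in rest.split(";"):
            name, _, val = clause.partition("=")
            if name.strip().lower() == "domainkeys" and val.split():
                return val.split()[0].lower()
    return None

def check(raw, trusted_host):
    """Summarise signature lookup name and trusted verification result."""
    msg = email.message_from_string(raw)
    sig = msg.get("DomainKey-Signature")
    return {"key_record": key_record(sig) if sig else None,
            "result": domainkeys_result(msg, trusted_host)}

if __name__ == "__main__":
    print(check(SAMPLE, "mail.example.net"))
```

If the key record name returned here has no TXT record in DNS, the signing dk-milter's -d and -S values do not match what was published.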