Tag Archives: DomainKeys

exim and domainkeys on debian

This post is a follow-up to one of my previous posts, which described how you can create a custom exim package on debian.

In this post I will show you how to compile and configure exim with domainkeys support. The configuration will only sign outgoing emails, but it's easy to make it verify signed messages too if you read the exim DomainKeys documentation.

To do this, first follow the steps described in my previous post, and between steps 7 and 8 do these steps:

  1. Install libdomainkeys:
    download it from domainkeys.sourceforge.net, extract and make:

    tar -xzpf libdomainkeys-0.69.tar.gz
    cd libdomainkeys-0.69
    make

    if it doesn't compile, with errors about resolv, do this:

    echo '-lresolv' > dns.lib
    make

    to install just copy the static lib and the header files:

    cp libdomainkeys.a /usr/local/lib
    cp domainkeys.h dktrace.h /usr/local/include

    and then clean up:

    rm -rf libdomainkeys-0.69*
  2. Configure the exim custom package for domainkeys:
    add domainkeys support to the exim makefile, i.e. append these lines to the EDITME file you copied in step 7 of the previous post (append with >>, do not overwrite the file):

    cat <<EOF >> EDITME.exim4-custom
    EXPERIMENTAL_DOMAINKEYS=yes
    CFLAGS  += -I/usr/local/include
    LDFLAGS += /usr/local/lib/libdomainkeys.a
    EOF

    And now continue with step 8 in the previous post.

When you're done, all that's left to do is edit the exim configuration to enable domain keys signing:

open /etc/exim4/exim4.conf or /etc/exim4/exim4.conf.template in an editor

look for the remote_smtp transport definition and add the following configuration to it:

dk_domain = ${lc:${domain:$h_from:}}
dk_selector = default
dk_private_key = /etc/exim4/dk_keys/${dk_domain}_priv.key

Key management

create the directory that will hold the keys:

mkdir /etc/exim4/dk_keys

create the scripts that will generate and show the keys (the heredoc delimiter is quoted so that $0, $1 and the $(...) substitutions are written into the scripts instead of being expanded by the shell that creates them):

cd /etc/exim4/dk_keys
cat <<'EOF' > gen_key.sh
#!/bin/sh
# usage: ./gen_key.sh domain_name
if [ "$1" = "" ] ; then
    echo "Usage: $0 domain_name";
    exit 1;
fi
# private key for signing, public key for the DNS record
openssl genrsa -out $1_priv.key 1024
openssl rsa -in $1_priv.key -pubout -out $1_pub.key
EOF

cat <<'EOF' > cat_key.sh
#!/bin/sh
# print the DNS TXT record for the public key of the given domain
domain=$1
# join the PEM lines into one, then strip spaces and the BEGIN/END markers
p=$(echo $(cat ${domain}_pub.key) | \
    sed -r -e 's/ //g' \
        -e 's/-----BEGINPUBLICKEY-----//' \
        -e 's/-----ENDPUBLICKEY-----//' )
echo default._domainkey IN TXT "\"k=rsa; t=s; p=$p\""
EOF

chmod +x gen_key.sh cat_key.sh

generate a key for a new domain:

cd /etc/exim4/dk_keys
# generate the keys
./gen_key.sh my_new_domain.tld
# show the DNS record that needs to be set
./cat_key.sh my_new_domain.tld

After you set the DNS TXT record you can test the new setup by sending an email from the newly configured domain to an account at gmail or yahoo. At gmail view the new message and click on "details"; it should show up as "signed-by: my_new_domain.tld". Yahoo will just show an icon with a key in the message header.
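As an added example (not part of the original post, and not code from the exim or libdomainkeys projects), here is a Python version of what cat_key.sh computes, with two things the one-line sed pipeline leaves out: a DNS TXT string is limited to 255 octets, so the p= value of a key longer than 1024 bits has to be split into several quoted strings (resolvers and verifiers concatenate them), and the record is sanity-checked before publishing by decoding p= back to a DER SubjectPublicKeyInfo. The function names and the key material are assumptions: make_spki_pem builds a constructed, PEM-shaped public key from a stand-in modulus so the block runs offline; in practice you would feed build_txt_record the my_new_domain.tld_pub.key file that gen_key.sh writes.

```python
# Added example: build and sanity-check the DomainKeys DNS TXT record for a
# PEM public key. Standard library only; the "key" below is constructed DER,
# not a real RSA key.
import base64
import re

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1); every RSA
# SubjectPublicKeyInfo carries it in its AlgorithmIdentifier
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    """DER length octets for a body of n bytes."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:            # leading 0x00 keeps the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def make_spki_pem(n, e=65537):
    """Constructed PEM 'PUBLIC KEY' for modulus n, shaped like the output of
    openssl rsa -pubout. n is a stand-in here, not a product of two primes."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))            # RSAPublicKey
    alg = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")          # AlgorithmIdentifier
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))      # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_p(pem):
    """The p= value: PEM body with the BEGIN/END markers and all whitespace
    removed (what the sed pipeline in cat_key.sh computes)."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return re.sub(r"\s+", "", body)


def build_txt_record(pem, selector="default", tags="k=rsa; t=s"):
    """Zone-file line for <selector>._domainkey. The value is cut into
    255-character strings; splitting inside the base64 is fine because the
    strings are concatenated again on lookup."""
    value = f"{tags}; p={pem_to_p(pem)}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey IN TXT " + " ".join(f'"{c}"' for c in chunks)


def verify_record(zone_line):
    """Check a record line before publishing: reassemble the quoted strings,
    parse the tags, and make sure p= is base64 of a DER SEQUENCE that carries
    the rsaEncryption OID. Returns True when the record looks publishable."""
    strings = re.findall(r'"([^"]*)"', zone_line)
    if not strings or any(len(s) > 255 for s in strings):
        return False
    tags = {}
    for item in "".join(strings).split(";"):
        if "=" in item:
            key, val = item.strip().split("=", 1)
            tags[key] = val
    if tags.get("k", "rsa") != "rsa" or "p" not in tags:
        return False
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:           # binascii.Error is a ValueError
        return False
    return der[:1] == b"\x30" and RSA_ENCRYPTION_OID in der


if __name__ == "__main__":
    for bits in (1024, 2048):
        pem = make_spki_pem((1 << (bits - 1)) | 1)   # constructed modulus
        line = build_txt_record(pem)
        print(f"{bits}-bit key: p= is {len(pem_to_p(pem))} chars,"
              f" {line.count(chr(34)) // 2} TXT string(s), ok={verify_record(line)}")
        print(line)
```

Running the block prints the record for a 1024-bit key (216 base64 characters, one TXT string, which is what cat_key.sh produces) and for a 2048-bit key (392 characters, two strings). If you later move gen_key.sh to 2048-bit keys, the single-string record from cat_key.sh is exactly the case this splitting covers.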

debian: building custom exim packages

This is a small howto that explains how to build custom exim4 packages on debian.

It was tested with both exim 4.63 (on debian etch) and exim 4.69 (on debian testing/lenny).

I needed to build a custom exim email server that would be built with domainkeys and/or dkim support for signing outgoing messages.

So here are the 12 steps I took to get this done:

  1. Create a directory named exim where all activity will take place.
  2. Make sure you have the 'source' URIs in your sources.list file.
    If you don't have them, put them in and then run apt-get update.
  3. Install the packages required for creating a custom package and building it:
    apt-get install dpatch fakeroot devscripts \
        grep-dctrl debhelper gcc libc6-dev libssl-dev pbuilder
  4. Install the exim4 source package:
    cd exim
    apt-get source exim4
  5. Unpack the standard configuration files:
    cd exim4-4.63
    fakeroot debian/rules unpack-configs
  6. Define the new package name. In this step we just put the new package name in a variable and export it in the environment to make the next steps easier. You can use anything for the package name (actually it's just a package name suffix), but I recommend using 'custom' for the package name for one main reason: dependencies. Packages that depend on exim4-daemon-light or exim4-daemon-heavy (like sa-exim, mailx and maybe others) already accept exim4-daemon-custom as a replacement, so with this custom package you're not breaking any dependencies.
    Ex:
    export my_pkg_name=custom
  7. Edit the configuration files. There should be 3 EDITME configuration files for exim and one for eximon, one for each package that will be built. Copy one of the exim EDITME files to EDITME.exim4-$your_pkg_name, then edit the new file to set up the new options you want.
    Ex:
    cp EDITME.exim4-heavy EDITME.exim4-$my_pkg_name
  8. Pack the configuration files so your new configuration will be saved and used at build time:
    fakeroot debian/rules pack-configs
  9. Create the custom package. This is required only if you use a package name other than 'custom':
    sh debian/create-custom-package $my_pkg_name
  10. Activate the new package in debian/rules. Edit debian/rules, look for the line where the extradaemonpackages variable is defined and add your package name (exim4-daemon-$my_pkg_name) to the list of packages defined there.
  11. Install the build dependencies. You can skip this step if this is not the first time you build this package.
    /usr/lib/pbuilder/pbuilder-satisfydepends
  12. Build the packages:
    debuild -us -uc
  13. Install the new package. If you already had some version of the exim4-daemon package installed you will have to remove it first, and then you can install the custom package. The new package will be in the base directory created at step 1.
    Ex. (for amd64 etch, exim 4.63-17):
    cd ..
    dpkg -i exim4-daemon-${my_pkg_name}_4.63-17_amd64.deb

This process went pretty well for both exim 4.63 and 4.69 on lenny. Exim 4.63 only had experimental support for domainkeys (not dkim), and exim 4.69 on lenny had support for both, but I was only able to build it after applying a small patch to exim to make it work with the latest version of libdkim (1.0.19).

This post was intended to be a general howto about building a custom exim package. I will write more details about actually building exim with domainkeys and/or dkim in a future post.

qmail and DKIM

DomainKeys Identified Mail (DKIM) is a method for validating the identity associated with a message using public-key cryptography and key server technology. DKIM is an enhanced version of Yahoo's DomainKeys and Cisco's Identified Internet Mail methods. As of February 2007 an IETF draft was accepted as "Proposed Standard"; it may take some more time till this becomes a standard, but the current version is stable (according to dkim.org).

DKIM implementations for email servers are not as widely available as DomainKeys ones.
For qmail there is a patch that uses libdomainkeys to implement a replacement for qmail-queue that will verify and sign messages, but this only works for DomainKeys, not DKIM. I have developed a solution for qmail to be able to verify and sign messages with DKIM.

Qmail with smtp-auth and DomainKeys on FreeBSD

I tried to set up qmail with TLS and SMTP auth on FreeBSD. I have configured my server with SMTP-AUTH so that I can use it to relay messages for me and other authenticated users. I would like qmail to sign the messages that the authenticated users send through my server.

I compiled qmail-tls from ports, checked the smtp-auth and qmailqueue options, then I compiled qmail-dk and selected the SMTP-AUTH patch. I set up my private and public keys, I set up bin/qmail-dk for qmailqueue as described on this page: http://jeremy.kister.net/howto/dk.htm but still no results. It just does not want to add the DomainKeys signature but instead it tries to verify the messages.