Setting up DKIM for postfix on CentOS 5.5.
The domain is hoge.com.
1)
Install dkim-milter 2.8.3-4.el5 with yum.
2)
> dkim-genkey -d hoge.com -r -D /etc/mail/dkim-milter
creates the public key and the private key.
3)
> chown dkim-milter:dkim-milter /etc/mail/dkim-milter/default.private
makes the dkim-milter user the owner of the private key.
4)
Configure /etc/mail/dkim-milter/dkim-filter.conf. The contents look roughly like the following.
> more /etc/mail/dkim-milter/dkim-filter.conf
::::::::::::::
/etc/mail/dkim-milter/dkim-filter.conf
::::::::::::::
##
## dkim-filter.conf -- configuration file for DKIM filter
##
## $Id: dkim-filter.conf.sample,v 1.27 2008/12/27 05:21:56 msk Exp $
##
## ADSPDiscard { yes | no }
## default "no"
##
## Reject messages which are determined to be "suspicious" according to the
## sending domain's published signing procedure (ADSP) record if that record
## also recommends rejection of such messages.
# ADSPDiscard No
## ADSPNoSuchDomain { yes | no }
## default "no"
##
## Reject messages which are determined to be from nonexistent domains during
## the Author Domain Signing Practises (ADSP) check.
# ADSPNoSuchDomain No
## AllowSHA1Only { yes | no }
## default "no"
##
## By default, the filter will refuse to start if signing mode is enabled
## but rsa-sha1 will be used (either because it is the only algorithm
## available or because it was explicitly requested) since this violates
## the strong recommendations of RFC4871 section 3.3.
# AllowSHA1Only no
## AlwaysAddARHeader { yes | no }
## default "no"
##
## Add an "Authentication-Results:" header even to unsigned messages
## from domains with no "signs all" policy. The reported DKIM result
## will be "none" in such cases. Normally unsigned mail from non-strict
## domains does not cause the results header to be added.
# AlwaysAddARHeader no
## AlwaysSignHeaders header-list
## default (none)
##
## Specifies a list of headers whose names should appear in signatures
## whether or not they were signed, preventing their later addition.
# AlwaysSignHeaders header1,header2,...
## AuthservID string
## default (local host name)
##
## Defines the "authserv-id" token to be used when generating
## Authentication-Results headers after message verification.
# AuthservID example.com
## AuthservIDWithJobID
## default "no"
##
## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
## when generating Authentication-Results headers after message verification.
# AuthservIDWithJobId no
## AutoRestart { yes | no }
## default "no"
##
## Indicate whether or not the filter should arrange to restart automatically
## if it crashes.
# AutoRestart No
AutoRestart yes
## AutoRestartCount n
## default 0
##
## Sets the maximum automatic restart count. After this number of
## automatic restarts, the filter will give up and terminate. A value of 0
## implies no limit.
# AutoRestartCount 0
## AutoRestartRate n/t[u]
## default (none)
##
## Sets the maximum automatic restart rate. See the dkim-filter.conf(5)
## man page for the format of this parameter.
# AutoRestartRate n/tu
AutoRestartRate 12/1h
## Background { yes | no }
## default "yes"
##
## Indicate whether or not the filter should run in the background.
# Background Yes
## BaseDirectory path
## default (none)
##
## Causes the filter to change to the named directory before beginning
## operation. Thus, cores will be dumped here and configuration files
## are read relative to this location.
# BaseDirectory /var/run/dkim-filter
## BodyLengths { yes | no }
## default "no"
##
## Indicate whether or not signatures with body length tags should be
## generated.
# BodyLengths No
## Canonicalization hdrcanon[/bodycanon]
## default "simple/simple"
##
## Select canonicalizations to use when signing. If the "bodycanon" is
## omitted, "simple" is used. Valid values for each are "simple" and
## "relaxed".
# Canonicalization simple/simple
## ClockDrift n
## default 300
##
## Specify the tolerance range for expired signatures or signatures
## which appear to have timestamps in the future, allowing for clock
## drift.
# ClockDrift 300
## Diagnostics { yes | no }
## default "no"
##
## Specifies whether or not signatures with header diagnostic tags should
## be generated.
# Diagnostics No
## DNSTimeout n
## default 10
##
## Specify the time in seconds to wait for replies from the nameserver when
## requesting keys or signing policies.
# DNSTimeout 10
## Domain name[,...]
## default (none)
##
## Specify for which domain(s) signing should be done. No default; must
## be specified for signing.
# Domain example.com
Domain hoge.com
## DontSignMailTo addrlist
## default (none)
##
## Gives a list of recipient addresses or address patterns whose mail should
## not be signed. Wildcard ("*") characters are allowed.
# DontSignMailTo addr1,addr2,...
## EnableCoredumps { yes | no }
## default "no"
##
## On systems which have support for such, requests that the kernel dump
## core even though the process may change user ID during its execution.
# EnableCoredumps no
## ExternalIgnoreList filename
##
## Names a file from which a list of externally-trusted hosts is read.
## These are hosts which are allowed to send mail through you for signing.
## Automatically contains 127.0.0.1. See man page for file format.
# ExternalIgnoreList filename
## FixCRLF { yes | no }
##
## Requests that the library convert "naked" CR and LF characters to
## CRLFs during canonicalization. The default is "no".
# FixCRLF no
## InternalHosts filename
##
## Names a file from which a list of internal hosts is read. These are
## hosts from which mail should be signed rather than verified.
## Automatically contains 127.0.0.1. See man page for file format.
# InternalHosts filename
InternalHosts /etc/mail/dkim-milter/internalhosts
## KeepTemporaryFiles { yes | no }
## default "no"
##
## If set, causes temporary files generated during message signing or
## verifying to be left behind for debugging use. Not for normal operation;
## can fill your disks quite fast on busy systems.
# KeepTemporaryFiles no
## KeyFile filename
##
## Specifies the path to the private key to use when signing. Ignored if
## Keylist is set. No default; must be specified for signing.
# KeyFile /var/db/dkim/example.private
KeyFile /etc/mail/dkim-milter/default.private
## KeyList filename
##
## Specifies the path to the list of keys and signing domains to be applied
## by the signing filter. The entries in this file should be of the form:
##
## pattern:domain:keypath
##
## ...where "pattern" is a pattern of user@host to match, with "*" being
## allowed as a wildcard; "domain" is the signing domain; and "keypath"
## is the path to the private key to use to generate signatures for such
## users. The selector used will be the filename portion of "keypath".
## Blank lines are ignored, and the hash ("#") character is interpreted
## as the beginning of a comment. See dkim-filter.conf(5) for more
## information.
#KeyList /etc/mail/dkim-milter/keys/keylist
## LocalADSP filename
##
## Allows specification of local ADSP overrides for domains. This should be
## a path to a file containing entries, one per line, with comments and
## blank lines allowed. An entry is of the form "domain:policy" where
## "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
## or a subdomain name preceded by a period (e.g. ".example.com"), and
## "policy" is either "unknown", "all", or "discardable", as per the current
## ADSP draft specification. This allows local overrides of policies to
## enforce for domains which either don't publish ADSP or publish weaker
## policies than the verifier would like to enforce.
# LocalADSP /etc/mail/local-adsp-rules
## LogWhy { yes | no }
## default "no"
##
## If logging is enabled (see Syslog below), issues very detailed logging
## about the logic behind the filter's decision to either sign a message
## or verify it. The logic behind the decision is non-trivial and can be
## confusing to administrators not familiar with its operation. A
## description of how the decision is made can be found in the OPERATIONS
## section of the dkim-filter(8) man page. This causes a large increase
## in the amount of log data generated for each message, so it should be
## limited to debugging use and not enabled for general operation.
# LogWhy no
## MacroList macro[=value][,...]
##
## Gives a set of MTA-provided macros which should be checked to see
## if the sender has been determined to be a local user and therefore
## whether or not signing should be done. See dkim-filter.conf(5) for
## more information.
# MacroList foo=bar,baz=blivit
## MaximumHeaders n
##
## Disallow messages whose header blocks are bigger than "n" bytes.
## Intended to detect and block a denial-of-service attack. The default
## is 65536. A value of 0 disables this test.
# MaximumHeaders n
## MaximumSignedBytes n
##
## Don't sign more than "n" bytes of the message. The default is to
## sign the entire message. Setting this implies "BodyLengths".
# MaximumSignedBytes n
## MilterDebug n
##
## Request a debug level of "n" from the milter library. The default is 0.
# MilterDebug 0
## Minimum n[% | +]
## default 0
##
## Sets a minimum signing volume; one of the following formats:
## n at least n bytes (or the whole message, whichever is less)
## must be signed
## n% at least n% of the message must be signed
## n+ if a length limit was presented in the signature, no more than
## n bytes may have been added
# Minimum n
## Mode [sv]
## default sv
##
## Indicates which mode(s) of operation should be provided. "s" means
## "sign", "v" means "verify".
# Mode sv
## MTA mtaname[,...]
##
## Specifies a list of MTAs whose mail should always be signed rather than
## verified. The "mtaname" is extracted from the DaemonPortOptions line
## in effect.
# MTA name
MTA MSA
## MustBeSigned
## default (none)
##
## Defines a list of headers which, if present on a message, must be
## signed for the signature to be considered acceptable.
# MustBeSigned header1,header2,...
## OmitHeaders headerlist
## default (none)
##
## Specifies a list of headers that should always be omitted when signing.
## Header names should be separated by commas.
# OmitHeaders header1,header2,...
OmitHeaders Authentication-Results
## On-...
##
## Specifies what to do when certain error conditions are encountered.
##
## See dkim-filter.conf(5) for more information.
# On-Default
# On-BadSignature
# On-DNSError
# On-InternalError
# On-NoSignature
# On-Security
## PeerList filename
##
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList filename
## PidFile filename
##
## Name of the file where the filter should write its pid before beginning
## normal operations.
# PidFile filename
PidFile /var/run/dkim-milter/dkim-milter.pid
## POPDBFile filename
##
## Names a database which should be checked for "POP before SMTP" records
## as a form of authentication of users who may be sending mail through
## the MTA for signing. Requires special compilation of the filter.
## See dkim-filter.conf(5) for more information.
# POPDBFile filename
## Quarantine { yes | no }
## default "no"
##
## Indicates whether or not the filter should arrange to quarantine mail
## which fails verification. Intended for diagnostic use only.
# Quarantine No
## QueryCache { yes | no }
## default "no"
##
## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local. The filter must be compiled with the QUERY_CACHE flag to enable
## this feature, since it adds a library dependency.
# QueryCache No
## RemoveARAll { yes | no }
## default "no"
##
## Remove all Authentication-Results: headers on all arriving mail.
# RemoveARAll No
## RemoveARFrom list
## default (none)
##
## Remove all Authentication-Results: headers on all arriving mail that
## claim to have been added by hosts listed in this parameter. The list
## should be comma-separated. Entire domains may be specified by preceding
## the domain name by a single dot (".") character.
# RemoveARFrom host1,host2,.domain1,.domain2,...
## RemoveOldSignatures { yes | no }
## default "no"
##
## Remove old signatures on messages, if any, when generating a signature.
# RemoveOldSignatures No
## ReportAddress addr
## default (executing user)
##
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used.
# ReportAddress postmaster@example.com
## RequiredHeaders { yes | no }
## default no
##
## Rejects messages which don't conform to RFC2822 header count requirements.
# RequiredHeaders No
## Selector name
##
## The name of the selector to use when signing. No default; must be
## specified for signing.
Selector default
## SendADSPReports { yes | no }
## default "no"
##
## Specifies whether or not the filter should generate report mail back
## to senders when the ADSP (Author Domain Signing Practises) check fails for
## a message. See dkim-filter.conf(5) for details.
# SendADSPReports No
## SendReports { yes | no }
## default "no"
##
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See dkim-filter.conf(5) for details.
# SendReports No
## SignatureAlgorithm signalg
## default "rsa-sha256"
##
## Signature algorithm to use when generating signatures. Must be either
## "rsa-sha1" or "rsa-sha256".
# SignatureAlgorithm rsa-sha256
SignatureAlgorithm rsa-sha1
## SignatureTTL seconds
## default "0"
##
## Specifies the lifetime in seconds of signatures generated by the
## filter. A value of 0 means no expiration time is included in the
## signature.
# SignatureTTL 0
## SignHeaders header-list
## default (none)
##
## Specifies the list of headers which should be included when generating
## signatures. The string should be a comma-separated list of header names.
## See the dkim-filter.conf(5) man page for more information.
# SignHeaders header1,header2,...
## Socket socketspec
##
## Names the socket where this filter should listen for milter connections
## from the MTA. Required. Should be in one of these forms:
##
## inet:port@address to listen on a specific interface
## inet:port to listen on all interfaces
## local:/path/to/socket to listen on a UNIX domain socket
# Socket inet:port@localhost
#Socket inet:8891@localhost
#Socket local:/var/run/dkim-milter/dkim-milter.sock
## StrictTestMode { yes | no }
## default "no"
##
## Selects strict CRLF mode during testing (see the "-t" command line
## flag in the dkim-filter(8) man page). Messages for which all header
## fields and body lines are not CRLF-terminated are considered malformed
## and will produce an error.
# StrictTestMode no
## SubDomains { yes | no }
## default "no"
##
## Sign for subdomains as well?
# SubDomains No
## Syslog { yes | no }
## default "no"
##
## Log informational and error activity to syslog?
# Syslog No
Syslog Yes
## SyslogFacility facility
## default "mail"
##
## Valid values are :
## auth cron daemon kern lpr mail news security syslog user uucp
## local0 local1 local2 local3 local4 local5 local6 local7
##
## syslog facility to be used
# SyslogFacility mail
## SyslogSuccess { yes | no }
## default "no"
##
## Log success activity to syslog?
# SyslogSuccess No
SyslogSuccess yes
## TemporaryDirectory path
## default /var/tmp
##
## Specifies which directory will be used for creating temporary files
## during message processing.
# TemporaryDirectory /var/tmp
## TestPublicKeys filename
## default (none)
##
## Names a file from which public keys should be read. Intended for use
## only during automated testing.
# TestPublicKeys /tmp/testkeys
## UMask mask
## default (none)
##
## Change the process umask for file creation to the specified value.
## The system has its own default which will be used (usually 022).
## See the umask(2) man page for more information.
# UMask 022
## Userid userid
## default (none)
##
## Change to user "userid" before starting normal operation? May include
## a group ID as well, separated from the userid by a colon.
# UserID userid
UserID dkim-milter:dkim-milter
## X-Header { yes | no }
## default "no"
##
## Add an X- header to messages passing through this filter to identify
## messages it has processed.
# X-Header No
5)
Configure /etc/sysconfig/dkim-milter. The contents look roughly like the following.
> more /etc/sysconfig/dkim-milter
::::::::::::::
/etc/sysconfig/dkim-milter
::::::::::::::
# To sign only, use -bs
# EXTRA_FLAGS=-bs
USER="dkim-milter"
#PORT=inet:8891@localhost
SIGNING_DOMAIN="hoge.com"
SELECTOR_NAME="default"
KEYFILE="/etc/mail/dkim-milter/default.private"
SIGNER=yes
VERIFIER=yes
CANON=simple
SIGALG=rsa-sha1
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
6)
Edit the SOCKET and EXTRA_FLAGS settings in /etc/rc.d/init.d/dkim-milter. The contents look roughly like the following.
> more /etc/rc.d/init.d/dkim-milter
::::::::::::::
/etc/rc.d/init.d/dkim-milter
::::::::::::::
#!/bin/bash
#
# /etc/init.d/dkim-milter
#
# chkconfig: - 79 21
# description: DomainKeys Identified Mail Milter
# processname: dkim-filter
# config: /etc/mail/dkim-milter/dkim-milter.conf
# config: /etc/sysconfig/dkim-milter
# pidfile: /var/run/dkim-milter/dkim-milter.pid
# Source function library.
. /etc/init.d/functions
desc="DomainKeys Identified Mail Milter"
name=dkim-milter
prog=dkim-filter
prog_with_path=/usr/sbin/${prog}
user=${name}
pidfile=/var/run/${name}/${name}.pid
config=/etc/mail/${name}/${prog}.conf
#SOCKET=local:/var/run/${name}/${name}.sock
SOCKET=inet:8891@localhost
#EXTRA_FLAGS=""
TRUST="/etc/mail/dkim-milter/internalhosts"
EXTRA_FLAGS="-h -l -D -i ${TRUST} -I ${TRUST}"
[ -r /etc/sysconfig/${name} ] && . /etc/sysconfig/${name}
start() {
    echo -n "Starting ${desc} (${prog}): "
    daemon --user ${user} ${prog_with_path} -x ${config} -P ${pidfile} -p ${SOCKET} ${EXTRA_FLAGS}
    RETVAL=$?
    echo
    if [ ${RETVAL} -eq 0 ]; then
        touch /var/lock/subsys/${name}
        return 0
    else
        return 1
    fi
}
stop() {
    echo -n "Shutting down ${desc}: "
    rm -f /var/lock/subsys/${name}
    killproc ${prog}
    RETVAL=$?
    echo
    if [ ${RETVAL} -eq 0 ]; then
        rm -f ${pidfile}
        return 0
    else
        return 1
    fi
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p ${pidfile} ${prog}
        ;;
    restart|reload)
        stop
        start
        ;;
    condrestart)
        [ -f /var/lock/subsys/${name} ] && stop
        start
        ;;
    *)
        echo "Usage: ${name} {start|stop|status|reload|restart}"
        exit 1
        ;;
esac
exit $?
7)
Postfix configuration.
Add the following to /etc/postfix/main.cf.
#DKIM
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept
8)
Set up the list of networks whose mail gets signed.
The contents look roughly like the following.
112.42.11.121 is the IP of another server; mail coming from that IP is signed as well.
> more /etc/mail/dkim-milter/internalhosts
::::::::::::::
/etc/mail/dkim-milter/internalhosts
::::::::::::::
127.0.0.1
112.42.11.121
9)
Start dkim-milter first, then postfix.
(To stop, do it in the order postfix, then dkim-milter.)
10)
Register the record from /etc/mail/dkim-milter/default.txt on the DNS server and restart it.
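Step 10 publishes the contents of default.txt in DNS, and a mis-pasted record (a truncated p=, or a long key pasted as one string over 255 octets) is a common reason signatures later fail to verify. The Python script below is an added example, not part of the original post: it parses a constructed sample in the one-record BIND format dkim-genkey writes (the p= value is a same-length placeholder, not a real key), concatenates the quoted strings the way a verifier does, checks the tags and the DER length of the public key, and returns the name default._domainkey.hoge.com at which the record must be published.

```python
import base64
import re

# Constructed sample in the one-record BIND format dkim-genkey writes to default.txt.
# The p= value is a placeholder with the length of a 1024-bit RSA key, not a real key;
# it is split across two quoted strings, as zone files require past 255 octets.
SAMPLE_DEFAULT_TXT = (
    'default._domainkey IN TXT ( "v=DKIM1; g=*; k=rsa; "\n'
    '  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ' + 'A' * 172 + 'IDAQAB" )'
    ' ; ----- DKIM default for hoge.com\n'
)

def parse_zone_record(text):
    """Return (owner, txt): quoted strings concatenated in order, as a verifier sees them."""
    line = ' '.join(l.strip() for l in text.splitlines() if l.strip())
    strings = re.findall(r'"([^"]*)"', line)  # the trailing ; comment carries no quotes
    if any(len(s) > 255 for s in strings):
        raise ValueError('a TXT string exceeds 255 octets; split it into several strings')
    return line.split()[0], ''.join(strings)

def parse_tags(txt):
    """Parse the 'tag=value; tag=value' list of a DKIM key record (RFC 4871 3.2)."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(';'))):
        k, sep, v = part.partition('=')
        if not sep:
            raise ValueError('malformed tag: %r' % part)
        tags[k.strip()] = ''.join(v.split())  # folding whitespace inside p= is ignored
    return tags

def check_key_record(text, domain):
    """Validate a default.txt record; return (name to publish at, tag dict)."""
    owner, txt = parse_zone_record(text)
    tags = parse_tags(txt)
    if '._domainkey' not in owner:
        raise ValueError('owner name must be <selector>._domainkey')
    if tags.get('v', 'DKIM1') != 'DKIM1' or tags.get('k', 'rsa') != 'rsa':
        raise ValueError('expected v=DKIM1 and k=rsa')
    p = tags.get('p')
    if not p:
        raise ValueError('empty p= publishes a revoked key; nothing can be signed')
    der = base64.b64decode(p, validate=True)
    # Minimal DER check: the outer SEQUENCE length must cover the whole blob, which
    # catches a key that was truncated or pasted in pieces incorrectly.
    if der[0] != 0x30:
        raise ValueError('p= does not decode to a DER SEQUENCE')
    if der[1] & 0x80:
        n = der[1] & 0x7F
        length, hdr = int.from_bytes(der[2:2 + n], 'big'), 2 + n
    else:
        length, hdr = der[1], 2
    if hdr + length != len(der):
        raise ValueError('p= DER length mismatch: key truncated or mis-pasted')
    fqdn = owner if owner.endswith('.') else '%s.%s.' % (owner, domain)
    return fqdn.rstrip('.'), tags

if __name__ == '__main__':
    name, tags = check_key_record(SAMPLE_DEFAULT_TXT, 'hoge.com')
    print('publish at', name, 'with a', len(base64.b64decode(tags['p'])), 'byte key')
```

The same checks apply to the record as served by the live zone after publication; an empty p= is defined by RFC 4871 as a revoked key, so it is treated as a hard error rather than a missing field.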
Note:
There is quite a bit of duplication between the config file and the init script, but never mind.
It could probably be done more elegantly, but it works as it is, so that will do for now.