dkimproxy for Debian
--------------------
These are some general notes about using dkimproxy under Debian, including
notes for integration with amavisd-new (along with DTC).

IMPORTANT: Note that you will NEED to have either Amavis or Postfix listening
on port 10024 so that dkimproxy.in can send the filtered messages back to
your MTA. Please read further.
1) Installation without amavisd-new (or other filters)
### Stuff to add to /etc/postfix/master.cf ###
#
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10026.
#
smtp inet n - n - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10026
  -o smtpd_client_connection_count_limit=5
#
# After-filter SMTP server. Receive mail from the content filter on
# localhost port 10027.
#
127.0.0.1:10027 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dkimsign:[127.0.0.1]:10028
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#
# specify the location of the DomainKeys signing filter
#
dkimsign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime
#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10029 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# For Postfix to sign mails sent out using Webmails or other locally delivered mail
pickup fifo n - n 60 1 pickup
  -o content_filter=dkimsign:127.0.0.1:10028
2) For integration with amavisd-new:
Follow just the steps for DTC integration, but omit 3bi).
3) For integration with DTC:
a) Follow step 2 (as amavisd-new is a part of the default DTC installation)
b) Change /etc/init.d/dkimproxy as follows (i retrieves the list of
valid domains for signing, ii makes dkimproxy.in pipe back into amavisd)
i) DOMAIN=`cat /var/lib/dtc/etc/local_domains | tr \\\r\\\n ,,`
ii) DKIMPROXY_IN_ARGS="--hostname=$DKIM_HOSTNAME 127.0.0.1:10026 127.0.0.1:10024"
c) Apply the following configuration to the /etc/postfix/master.cf
# change for DomainKeys
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dkimsign:[127.0.0.1]:10028
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#
# specify the location of the DomainKeys signing filter
#
dkimsign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime
#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10029 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# For Postfix to sign mails sent out using Webmails or other locally delivered mail
pickup fifo n - n 60 1 pickup
  -o content_filter=dkimsign:127.0.0.1:10028
d) Add the following to the last smtpd_recipient_restrictions stanza (before the last permit):
check_sender_access regexp:/etc/postfix/filter_10026_catchall
Create the file /etc/postfix/filter_10026_catchall with the following contents:
/^/ FILTER dkimsign:[127.0.0.1]:10026
e) Change the default filter action to be the signing filter (the dkimsign
verification, for incoming mail, is done as a FILTER applied to the recipient
restrictions):
content_filter = smtp-amavis:[127.0.0.1]:10028
OTHER INFO FOR DKIMPROXY
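### THIS CODE WILL GENERATE THE DOMAINKEY ENTRY FOR DNS ###
# Strip the BEGIN/END PUBLIC KEY lines and join the base64 body into one line
KEY=$(grep -v "PUBLIC" /var/lib/dkimproxy/public.key | tr -d '\n')
SELECTOR=postfix
# Zone the record is added to (the record name below is relative to it)
DOMAIN=packrat.datalexsin.local
# t=y flags the key as being in test mode
NSRECORD="$SELECTOR._domainkey IN TXT \"k=rsa; p=$KEY; t=y\""
echo "$NSRECORD"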
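
The snippet above puts the whole key into one quoted string, but a single TXT
character-string holds at most 255 bytes, which a 2048-bit key exceeds. The
following is an added example, not part of the original README: it builds the
same record split into strings of legal size and rejects key files containing
anything but base64. The helper names sample_pem and dkim_txt_record are
hypothetical, and the sample key is constructed filler.

```shell
#!/bin/sh
# Added example, not part of the original README.
# sample_pem and dkim_txt_record are hypothetical helper names.

# Constructed stand-in for /var/lib/dkimproxy/public.key: 392 filler
# characters, the base64 length of a 2048-bit RSA public key. Not a real key.
sample_pem() {
    line=$(printf '%064d' 0 | tr 0 A)
    printf '%s\n' '-----BEGIN PUBLIC KEY-----'
    for i in 1 2 3 4 5 6; do printf '%s\n' "$line"; done
    printf '%s\n' 'AAAAAAAA' '-----END PUBLIC KEY-----'
}

# dkim_txt_record PEMFILE SELECTOR [test]
# Prints the zone-file line; "test" appends t=y as in the snippet above.
dkim_txt_record() {
    pem=$1 selector=$2 mode=${3:-}
    # Drop the armor lines and join the base64 body into one string.
    key=$(grep -v 'PUBLIC' "$pem" | tr -d ' \t\r\n')
    [ -n "$key" ] || { echo "no key material in $pem" >&2; return 1; }
    # Accept only base64 characters, so a damaged key file cannot put
    # quotes or semicolons into the zone file.
    case $key in
        *[!A-Za-z0-9+/=]*) echo "non-base64 data in $pem" >&2; return 1 ;;
    esac
    value="k=rsa; p=$key"
    if [ "$mode" = test ]; then value="$value; t=y"; fi
    # Cut the value into character-strings of at most 255 bytes; resolvers
    # hand them back as a list and DKIM verifiers concatenate them.
    chunks=$(printf '%s\n' "$value" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey IN TXT ( %s)\n' "$selector" "$chunks"
}

# Demo on the constructed sample; on a real host pass
# /var/lib/dkimproxy/public.key instead.
demo=$(mktemp) && sample_pem > "$demo" && dkim_txt_record "$demo" postfix test
rm -f "$demo"
```
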
-- Damien Mascord <damien@gplhost.com> Mon, 18 Feb 2008 06:16:06 +0000