Qmail SPF settings and DKIM info

Read this site for background:

http://www.ghidinelli.com/2011/05/04/march-qmail-server-madness

======

DKIM (DomainKeys Identified Mail)
is an e-mail authentication technique that uses cryptography to provide signature verification.
In general, the sender inserts a DKIM-Signature header carrying the signature into the message.
The receiver obtains the public key through a DNS query and uses it to verify the signature.

DKIM is a protocol derived from DomainKeys and works largely the same way. In February 2007 DKIM was accepted by the Internet Engineering Task Force (IETF) as a Proposed Standard, and in May of the same year it became a formal standard (Standards Track).
=======
Mail authentication and signature checking service
The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

==========================================================
 Add Domainkey
==============================================

10. Add domainkeys (from qmailtoaster):

http://wiki.qmailtoaster.com/index.php/CentOS_5_QmailToaster_Install



Note: I found the links sent to me by Eric Shupes on the toaster list VERY helpful.
http://wiki.qmailtoaster.com/index.php/Domainkeys#bind_2
http://wiki.qmailtoaster.com/index.php/Domainkeys#Policy_Record
http://wiki.qmailtoaster.com/index.php/Domainkeys#Selector_Record
I suggest going there as the links contain a more in-depth set of details. Below is borrowed from those links.


Create the directory for your domain's private key:
   cd /var/qmail/control/domainkeys  
   mkdir your-domain.com

Create your domain's key pair (a private key and a corresponding public key) with the dknewkey command:
   cd your-domain.com
   dknewkey private > public.txt


You want to be sure that the private key is kept private, so change its ownership and permissions accordingly:
   chmod 440 private
   cd ..
   chown -R root:vchkpw your-domain.com


Make dns entry: 
    BIND - in the your-domain.com zone file (see public.txt for the private._domainkey.your-domain.com entry):


   _domainkey.your-domain.com.         IN TXT "t=y; o=-"
Note: This is putting it into test mode. If you are done testing, and want to take it out of testing mode, change the above to reflect below.
   _domainkey.your-domain.com.         IN TXT "o=-"
Then also add this to your zone file:
    private._domainkey.your-domain.com. IN TXT "k=rsa; p=MEwwDQY . . . to end of key" 
          (NOTE QUOTATION MARKS MUST BE THERE)
Note: I have not tested DJBDNS as I do not run it - DK
    DJBDNS - in /var/djbdns/tinydns/root/data (make from public.txt): 
      '_domainkey.your-domain.com:o=-; r=postmaster@your-domain.com 
      'private._domainkey.your-domain.com:k=rsa; p=MEwwDQY . . . to end of key 


Test your mailserver:
    http://domainkeys.sourceforge.net/policycheck.html
    http://domainkeys.sourceforge.net/selectorcheck.html
   
    In squirrelmail, send a test email, select View Full Header and you
    should find something like the following:
    ----------- snip ------------
    DomainKey-Status: good 
    Received: by simscan 1.2.0 ppid: 22641, pid: 22644, t: 0.8416s
         scanners: clamav: 0.88.2/m:38/d:1476 spam: 3.1.1
    X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on ndh1.whatgives.org
    X-Spam-Level: *
    X-Spam-Status: No, score=1.6 required=5.0 tests=FROM_DOMAIN_NOVOWEL 
         autolearn=no version=3.1.1
    Received: from unknown (HELO ns1.ndhsdns.com) (216.221.100.227)
         by ndh1.whatgives.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 22 May 2006 20:03:36 -0000
    Received-SPF: pass (ndh1.whatgives.org: SPF record at ndhsdns.com designates 216.221.100.227 as permitted sender)
    Received: (qmail 28034 invoked by uid 89); 22 May 2006 20:03:36 -0000
    Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
         s=private; d=ndhsdns.com;
         b=XVKQZe446BXMnSoQKvgchf0DRx4v8YQYZn5KVLj5O8XYf7V1dX7ETaJ1VGWGp5Bf ;
    Received: from unknown (HELO www.ndhsdns.com) (127.0.0.1)
         by ns1.ndhsdns.com with SMTP; 22 May 2006 20:03:36 -0000
    ----------- snip ------------
=======

SPF basics

The main function of SPF is to let the receiving mail server take the sender's domain from an incoming message, actively check it against the SPF record published on the sending side's DNS server, and filter mail on that basis. The receiving mail server then decides whether or not to accept the message according to the result of that comparison.
An example: the news often reports fraud cases in which someone phones you, or sends a registered letter, claiming to be some prosecutor in order to extort money. The tactic is always a convincing script or official-looking envelopes and stationery that win your trust. The same thing plays out on the Internet again and again: spammers forge other people's e-mail addresses so that bounces do not land in their own mailbox; fraud rings forge addresses to avoid being traced; viruses and worms deliberately obscure their origin by picking a random sender address; credential thieves pose as a friend writing to you in order to steal private secrets, and so on.
Here SPF lets the sending side present a "certificate of good conduct" on the envelope, telling the other party "I am legitimate". The receiving side can verify this against the DNS server of the sender's domain, and from that DNS response it can also judge whether the message is spam.
For a deeper understanding of SPF records, see the OpenSPF website.

B. How do I set up an SPF record?

For the ADSL plans most small and medium businesses use, the ISP usually assigns a single static IP address to the customer. Simply put, for most users' network environments the SPF record only needs one short line added under "DNS records", following the "choosing and configuring DNS hosting" tutorial, for example:
[v=spf1 a mx ptr ~all]
The parameters in the SPF record are explained below:
1. ' a ': matches the A record in DNS; if no domain name is specified, the current domain is used.
2. ' mx ': matches the MX records in DNS; if no domain name is specified, the current domain is used.
3. ' ptr ': matches the PTR record in DNS; if no domain name is specified, the current domain is used.
4. ' ~all ': if none of the parameters match, the message is still delivered, but its header is marked 'SPF-Failure' and it is placed in the junk mail folder.
With these parameters in place, the SPF record gives the receiving mail server more information with which to identify mail sent from your domain more accurately.
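To see how a receiving server evaluates a record like the one above, here is a small SPF evaluator written for this page (it is added example code, not from the qmailtoaster wiki or any SPF library). It covers the a, mx, ip4 and all mechanisms with their qualifiers, treats the deprecated ptr mechanism as no-match, and runs against a constructed in-memory DNS table instead of real lookups.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical names, RFC 5737 test addresses, not real records).
DNS = {
    "your-domain.com": {"A": ["192.0.2.10"], "MX": ["mails.taching.com.tw"]},
    "mails.taching.com.tw": {"A": ["192.0.2.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])

def host_has_ip(name, ip):
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, "A"))

def check_spf(record, sender_domain, client_ip):
    """Evaluate an SPF TXT record for a connection from client_ip.
    Handles the mechanisms used on this page (a, mx, ip4, all) with their
    +/-/~/? qualifiers. ptr is deprecated by RFC 7208 and treated as
    no-match here; unknown mechanisms or bad arguments give permerror."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"                              # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = host_has_ip(arg or sender_domain, ip)
        elif mech == "mx":
            matched = any(host_has_ip(mx, ip) for mx in lookup(arg or sender_domain, "MX"))
        elif mech == "ip4":
            try:                                # ip4: takes an address or CIDR, never a hostname
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "ptr":
            matched = False
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]             # first matching mechanism decides
    return "neutral"                            # nothing matched and no 'all' term
```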


DK Tester..... http://domainkeys.sourceforge.net/policycheck.html
See openspf.org for settings.
http://www.openspf.org/SPF_Record_Syntax

http://www.appmaildev.com/en/domainkeys/

Example records (publish only one v=spf1 TXT record per name; ip4: takes an IP address or CIDR block, so a hostname must use the a: mechanism instead):
mails.taching.com.tw.           IN TXT  "v=spf1 a:mails.taching.com.tw -all"
mails.taching.com.tw.           IN TXT  "v=spf1 mx a:mails.taching.com.tw -all"

To test an SPF setting from Linux
==========================
host -t txt mail.abc.com
mail.abc.com descriptive text "v=spf1 a:mails.taching.com.tw mx -all"

or use: dig txt ntu.edu.tw

==========================
Download dkim.tgz; you should add the RPMforge yum repository first.

http://wiki.qmailtoaster.com/index.php/How_to_Setup_DKIM_with_Qmail_Toaster



RPMforge Repository

RPMforge is a collaboration of Dag, Dries, and other packagers. They provide over 4000 packages for CentOS, including mplayer, xmms-mp3, and other popular media tools. Visit the RPMforge Website for more information.

Requirements
Install and Configure the Yum Priorities plugin
Install RPMforge Repository on CentOS
Download the RPMforge-release package
i386: http://apt.sw.be/redhat/el5/en/i386/dag/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
http://apt.sw.be/redhat/el5/en/i386/dag/RPMS/rpmforge-release-0.5.3-1.el5.rf.i386.rpm
x86_64: http://apt.sw.be/redhat/el5/en/x86_64/dag/RPMS/rpmforge-release-0.3.6-1....
Install DAG’s GPG Key
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
Verify the package you have downloaded
rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm
Install the package
rpm -ivh rpmforge-release-0.3.6-1.el5.rf.*.rpm
Delete the downloaded RPMforge-release package
Configure RPMforge Repository on CentOS
Open the RPMforge configuration file

/etc/yum.repos.d/rpmforge.repo

Add the following text to the end of the RPMForge repository entry
priority=3
Check that you got the priorities set correctly

yum check-update

You should see output similar to the following:
Loaded plugins: fastestmirror, priorities

469 packages excluded due to repository priority protections


Need to install the following when install.sh is run under dkim
 Package                       
===============================
Installing:
 perl-Mail-DKIM                
Installing for dependencies:
 perl-Crypt-OpenSSL-RSA        
 perl-Crypt-OpenSSL-Random     
 perl-Digest-SHA               
 perl-Email-Date-Format        
 perl-MIME-Lite                
 perl-MailTools                
 perl-Pod-Escapes              
 perl-Pod-Simple               
 perl-Test-Pod                 
 perl-TimeDate                 

Transaction Summary
===============================
Install      11 Package(s)
===============================

You won't be able to install these packages without RPMForge.

===



Run install.sh from dkim.tgz
===
result:

We have set up and configured DKIM up to a point. You now need to add the
DKIM entry to your DNS config. For BIND, here is the entry you need to
make into your DNS zone file:
dkim1   IN      TXT     "k=rsa; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAPfbMddOsTYCCywvUOYg5oQMT9k/ze5mOZfgT5I5mlZ+IY+zauRxhkvUJ7IxW9YCLwIDAQAB"

This script will configure your machine to sign *ALL* domains on this serves
to sign with this key. If you do not wish to sign all domains, you will need
to edit the /var/qmail/control/dkim/signconf.xml file to reflect this.


At this point, outbound emails are not signed. When you are ready to
continue, hit [enter] and this script will stop qmail, replace the
qmail-remote file with the wrapper to sign messages, and then start
qmail back up.

============================

DKIM

============================

1) wget http://qmailtoaster.com/dkim.tgz
2) tar -zxf dkim.tgz
3) cd dkim
4) yum install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
5) mkdir /var/qmail/control/dkim
6) cp signconf.xml /var/qmail/control/dkim/
7) chown -R qmailr:qmail /var/qmail/control/dkim/
8) dknewkey /var/qmail/control/dkim/global.key > /var/qmail/control/dkim/public.txt
9) perl -pi -e 's/global.key._domainkey/dkim1/' /var/qmail/control/dkim/public.txt
10) qmailctl stop
11) mv /var/qmail/bin/qmail-remote /var/qmail/bin/qmail-remote.orig
12) mv qmail-remote /var/qmail/bin
13) chmod 777 /var/qmail/bin/qmail-remote
        (the wrapper only needs to be executable; 777 also makes it world-writable, and 755 is enough)
14) chown root:qmail /var/qmail/bin/qmail-remote
15) qmailctl start
16) cat /var/qmail/control/dkim/public.txt
17) Create a TXT record on the DNS server for the domain you want to set up DKIM for, as
        shown in the output of step 16.
18) Your DKIM setup is done.
19) Send a test mail to any Yahoo e-mail address and check the headers.
If the headers show an error, wait for the DNS change to propagate.

In order to test your settings, simply send an email to: check-auth@verifier.port25.com
and/or check-auth2@verifier.port25.com with the subject "test" (without the quotes)
and "Just testing" in the body (also without quotes). It is best, but not required, to
have a subject and body, because this service will also show you how SpamAssassin rated
your email.
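Before mailing the port25 verifier, the DNS side can be checked offline: given the DomainKey-Signature header shown earlier (s=private; d=ndhsdns.com) or a DKIM-Signature that uses the dkim1 selector from install.sh, a verifier fetches the TXT record at selector._domainkey.domain. The checker below is added example code (not part of the qmailtoaster scripts); the zone table is constructed, and the only real value in it is the dkim1 public key printed by install.sh above.

```python
import base64

# The p= value printed by install.sh on this page, reused as sample data; the zone is constructed.
PAGE_KEY = ("MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAPfbMddOsTYCCywvUOYg5oQMT9k/ze5m"
            "OZfgT5I5mlZ+IY+zauRxhkvUJ7IxW9YCLwIDAQAB")
ZONE = {
    "_domainkey.ndhsdns.com": "t=y; o=-",                  # DomainKeys policy record, test mode
    "private._domainkey.ndhsdns.com": "k=rsa; p=" + PAGE_KEY,
    "dkim1._domainkey.your-domain.com": "k=rsa; p=" + PAGE_KEY,
}

def parse_tags(text):
    """Parse a 'tag=value; tag=value' list (signature headers and TXT records)."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = "".join(v.split())   # drop header folding whitespace
    return tags

def looks_like_der_spki(b):
    """Cheap sanity check: an outer DER SEQUENCE whose length covers the whole blob."""
    if len(b) < 2 or b[0] != 0x30:
        return False
    if b[1] < 0x80:
        return 2 + b[1] == len(b)
    n = b[1] & 0x7F                                          # long-form length
    return 2 + n + int.from_bytes(b[2:2 + n], "big") == len(b)

def check_signature_records(sig_header, zone):
    """Find the selector record a verifier would fetch for this signature and
    check it is usable. Returns (status, detail)."""
    sig = parse_tags(sig_header)
    d, s = sig.get("d"), sig.get("s")
    if not d or not s:
        return "permerror", "signature lacks d= or s="
    name = f"{s}._domainkey.{d}"
    record = zone.get(name)
    if record is None:
        return "fail", f"no TXT record at {name}"
    key = parse_tags(record)
    if key.get("k", "rsa") != "rsa" or not key.get("p"):
        return "fail", f"{name} must carry k=rsa and a non-empty p="
    try:
        if not looks_like_der_spki(base64.b64decode(key["p"], validate=True)):
            raise ValueError
    except ValueError:
        return "fail", f"p= at {name} is not a base64 DER public key"
    policy = zone.get(f"_domainkey.{d}")                    # DomainKeys only; DKIM has none
    if policy is None:
        note = "no DomainKeys policy record (normal for DKIM)"
    elif parse_tags(policy).get("t", "").startswith("y"):
        note = "DomainKeys policy in test mode (t=y)"
    else:
        note = "DomainKeys policy enforcing"
    return "ok", f"{name} publishes an RSA key; {note}"
```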

====================
SPF Check  (DKIM Check)
====================
check-auth@verifier.port25.com 



========================
SimScan   http://www.inter7.com/index.php?page=simscan

simscan
Simscan is a simple program that enables the qmail smtpd service to reject viruses and spam, and to block attachments, during the SMTP conversation, so that the processing load on the email system is kept to a minimum. The project is open source and uses other open source components. It is small, very efficient, and written in C.

=====================================
