Monday, February 9, 2015

OpenBSD Mail Server - Part 5, DKIMproxy

1. Follow the steps here to create public and private keys that will be used by DKIMproxy.

2. Create a TXT record for each domain the server will be hosting that looks something like this:

selector1._domainkey    1800    TXT    "v=DKIM1; k=rsa; p=KEY_GOES_HERE"

3. Install dkimproxy from ports (no packages available for OpenBSD 5.6).  It has no dependencies that aren't already pulled in from prior packages so it's an easy and quick build.

4. Edit /etc/dkimproxy_out.conf so it looks something like this (note that the default ports are different so they don't conflict with the earlier clamsmtpd setup):

# cat /etc/dkimproxy_out.conf
# specify what address/port DKIMproxy should listen on
#listen 127.0.0.1:10027
listen 127.0.0.1:10030

# specify what address/port DKIMproxy forwards mail to
#relay 127.0.0.1:10028
relay 127.0.0.1:10029

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
#domain example.org
domain example.com,example.net

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
#keyfile /full/path/to/private.key
keyfile /etc/mail/dkim/private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector selector1
...

Since SpamAssassin already does DKIM checking for incoming mail, dkimproxy is only used for outgoing mail, where it adds the DKIM (and DomainKeys) signature headers.

5. Add "dkimproxy_out" to pkg_scripts in /etc/rc.conf.local and start it up.  Again, check netstat -na -f inet to see if it's listening on port 10030.

6. Same drill as before.  Edit /etc/mail/smtpd.conf so it looks something like this:

# cat /etc/mail/smtpd.conf
pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

listen on lo0
listen on lo0 port 10026 tag CLAM_IN # incoming mail
listen on lo0 port 10028 tag CLAM_OUT # outgoing mail
listen on lo0 port 10036 tag SPAM_IN # incoming mail
listen on lo0 port 10029 tag DKIM_OUT # outgoing mail
listen on egress tls pki mail.example.com auth-optional
listen on egress port submission tls-require pki mail.example.com auth

table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains

accept for local alias <aliases> deliver to maildir

# tagged mail returned from dkimproxy_out relay out
accept tagged DKIM_OUT for any relay

# tagged mail returned from spampd deliver to maildir
accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir

# tagged mail returned from clamsmtpd either send to spampd or dkimproxy_out
accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd
accept tagged CLAM_OUT for any relay via smtp://127.0.0.1:10030 # send to dkimproxy_out

# start here - untagged mail is sent to clamsmtpd
accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail
accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail


7. So now here is what’s happening:

Incoming mail (unchanged from before since incoming mail is not using dkimproxy):

pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to maildir

Outgoing mail:

opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay to dkimproxy on port 10030 -> add DKIM headers -> return to opensmtpd on lo0 port 10029 and tag it DKIM_OUT -> relay out
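The outgoing loop in steps 4, 6 and 7 only works if the ports line up: smtpd must hand CLAM_OUT mail to the port dkimproxy listens on, and dkimproxy must hand it back to the smtpd listener tagged DKIM_OUT. The script below is an added example (not from the post, and not part of dkimproxy or OpenSMTPD) that parses constructed copies of the two config files shown above and reports any mismatch; all function names are assumptions.

```python
"""Cross-check the port wiring between dkimproxy_out.conf and smtpd.conf.

Added example for this post, not code from the post or from dkimproxy/OpenSMTPD.
The two config strings are constructed copies of the files shown in steps 4
and 6; all function names are assumptions.
"""
import re

# Constructed: the relevant lines of /etc/dkimproxy_out.conf from step 4
DKIMPROXY_CONF = """\
# specify what address/port DKIMproxy should listen on
#listen 127.0.0.1:10027
listen 127.0.0.1:10030
# specify what address/port DKIMproxy forwards mail to
#relay 127.0.0.1:10028
relay 127.0.0.1:10029
domain example.com,example.net
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile /etc/mail/dkim/private.key
selector selector1
"""

# Constructed: the listen and relay rules of /etc/mail/smtpd.conf from step 6
SMTPD_CONF = """\
listen on lo0
listen on lo0 port 10026 tag CLAM_IN # incoming mail
listen on lo0 port 10028 tag CLAM_OUT # outgoing mail
listen on lo0 port 10036 tag SPAM_IN # incoming mail
listen on lo0 port 10029 tag DKIM_OUT # outgoing mail
accept tagged DKIM_OUT for any relay
accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd
accept tagged CLAM_OUT for any relay via smtp://127.0.0.1:10030 # send to dkimproxy_out
accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail
"""


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_dkimproxy(text):
    """Map each dkimproxy option to its (last) value; commented lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = strip_comment(raw)
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def parse_smtpd(text):
    """Return (listeners, relays): tag -> port for tagged lo0 listeners, and
    tag -> port for tagged rules that relay via smtp://127.0.0.1:PORT."""
    listeners, relays = {}, {}
    for raw in text.splitlines():
        line = strip_comment(raw)
        m = re.match(r"listen on \S+ port (\d+) tag (\w+)$", line)
        if m:
            listeners[m.group(2)] = int(m.group(1))
            continue
        m = re.match(r"accept tagged (\w+) for any relay via smtp://127\.0\.0\.1:(\d+)$", line)
        if m:
            relays[m.group(1)] = int(m.group(2))
    return listeners, relays


def port_of(hostport):
    """'127.0.0.1:10030' -> 10030"""
    return int(hostport.rsplit(":", 1)[1])


def check_dkim_wiring(dkim_text, smtpd_text):
    """Return a list of wiring problems; an empty list means the outgoing loop is
    consistent: smtpd hands CLAM_OUT mail to dkimproxy's listen port, dkimproxy
    hands it back to the DKIM_OUT listener, and dkimproxy does not squat on a
    port smtpd itself listens on."""
    dkim = parse_dkimproxy(dkim_text)
    listeners, relays = parse_smtpd(smtpd_text)
    listen_port, relay_port = port_of(dkim["listen"]), port_of(dkim["relay"])
    problems = []
    if relays.get("CLAM_OUT") != listen_port:
        problems.append(f"smtpd relays CLAM_OUT to {relays.get('CLAM_OUT')} "
                        f"but dkimproxy listens on {listen_port}")
    if listeners.get("DKIM_OUT") != relay_port:
        problems.append(f"dkimproxy relays to {relay_port} "
                        f"but the DKIM_OUT listener is on {listeners.get('DKIM_OUT')}")
    if listen_port in listeners.values():
        problems.append(f"dkimproxy listen port {listen_port} collides with an smtpd listener")
    return problems


if __name__ == "__main__":
    found = check_dkim_wiring(DKIMPROXY_CONF, SMTPD_CONF)
    print("wiring OK" if not found else "\n".join(found))
```

With the files as shown in the post the check comes back clean; leaving dkimproxy's default listen/relay ports (10027/10028) in place instead produces two mismatches, which is exactly the conflict the note in step 4 warns about.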

8. Send an email and look at the headers.  There should be some DKIM headers for the domain like these:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com; h=from:date
 :message-id:to:subject; s=selector1; bh=[KEY HASH]
DomainKey-Signature: a=rsa-sha1; c=nofws; d=example.com; h=from:date
 :message-id:to:subject; q=dns; s=selector1; b=[KEY HASH]
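The DNS record from step 2 and the DKIM-Signature header above use the same tag=value syntax (RFC 6376), and a verifier will look up `<s>._domainkey.<d>` from the header and compare it with what you published. The script below is an added example, not code from the post or from dkimproxy: it unfolds a constructed header, parses both tag lists, and checks that they agree (selector, domain, key type, non-empty key, From covered by h=). The sample values and function names are assumptions built from the post's placeholders.

```python
"""Parse the DKIM tag=value lists in the DNS record (step 2) and the
DKIM-Signature header (step 8) and check that they describe the same key.

Added example for this post, not code from the post or from dkimproxy.
The record and header below are constructed from the post's placeholders
(KEY_GOES_HERE, [KEY HASH]); the function names are assumptions.
"""
import re

# Constructed: TXT value published at selector1._domainkey.example.com
DNS_TXT = "v=DKIM1; k=rsa; p=KEY_GOES_HERE"

# Constructed: a folded DKIM-Signature header as seen in a received message
DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com; h=from:date\n"
    " :message-id:to:subject; s=selector1; bh=BODY_HASH_GOES_HERE;\n"
    " b=SIGNATURE_GOES_HERE"
)


def unfold_header(raw):
    """Join RFC 5322 continuation lines; return (header name, header value)."""
    name, _, value = raw.partition(":")
    return name.strip(), re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_tag_list(value):
    """Turn 'k=v; k=v' (RFC 6376 tag-list) into a dict.  Whitespace inside a
    value is folding whitespace and is dropped; an empty trailing ';' is fine."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def record_name(sig):
    """The DNS name a verifier queries for this signature: <s>._domainkey.<d>"""
    return f"{sig['s']}._domainkey.{sig['d']}"


def check_signature_against_record(header_raw, txt_value):
    """Return a list of problems; empty means the header and the published
    record are consistent enough for a verifier to attempt validation."""
    sig = parse_tag_list(unfold_header(header_raw)[1])
    rec = parse_tag_list(txt_value)
    problems = []
    for tag in ("v", "a", "d", "s", "h", "bh", "b"):  # required by RFC 6376
        if tag not in sig:
            problems.append(f"signature is missing {tag}=")
    if sig.get("v") != "1":
        problems.append("signature v= must be 1")
    if rec.get("v", "DKIM1") != "DKIM1":  # v= is optional in the record
        problems.append("record v= is not DKIM1")
    if rec.get("k", "rsa") != sig.get("a", "").split("-")[0]:
        problems.append("record key type does not match signature algorithm")
    if not rec.get("p"):
        problems.append("record p= is empty (key revoked)")
    if "from" not in sig.get("h", "").lower().split(":"):
        problems.append("h= does not cover the From header")
    return problems


if __name__ == "__main__":
    sig = parse_tag_list(unfold_header(DKIM_HEADER)[1])
    print("lookup:", record_name(sig))
    print("problems:", check_signature_against_record(DKIM_HEADER, DNS_TXT) or "none")
```

Two things worth knowing when reading the headers today: RFC 8301 deprecated `a=rsa-sha1` in favour of `rsa-sha256` (newer dkimproxy releases default to sha256), and DomainKeys (the `DomainKey-Signature` header) is a historic predecessor that modern verifiers ignore, so the DKIM signature is the one that matters.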

2 comments:

  1. Hey thanks for the great guide, inspired me to make the switch from Linux for my mail server. I'm having issues with this section. I can't figure out how to install dkimproxy from ports without having to install X11. I don't understand why X11 would be a dependency to building this. I'm kind of a BSD newbie so I'm not so comfortable with the packages and ports systems yet. Can you go into more detail about how you resolved this on 5.6?

  2. I always install all OpenBSD base sets including the xorg ones. See the section called "Why do I have to install X for my non-graphical installation?" here: http://www.openbsd.org/faq/faq4.html#FilesNeeded
