The Baruwa project provides up to date deb packages for both distributions.

Packages are available for:

• squeeze
• wheezy
• sid
• lucid
• maverick
• natty
• oneiric
• precise
• quantal

Usage

To use the packages you need to enable the baruwa apt repo.

cat > /etc/apt/sources.list.d/baruwa.list << 'EOF'
deb http://apt.baruwa.org/ubuntu precise main
EOF

Change "precise" to your specific release name

Add the repo's GPG key

wget -O - http://apt.baruwa.org/baruwa-apt-keys.gpg | apt-key add -

Then run

apt-get update
apt-get install mailscanner

Support & Assistance

Use the friendly Baruwa project mailing list

To do this create a file with the extension ".ign2" in your ClamAV data directory with the name of the signature.

cat > /var/lib/clamav/mb.ign2 << 'EOF'
MBL_303159
EOF

Reload clamd and you should be good to go.

Return-Path:    <"andrew@topdog.za.net"@xxxx.xxxx.co.za>
...
Sender:     "andrew@topdog.za.net"@xxxx.xxxx.co.za
...

To fix this you need to modify your acl_check_rcp acl and add sender_retain to control.

accept  authenticated = *
          control       = submission/sender_retain

Restart exim and you are good to go.

In this post i will describe how you can catch the mail that has slipped through your SMTP DNSBL checks.

To identify these messages i use Spamassassin's URIDNSBL plugin which extracts the uri's in an email and checks each of them against the DNSBL.

Create a file called ispa.cf in your Spamassassin configuration directory usually /etc/mail/spamassassin with the following contents

# /etc/mail/spamassassin/ispa.cf
urirhsbl        URIBL_BARUWA    ispa.rbl.baruwa.net.   A
body            URIBL_BARUWA    eval:check_uridnsbl('URIBL_BARUWA')
describe        URIBL_BARUWA    Contains a URL listed in the Baruwa blocklist
score           URIBL_BARUWA    7.0

Restart Spamassassin and email from those domains that by pass the DNSBL checks by using 3rd party senders should now be tagged as Spam by Spamassassin with a score of 7.0

Feedback is welcome, as Spam fighting is always an on going battle.

So head off and get your copy.

DKIM is an authentication framework which stores public-keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's domainkeys and Cisco's Identified Internet mail specification. It is defined in RFC 4871.

I previously wrote about setting up DKIM using dkim-milter, dkim-milter has since been depreciated.

We will be using the OpenDKIM implementation Centos, OpenDKIM is a fork of dkim-milter.

Installation

yum install opendkim

Generate the Keys

opendkim-genkey -d <domain_name> -s <selector>

Replace with the domain name you will be signing the mail for, and with a selector name it can be anything (but just one word). The command will create two files.

• .txt - contains the public key you publish via DNS

• .private - the private key you use for signing your email

Create a sub directory in /etc/opendkim/keys to store your key, i prefer to use the domain name as the sub directory name.

# mv <selector>.private /etc/opendkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/opendkim/keys/<domain_name>/<selector>.pem
# chown opendkim.opendkim /etc/opendkim/keys/<domain_name>/<selector>.pem

DNS Setup

You need to publish your public key via DNS, client servers use this key to verify your signed email. The contents of .txt is the record you need to add to your zone file a sample, is below (it uses default as the selector and example.com as the domain_name)

default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA
DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv
wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for example.com

Configuration

Edit /etc/opendkim.conf comment out "KeyFile /etc/opendkim/keys/default.private" and uncomment "#KeyTable /etc/opendkim/KeyTable"

Edit the file /etc/opendkim/KeyTable and add your domain using the following format

<selector>._domainkey.<domain_name> <domain_name>:<selector>:/etc/opendkim/keys/<domain_name>/<selector>.pem

Add your servers IP addresses to /etc/opendkim/TrustedHosts

More advanced configuration options can be set in the file /etc/opendkim.conf

Configure Postfix

You need to add the following options to the postfix main.cf file to enable it to use the milter.

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Append the OpenDKIM options to the existing milters if you have other milters already configured.

Start OpenDKIM and restart postfix

# service opendkim start
# service postfix restart

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com, you will receive a response stating if your setup is working correctly. If you have a Gmail account you can send an email to that account and look at the message details similar to the picture below, you should see signed-by “your domain” if your setup was done correctly.

I extract the data from this web page and publish it in a DNSBL ispa.rbl.baruwa.net, i use this DNSBL in my SAAS mail security product. So anyone should be able to use it in a similar way to the other DNSBL's like spamhaus and spamcop etc.

Command line checking

You can check if a domain is on the list using the normal command line utilities

Using host:

host amazingresults.co.za.ispa.rbl.baruwa.net

Output:

amazingresults.co.za.ispa.rbl.baruwa.net has address 127.0.0.2

Using dig:

dig amazingresults.co.za.ispa.rbl.baruwa.net

Output:

;; QUESTION SECTION:
;amazingresults.co.za.ispa.rbl.baruwa.net. IN A

;; ANSWER SECTION:
amazingresults.co.za.ispa.rbl.baruwa.net. 1993 IN A 127.0.0.2

Checking the TXT output:

host -t txt amazingresults.co.za.ispa.rbl.baruwa.net

Output:

amazingresults.co.za.ispa.rbl.baruwa.net descriptive text 
"Domain amazingresults.co.za is listed in the ISPA Hall of Shame,
http://ispa.org.za/spam/hall-of-shame/"

Usage

Usage of the DNSBL in various MTA's is described below.

Exim

Add the following to your rcpt acl (acl_check_rcpt:).

drop    message       = REJECTED - $dnslist_text
        dnslists      = ispa.rbl.baruwa.net/$sender_address_domain

Postfix

Add to smtpd_recipient_restrictions after permit_mynetworks in your main.cf file

reject_rhsbl_client ispa.rbl.baruwa.net,
reject_rhsbl_sender ispa.rbl.baruwa.net,

Sendmail

Add to your mc file and rebuild the cf

FEATURE(rhsbl,`ispa.rbl.baruwa.net',`"550 Mail from domain " $`'&{RHS} " refused.
Domain is listed in the ISPA Hall of Shame -  http://ispa.org.za/spam/hall-of-shame/"')

How the data is extracted

The data is extracted using an automated custom web crawler written using Scrapy in Python. The crawler extracts both the domains and the email addresses, the domains are processed and added to the DNSBL, the emails addresses get processed and added to the email blacklists on our SAAS platform.

Update

Some of these domains have resorted to using third party senders, which means the smtp envelope is no longer the one listed on the hall of shame, i have written a followup post which describes how you can identify and flag as spam these messages that bypass the SMTP time DNSBL checks.

DKIM is an authentication framework which stores public-keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's domainkeys and Cisco's Identified Internet mail specification. It is defined in RFC 4871.

We will be using the milter implementation of dkim http://dkim-milter.sf.net on centos 5.3.

This howto has been updated to allow for the following.

• Multiple domains using different keys
• Same domain using different selectors
• Selective signing of email

Older versions are provided below for reference.

Installation

I provide Centos rpms for Dkim-milter at http://www.topdog- software.com/oss/ so we will install the latest version.

Install the rpm, ( 32bit and 64bit intel supported )

# wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
# rpm --import andrew_topdog-software.com_key.txt
# http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-2.$(uname -i).rpm

Generate the Keys

# dkim-genkey -d <domain_name> -s <selector> -t

Replace with the domain name you will be signing the mail for, and with a selector name it can be anything (but just one word). The command will create two files.

• .txt - contains the public key you publish via DNS

• .private - the private key you use for signing your email

Create a sub directory in /etc/mail/dkim/keys to store your key, i prefer to use the domain name as the sub directory name.

# mv <selector>.private /etc/mail/dkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/mail/dkim/keys/<domain_name>/<selector>.pem
# chown dkim-milt.dkim-milt /etc/mail/dkim/keys/<domain_name>/<selector>.pem

DNS Setup

You need to publish your public key via DNS, client servers use this key to verify your signed email. The contents of .txt is the record you need to add to your zone file a sample, is below (it uses default as the selector and topdog-software.com as the domain_name)

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA
DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv
wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com

Also add this to your zone file. (This sets your policy see http://www.sendmail.org/dkim/wizard for an explanation or refer to the RFC)

_adsp._domainkey    IN  TXT "dkim=unknown"

Configuration

Edit the file /etc/mail/dkim/keylist and add your domain using the following format

*@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>
#sign only for andrew
andrew@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>

Add your servers IP addresses to /etc/mail/dkim/trusted-hosts

More advanced configuration options can be set in the file /etc/dkim-filter.conf (Refer to the file and the man pages for details)

Configure Postfix

You need to add the following options to the postfix main.cf file to enable it to use the milter.

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209

Append the dkim-milter options to the existing milters if you have other milters already configured.

Start dkim-milter and restart postfix

# service dkim-milter start
# service postfix restart

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com, you will receive a response stating if your setup is working correctly. If you have a Gmail account you can send an email to that account and look at the message details similar to the picture below, you should see signed-by “your domain” if your setup was done correctly.

Updates

Updated rpms are always provided at http://www.topdog-software.com/oss/dkim-milter/

This how to describes the installation and configuration of a mail system on Centos 5.1 with selinux enabled for enhanced security. This system will be able to service HTTP, HTTPS, SMTP, TLS, SMTP-AUTH, IMAP, POP3 clients and is virtual enabled allowing more that one domain to be served from the system.

The webmail client imp will provide a feature rich interface with a webmail component, an address book, calendaring, and ability to reset passwords all with a highly configurable preference system to enable users to modify their look and feel as well as the operation of the interface.

The IMAP/POP3 system is the high performance cyrus-imapd system that runs as a sealed unit (mail users are not system users) and utilizes a high end/ performance back end for mail storage. The other cyrus-imapd features include, mail indexing for quick search operations using squat, a notification daemon that can be configured to notify via sms or email, sieve filtering system (auto response, mail filtering, notifications, filing), and built in quota system. This system will use pam_mysql via the SASL (saslauthd) mechanism to authenticate users against the Mysql database back end shared by all the components.

The exim system will be configured to enable users relay mail using TLS secured SMTP-AUTH, using the same database backend that is shared by all the components. Address verification will take place using SQL queries to the mysql backend before any mail is accepted for delivery to the cyrus-imapd mail store. Anti-virus checks are integrated into this system with the use of clamav via a Unix domain socket. Spam checks are also run at smtp time via a socket connection to the spamd spamassasin system messages scoring over 6 are automatically rejected with out being spooled to the system.

The mysql database will store the user authentication information encrypted using md5-hex as well as other information for the other webmail components.

This system is designed for high performance and security, cutting down on open ports and prefering to use unix domain sockets and running selinux in enforcing mode.

User account management takes place via the horde web interface allowing the admin easy access to add and remove accounts or to manage passwords, it is also possible to interact directly with the database table and make alterations there.

OS Installation notes

For the purpose of keeping this howto precise i will not take you through the actually installation of the Centos 5.1 system i will assume that you have a bare bones install, a kickstart to help you get a bare bones install is can be downloaded here

For this tutorial i will be using the static IP address 192.168.1.4 and the hostname mail.home.topdog-software.com with a domain of home.topdog- software.com, please feel free to make alterations to suite your environment. The working directory will be /usr/local/src all packages to be downloaded should be downloaded and extracted there.

Software installation

Install prerequisites

Update the system.

yum update

Configure rpmforge repo

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Disable the repo (such that base packages not overwritten) edit /etc/yum.d/rpmforge.repo and set the following option

enabled = 0

Install Apache

yum install httpd php php-mysql php-xml php-imap php-mbstring php-mcrypt \
php-pecl-Fileinfo php-pear-DB php-pear-File php-pear-Log php-pear-Mail-Mime \
php-pear-Auth-SASL php-pear-Date php-pear-HTTP-Request php-pear-Mail php-pear-Net-Sieve \
php-pear-Net-Socket php-pear-Net-SMTP openssl mod_ssl -y

Install Exim

yum install exim system-switch-mail -y

Install Mysql

yum install mysql mysql-server -y

Install Horde

yum install horde imp-h3 ingo-h3 turba-h3 kronolith-h3 -y
wget ftp://ftp.horde.org/pub/passwd/passwd-h3-3.0.1.tar.gz
tar xzvf passwd-h3-3.0.1.tar.gz -C /usr/share/horde
mv /usr/share/horde/passwd-h3-3.0.1 /usr/share/horde/passwd

Install cyrus-imapd

I will use the Invoca systems source rpm as it is more recent and support many features that the Centos build does not provide.

yum install db4-utils -y
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-perl-2.3.11-3.i386.rpm
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-utils-2.3.11-3.i386.rpm
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-2.3.11-3.i386.rpm

Install Pam_mysql

rpm -Uvh http://www.topdog-software.com/oss/pam_mysql/pam_mysql-0.7RC1-1.i386.rpm

Install ClamAV

yum --enablerepo=rpmforge install clamav clamav-db clamd -y

Install Spamassassin

yum install spamassassin -y

Configuration

Configure Apache

Enable virtual hosting and create default virtualhost, edit /etc/httpd/conf/httpd.conf and add at the end

NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@home.topdog-software.com
</VirtualHost>

Create the virtual host for horde webmail add this under the above

<VirtualHost *:80>
        Servername mail.home.topdog-software.com
        DocumentRoot /usr/share/horde
        ErrorLog logs/mail-error_log
        CustomLog logs/mail-access_log common
</VirtualHost>

Enable horde security settings edit the file /etc/httpd/conf.d/horde.conf and set as below

#Alias /horde /usr/share/horde
<Directory /usr/share/horde>

    Options +FollowSymLinks
    php_admin_flag safe_mode off
    php_admin_flag magic_quotes_runtime off
    php_flag session.use_trans_sid off
    php_flag session.auto_start off
    php_admin_flag file_uploads on
    #php_admin_flag allow_url_fopen on

    php_value post_max_size 20M
    php_value upload_max_filesize 10M

    php_admin_value open_basedir "/usr/share/horde:/usr/share/horde/config:/usr/share/pear:/tmp"
    php_admin_flag register_globals off
</Directory>

<Directory /usr/share/horde/config>
    Order Deny,Allow
    Deny from all
</Directory>

<DirectoryMatch "^/usr/share/horde/(.*/)?(config|lib|locale|po|scripts|templates)/(.*)?">
    Order Deny,Allow
    Deny from all
</DirectoryMatch>

Increase PHP memory limit edit /etc/php.ini and change to below

memory_limit = 64M

Enable horde under SSL edit /etc/httpd/conf.d/ssl.conf and add the following to the default virtualhost between the tags

Servername mail.home.topdog-software.com:443
DocumentRoot /usr/share/horde

Configure Exim

Switch the MTA to exim

 system-switch-mail (select exim)

Anti-virus / Sanesecurity Checks

Configure Exim (/etc/exim/exim.conf) to use clamav to scan incoming mail and reject virus infected email and image and pdf spam at smtp time.

av_scanner = clamd:/var/run/clamav/clamd.sock

RBL's

Configure the RBL's under acl_check_rcpt:

drop    message       = REJECTED because $sender_host_address is in a black list spamhaus.org
           dnslists      = zen.spamhaus.org

drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = bl.spamcop.net

drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = dnsbl.sorbs.net

Anti Spam

If you want to reject messages from servers with no reverse dns add this under acl_check_rcpt:, it does have a exception list to which you can add domains where the acl should not be applied and trys to deliver a test message to sending address to verify if the sender is valid.

drop  message   = REJECTED - We don't accept messages from hosts without reverse DNS
        log_message = No reverse DNS
        domains = ! lsearch;/etc/exim/checks_exempt_hosts
        !verify = reverse_host_lookup
        !verify = sender/callout=2m,defer_ok
        !condition =  ${if eq{$sender_verify_failure}{}}

To reject messages from clients that dont provide a HELO/EHLO add this to acl_check_rcpt:

drop  message  = REFUSED - no HELO/EHLO greeting
        log_message = remote host did not present greeting
        condition = ${if def:sender_helo_name {false}{true}}

You can rate limit the connections to your server as well add this to acl_check_connect: to do so (read the exim docs on the parameters if you want to fine tune it for your site)

deny ratelimit = 250 / 15m / strict
       message = You can only send $sender_rate per $sender_rate_period
       log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)

accept

Stop rogue spam bots from trashing your machine

smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1

Don't advertise pipelining

pipelining_advertise_hosts =

Enable Spamassassin checks

spamd_address = /var/run/spamassassin/spamd.sock

Reject all messages with score above 6 at smtp time. (acl_check_data)

accept  condition  = ${if >={$message_size}{100000} {1}}
        add_header = X-Spam-Note: SpamAssassin run bypassed due to message size

  warn    spam       = nobody/defer_ok
        add_header = X-Spam-Flag: YES

  accept  condition  = ${if !def:spam_score_int {1}}
        add_header = X-Spam-Note: SpamAssassin invocation failed

  warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
#       X-Spam-Report: $spam_report

  drop    condition = ${if >{$spam_score_int}{60} {1}}
        message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
        $spam_report

Mail routing

Enable access to Mysql database

hide mysql_servers = localhost/horde/horde/hordepassword

Modify the local delivery router to deliver to cyrus but verify the email address of user before delivery (in routers section of exim.conf)

localuser:
  driver = accept
  local_parts = ${lookup mysql {SELECT REPLACE(user_uid,'${quote_mysql:@$domain}','') \
         as user FROM horde_users WHERE user_uid='${quote_mysql:$local_part@$domain}'}{$value}}
  transport = local_delivery
  cannot_route_message = Unknown user

Create a transport to deliver to cyrus via lmtp socket

local_delivery:
  driver = lmtp
  socket = /var/lib/imap/socket/lmtp
  batch_max = 50
  user = cyrus

SMTP Authentication

Add the following to the authentication section of /etc/exim/exim.conf

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_set_id = $2
  server_condition = ${if saslauthd{{$2}{$3}{pop}}{1}{0}}
  server_advertise_condition = true

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$1}{$2}{pop}}{1}{0}}
  server_set_id = $1
  server_advertise_condition = true

Full sample configuration

Download the full configuration file here

Configure Mysql

Disable TCP networking edit /etc/my.cnf and the following in the mysqld section

skip-networking

Set root password

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h impi password 'new-password' -p

Configure Horde

Edit the sql file and change the mysql password for the horde user

cp /usr/share/horde/scripts/sql/create.mysql.sql .
vi create.mysql.sql

REPLACE INTO user (host, user, password)
    VALUES (
        'localhost',
        'horde',
-- IMPORTANT: Change this password!
        PASSWORD('hordepassword')
);

Create the user and populate the horde database

mysql -p < create.mysql.sql

Create the tables for turba (Address book)

mysql -p horde < /usr/share/horde/turba/scripts/sql/turba_objects.mysql.sql

Create the tables for kronolith (calendering)

mysql -p horde < /usr/share/horde/kronolith/scripts/sql/kronolith.mysql.sql

Horde configuration

Create horde base configuration /usr/share/horde/config/conf.php

<?php
$conf['debug_level'] = E_ALL;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
$conf['umask'] = 077;
$conf['use_ssl'] = 2;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['server']['port'] = $_SERVER['SERVER_PORT'];
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['username'] = 'horde';
$conf['sql']['password'] = 'hordepassword';
$conf['sql']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sql']['protocol'] = 'unix';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'iso-8859-1';
$conf['sql']['phptype'] = 'mysqli';
$conf['auth']['admins'] = array('Administrator', 'andrew@home.topdog-software.com');
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['params']['driverconfig'] = 'horde';
$conf['auth']['params']['table'] = 'horde_users';
$conf['auth']['params']['username_field'] = 'user_uid';
$conf['auth']['params']['password_field'] = 'user_pass';
$conf['auth']['params']['encryption'] = 'md5-hex';
$conf['auth']['params']['show_encryption'] = false;
$conf['auth']['driver'] = 'sql';
$conf['signup']['allow'] = false;
$conf['log']['priority'] = PEAR_LOG_NOTICE;
$conf['log']['ident'] = 'HORDE';
$conf['log']['params'] = array();
$conf['log']['name'] = '/tmp/horde.log';
$conf['log']['params']['append'] = true;
$conf['log']['type'] = 'file';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = false;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'sql';
$conf['datatree']['params']['driverconfig'] = 'horde';
$conf['datatree']['driver'] = 'sql';
$conf['group']['driver'] = 'datatree';
$conf['cache']['default_lifetime'] = 1800;
$conf['cache']['params']['dir'] = Horde::getTempDir();
$conf['cache']['params']['gc'] = 86400;
$conf['cache']['driver'] = 'file';
$conf['token']['driver'] = 'none';
$conf['mailer']['params']['auth'] = '0';
$conf['mailer']['type'] = 'smtp';
$conf['vfs']['params']['driverconfig'] = 'horde';
$conf['vfs']['type'] = 'sql';
$conf['sessionhandler']['params']['persistent'] = false;
$conf['sessionhandler']['params']['rowlocking'] = true;
$conf['sessionhandler']['params']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sessionhandler']['params']['protocol'] = 'unix';
$conf['sessionhandler']['params']['hostspec'] = 'localhost';
$conf['sessionhandler']['params']['username'] = 'horde';
$conf['sessionhandler']['params']['password'] = 'hordepassword';
$conf['sessionhandler']['params']['database'] = 'horde';
$conf['sessionhandler']['type'] = 'mysql';
$conf['problems']['email'] = 'webmaster@home.topdog-software.com';
$conf['problems']['maildomain'] = 'home.topdog-software.com';
$conf['problems']['tickets'] = false;
$conf['menu']['apps'] = array();
$conf['menu']['always'] = true;
$conf['menu']['links']['help'] = 'authenticated';
$conf['menu']['links']['help_about'] = true;
$conf['menu']['links']['options'] = 'authenticated';
$conf['menu']['links']['problem'] = 'never';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['hooks']['permsdenied'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['preauthenticate'] = false;
$conf['hooks']['postauthenticate'] = false;
$conf['hooks']['authldap'] = false;
$conf['portal']['fixed_blocks'] = array();
$conf['accounts']['driver'] = 'null';
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;

Set horde preferences to make web mail the default application on logging in. Edit the file /usr/share/horde/config/prefs.php and modify $_prefs['initial_application'] to look as below

$_prefs['initial_application'] = array(
    'value' => 'imp',
    'locked' => true,
    'shared' => true,
    'type' => 'select',
    'desc' => sprintf(_("What application should %s display after login?"), $GLOBALS['registry']->get('name'))
);

Make horde work from within the default root of the web servers, edit /usr/share/horde/config/registry.php and modify $this→applications['horde'] as below

$this->applications['horde'] = array(
    'fileroot' => dirname(__FILE__) . '/..',
    'webroot' => '',
    'initial_page' => 'login.php',
    'name' => _("Horde"),
    'status' => 'active',
    'templates' => dirname(__FILE__) . '/../templates',
    'provides' => 'horde'
);

IMP configuration

Create imp base configuration /usr/share/horde/imp/config/conf.php

<?php
$conf['utils']['spellchecker'] = '/usr/bin/aspell';
$conf['utils']['gnupg'] = '/usr/bin/gpg';
$conf['utils']['gnupg_keyserver'] = array('pgp.mit.edu');
$conf['utils']['gnupg_timeout'] = '10';
$conf['utils']['openssl_cafile'] = '/etc/pki/tls/certs';
$conf['utils']['openssl_binary'] = '/usr/bin/openssl';
$conf['menu']['apps'] = array('ingo', 'kronolith', 'passwd', 'turba');
$conf['user']['select_sentmail_folder'] = false;
$conf['user']['allow_resume_all_in_drafts'] = true;
$conf['user']['allow_folders'] = true;
$conf['user']['allow_resume_all'] = false;
$conf['user']['allow_view_source'] = true;
$conf['user']['alternate_login'] = false;
$conf['user']['redirect_on_logout'] = false;
$conf['server']['change_server'] = false;
$conf['server']['change_port'] = false;
$conf['server']['change_protocol'] = false;
$conf['server']['change_smtphost'] = false;
$conf['server']['change_smtpport'] = false;
$conf['server']['server_list'] = 'none';
$conf['server']['sort_limit'] = '0';
$conf['server']['cache_folders'] = false;
$conf['server']['cache_msgbody'] = true;
$conf['mailbox']['show_attachments'] = false;
$conf['mailbox']['show_preview'] = false;
$conf['mailbox']['show_xpriority'] = false;
$conf['fetchmail']['show_account_colors'] = false;
$conf['fetchmail']['size_limit'] = '4000000';
$conf['msgsettings']['filtering']['words'] = './config/filter.txt';
$conf['msgsettings']['filtering']['replacement'] = '****';
$conf['spam']['reporting'] = false;
$conf['notspam']['reporting'] = false;
$conf['msg']['prepend_header'] = true;
$conf['msg']['append_trailer'] = true;
$conf['compose']['allow_cc'] = true;
$conf['compose']['allow_bcc'] = true;
$conf['compose']['allow_receipts'] = true;
$conf['compose']['special_characters'] = true;
$conf['compose']['use_vfs'] = false;
$conf['compose']['link_attachments'] = false;
$conf['compose']['add_maildomain_to_unexpandable'] = false;
$conf['compose']['attach_size_limit'] = '0';
$conf['compose']['attach_count_limit'] = '0';
$conf['hooks']['vinfo'] = false;
$conf['hooks']['signature'] = false;
$conf['hooks']['trailer'] = false;
$conf['hooks']['fetchmail_filter'] = false;
$conf['hooks']['mbox_redirect'] = false;
$conf['hooks']['mbox_icon'] = false;
$conf['hooks']['spam_bounce'] = false;
$conf['maillog']['use_maillog'] = true;
$conf['tasklist']['use_tasklist'] = true;
$conf['notepad']['use_notepad'] = true;

Create IMP servers configuration /usr/share/horde/imp/config/servers.php (remove all others) with content below

<?php

$servers['cyrus'] = array(
    'name' => 'localserver',
    'server' => 'localhost',
    'hordeauth' => 'full',
    'protocol' => 'imap/notls',
    'port' => 143,
    'maildomain' => '',
    'smtphost' => 'localhost',
    'smtpport' => 25,
    'realm' => '',
    'preferred' => '',
    'admin' => array(
        'params' => array(
            'login' => 'cyrus',
            'password' => '',
            'userhierarchy' => 'user.',
            'protocol' => 'imap/notls',
            'hostspec' => 'localhost',
            'port' => 143
        )
    ),
    'quota' => array(
        'driver' => 'cyrus',
        'params' => array(),
    ),
    'acl' => array(
        'driver' => 'rfc2086',
    ),
);

Prevent compose window from being a popup, edit /usr/share/horde/imp/config/prefs.php and change the variable $_prefs['compose_window'] to look like below

$_prefs['compose_popup'] = array(
    'value' => 0,
    'locked' => true,
    'shared' => true,
    'type' => 'checkbox',
    'desc' => _("Compose messages in a separate window?"));

Kronolith configuration

Create kronolith base configuration /usr/share/horde/kronolith/config/conf.php

<?php
$conf['calendar']['params']['table'] = 'kronolith_events';
$conf['calendar']['params']['driverconfig'] = 'horde';
$conf['calendar']['driver'] = 'sql';
$conf['storage']['params']['table'] = 'kronolith_storage';
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['metadata']['keywords'] = false;
$conf['reminder']['server_name'] = 'home.topdog-software.com';
$conf['reminder']['from_addr'] = 'postmaster@home.topdog-software.com';
$conf['autoshare']['shareperms'] = 'none';
$conf['menu']['print'] = true;
$conf['menu']['import_export'] = true;
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');

Turba configuration

Configure the turba base configuration /usr/share/horde/turba/config/conf.php

<?php
$conf['menu']['import_export'] = true;
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');
$conf['client']['addressbook'] = 'localsql';
$conf['comments']['allow'] = true;
$conf['documents']['type'] = 'horde';

Ingo configuration

Configure the ingo base configuration /usr/share/horde/ingo/config/conf.php

<?php
$conf['menu']['apps'] = array('imp', 'kronolith', 'turba');
$conf['storage']['driver'] = 'prefs';
$conf['storage']['maxblacklist'] = 0;
$conf['storage']['maxwhitelist'] = 0;
$conf['rules']['userheader'] = true;
$conf['rules']['usefolderapi'] = true

Configure the ingo backend to use timsieved in /usr/share/horde/ingo/config/backends.php (remove all other backends)

<?php
$backends['sieve'] = array(
    'driver' => 'timsieved',
    'preferred' => 'localhost',
    'hordeauth' => 'full',
    'params' => array(
        'hostspec' => 'localhost',
        'logintype' => 'PLAIN',
        'usetls' => true,
        'port' => 2000,
        'scriptname' => 'ingo',
    ),
    'script' => 'sieve',
    'scriptparams' => array()
);

Passwd configuration

Configure the passwd base configuration /usr/share/horde/passwd/config/conf.php

<?php
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');
$conf['backend']['backend_list'] = 'hidden';
$conf['user']['change'] = true;
$conf['user']['refused'] = array('root', 'bin', 'daemon', 'adm', 'lp', 'shutdown',
'halt', 'uucp', 'ftp', 'anonymous', 'nobody', 'httpd', 'operator',
'guest', 'diginext', 'bind', 'cyrus', 'courier', 'games', 'kmem',
'mailnull', 'man', 'mysql', 'news', 'postfix', 'sshd', 'tty', 'www');
$conf['password']['strengthtests'] = false;
$conf['hooks']['full_name'] = true;
$conf['hooks']['default_username'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['userdn'] = false;

Configure the passwd back end to use the horde mysql database in /usr/share/horde/passwd/config/backends.php (remove all others)

<?php
$backends['hordesql'] = array (
    'name' => 'Horde Authentication',
    'preferred' => '',
    'password policy' => array(
        'minLength' => 5,
        'maxLength' => 8,
        'maxSpace' => 0,
        'minUpper' => 1,
        'minLower' => 1,
        'minNumeric' => 1,
        'minSymbols' => 1
    ),
    'driver' => 'sql',
    'params' => array_merge($conf['sql'],
                            array('table' => 'horde_users',
                                  'user_col' => 'user_uid',
                                  'pass_col' => 'user_pass',
                                  'show_encryption' => false)),
);

Secure Horde installation

Secure the horde installation

 chown apache:root -R /usr/share/horde/config
 chown apache:root -R /usr/share/horde/*/config
 chmod -R go-rwx /usr/share/horde/config
 chmod -R go-rwx /usr/share/horde/*/config
 chown -R root:root /usr/share/horde/scripts
 chown -R root:root /usr/share/horde/*/scripts
 chmod -R go-rwx /usr/share/horde/scripts
 chmod -R go-rwx /usr/share/horde/*/scripts
 chmod a-rwx /usr/share/horde/test.php
 chmod a-rwx /usr/share/horde/*/test.php
 find /usr/share/horde/ -iname readme -exec rm -f {} \;
 find /usr/share/horde/ -iname todo -exec rm -vf {} \;
 find /usr/share/horde/ -iname license -exec rm -vf {} \;
 find /usr/share/horde/ -iname copying -exec rm -vf {} \;
 find /usr/share/horde/ -iname docs -exec rm -vrf {} \;

Configure Cyrus-imapd

The cyrus-imapd system will have virtual hosting enabled, sieve scripts, quota's set to 10MB, auto creation (& auto subscription) of the mailbox with these folders (INBOX,sent-mail,drafts,spam,trash). Authentication of users will take place aganist the Mysql database via SASL using the saslauthd daemon.

Create the configuration /etc/imapd.conf with the following content

configdirectory: /var/lib/imap
servername: TDS-IMAP/POP3
partition-default: /var/spool/imap
virtdomains: on
defaultdomain: localhost.localdomain
admins: andrew@home.topdog-software.com
postmaster: support@home.topdog-software.com
quotawarn: 85
lmtp_over_quota_perm_failure: 1
lmtp_strict_quota: 1
autocreatequota: 10240
createonpost: 1
autocreateinboxfolders: sent-mail|drafts|spam|trash
autosubscribeinboxfolders: sent-mail|drafts|spam|trash
autocreate_sieve_script: /etc/default_sieve
autocreate_sieve_compiledscript: /etc/default_sieve_script.bc
sievedir: /var/lib/imap/sieve
md5_dir: /var/lib/imap/md5
#sievenotifier: sms
#sendsms: /usr/bin/mysmsprog
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplainwithouttls: 0
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
loglevel: info

Create the configuration /etc/cyrus.conf with the following content

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
  # replication
  # syncclient       cmd="/usr/lib/cyrus-imapd/sync_client -r"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=1 proto=tcp maxchild=100 maxfds=1000 provide_uuid=1
#  imaps                cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=1 proto=tcp maxchild=100 maxfds=1000 provide_uuid=1
#  pop3s                cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="localhost:sieve" prefork=0 proto=tcp maxfds=1000 provide_uuid=1

  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=3
#  nntps                cmd="nntpd -s" listen="nntps" prefork=1

  #fud
  # fud           cmd="fud" listen="fud" prefork=1 proto="udp"
  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 maxfds=1000 provide_uuid=1

  # this is only necessary if using notifications
  notify        cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
  # replication
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30 maxfds=1000

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  #tlsprune     cmd="tls_prune" at=0400
  squat         cmd="squatter"  period=30
}

Configure Pam_mysql

Pam_mysql will be used to authenticate the following cyrus-imapd services aganist the mysql database, IMAP,POP,SIEVE,LMTP,CSYNC.

Pam_mysql configuration

Enable pam_mysql for the services make the changes below.

/etc/pam.d/imap

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

/etc/pam.d/pop

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

/etc/pam.d/sieve

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

/etc/pam.d/lmtp

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

/etc/pam.d/csync

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

Saslauthd configuration

Edit /etc/sysconfig/saslauthd and modify to below

SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS="-r -n 0 -c"

Configure ClamAV

Add the clamav user to the exim group.

usermod -G exim clamav

Change the location of the socket and disable TCP. Make changes to /etc/clamd.conf

LocalSocket /var/run/clamav/clamd.socket
#TCPSocket 3310
#TCPAddr 127.0.0.1

Install sane security signatures

wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh

Enable local selinux module for clamav, create file clamdlocal.te and add the following

module clamdlocal 1.0;

require {
        type proc_t;
        type var_t;
        type sysctl_kernel_t;
        type var_spool_t;
        type clamd_t;
        class dir { write search read remove_name add_name };
        class file { write getattr read lock create unlink };
}

#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_spool_t:dir read;
allow clamd_t var_spool_t:file { read getattr };
allow clamd_t var_t:dir { write read add_name remove_name };
allow clamd_t var_t:file { write getattr read lock create unlink };

Compile and load the module

checkmodule -M -m -o clamdlocal.mod clamdlocal.te
semodule_package -o clamdlocal.pp -m clamdlocal.mod
semodule -i clamdlocal.pp

Configure Spamassassin

Modify the startup options edit /etc/sysconfig/spamassassin and modify as below

SPAMDOPTIONS=" -l -d -c -m5 -H -m 10 --socketpath=/var/run/spamassassin/spamd.sock --socketowner=exim"

Enable local spamd module for spamassassin, create file spamdlocal.te and add the following

module spamdlocal 1.0;

require {
        type spamd_t;
        type spamd_var_run_t;
        class capability { fowner chown kill };
        class sock_file { write create unlink getattr setattr };
}

#============= spamd_t ==============
allow spamd_t self:capability { fowner chown kill };
allow spamd_t spamd_var_run_t:sock_file { write create unlink getattr setattr };

Compile and install the module

checkmodule -M -m -o spamdlocal.mod spamdlocal.te
semodule_package -o spamdlocal.pp -m spamdlocal.mod
semodule -i spamdlocal.pp

Final touches

Disable services

Disable unwanted services, use this script

Enable services

chkconfig --level 234 exim on
chkconfig --level 234 mysqld on
chkconfig --level 234 spamassassin on
chkconfig --level 234 clamd on
chkconfig --level 234 httpd on
chkconfig --level 234 saslauthd on
chkconfig --level 234 cyrus-imapd on

service mysqld restart
service saslauthd restart
service spamassassin restart
service clamd restart
service exim restart
service cyrus-imapd restart
service httpd restart

Create admin user

Create a file admin.sql and add the following (modify the password to suite you)

USE horde;

REPLACE INTO horde_users (user_uid,user_pass)
    VALUES (
        'andrew@home.topdog-software.com',
-- Change this
        md5('verystrongpassword'),
);

Add user to database

mysql -p horde < admin.sql

Firewall

Add these rules in your configuration file /etc/sysconfig/iptables

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT

Login

Phew ! you are done. Open your browser and go to https://192.168.1.4/ and login with the details above, you can the create other users under administration → users. You can test all the other features as well.

References

• http://www.horde.org
• http://wiki.horde.org/CentOS5InstallationNotes
• http://sanesecurity.co.uk/clamav/
• http://www.exim.org/
• http://cyrusimap.web.cmu.edu/imapd/install.html
• http://pam-mysql.sourceforge.net/
• http://dev.mysql.com/

Domainkeys is DomainKeys is a method of e-mail authentication. Unlike some other methods, it offers almost end-to-end integrity from a signing to a verifying Mail Transfer Agent (MTA). In most cases the signing MTA acts on behalf of the sender, and the verifying MTA on behalf of the receiver. DomainKeys is specified in Historic RFC 4870, which is obsoleted by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures. according to the wikipedia. So why a how to on it when there is DKIM ? Well domainkeys is still actively being used and is more widely deployed than DKIM, the developer yahoo still uses it to sign and verify mail although they are contributers to the DKIM standard.

We will be using the milter implementation of domainkeys http://sourceforge.net/projects/dk-milter on CENTOS 5.1.

Installation

Install the rpm

# rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm

Generate the keys

A script to do this is provided with the rpm.

# /usr/share/doc/dk-milter-0.6.0/gentxt.sh <selector> <domainname>

Where is anything you want to call it i use default and is your domain name for which you will be signing mail. This script will produce 3 files

.txt - this contains the text to add to your zone file

default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADS
wAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG9Oh2SpUytaru
P/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==" ; ----- DomainKey default for example.com

.public - It is the public key

-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoR
illFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==
-----END PUBLIC KEY-----

.private - This is the private key

-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG
9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQJACHWqPCf+/yW0dmv24yWY
/eIFy3PNZNNxol2YjpVIZ28SgOSRrC0vzH+SpR1WZURAOcHi+WQa0AJPeqxM4Y1g
xQIhAMVjPNPW8u0sMpNIcev9JBUjUjbilOgY2FTfyNQV0SKjAiEAwBrO5T8XLZQ6
eRUUzz7yWYCHZln6CgD0lhBuZzu4wP8CIQCq8AT2Y7ie4l6uI9fcia2czKjfNRvF
X/bAkchGutoRRwIgF2KsEQgvICNNQvQoBlqZUf/te640XAdlvubdKcABa60CIQCU
DKlMOSxHp4Ms+KT41MFHkHDI/gkFfHvVRhL1PmuwtQ==
-----END RSA PRIVATE KEY----

Install the private key

mv default.private /etc/mail/domainkeys/dk_.pem

 # chown dk-milt.dk-milt /etc/mail/domainkeys/dk_<domainname>.pem
 # chmod 600 /etc/mail/domainkey/dk_<domainname>.pem

DNS

Add the contents of .txt to your DNS zone file

Add the following to your DNS zone file

_domainkey IN TXT "t=y; o=~"

Verify your DNS configuration http://domainkeys.sourceforge.net/policycheck.html

Configuration

Edit the file /etc/sysconfig/dk-milter and set the following options

# Default values
#
USER="dk-milt"
PORT="local:/var/run/dk-milter/dk.sock"
SIGNING_DOMAIN="<domainname>"
SELECTOR_NAME="<selector>"
KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
MILTER_GROUP="mail"

Configure Postfix

Add this to the postfix configuration file /etc/postfix/main.cf

smtpd_milters = unix:/var/run/dk-milter/dk.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock

Append to the existing milters if you have other milters already configured.

Start dk-milter and Restart Postfix

chkconfig –level 345 dk-milter on

# service dk-milter start
# service postfix restart

Testing

To test send a mail to autorespond+dk@dk.elandsys.com. you will recieve a response email with the test results. If you have a yahoo account you can send a mail to that as well a sample of signed message in yahoo is below

References

• http://en.wikipedia.org/wiki/Domainkeys
• http://domainkeys.sourceforge.net/
• http://www.elandsys.com/resources/sendmail/domainkeys.html
• http://www.postfix.org/MILTER_README.html
• http://www.topdog-software.com/oss/dk-milter/