DomainKey -- What you need to know


Contributed by our forum member Maga

Why DomainKey?

DomainKey was first implemented by Yahoo to detect forged sender addresses.
The sending server signs a mail with a private key; the receiving server checks the
signature with the corresponding public key. The public key is published as a DNS
record in the sender's domain.

For those who are familiar with SPF, the DomainKey approach is similar: the receiving
server can verify that the mail was sent from the proper server. In addition, the receiving
server can verify that the mail has not been altered in transit. The advantage of DomainKey
over SPF is that neither forwarding nor relaying breaks the signature, as long as the mail
is not converted or re-addressed.

DomainKey has since been developed further into DKIM. XWall does not implement
the DKIM standard. Servers that use the newer DKIM standard still recognize DomainKey
signatures for backward compatibility.

Here is how you would configure XWall to use DomainKey:


1. Get and install OpenSSL

Either from
http://download.dataenter.co.at/ftp/demk/tls-toolkit.zip
or
http://www.slproweb.com/products/Win32OpenSSL.html

2. Generate an RSA key pair (a plain key pair; no certificate is needed):

openssl genrsa -out rsa.private.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
......................++++++
..................................++++++
e is 65537 (0x10001)

openssl rsa -in rsa.private.pem -out rsa.public.pem -pubout -outform PEM
writing RSA key

The result is two files, rsa.private.pem and rsa.public.pem:

File rsa.private.pem:
-----BEGIN RSA PRIVATE KEY-----
(private key body omitted)
-----END RSA PRIVATE KEY-----

File rsa.public.pem:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT8G/tP42m+Aumpdu48uyJDLjn
K9j+NFOm65EIkUWGiM4s/Zz+ejBGxTnG6P6/ExnhigF9QB9qGWnXesUMIbE0CD+r
BO6B+Umd4HKlfdGUweOn3UdS41jWHzphWDMu/Mo/LFq/2d6MN/AiOlRxp+A8msHJ
VN50OBnC/qKETB5G9QIDAQAB
-----END PUBLIC KEY-----

3. Copy the private keyfile to c:\xwall\cert\priv\rsa.private.pem

Copy the public keyfile (kept for reference only) to c:\xwall\cert\rsa.public.pem

4. Convert the public key file into a TXT record on the public DNS for your domain:

--------------------------
mail._domainkey IN TXT "k=rsa; p=MIG...(insert the base64 body of rsa.public.pem here, without the BEGIN/END lines, all on one line)...QAB"
--------------------------
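Building the TXT record by hand is where most DomainKey setups go wrong: a stray BEGIN/END line, a line break left in the base64, or a key that is not actually an RSA SubjectPublicKeyInfo. The script below is an added example (not part of the original article and not XWall code) that takes the rsa.public.pem shown in step 2, checks that it decodes to an rsaEncryption key, reports the modulus size, and emits the zone-file line for the "mail" selector. It also splits the value into 255-byte quoted strings, which a zone file requires once the key grows beyond what fits in a single TXT character-string. Only the Python standard library is used; the DER walker is a minimal one written for this example.

```python
import base64

# Public key copied from rsa.public.pem as shown in step 2 of the article.
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT8G/tP42m+Aumpdu48uyJDLjn
K9j+NFOm65EIkUWGiM4s/Zz+ejBGxTnG6P6/ExnhigF9QB9qGWnXesUMIbE0CD+r
BO6B+Umd4HKlfdGUweOn3UdS41jWHzphWDMu/Mo/LFq/2d6MN/AiOlRxp+A8msHJ
VN50OBnC/qKETB5G9QIDAQAB
-----END PUBLIC KEY-----
"""

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def pem_body(pem: str) -> str:
    """Return the base64 payload of a PEM block joined onto one line (the p= value)."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    return "".join(lines[1:-1])


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(pem: str):
    """Parse a SubjectPublicKeyInfo and return (modulus bits, public exponent).

    Raises ValueError if the key is not an RSA key, so 'k=rsa' is never published
    for something else."""
    der = base64.b64decode(pem_body(pem), validate=True)
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = _der_read(spki, 0)     # AlgorithmIdentifier
    _, oid, _ = _der_read(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsapub, _ = _der_read(bitstr, 1)    # skip the unused-bits byte
    _, n, pos = _der_read(rsapub, 0)       # modulus INTEGER
    _, e, _ = _der_read(rsapub, pos)       # publicExponent INTEGER
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def domainkey_txt_record(selector: str, pem: str, chunk: int = 255) -> str:
    """Build the zone-file line for <selector>._domainkey.

    A single TXT character-string is limited to 255 bytes, so a longer value is
    written as several adjacent quoted strings, which resolvers concatenate."""
    rsa_key_info(pem)                      # refuse anything that is not a parseable RSA key
    value = "k=rsa; p=" + pem_body(pem)
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    return "%s._domainkey IN TXT %s" % (selector, " ".join('"%s"' % p for p in parts))


if __name__ == "__main__":
    print("key: %d-bit RSA, e=%d" % rsa_key_info(PUBLIC_KEY_PEM))
    print(domainkey_txt_record("mail", PUBLIC_KEY_PEM))
```

Run it with the real rsa.public.pem in place of the embedded one and paste the printed line into the zone; the p= value it emits is exactly the PEM body with the BEGIN/END lines removed and the line breaks dropped.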

5. Configure XWall to use the private key for signing:

MBAdmin, Options, DomainKeys, DomainKeys Sign,
New, DomainKeys certificate rule
For messages from e-mail address: *@example.com
to e-mail address: *
use the certificate (file in PEM format): rsa.private.pem
and this selector: mail

Configure XWall to mark incoming mails with bad DomainKey signatures:
MBAdmin, Options, DomainKeys, DomainKeys Verify
Check Verify DomainKey signature
Check Block messages when the DomainKey signature is not valid
Action: Select appropriate action, e.g. "Mark subject and move to Junk-E-Mail folder"

6. Verify proper operation:

Outgoing:
Logfile MB.LOG:
09-05-12 11:02:08 107909: DKIM: Sign using rsa.private.pem

Incoming:
The logfile MB.LOG may contain some of these lines:
09-05-12 10:59:28 106154: DKIM: Signature is valid
09-05-12 09:37:21 63006: DKIM: Message is not valid syntax. Signature could not be created/checked
09-05-12 08:26:21 16235: DKIM: No signature available in message
09-05-12 06:35:42 519076: DKIM: Granularity mismatch: sender doesn't match g= option
09-05-11 15:18:52 10287: DKIM: No public key available (permanent failure)
09-05-11 21:31:25 243078: DKIM: Signature was available but failed to verify against domain specified key
09-05-11 15:16:38 0006: DKIM: Unusable key, public if verifying, private if signing

Headers in history message files:
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
d=example.com; s=mail;
h=Received:From:To:Reply-To:Subject:Date:X-Assembled-By:X-Mailer:Message-ID:X-XWALL-BCKS:Mime-Version:Content-Type:Content-Transfer-Encoding;
b=cqNeMJA0U5oUpFJf99u2Iw3xdQjm5M5Gts5gFO6PGokktUhF/E3D7b+y4zXN82eaS9JGE+vjmohP8j86PUo2Gpf5ZyAZENBmuj9v3/3y6SEJZpL3Jlu124slRa2KMkRb6ObXXvg+eq+FHI6Eq0KypOmpZ2WbdqmHsEUtZXr99CI=;
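When reading a signed message out of the history files, the useful questions are: which DNS name will a verifier query, which headers does the signature actually cover, and does the b= value have the size the published key implies (an RSA signature is as long as the modulus, so a 1024-bit key yields 128 bytes). The following is an added example, not code from the article or from XWall, that parses the DomainKey-Signature header shown above (refolded here with leading spaces, as it appears in a real message) and answers those questions; the tag names and the allowed values for a=, q= and c= are those defined for DomainKeys in RFC 4870.

```python
import base64

# DomainKey-Signature header from the history message file shown above,
# refolded with continuation whitespace as a message file would carry it.
HEADER = """DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 d=example.com; s=mail;
 h=Received:From:To:Reply-To:Subject:Date:X-Assembled-By:X-Mailer:Message-ID:X-XWALL-BCKS:Mime-Version:Content-Type:Content-Transfer-Encoding;
 b=cqNeMJA0U5oUpFJf99u2Iw3xdQjm5M5Gts5gFO6PGokktUhF/E3D7b+y4zXN82eaS9JGE+vjmohP8j86PUo2Gpf5ZyAZENBmuj9v3/3y6SEJZpL3Jlu124slRa2KMkRb6ObXXvg+eq+FHI6Eq0KypOmpZ2WbdqmHsEUtZXr99CI=;
"""


def unfold(header: str) -> str:
    """Join folded continuation lines into one logical header line."""
    return " ".join(line.strip() for line in header.splitlines() if line.strip())


def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' list; only the first '=' separates tag from value."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    return tags


def parse_domainkey_signature(header: str) -> dict:
    """Return the tag dictionary of a DomainKey-Signature header."""
    name, _, value = unfold(header).partition(":")
    if name.strip().lower() != "domainkey-signature":
        raise ValueError("not a DomainKey-Signature header")
    return parse_tags(value)


def key_lookup_name(tags: dict) -> str:
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def signed_headers(tags: dict) -> list:
    """Header names covered by the signature, in signing order (h= tag)."""
    return tags["h"].split(":") if tags.get("h") else []


def check_signature_header(header: str, required=("From", "Subject")) -> dict:
    """Sanity-check a DomainKey-Signature header and report what a verifier needs."""
    tags = parse_domainkey_signature(header)
    problems = []
    for tag in ("d", "s", "b"):
        if tag not in tags:
            problems.append("missing tag %s=" % tag)
    if tags.get("a") != "rsa-sha1":
        problems.append("unexpected algorithm %r" % tags.get("a"))
    if tags.get("q", "dns") != "dns":
        problems.append("unsupported query method %r" % tags.get("q"))
    if tags.get("c") not in ("simple", "nofws"):
        problems.append("unexpected canonicalization %r" % tags.get("c"))
    covered = signed_headers(tags)
    covered_lower = {h.lower() for h in covered}
    for name in required:
        if name.lower() not in covered_lower:
            problems.append("header %s is not covered by the signature" % name)
    sig_len = len(base64.b64decode(tags.get("b", ""))) if "b" in tags else 0
    return {
        "lookup": key_lookup_name(tags) if "s" in tags and "d" in tags else None,
        "signed_headers": covered,
        "signature_bytes": sig_len,
        "problems": problems,
    }


if __name__ == "__main__":
    info = check_signature_header(HEADER)
    print("query DNS TXT:", info["lookup"])
    print("covered headers:", ", ".join(info["signed_headers"]))
    print("signature length: %d bytes (%d-bit key)" % (info["signature_bytes"], info["signature_bytes"] * 8))
    print("problems:", info["problems"] or "none")
```

For the header above the lookup name is mail._domainkey.example.com, which is the record created in step 4, and the signature is 128 bytes, matching the 1024-bit key generated in step 2. A mismatch there, or a From/Subject header missing from h=, is worth investigating before blaming the receiving side.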

7. Send a test mail to one of these auto-responders:

Alt-N: dkim-test (at) altn (dot) com
Currently verifying both RFC4871 (and RFC4870):

Blackops: dktest (at) blackops (dot) org

Sendmail: sa-test (at) sendmail (dot) net
Currently verifying both draft allman-00 and allman-01 (better?):

Port 25: check-auth (at) verifier (dot) port25 (dot) com
Currently verifying both RFC4871 (and RFC4870):

Elandsys: autorespond+dkim (at) dk (dot) elandsys (dot) com
Currently verifying both RFC4871 (and RFC4870):

DKIM.ORG: dkim-test (at) testing (dot) dkim (dot) org