Oh my God, this is the first time I have successfully made Sendmail work with DKIM for outgoing and SPF verification for incoming emails. Hey, HSBC and Citibank do not use DKIM for anti-phishing even though they send email notices to customers. In short, I am doing better than the two banks.
The benefits are twofold. My emails can be verified by other DKIM-enabled SMTP servers for source authentication, and the signature can guarantee that no tampering occurred in the end-to-end delivery process. On my server, the same can be done.
The public key can be found by:
# dig -t txt sept2013._domainkey.i3way.net
;; ANSWER SECTION:
sept2013._domainkey.i3way.net. 3600 IN TXT "v=DKIM1\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDq8KAvkv66AOeWd3UnpR74kDcIS4dkL8xR8wzzHUTvrrJR9l3B+X5wTZkHctfhjKHBmZg+W7MZW1b5O4SHI/n3FbqJ+6MK5jxHyx02Q6HSTtaYXjzalE3K0zgy4DRN7n/iYvRgS99OJw6LrKDcnzfRuO554G68aRgd32yflw+DQIDAQAB"
I forgot to mention that the RSA key pair has no expiry. I can use it for signing emails forever.
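As an added example (not part of the original post), the Python sketch below parses the TXT record from the dig output above and decodes the p= value to report the RSA modulus size and public exponent, flagging the g= tag and the key length. The function names are hypothetical, and the code assumes an RSA key in the usual SubjectPublicKeyInfo encoding.

```python
import base64

# TXT record as dig printed it on this page, \; escapes included.
RECORD = (r"v=DKIM1\; g=*\; k=rsa\; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDq8KAvkv66AOeWd3UnpR74kDcIS4dkL8xR8wzzHUT"
    "vrrJR9l3B+X5wTZkHctfhjKHBmZg+W7MZW1b5O4SHI/n3FbqJ+6MK5jxHyx02Q6HSTtaYXjzalE3K0zg"
    "y4DRN7n/iYvRgS99OJw6LrKDcnzfRuO554G68aRgd32yflw+DQIDAQAB")

def parse_tags(txt):
    """Split a DKIM key record into tag=value pairs (RFC 6376, section 3.6.1)."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def read_tlv(buf, pos, expect):
    """Return (value, next_pos) of the DER element at pos, checking its tag."""
    if buf[pos] != expect:
        raise ValueError(f"expected DER tag {expect:#x}, got {buf[pos]:#x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_key_info(p_value):
    """Return (modulus_bits, public_exponent) from a base64 SubjectPublicKeyInfo."""
    spki, _ = read_tlv(base64.b64decode(p_value), 0, 0x30)  # outer SEQUENCE
    _, pos = read_tlv(spki, 0, 0x30)        # AlgorithmIdentifier, skipped
    bits, _ = read_tlv(spki, pos, 0x03)     # BIT STRING holding the key
    rsa, _ = read_tlv(bits, 1, 0x30)        # byte 0 is the unused-bits count
    mod, pos = read_tlv(rsa, 0, 0x02)       # modulus INTEGER
    exp, _ = read_tlv(rsa, pos, 0x02)       # publicExponent INTEGER
    return int.from_bytes(mod, "big").bit_length(), int.from_bytes(exp, "big")

def audit(txt):
    """Return (modulus_bits, exponent, findings) for an RSA DKIM key record."""
    tags, findings = parse_tags(txt), []
    if "g" in tags:
        findings.append("g= tag is obsolete since RFC 6376 and can be dropped")
    if not tags.get("p"):  # an empty p= means the key has been revoked
        return 0, 0, findings + ["empty p=: key is revoked"]
    bits, exp = rsa_key_info(tags["p"])
    if bits < 2048:
        findings.append(f"{bits}-bit RSA key: RFC 8301 recommends at least 2048")
    return bits, exp, findings

if __name__ == "__main__":
    print(audit(RECORD))
```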
For DKIM, the process as I can recall is:
1. Generate a key pair under the designated path /etc/mail/dkim-milter/keys, specifying a selector (e.g. sept2013, my-dkim etc.)
2. Extract the public key for publishing as DNS TXT records
3. Edit keylists to tell which public keys are to be included and for what domain
4. Edit sendmail.mc to add:
INPUT_MAIL_FILTER(`dkim-filter', `S=local:/var/run/dkim-milter/dkim-milter.sock')
5. Recompile sendmail.mc to sendmail.cf with m4
6. Start up dkim-milter
7. Restart sendmail