Qmail domain keys
From Gentoo Linux Wiki
Installation
Values such as example.com in the commands below are placeholders; substitute the details of your own setup.
1) emerge netqmail and set it up
2) emerge openssl
3) emerge libdomainkeys
4) emerge perl
Unfortunately there is no ebuild for qmail-dk so you will need to download the qmail source code and qmail-dk patch to build qmail-dk.
5) cd /usr/local/src/
6) wget http://cr.yp.to/software/qmail-1.03.tar.gz
7) wget http://www.qmail.org/qmail-1.03-dk-0.54.patch
8) tar -zxvf qmail-1.03.tar.gz
9) patch -d qmail-1.03/ < qmail-1.03-dk-0.54.patch
10) cp /usr/include/domainkeys.h /usr/local/src
11) cp /usr/lib/libdomainkeys.a /usr/local/src
12) cd qmail-1.03
13) Edit conf-cc and add the following
cc -O2 -include /usr/include/errno.h
14) Type make
make
The build may fail part way through, but qmail-dk should already have been built by then, which is all that is needed.
15) cp qmail-dk /var/qmail/bin/
16) chown qmailq /var/qmail/bin/qmail-dk
17) chmod 4711 /var/qmail/bin/qmail-dk
Setting up your RSA key pair
1) mkdir -p /etc/domainkeys/example.com/
2) cd /etc/domainkeys/example.com/
3) openssl genrsa -out rsa.private 768
4) openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
5) mv rsa.private default
6) chown -R qmailq /etc/domainkeys
7) chmod 0600 default
8) Make your public domainkey with the following command
grep -v ^- rsa.public | perl -e 'while(<>){chop;$l.=$_;}print "t=y; p=$l;\n";'
Create a TXT record for your DNS using BIND
1) Edit your /var/bind/example.com.hosts file and add the following two records, each on its own line.
_domainkey.example.com. IN TXT "t=y; o=-"
default._domainkey.example.com. IN TXT "t=y; k=rsa; p=enter your public key from step 8 just above"
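The grep/perl one-liner from step 8 and the two zone lines above, rewritten as an added Python example (not part of the original guide) that turns a PEM public key into the _domainkey records and parses them back the way a verifier would; the PEM body is constructed filler, not a real key, and the 255-byte TXT string split follows BIND's limit on a single quoted string.

```python
import re
from typing import Dict, List

# Constructed sample in the shape written by
# "openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM".
# The base64 body is made-up filler; only the PEM framing matters here.
SAMPLE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKxvpvbEYnn2tYVHdkKsJx1uY8kXBCoO
pm7nc9TQBEpBs/jxBBHK1mUvb8FjtvfGtkgtj3ZrTqaQ7RtRAV2NRIzyDdIhFeJq
dSQ3dL/4hJ5fmqYBYpaT0VnpE6ZqBwIDAQAB
-----END PUBLIC KEY-----
"""

def pem_to_p_value(pem: str) -> str:
    """Same as `grep -v ^- rsa.public | perl ...`: drop the BEGIN/END armour
    lines and concatenate the base64 body into one string for the p= tag."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-"))

def quote_txt(value: str, chunk: int = 255) -> str:
    """BIND refuses a single TXT string longer than 255 bytes. A 768-bit key
    fits in one string; longer keys are emitted as several quoted strings,
    which resolvers concatenate."""
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    return " ".join('"%s"' % p for p in parts)

def domainkey_records(domain: str, selector: str, pem: str,
                      testing: bool = True) -> List[str]:
    """Build the two zone lines from the guide: the policy record at
    _domainkey.<domain> and the selector record carrying the public key.
    testing=False drops the t=y flag, as the Conclusion section does."""
    flags = "t=y; " if testing else ""
    policy = flags + "o=-"
    key = flags + "k=rsa; p=" + pem_to_p_value(pem)
    return [
        "_domainkey.%s. IN TXT %s" % (domain, quote_txt(policy)),
        "%s._domainkey.%s. IN TXT %s" % (selector, domain, quote_txt(key)),
    ]

def parse_tags(txt: str) -> Dict[str, str]:
    """Read a tag=value record back: join the quoted strings, split on ';'."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def in_testing_mode(txt: str) -> bool:
    """True while the record still carries t=y (verifiers treat the domain as testing)."""
    return parse_tags(txt).get("t") == "y"
```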
Modify /etc/tcprules.d/tcp.qmail-smtp
nano /etc/tcprules.d/tcp.qmail-smtp
Where it says
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
add the following so it looks like this
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",DKSIGN="/etc/domainkeys/example.com/default",QMAILQUEUE="/var/qmail/bin/qmail-dk"
then run
tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/.tcp.qmail-smtp.tmp < /etc/tcprules.d/tcp.qmail-smtp
Modify /etc/tcprules.d/tcp.qmail-qmtp
nano /etc/tcprules.d/tcp.qmail-qmtp
Where it says
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
add the following so it looks like this
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",DKSIGN="/etc/domainkeys/example.com/default",QMAILQUEUE="/var/qmail/bin/qmail-dk"
Then run
tcprules /etc/tcprules.d/tcp.qmail-qmtp.cdb /etc/tcprules.d/.tcp.qmail-qmtp.tmp < /etc/tcprules.d/tcp.qmail-qmtp
Restart bind and qmail
/etc/init.d/named restart
/etc/init.d/svscan restart
Testing your new domainkey
You can test your new domainkey at these two websites.
1) http://senderid.espcoalition.org/
2) http://domainkeys.sourceforge.net/policycheck.html
Conclusion
Once you have everything working and the tests pass you can remove the following from your /var/bind/example.com.hosts file
t=y;
The t=y; means that your domain is in testing mode. After you remove it, remember to restart bind:
/etc/init.d/named restart
Also be aware that your key may not work right away: you have to wait for your DNS information to propagate around the world.
