About
DomainKeys Setup
Building dk-filter
Setup Private/Public Key
Sendmail Setup
System Setup
Starting dk-filter
DomainKeys Identified Mail Setup
Building dkim-filter
Sendmail Setup
System Setup
Starting dkim-filter
Sender-ID Setup
Building sid-filter
Whitelist Setup
Sendmail Setup
System Setup
Starting sid-filter
Monitoring & Testing

About

This document explains the method to set up DomainKeys, DomainKeys Identified Mail, and Sender-ID with Sendmail on a SLES 10.x system. Aside from the init startup scripts and locations of openssl and milter libs, this information will apply to most Linux distributions.

For years, spammers have forged the MAIL FROM and envelope addresses in email headers to conceal their identities. The original SMTP standard was drafted in 1982, long before there were enough people or networks to abuse the system. A new mail transfer protocol that could leverage updated technologies and account for the abusers would be excellent, but the monstrous effort to do that is only beginning and could take years before it is implemented and in a usable state. Meanwhile the spammers continue to improve their techniques and flood the networks with their unwanted solicitations. So, while the Internet waits for a more robust mail transfer protocol, several companies and individuals have proposed methods and techniques to help limit the amount of spam sent today. The proposals which have attracted the most attention are Yahoo!'s DomainKeys, Cisco's Identified Internet Mail, and Microsoft's Sender-ID. Since their original IETF drafts, Yahoo! and Cisco have merged their proposals to create DomainKeys Identified Mail.

DomainKeys Setup

DomainKeys uses a public/private key pair, published through DNS, to verify the origin of an email. The private key is kept on the mail server while the public key is stored in a DNS TXT record. The originating mail server inserts into the outgoing email a special header signed with its private key, together with a selector that tells the receiving mail server which DNS TXT record holds the matching public key.

By convention, all DomainKeys DNS TXT records have the form selector._domainkey.example.domain, e.g., dktest._domainkey.erikberg.com. Because selectors are completely under the organization's control, a new public key can be rolled out at any time: add a new DNS TXT record with the new key, tell sendmail to start signing with the new key, and keep the old record in DNS until it is certain that no emails signed with the old key are still in transit.

DomainKeys is released under a liberal license that ensures it will remain royalty-free. The source code is freely available and may be modified and sublicensed.

Support for inserting custom headers into outgoing emails was introduced with Sendmail version 8.13.1-beta3. SuSE 9.2 ships with Sendmail 8.13.1, but the latest Sendmail package for SuSE 9.1 is 8.12.x. Sendmail 8.13.1 can be built on SuSE 9.1 by using the src.rpm from SuSE 9.2, which also pulls in several other package dependencies.

Prerequisites:

Building dk-filter

Building dk-milter 0.3.3 on SuSE 9.1 is straightforward and should not complain. View the README and INSTALL documents for complete information for your system.

Changes for dk-filter/Makefile.m4

Changes for libdk/Makefile.m4

Changes for devtools/Site/site.config.m4

After the configuration files are correct, dk-filter can be built by running the included Build shell script and a make install.

$ pwd
/d2/software/dk-milter-0.3.3
$ sh Build
Making all in:
/d2/software/dk-milter-0.3.3/libar
Configuration: pfx=, os=Linux, rel=2.6.5-7.252-default, rbase=2, rroot=2.6.5-7, arch=i686, sfx=, variant=optimized
Using M4=/usr/bin/m4
Creating /d2/software/dk-milter-0.3.3/obj.Linux.2.6.5-7.252-default.i686/libar
using /d2/software/dk-milter-0.3.3/devtools/OS/Linux
Including /d2/software/dk-milter-0.3.3/devtools/Site/site.config.m4

 [ output from build/tests deleted ]

make[1]: Leaving directory `/d2/software/dk-milter-0.3.3/obj.Linux.2.6.5-7.252-default.i686/dk-filter'
$ su -c "make install"
Password:
Making install in:
/d2/software/dk-milter-0.3.3/libar

 [ output from install deleted ]

$

Setup Private/Public Key

The private/public key pair can be set up using openssl. The dk-milter package comes with a handy script named gentxt.csh to create a DomainKey record. This script writes public and private key files and prints a DNS TXT record suitable for inclusion in DNS to standard output. Note that the script creates a 512-bit key. To use a larger key, edit the script, find the openssl genrsa line, and change the number from 512 to a larger size, e.g., 1024.

$ pwd
/d2/software/dk-milter-0.3.3/dk-filter
$ ./gentxt.csh dktest erikberg.com > dktest._domainkey.erikberg.com
$ cat dktest._domainkey.erikberg.com
; ----- DomainKey dktest for erikberg.com
dktest._domainkey IN TXT "g=; k=rsa; t=y; p=MIGfMA0.............miQIDAQAB"
$

Alternatively, a suitable DomainKey record can be generated by hand using the following steps. The number argument on the openssl genrsa line indicates what size key to create; in this case, a 1024-bit key.

$ openssl genrsa -out dktest.private 1024
Generating RSA private key, 1024 bit long modulus
...................................++++++
....++++++
e is 65537 (0x10001)
$ openssl rsa -in dktest.private -out dktest.pub -pubout
writing RSA key
$ cat dktest.pub
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDU3/k/9+/KxCAfg4Gpuut8Bhbr
YJnmFJgbjJmnyjY4wTq39lckMuBHTz7s9rmmqAV9Ut3UrJZBhAOxQc78MVc4P6DN
8X76HuRyeee0NfFwgtdSV5X3r6EYRZZITjV3dqmpAnKDFuorFxA79Imhq4oJYA1Y
I7yXgdAsVO0oxCmqjQIDAQAB
-----END PUBLIC KEY-----
$ sed -e '1i\"g=; k=rsa; t=y; p=' -e '/^----/d' dktest.pub | \
> tr -d '\n' | sed -e 's/$/"\n/' > dktest._domainkey.erikberg.com
$ cat dktest._domainkey.erikberg.com
"g=; k=rsa; t=y; p=MIGfMA0..................miQIDAQAB"
$
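As an added example (my own code, not from the page or from dk-milter), the following sh script generalises the sed/tr pipeline above into a function that turns any PEM public key into a selector TXT record. It refuses to publish anything that is not a public key, can emit either the DomainKeys tags used on this page or the DKIM form (v=DKIM1, no g= tag), and splits the record into 255-octet strings when a larger key makes the p= value too long for a single TXT character-string. Function names are mine; the sample key written by write_sample_pubkey is the dktest.pub from the transcript above.

```shell
#!/bin/sh
# Added example, not code from the page or from dk-milter: turn a PEM public
# key into a selector TXT record, generalising the sed/tr pipeline above.
# Function names are my own; the sample key is the dktest.pub shown above.

# Print the base64 body of a PEM file as one line (headers and newlines removed).
pem_body() {
    sed -e '/^-----/d' "$1" | tr -d '\n\r '
}

# pem_to_txt_record FILE SELECTOR DOMAIN [dk|dkim]
# Emits one zone-file line. "dk" (default) uses the DomainKeys tags from the
# page (g=; k=rsa; t=y); "dkim" uses v=DKIM1; k=rsa with no g= tag, which is
# what dkim-testkey expects (see the granularity note in the DKIM section).
pem_to_txt_record() {
    file=$1 selector=$2 domain=$3 style=${4:-dk}

    # Refuse anything that is not a PEM *public* key: publishing the wrong
    # file (for instance dktest.private) in DNS would leak the signing key.
    case $(head -n 1 "$file") in
        '-----BEGIN PUBLIC KEY-----') ;;
        *) echo "pem_to_txt_record: $file is not a PEM public key" >&2; return 1 ;;
    esac
    body=$(pem_body "$file")
    case $body in
        ''|*[!A-Za-z0-9+/=]*)
            echo "pem_to_txt_record: $file body is not base64" >&2; return 1 ;;
    esac

    case $style in
        dk)   tags="g=; k=rsa; t=y; p=$body" ;;
        dkim) tags="v=DKIM1; k=rsa; p=$body" ;;
        *)    echo "pem_to_txt_record: unknown style $style" >&2; return 1 ;;
    esac

    # A single TXT character-string holds at most 255 octets. A 1024-bit key
    # fits in one string; a 2048-bit key does not, so split the record into
    # 255-octet quoted strings, which DKIM verifiers concatenate before use.
    strings=$(printf '%s\n' "$tags" | fold -w 255 | sed -e 's/.*/"&"/' | tr '\n' ' ')
    strings=${strings% }
    printf '%s._domainkey.%s. IN TXT %s\n' "$selector" "$domain" "$strings"
}

# Write the public key from the transcript above to PATH (sample input for the demo).
write_sample_pubkey() {
    cat <<'EOF' > "$1"
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDU3/k/9+/KxCAfg4Gpuut8Bhbr
YJnmFJgbjJmnyjY4wTq39lckMuBHTz7s9rmmqAV9Ut3UrJZBhAOxQc78MVc4P6DN
8X76HuRyeee0NfFwgtdSV5X3r6EYRZZITjV3dqmpAnKDFuorFxA79Imhq4oJYA1Y
I7yXgdAsVO0oxCmqjQIDAQAB
-----END PUBLIC KEY-----
EOF
}

# Demonstration: the record the manual steps above produced, plus the DKIM form.
demo=$(mktemp)
write_sample_pubkey "$demo"
pem_to_txt_record "$demo" dktest erikberg.com
pem_to_txt_record "$demo" dktest erikberg.com dkim
rm -f "$demo"
```

The owner name is printed fully qualified (with a trailing dot) so the line can be pasted into a zone file without depending on the zone's $ORIGIN; the page's gentxt.csh prints the relative form instead.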

The private key (dktest.private, renamed to dktest.pem below) is used by Sendmail/dk-filter to sign outgoing messages. It should be kept in a secure place.

# pwd
/d2/software/dk-milter-0.3.3/dk-filter
# mkdir -p /etc/mail/domainkeys
# chmod 0700 /etc/mail/domainkeys
# mv dktest.private /etc/mail/domainkeys/dktest.pem

The file with the public key, dktest._domainkey.erikberg.com, needs to be added to DNS as a TXT record. It is important that the record is added under the selector name that was used; in this case dktest is the selector name. DomainKey records always end with _domainkey.domainname.tld, so this record is added as dktest._domainkey.erikberg.com. Once the record is added to DNS, a query for the TXT record should return something like the following.

$ dig +short dktest._domainkey.erikberg.com txt
"g=\; k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOXcmAUfgtJOJ24NUhM7DQ9VNyOY//pNoufPjhN4GKJqHtMPMIz5gYW8dNiUgxWq9PuxiyadS4fqKS1mNNITOXfmZuljL7N+FaQYMsA5R5UZsgInOVyxXB0kYODE6fsQhLlUEELdUsVG3KvL7M97pu09dpeYznHEM92hGefAM2aQIDAQAB"
$

Sendmail Setup

Time to tell Sendmail about our dk-filter. This is done by adding the following line to the /etc/mail/linux.mc file.

dnl
dnl # Setup the sendmail filters; milter
dnl
dnl INPUT_MAIL_FILTER(`filter1', `S=local:/var/run/f1.sock, F=R')
INPUT_MAIL_FILTER(`dk-filter', `S=inet:8891@localhost')

Rebuild the sendmail.cf file in the normal way.

System Setup

DomainKeys currently does not come with any system start scripts, so it is necessary to create one. This script will start and stop the DomainKeys milter. The following script is installed in /etc/init.d/domainkeys with permissions set to 0755. The variable assignments at the top of the script (PORT, SIGNING_DOMAIN, USER, KEYFILE, SELECTOR_NAME and REJECTION) will need to be adjusted for each system.

#! /bin/sh
#
#
# /etc/init.d/domainkeys
#
#   and symbolic link
#
# /usr/sbin/rcdomainkeys
#
### BEGIN INIT INFO
# Provides:       domainkeys
# Required-Start: $remote_fs $syslog
# Required-Stop:
# X-UnitedLinux-Should-Start: sendmail
# X-UnitedLinux-Should-Stop:
# Default-Start:  3 5
# Default-Stop:
# Description:    Start the DomainKeys milter
### END INIT INFO

PORT="-p inet:8891@localhost"
SIGNING_DOMAIN="-d erikberg.com"
USER="-u domainkeys"
KEYFILE="-s /etc/mail/domainkeys/dktest.pem"
SELECTOR_NAME="-S dktest"
REJECTION="-C bad=r,dns=t,int=t,no=a,miss=r"
DOMAINKEYS_ARGS="-h -l $PORT $REJECTION $SIGNING_DOMAIN $USER $KEYFILE $SELECTOR_NAME"

. /etc/rc.status
rc_reset
case "$1" in
    start)
	echo -n "Starting DomainKeys milter"
	startproc /usr/bin/dk-filter $DOMAINKEYS_ARGS
	rc_status -v
	;;
    stop)
	echo -n "Shutting down DomainKeys milter"
	killproc -TERM /usr/bin/dk-filter
	rc_status -v
	;;
    try-restart)
	$0 stop && $0 start
	rc_status
	;;
    restart)
	$0 stop
	$0 start
	rc_status
	;;
    reload|force-reload)
	echo -n "Reload service DomainKeys"
	killproc -HUP /usr/bin/dk-filter
	rc_status -v
	;;
    status)
	echo -n "Checking for service DomainKeys: "
	checkproc /usr/bin/dk-filter
	rc_status -v
	;;
    *)
	echo "Usage: $0 {start|stop|status|try-restart|restart|reload}"
	exit 1
esac
rc_exit

After the script is installed, create a link to /usr/sbin/rcdomainkeys. For all interactive control, the rcdomainkeys command should be used. It accepts all of the following options: start, stop, status, try-restart, restart, and reload.

# ln -s /etc/init.d/domainkeys /usr/sbin/rcdomainkeys
#

To tell the system to start DomainKeys upon entering run levels that are specified in the domainkeys init.d script above (Default-Start: 3 5), the insserv program is used. The insserv command below adds DomainKeys to the system startup and the chkconfig --list command verifies it.

# insserv /etc/init.d/domainkeys
# chkconfig --list domainkeys
domainkeys                0:off  1:off  2:off  3:on   4:off  5:on   6:off
#

In the init script above, a USER variable is set to "-u domainkeys". When this option is passed to dk-filter, it runs as the user "domainkeys". Add the user "domainkeys" to the system with the useradd program. The line below creates a system account (the -r option) for the login name domainkeys.

# useradd -r -c "DomainKeys System Account" domainkeys
# grep domainkeys /etc/passwd
domainkeys:x:304:100:DomainKeys System Account:/home/domainkeys:/bin/false
#

Make sure the domainkeys system account can read the private key file, /etc/mail/domainkeys/dktest.pem. Change the ownership of this file to domainkeys and set the permissions to owner read-only (0400).

# chown domainkeys /etc/mail/domainkeys/dktest.pem
# chmod 400 /etc/mail/domainkeys/dktest.pem
# ls -l /etc/mail/domainkeys/
total 12
drwx------  2 domainkeys users 4096 Apr 21 09:40 .
drwxr-xr-x  7 root       root  4096 Apr 21 09:14 ..
-r--------  1 domainkeys users  887 Nov 19 19:48 dktest.pem
#
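As an added example (my own code, not from the page or from either milter package), the following sh function checks a private key file the way the ls output above is checked by eye: it must be a regular PEM private key, mode exactly 0400, owned by the milter user, in a directory that is mode 0700. dk-milter ships no dkim-testkey equivalent, so this is a useful pre-start check for DomainKeys as well as DKIM. The function name and the constructed key file in the demo are mine; the demo passes the current uid as the owner because the domainkeys account does not exist on a test machine.

```shell
#!/bin/sh
# Added example, not code from the page or from the milters: local sanity
# checks on a DomainKeys/DKIM private key before the milter is started.
# Usage: check_private_key /etc/mail/domainkeys/dktest.pem domainkeys
# (function name is my own; OWNER may be a user name or a numeric uid).

# Succeeds (exit 0) only when every check passes; reports each failure on stderr.
check_private_key() {
    key=$1 owner=$2 ok=0
    dir=$(dirname "$key")

    # 1. Must be a regular file whose first line is a PEM private-key header
    #    (catches a public key or a zone-file line dropped in by mistake).
    if [ ! -f "$key" ]; then
        echo "$key: not a regular file" >&2; ok=1
    else
        case $(head -n 1 "$key") in
            '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----') ;;
            *) echo "$key: does not start with a PEM private key header" >&2; ok=1 ;;
        esac
    fi

    # 2. Mode exactly 0400 and owned by the milter user. find's -perm without
    #    a leading - or + is an exact match, and -user accepts a name or uid.
    [ -n "$(find "$key" -prune -type f -perm 0400 -user "$owner" -print 2>/dev/null)" ] ||
        { echo "$key: must be mode 0400 and owned by $owner" >&2; ok=1; }

    # 3. Containing directory 0700 so other local users cannot list or traverse it.
    [ -n "$(find "$dir" -prune -type d -perm 0700 -print 2>/dev/null)" ] ||
        { echo "$dir: must be mode 0700" >&2; ok=1; }

    return $ok
}

# Demonstration on a constructed (not real) key file in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQgLSBOT1QgQSBSRUFMIEtFWQ==' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/dktest.pem"
chmod 0700 "$demo_dir"
chmod 0400 "$demo_dir/dktest.pem"
if check_private_key "$demo_dir/dktest.pem" "$(id -u)"; then
    echo "$demo_dir/dktest.pem: all key file checks passed"
fi
chmod 0600 "$demo_dir/dktest.pem"
rm -rf "$demo_dir"
```

Run it as root from the init script's start branch (or by hand after the chown/chmod step) and refuse to start the milter when it fails; a world-readable signing key is exactly the failure these permissions are meant to prevent.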

Start dk-filter

With all of that out of the way, dk-filter can be started. As long as the file locations, names, and permissions are correct, dk-filter should start without problems.

# rcdomainkeys start
Starting DomainKeys milter                                                  done
# tail /var/log/mail
Mar 22 09:47:18 dk-filter[1350]: Sendmail DomainKeys Filter v0.2.7 starting (args: -h -l -p inet:8891@localhost -d erikberg.com -u domainkeys -s /etc/mail/domainkeys/dktest.pem -S dktest)
# rcdomainkeys status
Checking for service DomainKeys:                                         running
#

Reload Sendmail so it begins to use dk-filter

# rcsendmail reload
Reload service sendmail                                                     done
#

DomainKeys Identified Mail Setup

Google's mail service, Gmail, signs messages with DKIM. Although Yahoo!'s mail service signs messages with DomainKeys, it should be anticipated they will begin signing with DKIM since they helped to develop and champion the DKIM standard.

DKIM acts in the same manner as DomainKeys. In fact, it can use the same DNS TXT record that DomainKeys uses with a slight modification.

Prerequisites:

Building dkim-filter

Before dkim-milter can be built, a configuration file must be created to instruct the build process where to find the openssl libraries, which dkim-milter features to enable, and other options. An example configuration file named site.config.m4.dist is located in the root directory where dkim-milter is unpacked. Copy this file to devtools/Site/site.config.m4 and edit accordingly. My file looks like devtools/Site/site.config.m4. Although not enabled in this example, POP-before-SMTP and some of the features (see the FEATURES file in the source root directory) may be useful for some sites.

The following transcript shows what it takes to build and install DKIM.

$ pwd
/d2/software/dkim/dkim-milter-2.8.1
$ vi devtools/Site/site.config.m4
$ sh Build
Making all in:
/d2/software/dkim/dkim-milter-2.8.1/libar
Configuration: pfx=, os=Linux, rel=2.6.16.54-0.2.11-xen, rbase=2, rroot=2.6.16.54-0.2, arch=x86_64, sfx=, variant=optimized
Using M4=/usr/bin/m4
Creating /d2/software/dkim/dkim-milter-2.8.1/obj.Linux.2.6.16.54-0.2.11-xen.x86_64/libar
using /d2/software/dkim/dkim-milter-2.8.1/devtools/OS/Linux
Including /d2/software/dkim/dkim-milter-2.8.1/devtools/Site/site.config.m4

 [ output from build deleted ]

groff -Tascii -man dkim-filter.8 > dkim-filter.0 || cp dkim-filter.0.dist dkim-filter.0
groff -Tascii -man dkim-genkey.8 > dkim-genkey.0 || cp dkim-genkey.0.dist dkim-genkey.0
groff -Tascii -man dkim-stats.8 > dkim-stats.0 || cp dkim-stats.0.dist dkim-stats.0
groff -Tascii -man dkim-testkey.8 > dkim-testkey.0 || cp dkim-testkey.0.dist dkim-testkey.0
groff -Tascii -man dkim-testssp.8 > dkim-testssp.0 || cp dkim-testssp.0.dist dkim-testssp.0
make[1]: Leaving directory `/d2/software/dkim/dkim-milter-2.8.1/obj.Linux.2.6.16.54-0.2.11-xen.x86_64/dkim-filter'
$ su -c "make install"
Password:
Making install in:
/d2/software/dkim/dkim-milter-2.8.1/libar
Configuration: pfx=, os=Linux, rel=2.6.16.54-0.2.11-xen, rbase=2, rroot=2.6.16.54-0.2, arch=x86_64, sfx=, variant=optimized
Making in /d2/software/dkim/dkim-milter-2.8.1/obj.Linux.2.6.16.54-0.2.11-xen.x86_64/libar
make[1]: Entering directory `/d2/software/dkim/dkim-milter-2.8.1/obj.Linux.2.6.16.54-0.2.11-xen.x86_64/libar'
install -c -o root -g root -m 444 ar.0 /usr/share/man/man3/ar.3

 [ output from build deleted ]

install -c -o root -g root -m 444 dkim-stats.0 /usr/share/man/man8/dkim-stats.8
install -c -o root -g root -m 444 dkim-testkey.0 /usr/share/man/man8/dkim-testkey.8
install -c -o root -g root -m 444 dkim-testssp.0 /usr/share/man/man8/dkim-testssp.8
make[1]: Leaving directory `/d2/software/dkim/dkim-milter-2.8.1/obj.Linux.2.6.16.54-0.2.11-xen.x86_64/dkim-filter'
$

Sendmail Setup

Changes for /etc/mail/linux.mc.

dnl
dnl # Setup the sendmail filters; milter
dnl
dnl INPUT_MAIL_FILTER(`filter1', `S=local:/var/run/f1.sock, F=R')
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')
$ cd /etc/mail
$ su
Password:
# vi linux.mc
# m4 < linux.mc > linux.cf
# diff -u /etc/sendmail.cf linux.cf
--- /etc/sendmail.cf    2006-01-18 20:46:18.000000000 -0800
+++ linux.cf    2006-03-07 16:44:11.729050316 -0800
@@ -16,7 +16,7 @@
 #####
 #####          SENDMAIL CONFIGURATION FILE
 #####
-##### built by root@fore.erikberg.com on Wed Jan 18 20:46:18 PST 2006
+##### built by root@fore.erikberg.com on Tue Mar 7 16:44:11 PST 2006
 ##### on SuSE Linux 9.1 (i586)
 ##### in /etc/mail
 ##### using /usr/share/sendmail/ as configuration include directory
@@ -556,7 +559,7 @@
 #O TLSSrvOptions

 # Input mail filters
-O InputMailFilters=sid-filter
+O InputMailFilters=dkim-filter, sid-filter

 # Milter options
 #O Milter.LogLevel
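Review bot: the InputMailFilters line shows sid-filter present on both sides of this hunk, so the linux.mc in use must already contain a sid-filter INPUT_MAIL_FILTER line that the excerpt above omits; the excerpt should show both lines so a reader who copies it does not lose Sender-ID. Note also that sendmail calls milters in the order they appear in InputMailFilters, so "dkim-filter, sid-filter" means a message is DKIM-signed or verified before the Sender-ID check runs.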
@@ -1526,6 +1529,7 @@
 ######################################################################
 ######################################################################

 Xsid-filter, S=inet:8895@localhost
+Xdkim-filter, S=inet:8891@localhost
 #
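Review bot: Xdkim-filter is bound to inet:8891@localhost, the same socket the DomainKeys section assigned to dk-filter. That is fine if dkim-filter replaces dk-filter, but if both milters are run on one host the second to start will fail to bind; give one of them its own port (sid-filter already uses 8895) and keep this X line, the INPUT_MAIL_FILTER line in linux.mc and the PORT variable in the init script in agreement.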
# mv linux.cf /etc/sendmail.cf
#

System Setup

Add a user to run dkim-filter and create startup and shutdown scripts for DKIM. Note that the command line options for DKIM are different from those for DomainKeys. Also, beginning with dkim-milter 2.4.0, configuration file support was added, so many of the options listed below in the startup shell script can be moved to /etc/mail/dkim-filter.conf. Refer to the dkim-filter.conf(5) manual page for details.

# useradd -r -c "DKIM System Account" dkim
# cd /etc/init.d
# cat <<'EOF' > dkim
> #! /bin/sh
> #
> #
> ### BEGIN INIT INFO
> # Provides:       dkim
> # Required-Start: $remote_fs $syslog
> # Required-Stop:
> # X-UnitedLinux-Should-Start: sendmail
> # X-UnitedLinux-Should-Stop:
> # Default-Start:  3 5
> # Default-Stop:
> # Description:    Start the dkim milter
> ### END INIT INFO
> 
> PORT="-p inet:8891@localhost"
> SIGNING_DOMAIN="-d erikberg.com"
> USER="-u dkim"
> KEYFILE="-k /etc/mail/domainkeys/dktest.key.pem"
> SELECTOR_NAME="-s dktest"
> REJECTION="-C bad=a,dns=t,int=t,no=a"
> DKIM_ARGS="-h -l $PORT $REJECTION $SIGNING_DOMAIN $USER $KEYFILE $SELECTOR_NAME"
> 
> . /etc/rc.status
> rc_reset
> case "$1" in
>     start)
>         echo -n "Starting DKIM milter: "
>         startproc /usr/sbin/dkim-filter $DKIM_ARGS
>         rc_status -v
>         ;;
>     stop)
>         echo -n "Shutting down DKIM milter: "
>         killproc -TERM /usr/sbin/dkim-filter
>         rc_status -v
>         ;;
>     try-restart)
>         $0 stop && $0 start
>         rc_status
>         ;;
>     restart)
>         $0 stop
>         $0 start
>         rc_status
>         ;;
>     reload|force-reload)
>         echo -n "Reload service DKIM: "
>         killproc -HUP /usr/sbin/dkim-filter
>         rc_status -v
>         ;;
>     status)
>         echo -n "Checking for service DKIM: "
>         checkproc /usr/sbin/dkim-filter
>         rc_status -v
>         ;;
>     *)
>         echo "Usage: $0 {start|stop|status|try-restart|restart|reload}"
>         exit 1
> esac
> rc_exit
> EOF
# chmod 744 dkim
# ln -s /etc/init.d/dkim /usr/sbin/rcdkim
# insserv /etc/init.d/dkim
# chkconfig --list dkim
dkim                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
#

Setup Private/Public Key

Included with the dkim-milter 2.4.0 release is a shell script installed at /usr/bin/dkim-genkey which can be used to create a public/private key pair suitable for DKIM. This is very similar to the method used for DomainKeys above. Whether the key is created using the script or manually, move it to /etc/mail/domainkeys.

Change the owner of the key file to the user who will run the dkim-filter process. In this example, the user is dkim. The directory (0700) and file (0400) permissions where the key is stored should match the output below.

# cd /etc/mail/domainkeys/
# chown dkim dktest.key.pem
# chown dkim .
# ls -l
total 12
drwx------  2 dkim milters 4096 2005-04-21 09:40 .
drwxr-xr-x  7 root root    4096 2006-01-18 20:46 ..
-r--------  1 dkim milters  887 2004-11-19 19:48 dktest.key.pem
#

Also, since the 2.4.0 release of dkim-milter, a utility is included to test the validity of a DKIM key. This check determines whether the key has the correct permissions, selector name, and path.

# /usr/bin/dkim-testkey -d erikberg.com -k /etc/mail/domainkeys/dktest.key.pem -s dktest
# echo $?
0

DomainKeys versus DKIM selector records

If the dkim-testkey result is "dkim-testkey: granularity mismatch", then either add "g=*" (the default) or omit the "g=" tag completely from the selector record. This behavior differs from how DomainKeys treats empty values. DKIM RFC 4871 specifies:

Unrecognized tags MUST be ignored.

Tags that have an empty value are not the same as omitted tags.  An
omitted tag is treated as having the default value; a tag with an
empty value explicitly designates the empty string as the value.  For
example, "g=" does not mean "g=*", even though "g=*" is the default
for that tag.
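As an added example (my own code, not from the page or from dkim-milter), the following sh functions parse a selector TXT record, in either the dig rendering with escaped semicolons or the plain tag-list form, and apply the rule just quoted: record_tag reports a tag as present even when its value is empty, record_granularity returns "*" only when g= is absent, and granularity_allows decides whether a given local-part is covered by the key. Function names are mine, and the demo records are constructed from the two forms shown on this page (the DomainKeys record with "g=" and a DKIM record without it).

```shell
#!/bin/sh
# Added example, not code from the page or from dkim-milter: a small parser
# for selector TXT records that applies the RFC 4871 rule quoted above, i.e.
# "g=" (present but empty) is not the same as an omitted g= (default "*").
# Function names and the demo records are my own.

# record_tag RECORD TAG: print TAG's value and succeed if the tag is present
# (even with an empty value); fail (exit 1) if the tag is absent. Accepts the
# dig(1) rendering with escaped semicolons and surrounding quotes.
record_tag() {
    tag=$2
    printf '%s\n' "$1" | sed -e 's/\\;/;/g' -e 's/"//g' | tr ';' '\n' | {
        while IFS= read -r item; do
            item=$(printf '%s' "$item" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
            case $item in
                "$tag="*) printf '%s\n' "${item#"$tag="}"; exit 0 ;;
            esac
        done
        exit 1
    }
}

# record_granularity RECORD: the effective g= value. Absent -> "*" (default);
# present but empty -> "" (matches no local-part at all).
record_granularity() {
    if v=$(record_tag "$1" g); then
        printf '%s\n' "$v"
    else
        printf '*\n'
    fi
}

# granularity_allows RECORD LOCALPART: would a signature on mail from
# LOCALPART@domain be accepted under this key's granularity? RFC 4871 allows
# at most one "*" wildcard in g=, so the pattern is split around the first one.
granularity_allows() {
    g=$(record_granularity "$1")
    lp=$2
    [ -n "$g" ] || return 1                  # "g=" explicitly matches nothing
    case $g in
        *\**)
            prefix=${g%%\**}                 # text before the wildcard
            suffix=${g#*\*}                  # text after it
            case $lp in
                "$prefix"*"$suffix") return 0 ;;
                *) return 1 ;;
            esac ;;
        *)  [ "$g" = "$lp" ] ;;
    esac
}

# Demonstration on constructed records in the two styles seen on this page.
dk_record='"g=\; k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOXcmAB"'
dkim_record='v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOXcmAB'
printf 'DomainKeys-style record: g="%s" -> effective granularity "%s"\n' \
    "$(record_tag "$dk_record" g)" "$(record_granularity "$dk_record")"
printf 'DKIM-style record without g=: effective granularity "%s"\n' \
    "$(record_granularity "$dkim_record")"
```

This is why the DomainKeys record from the first section produces "granularity mismatch" under dkim-testkey: its "g=" is present and empty, so under DKIM semantics it covers no local-part at all, whereas DomainKeys reads the same empty value as "any".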

Start dkim-filter

Start dkim-filter and restart sendmail. A message similar to the following should show up in the mail log file indicating that dkim-filter has started successfully.

# rcdkim start
Starting DomainKeys milter                                      done
# tail -1 /var/log/mail
Jan 16 12:11:18 fore dkim-filter[17062]: Sendmail DKIM Filter v2.8.1 starting (args: -h -l -p inet:8891@localhost -C bad=a,dns=t,int=t,no=a -d erikberg.com -u dkim -k /etc/mail/domainkeys/dktest.key.pem -s dktest)
# ps uwwp $(pgrep dkim)
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
dkim     13393  0.0  0.1 42196 1812 ?        Ssl  12:11   0:00 /usr/sbin/dkim-filter -h -l -p inet:8891@localhost -C bad=a,dns=t,int=t,no=a -d erikberg.com -u dkim -k /etc/mail/domainkeys/dktest.key.pem -s dktest
# rcdkim status
Checking for service DKIM:                                      running
# rcsendmail reload
Reload service sendmail                                         done
# exit
$

Sender-ID Setup

Note that the license for Sender-ID is not as clear as the one for Yahoo!'s DomainKeys. The source distribution for sid-milter-0.2.7 contains the following provision.

Notice Regarding Sender ID

This source code may incorporate intellectual property owned by
Microsoft Corporation that is necessary to implement the IETF Sender
ID Specification.  A license for such intellectual property is
available from Microsoft under reasonable and non-discriminatory terms
with no fees or royalties.  Our provision of this source code does not
include any licenses or any other rights to you under any Microsoft
intellectual property.  If you would like a license from Microsoft
(e.g. rebrand, redistribute), you need to contact Microsoft directly.

Prerequisites:

Building Sender-ID

Changes for sid-filter/Makefile.m4

Changes for devtools/Site/site.config.m4

After the configuration files are correct, sid-milter can be built by running the included Build shell script.

$ pwd
/d2/software/sid-milter-0.2.7
$ sh Build
Making all in:
/d2/software/senderid/sid-milter-0.2.7/libar
Configuration: pfx=, os=Linux, rel=2.6.5-7.145-default, rbase=2, rroot=2.6.5-7, arch=i686, sfx=, variant=optimized
Using M4=/usr/bin/m4

 [ output from build/tests deleted ]

make[1]: Leaving directory `/d2/software/senderid/sid-milter-0.2.7/obj.Linux.2.6.5-7.145-default.i686/sid-filter'
$ su -c "make install"
Password:
Making install in:
/d2/software/sid-milter-0.2.7/libar

 [ output from install deleted ]

$

Sender-ID Whitelist (optional)

Domains and IP addresses that Sender-ID should never check can be listed, one entry per line, in a text file. The entries below mean that any connection from localhost or 127.0.0.1 to the mail server is not checked by sid-filter. In this example the entries are stored in /etc/mail/spf/whitelist, but they can be stored anywhere.

# mkdir -p /etc/mail/spf
# cd /etc/mail/spf
# cat <<END > whitelist
> 127.0.0.1
> localhost
> END
#

Sender-ID Sendmail Setup

Now, another line must be added to the sendmail configuration file for Sender-ID. It is the same format as the one used for DomainKeys. Add the sid-filter line to /etc/mail/linux.mc.

dnl
dnl # Setup the sendmail filters; milter
dnl
dnl INPUT_MAIL_FILTER(`filter1', `S=local:/var/run/f1.sock, F=R')
INPUT_MAIL_FILTER(`dk-filter', `S=inet:8891@localhost')
INPUT_MAIL_FILTER(`sid-filter', `S=inet:8895@localhost')

Rebuild the sendmail.cf file.

# pwd
/etc/mail
# m4 < linux.mc > linux.cf
# mv linux.cf /etc/sendmail.cf

Sender-ID System Setup

Just like DomainKeys, Sender-ID does not currently come with a startup script, so one must be created and installed manually. This script will start and stop the Sender-ID milter. It is installed in /etc/init.d/senderid with permissions set to 0755. The variable assignments at the top of the script (PORT, REJECTION, USER and WHITELIST) will need to be adjusted for each system.

#! /bin/sh
#
# /etc/init.d/senderid
#
#   and symbolic link
#
# /usr/sbin/rcsenderid
#
### BEGIN INIT INFO
# Provides:       senderid
# Required-Start: $remote_fs $syslog
# Required-Stop:
# X-UnitedLinux-Should-Start: sendmail
# X-UnitedLinux-Should-Stop:
# Default-Start:  3 5
# Default-Stop:
# Description:    Start the SenderId milter
### END INIT INFO

PORT="-p inet:8895@localhost"
REJECTION="-r 1"
USER="-u senderid"
WHITELIST="-a /etc/mail/spf/whitelist"
SENDERID_ARGS="-h -l $PORT $REJECTION $USER $WHITELIST"

. /etc/rc.status
rc_reset
case "$1" in
    start)
	echo -n "Starting SenderID milter"
	startproc /usr/bin/sid-filter $SENDERID_ARGS
	rc_status -v
	;;
    stop)
	echo -n "Shutting down SenderID milter"
	killproc -TERM /usr/bin/sid-filter
	rc_status -v
	;;
    try-restart)
	$0 stop && $0 start
	rc_status
	;;
    restart)
	$0 stop
	$0 start
	rc_status
	;;
    reload|force-reload)
	echo -n "Reload service SenderID"
	killproc -HUP /usr/bin/sid-filter
	rc_status -v
	;;
    status)
	echo -n "Checking for service SenderID: "
	checkproc /usr/bin/sid-filter
	rc_status -v
	;;
    *)
	echo "Usage: $0 {start|stop|status|try-restart|restart|reload}"
	exit 1
esac
rc_exit

After the senderid init script is installed with file permissions set to 0755, a symbolic link should be created to /usr/sbin/rcsenderid.

# ln -s /etc/init.d/senderid /usr/sbin/rcsenderid
#

To automatically start and stop Sender-ID at the appropriate system run levels, the insserv program is used. The "Default-Start: 3 5" parameters in the senderid init script tell insserv how to initially configure the senderid service. The command chkconfig --list verifies that the service is set up correctly.

# insserv /etc/init.d/senderid
# chkconfig --list senderid
senderid                0:off  1:off  2:off  3:on   4:off  5:on   6:off
#

Just like DomainKeys, a system user for Sender-ID should be set up so the program does not run as the root user. The following creates a system account named "senderid".

# useradd -r -c "Sender-ID System Account" senderid
# grep senderid /etc/passwd
senderid:x:305:100:Sender-ID System Account:/home/senderid:/bin/false
#

Start sid-filter

sid-filter can be started from the command line. As long as the file locations and names are passed correctly to sid-filter, it should start without problems.

# rcsenderid start
Starting SenderID milter                                                    done
# rcsenderid status
Checking for service SenderID:                                           running
#

Reload Sendmail so it begins to use sid-filter

# rcsendmail reload
Reload service sendmail                                                     done
#

Monitoring and Testing

Monitor /var/log/mail and /var/log/messages. When any of these milters is started with the -l option, it writes log messages to /var/log/mail.

dk-filter and dkim-filter write a line to the mail log each time an outgoing message is signed.

If the milters are started with the -h option, each milter will insert a header into incoming messages, and the inserted header is also reflected in the mail log.

Dec 10 06:58:30 fore sendmail[32165]: iBAEwUww032165: Milter insert (1): header: DomainKey-Signature: a=rsa-sha1; s=dktest; d=erikberg.com; c=simple; q=dns;\n\tb=usw1O02C9cA/L1Tl1ozrDGB3ZPitf+AMggQhcpHHvJUybgTp5uzWHedqw7MZgUgqP\n\tL96EB1YvF0t3fvdwdxMeOqyH/93WOtewqgTnREBRheu7qncCT4HUvCL3d5hSnMHudnq\n\tU4PhIiWVi49B2FXz+4mwWufnuTNKf0SyvQNB62M=
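As an added example (my own code, not from the page or from the milters), the following sh script tallies what the milters leave in the mail log: count_signed counts signature headers inserted for a signing domain (outgoing mail that was actually signed), and count_auth counts Authentication-Results headers reporting a given method and result for incoming mail. The log lines in sample_mail_log are constructed for the demo, modelled on the "Milter insert" line shown above; the Authentication-Results lines assume the "method=result" form (domainkeys=fail, dkim=pass) that the milters' -h option produces, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the page or from the milters: summarise the
# "Milter insert" lines that dk-filter/dkim-filter leave in /var/log/mail.
# The sample log is constructed; function names are my own.

# Write constructed sample log lines to PATH. The first line is modelled on
# the DomainKey-Signature insert shown on the page; the rest are invented.
sample_mail_log() {
    cat <<'EOF' > "$1"
Dec 10 06:58:30 fore sendmail[32165]: iBAEwUww032165: Milter insert (1): header: DomainKey-Signature: a=rsa-sha1; s=dktest; d=erikberg.com; c=simple; q=dns;\n\tb=usw1O02C9cA/L1Tl1ozrDGB3ZPitf+AMggQhcpHHvJUybgTp5uzWHedqw7MZgUgqP
Dec 10 07:02:11 fore sendmail[32201]: iBAF2Bww032201: Milter insert (1): header: DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=erikberg.com; s=dktest; h=From:To:Subject; bh=CONSTRUCTED; b=CONSTRUCTED
Dec 10 07:05:45 fore sendmail[32240]: iBAF5jww032240: from=<someone@example.net>, size=1024, class=0, nrcpts=1, msgid=<constructed@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Dec 10 07:05:46 fore sendmail[32240]: iBAF5jww032240: Milter insert (1): header: Authentication-Results: fore.erikberg.com; domainkeys=fail header.From=someone@example.net
Dec 10 07:09:02 fore sendmail[32260]: iBAF92ww032260: Milter insert (1): header: Authentication-Results: fore.erikberg.com; dkim=pass header.i=@example.org
EOF
}

# count_signed LOG DOMAIN: number of DomainKey-Signature/DKIM-Signature headers
# inserted with d=DOMAIN, i.e. outgoing messages signed for that domain.
count_signed() {
    awk -v dom="$2" '
        /Milter insert/ && /(DomainKey|DKIM)-Signature:/ {
            # first d= tag, bounded on the left by "; " or a space and on the right by ";"
            if (match($0, /[; ]d=[^;]*;/)) {
                d = substr($0, RSTART + 3, RLENGTH - 4)
                if (d == dom) n++
            }
        }
        END { print n + 0 }' "$1"
}

# count_auth LOG METHOD RESULT: number of Authentication-Results headers
# inserted by the milters reporting METHOD=RESULT (e.g. domainkeys fail).
count_auth() {
    awk -v want="$2=$3" '
        /Milter insert/ && /Authentication-Results:/ {
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/;$/, "", f)        # drop a trailing ";" from the token
                if (f == want) n++
            }
        }
        END { print n + 0 }' "$1"
}

# Demonstration on the constructed log.
log=$(mktemp)
sample_mail_log "$log"
printf 'messages signed for erikberg.com: %s\n' "$(count_signed "$log" erikberg.com)"
printf 'incoming DomainKeys failures:     %s\n' "$(count_auth "$log" domainkeys fail)"
printf 'incoming DKIM passes:             %s\n' "$(count_auth "$log" dkim pass)"
rm -f "$log"
```

Point count_signed at the real /var/log/mail after a test message: a count of zero for your domain while sendmail reports the message delivered means the milter was not consulted (wrong socket or InputMailFilters) or declined to sign (signing domain or selector mismatch), which is the first thing to check before looking at DNS.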
Creative Commons License
Copyright © 2004-2009 Erik Berg