Using DomainKeys with MailScanner

Introduction

MailScanner is antispam software that filters mail after sendmail has accepted it over SMTP. DomainKeys signing and verification can be done with dk-milter, with sendmail configured to relay outgoing mail through a smarthost.

Overview

MailScanner requires sendmail to be configured in queue-only delivery mode so that it can filter the queued messages. Because of the way MailScanner works, sendmail cannot apply a milter to outbound mail, so with the default MailScanner setup only DomainKeys signature verification is possible. A sendmail smarthost is required to get around that limitation.

We will use the sendmail process receiving inbound mail for DomainKeys signature verification and send outbound mail through a smarthost where the DomainKeys signing can be done. Two dk-milter processes are required, one running in verification mode and the other in signing mode.

Installation

The following installation guide is based upon sendmail 8.13. The DomainKeys feature is provided by dk-milter, which does not support any sendmail version prior to 8.13.

Prerequisites

You should have sendmail 8.13 installed.

You should have MailScanner installed.

You should have dk-milter installed.

Configuring sendmail

The following IP addresses are used as an example:

  • 192.0.2.1      IP address assigned by your ISP.
  • 192.168.0.1   IP address for the smarthost.

The three sendmail processes used are as follows:

  1. sendmail - inbound
  2. sendmail - queue runner
  3. sendmail - smarthost

The first sendmail (inbound) process should be configured to include the following directives:

define(`SMART_HOST',`[192.168.0.1]')dnl
define(`confDELIVERY_MODE', `queueonly')dnl
define(`QUEUE_DIR', `/var/spool/mqueue.in')dnl
define(`confDONT_PROBE_INTERFACES',`True')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=192.0.2.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA1')dnl
INPUT_MAIL_FILTER(`dk-filter', `S=inet:9981@localhost')

Generate the sendmail.cf file.

Create a directory called /var/spool/mqueue.in owned by the root user.

The second sendmail (queue runner) process will use the same cf file (sendmail.cf).

The third sendmail (smarthost) process should be configured to include the following directives:

define(`QUEUE_DIR', `/var/spool/mqueue.smarthost')dnl
define(`confPID_FILE', `/var/run/sendmail-smarthost.pid')dnl
define(`confDONT_PROBE_INTERFACES',`True')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=192.168.0.1, Name=MTAS')dnl
INPUT_MAIL_FILTER(`dk-filter', `S=inet:9982@localhost')

Generate the smarthost.cf file.

Create a directory called /var/spool/mqueue.smarthost owned by the root user.

Configuring MailScanner

Your MailScanner.conf file should have the following options:

Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue

Starting sendmail, MailScanner and dk-milter

Starting MailScanner

Please refer to your MailScanner documentation on how to start MailScanner.

Starting dk-milter

The first dk-milter process should be started with:

dk-filter -l -p inet:9981@localhost -u dkuser -b v

and the second one with:

dk-filter -l -p inet:9982@localhost -d example.com -c simple -s /path/to/pem -S mail -u dkuser -b s -i /path/to/filename

where /path/to/filename is the dk-filter internal hosts list (the -i option) and contains 192.168.0.1, the address the outbound mail arrives from at the smarthost.

Starting sendmail

Run the three sendmail processes with the following commands:

/usr/sbin/sendmail -bd -L sm-mta

/usr/sbin/sendmail -q5 -OPidFile=/var/run/sendmail-outbound.pid -OQueueDirectory=/var/spool/mqueue

/usr/sbin/sendmail -bd -L sm-mtas -C/etc/mail/smarthost.cf
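The three sendmail processes, the two dk-filter processes and the internal hosts file only work together if their addresses, sockets and queue directories agree. As an added consistency check (example code written for this page, not part of MailScanner, sendmail or dk-milter), the following Python script parses the two mc fragments above together with the dk-filter command lines and the internal hosts file and reports any mismatch: the inbound SMART_HOST must be an address the smarthost listens on, each sendmail's INPUT_MAIL_FILTER socket must be the dk-filter process running in the expected mode, the two queue directories must differ, and the smarthost address must appear in the signing milter's internal hosts list. The mc text, command lines and hosts file are constructed copies of this guide's values, and the parser only understands the define, DAEMON_OPTIONS and INPUT_MAIL_FILTER forms used here.

```python
import re

# Constructed copies of the two sendmail mc fragments from this guide: the first
# becomes sendmail.cf (inbound + queue runner), the second smarthost.cf.
INBOUND_MC = """\
define(`SMART_HOST',`[192.168.0.1]')dnl
define(`confDELIVERY_MODE', `queueonly')dnl
define(`QUEUE_DIR', `/var/spool/mqueue.in')dnl
define(`confDONT_PROBE_INTERFACES',`True')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=192.0.2.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA1')dnl
INPUT_MAIL_FILTER(`dk-filter', `S=inet:9981@localhost')
"""
SMARTHOST_MC = """\
define(`QUEUE_DIR', `/var/spool/mqueue.smarthost')dnl
define(`confPID_FILE', `/var/run/sendmail-smarthost.pid')dnl
define(`confDONT_PROBE_INTERFACES',`True')dnl
DAEMON_OPTIONS(`Port=smtp, Addr=192.168.0.1, Name=MTAS')dnl
INPUT_MAIL_FILTER(`dk-filter', `S=inet:9982@localhost')
"""
# Constructed: the dk-filter internal hosts file (-i) and the two command lines.
INTERNAL_HOSTS = "192.168.0.1\n"
VERIFIER_CMD = "dk-filter -l -p inet:9981@localhost -u dkuser -b v"
SIGNER_CMD = ("dk-filter -l -p inet:9982@localhost -d example.com -c simple "
              "-s /path/to/pem -S mail -u dkuser -b s -i /path/to/filename")

DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")
MILTER_RE = re.compile(r"INPUT_MAIL_FILTER\(`([^']*)',\s*`([^']*)'\)")


def _kv(opts):
    # "Port=smtp, Addr=192.0.2.1" -> {"Port": "smtp", "Addr": "192.0.2.1"}
    return dict(kv.strip().split("=", 1) for kv in opts.split(",") if "=" in kv)


def parse_mc(text):
    """Extract just the three m4 macro forms this guide uses."""
    return {
        "defines": dict(DEFINE_RE.findall(text)),
        "daemons": [_kv(o) for o in DAEMON_RE.findall(text)],
        "milters": {name: _kv(o).get("S") for name, o in MILTER_RE.findall(text)},
    }


def dk_option(cmd, flag):
    """Value following a flag such as -p or -b on a dk-filter command line."""
    args = cmd.split()
    return args[args.index(flag) + 1]


def check_setup(inbound_mc, smarthost_mc, internal_hosts, verifier_cmd, signer_cmd):
    """Return a list of inconsistencies; an empty list means the pieces agree."""
    inbound, smart = parse_mc(inbound_mc), parse_mc(smarthost_mc)
    problems = []
    smart_host = inbound["defines"].get("SMART_HOST", "").strip("[]")
    if smart_host not in {d.get("Addr") for d in smart["daemons"]}:
        problems.append(f"SMART_HOST {smart_host!r} is not an Addr the smarthost listens on")
    if inbound["defines"].get("confDELIVERY_MODE") != "queueonly":
        problems.append("inbound sendmail must use confDELIVERY_MODE queueonly for MailScanner")
    if inbound["defines"].get("QUEUE_DIR") == smart["defines"].get("QUEUE_DIR"):
        problems.append("inbound and smarthost queue directories must differ")
    if (inbound["milters"].get("dk-filter") != dk_option(verifier_cmd, "-p")
            or dk_option(verifier_cmd, "-b") != "v"):
        problems.append("inbound INPUT_MAIL_FILTER socket must be the verifying dk-filter (-b v)")
    if (smart["milters"].get("dk-filter") != dk_option(signer_cmd, "-p")
            or dk_option(signer_cmd, "-b") != "s"):
        problems.append("smarthost INPUT_MAIL_FILTER socket must be the signing dk-filter (-b s)")
    hosts = {line.strip() for line in internal_hosts.splitlines() if line.strip()}
    if smart_host not in hosts:
        problems.append(f"signing dk-filter internal hosts file (-i) must list {smart_host}")
    return problems


if __name__ == "__main__":
    for p in check_setup(INBOUND_MC, SMARTHOST_MC, INTERNAL_HOSTS, VERIFIER_CMD, SIGNER_CMD):
        print("PROBLEM:", p)
```

Run it against the real files by replacing the constructed strings with the contents of your sendmail.mc, smarthost.mc, the -i file and the command lines from your init scripts; an empty result means the verifying milter is attached to the inbound listener and the signing milter to the smarthost, which is the arrangement this guide depends on.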

Testing DomainKeys

You can perform a DomainKeys test by sending an email to autorespond+dk@dk.elandsys.com.

Below is an example of a signature header:

DomainKey-Signature: a=rsa-sha1; s=mail; d=example.com; c=simple; q=dns;
         b=Th2SZylksW2kVFD8lROlZLQwp1GmOgYzUlgxVDV/7lcSu0TxgjOkFxAfJFV2NEm8

If the verification is successful, you should see the following header in your email:

Authentication-Results: mail.example.net; domainkeys=pass
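To see what the verifying side does with these two headers, here is an added Python example (not part of this guide, MailScanner or dk-milter) that parses the DomainKey-Signature tag list, derives the DNS name of the public-key record from the s= and d= tags (selector._domainkey.domain, per RFC 4870) without performing the lookup, and reads the Authentication-Results header only when its authserv-id is your own verifying host, because a remote sender can insert an Authentication-Results header of its own. The message is constructed from the header values shown above plus a made-up From, Subject and body, and mail.example.net is assumed to be the name of the verifying MTA.

```python
import email
import re

# Constructed message: the two header values this guide shows, plus a made-up
# From, Subject and body. mail.example.net is assumed to be our own verifying MTA.
SAMPLE = (
    "DomainKey-Signature: a=rsa-sha1; s=mail; d=example.com; c=simple; q=dns;\n"
    "         b=Th2SZylksW2kVFD8lROlZLQwp1GmOgYzUlgxVDV/7lcSu0TxgjOkFxAfJFV2NEm8\n"
    "Authentication-Results: mail.example.net; domainkeys=pass\n"
    "From: user@example.com\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)


def parse_tags(value):
    """Split a 'tag=value; tag=value' header into a dict, ignoring folding."""
    tags = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = "".join(v.split())   # drop folding whitespace
    return tags


def inspect_signature(raw_message):
    """Describe the DomainKey-Signature header without doing any DNS lookup."""
    msg = email.message_from_string(raw_message)
    sig = msg.get("DomainKey-Signature")
    if sig is None:
        return {"status": "unsigned"}
    tags = parse_tags(sig)
    missing = [t for t in ("a", "s", "d", "b") if t not in tags]
    if missing:
        return {"status": "malformed", "missing": missing}
    return {
        "status": "signed",
        "algorithm": tags["a"],
        "canonicalization": tags.get("c", "simple"),
        # RFC 4870: the public key is the TXT record at <selector>._domainkey.<domain>
        "key_record": f"{tags['s']}._domainkey.{tags['d']}",
    }


def verifier_result(raw_message, own_authserv_id):
    """Return the domainkeys= result stamped by our own MTA, or None.

    Authentication-Results headers carrying any other authserv-id are ignored:
    a remote sender could have added them to claim a pass it never earned.
    """
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.strip() != own_authserv_id:
            continue
        m = re.search(r"domainkeys=(\w+)", rest)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    print(inspect_signature(SAMPLE))
    print("verifier says:", verifier_result(SAMPLE, "mail.example.net"))
```

The authserv-id check is the part worth carrying into any filter rule that acts on domainkeys=pass: a rule that matches the header text alone will accept a result written by whoever sent the message.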