qmail-dk domainkeys implementation into qmailtoaster
----------------------------------------------------
Nick Hemmesch
May 13, 2006

INSTALLATION:
----------------------------------------------------

You must have either a local DNS server or DNS caching on your mail server.

libdomainkeys must be installed before qmail-toaster version >= 1.3.2 can be installed.

The default path to the private key is:

    /var/qmail/control/domainkeys

Create a domain (yourdomain.com) directory for your domainkeys:

    mkdir /var/qmail/control/domainkeys/yourdomain.com

Create your domainkey with dknewkey:

    dknewkey /var/qmail/control/domainkeys/yourdomain.com/private
    chown -R root:qmail /var/qmail/control/domainkeys/
    chmod 444 /var/qmail/control/domainkeys/yourdomain.com/private

dknewkey will also return your DNS entry for a BIND zone file. BE SURE TO SAVE IT so you can make your DNS entry.

If you use djbdns, a typical entry will look like this:

    '_domainkey.yourdomain.com:o=-; r=you@yourdomain.com
    'private._domainkey.yourdomain.com:k=rsa; p=MEwwDQYJKoZIhvcNAQEBBQ . . .

Test your DNS entry with dnstxt. It may take some time for your DNS change to propagate before this test succeeds:

    dnstxt private._domainkey.yourdomain.com

Your /etc/tcprules.d/tcp.smtp file should look like this (without the "\"s):

    127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
    :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",\
    CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",\
    DKQUEUE="/var/qmail/bin/qmail-queue.orig",\
    DKSIGN="/var/qmail/control/domainkeys/%/private"

The DKVERIFY statement is very conservative. To reject mail that has domainkeys but resolves to a different, or erroneous, key, add "B". Example:

    DKVERIFY="BDEGIJKfh"

Also see: http://jeremy.kister.net/howto/dk.html

Note: You will find numerous qmail-dk configurations on the internet that DO NOT work. This setup DOES work and is a "no brainer" to set up.
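As an added check, not part of qmailtoaster or of this guide, the POSIX shell helpers below audit the pieces configured above: the DKSIGN template (qmail-dk substitutes the sending domain for the "%"), the key file mode the instructions set, the selector TXT record that dnstxt returns, and whether DKVERIFY carries the "B" flag. The function names and the base-directory argument are this example's own assumptions.

```shell
#!/bin/sh
# Audit helpers for the qmail-dk setup described above (added example,
# not from qmailtoaster).  Pass the DKSIGN template exactly as it appears
# in tcp.smtp; "%" is replaced by the sending domain, as qmail-dk does.

# dk_key_path TEMPLATE DOMAIN -> prints the private key path for DOMAIN
dk_key_path() {
    printf '%s\n' "$1" | sed "s#%#$2#"
}

# dk_check_key TEMPLATE DOMAIN -> 0 if the key file exists with mode 444
# (the mode set above: readable by the qmail group, writable by nobody)
dk_check_key() {
    key=$(dk_key_path "$1" "$2")
    [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$mode" = "444" ] || { echo "mode $mode on $key, want 444" >&2; return 1; }
    return 0
}

# dk_check_txt RECORD -> 0 if RECORD is a usable selector record, i.e. it
# carries "k=rsa" and a non-empty "p=" public key (what dnstxt should
# print for private._domainkey.yourdomain.com)
dk_check_txt() {
    case "$1" in
        *k=rsa*p=[A-Za-z0-9+/]*) return 0 ;;
        *) echo "record lacks k=rsa or a p= key: $1" >&2; return 1 ;;
    esac
}

# dk_check_verify FLAGS -> 0 if DKVERIFY includes "B", so mail whose
# signature resolves to a different or erroneous key is rejected rather
# than only marked
dk_check_verify() {
    case "$1" in
        *B*) return 0 ;;
        *) echo "DKVERIFY=\"$1\" has no B: bad-key mail is not rejected" >&2; return 1 ;;
    esac
}
```

Run the three checks against the live paths, e.g. dk_check_key "/var/qmail/control/domainkeys/%/private" yourdomain.com, and feed dk_check_txt the output of dnstxt.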
----------------------------------------------------