wget ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.5.tar.gz
2. Build libmilter
[root@localhost dkim]# mv sendmail.8.14.5.tar.gz sendmail-8.14.5.tar.gz
[root@localhost dkim]# tar zxf sendmail-8.14.5.tar.gz
[root@localhost dkim]# cd sendmail-8.14.5/libmilter/
[root@localhost libmilter]# ./Build
....
[root@localhost libmilter]# ./Build install
Configuration: pfx=, os=Linux, rel=2.6.18-194.el5, rbase=2, rroot=2.6.18-194, arch=x86_64, sfx=, variant=optimized
Making in /home/iedm/dkim/sendmail-8.14.5/obj.Linux.2.6.18-194.el5.x86_64/libmilter
if [ ! -d /usr/include/libmilter ]; then mkdir -p /usr/include/libmilter; else :; fi
install -c -o root -g bin -m 0444 ../../include/libmilter/mfapi.h /usr/include/libmilter/mfapi.h
install -c -o root -g bin -m 0444 ../../include/libmilter/mfdef.h /usr/include/libmilter/mfdef.h
install -c -o root -g bin -m 0444 libmilter.a /usr/lib
[root@localhost libmilter]#
Note: libmilter must be built before opendkim; otherwise opendkim's configure fails with:
checking for milter library and includes... configure: error: milter not found
3. Download opendkim
wget http://sourceforge.net/projects/opendkim/files/opendkim-2.6.2.tar.gz
4. Build opendkim
[root@localhost dkim]# tar zxf opendkim-2.6.2.tar.gz
[root@localhost dkim]# cd opendkim-2.6.2
[root@localhost opendkim-2.6.2]# ./configure
....
[root@localhost opendkim-2.6.2]# make
....
[root@localhost opendkim-2.6.2]# make install
....
[root@localhost opendkim-2.6.2]#
5. Generate the public and private keys with openssl
[root@localhost dkim]# openssl genrsa -out rsa.private 1024
Generating RSA private key, 1024 bit long modulus
...............................++++++
..................++++++
e is 65537 (0x10001)
[root@localhost dkim]# openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
writing RSA key
[root@localhost dkim]# ls -l rsa*
-rw-r--r-- 1 root root 887 07-04 10:53 rsa.private
-rw-r--r-- 1 root root 272 07-04 10:53 rsa.public
[root@localhost dkim]# cat rsa.public
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5/9JMdcOkRvhfNRWXzKUuWypJ
oaLsL1jhZzZ535NYDEZTyUu8SUaZenY8+j84yzf8D/CiaLa6fQIE3ORD8rttdQAH
0P4Zvztak7k6UptojT/lFqEVAEgAcYrKbB4EGM0df1N7coSGDe6FBshRzgW4lI75
fThJnSxKbe5KrVyKUQIDAQAB
-----END PUBLIC KEY-----
[root@localhost dkim]#
6. Publish the public key in a DNS TXT record
[root@localhost dkim]# host -t txt s120701._domainkey.iyoutui.com
s120701._domainkey.iyoutui.com descriptive text "k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5/9JMdcOkRvhfNRWXzKUuWypJoaLsL1jhZzZ535NYDEZTyUu8SUaZenY8+j84yzf8D/CiaLa6fQIE3ORD8rttdQAH0P4Zvztak7k6UptojT/lFqEVAEgAcYrKbB4EGM0df1N7coSGDe6FBshRzgW4lI75fThJnSxKbe5KrVyKUQIDAQAB"
[root@localhost dkim]#
Here s120701 is the selector, _domainkey is a fixed label, and iyoutui.com is the sending domain. For example, the DKIM-Signature on a message sent by Gmail looks like this:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=hDX73a4kPsHa/h6++RPoq1865EevSf3TwGuZJ9ZDZdU=; b=X5GwgZLp5AEeSkswVMgPhpE0/f4r/+vzq/b4WK6ppNcE4VfvPk1aGNHWp/5tknMpGM hK80iNSl+IqyDWL5vEr9sUfCXOHpRas10X2jHeK+SPQS86Lq6qB2W2M9enrKFYRovuwk ZZ3Gv2w8GLIcRcvZ7GTuNem8Jkr3Vou6vAgg5zSpFFtsI/gOSsnmZcg0kUq+/bPTb8rg JM23yjvFkWWLJkxx5SuItBnJmWL9//yhRFuRKAs5iA3mgGu6JyP4XMTeWRP/kNi7d8Vo Jzmtz2mrJVfi3r2wyYws+4//C3uOCoBzKhR+i4WpXJH9ho554Tmhk6gnaI+eFSjAyU7P /bwQ==
Here s=20120113; is the selector and d=gmail.com; is the domain. The public key for gmail.com can be looked up like this:
[root@localhost dkim]# host -t txt 20120113._domainkey.gmail.com
20120113._domainkey.gmail.com descriptive text "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD0" "7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"
[root@localhost dkim]#
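The lookup and key record from step 6, as an added example that is not part of the original post: it derives the DNS name from a signature's s= and d= tags, then parses a key record as `host` prints it and reports the RSA key size and the t=y test flag. The function names are this example's own; the two inputs are copied from the page.

```python
import base64
import re

def parse_tags(value):
    """Split a DKIM tag-list ("k=v; k=v") into a dict, dropping folding whitespace."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {key.strip(): "".join(val.split()) for key, val in pairs}

def key_query_name(signature_value):
    tags = parse_tags(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"  # <selector>._domainkey.<domain>

def txt_from_host_output(text):
    """Join the quoted strings printed by `host -t txt` and undo its escaping of ';'."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', text)
    return "".join(chunks).replace("\\;", ";")

def der_read(buf, pos):
    """Parse one DER TLV header at pos; return (content_start, content_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode(p_b64)
    spki, _ = der_read(der, 0)         # outer SEQUENCE
    _, alg_end = der_read(der, spki)   # AlgorithmIdentifier, skipped
    bits, _ = der_read(der, alg_end)   # BIT STRING wrapping RSAPublicKey
    rsa, _ = der_read(der, bits + 1)   # +1 skips the unused-bits byte
    mod, mod_end = der_read(der, rsa)  # first INTEGER is the modulus
    return int.from_bytes(der[mod:mod_end], "big").bit_length()

def audit_key_record(host_output):
    """Return (key_bits, findings) for a key record as printed by `host -t txt`."""
    tags = parse_tags(txt_from_host_output(host_output))
    bits, findings = rsa_bits(tags["p"]), []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is still in DKIM test mode")
    if bits < 2048:
        findings.append(f"{bits}-bit RSA key; RFC 8301 says signers should use 2048+")
    return bits, findings

# Inputs copied from step 6: the iyoutui.com record, and Gmail's signature minus bh=/b=.
RECORD = r's120701._domainkey.iyoutui.com descriptive text "k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5/9JMdcOkRvhfNRWXzKUuWypJoaLsL1jhZzZ535NYDEZTyUu8SUaZenY8+j84yzf8D/CiaLa6fQIE3ORD8rttdQAH0P4Zvztak7k6UptojT/lFqEVAEgAcYrKbB4EGM0df1N7coSGDe6FBshRzgW4lI75fThJnSxKbe5KrVyKUQIDAQAB"'
SIGNATURE = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113"
print(key_query_name(SIGNATURE), audit_key_record(RECORD))
```

For the page's record this reports a 1024-bit key and the t=y flag; the latter matches the "(test mode)" remark in Gmail's result in step 9.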
7. Publish the policy for failed verification in a DNS TXT record
[root@localhost dkim]# host -t txt _adsp._domainkey.iyoutui.com
_adsp._domainkey.iyoutui.com descriptive text "dkim=all"
[root@localhost dkim]#
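The dkim value can be unknown, all or discardable. None of the major ESPs I checked publish a policy, so this step can be skipped. When verification fails, the receiver acts according to its own policy. In my tests, Gmail discarded the message, while QQ and 163 accepted it normally.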
8. Modify t-test16.c to scan the message and generate the DKIM-Signature
/* Excerpt of the changes to t-test16.c. fEmlFile, pEmlLine, nLine, bHeader, status and
   the dkim signing handle are declared and set up in parts of the file not shown here. */
if ( argc < 2 )
{
    printf("Usage: %s $eml_file\n", argv[0]);
    return 1;
}

while ( fgets(pEmlLine, 1024, fEmlFile) != NULL )
{
    nLine++;
    if ( bHeader )
    {
        /* An empty line ends the header block. */
        if ( strncmp(pEmlLine, "\r\n", 2) == 0 || strncmp(pEmlLine, "\n", 1) == 0 )
        {
            status = dkim_eoh(dkim);
            assert(status == DKIM_STAT_OK);
            bHeader = 0;
            continue;
        }
        /* Only these header fields are passed to the signer; all others are skipped. */
        if ( strncasecmp(pEmlLine, "From:", 5) != 0
          && strncasecmp(pEmlLine, "To:", 3) != 0
          && strncasecmp(pEmlLine, "Subject:", 8) != 0
          && strncasecmp(pEmlLine, "Date:", 5) != 0
          && strncasecmp(pEmlLine, "Reply-To:", 9) != 0
          && strncasecmp(pEmlLine, "X-mailer:", 9) != 0
          && strncasecmp(pEmlLine, "Message-ID:", 11) != 0 )
            continue;
        status = dkim_header(dkim, pEmlLine, strlen(pEmlLine));
        /* strlen() returns size_t, so print it with %zu. */
        printf("num:%d, header:%d, [%s] %zu\n", nLine, bHeader, pEmlLine, strlen(pEmlLine));
    }
    else
    {
        status = dkim_body(dkim, pEmlLine, strlen(pEmlLine));
    } // if ( bHeader )
    assert(status == DKIM_STAT_OK);
    memset(pEmlLine, '\0', 1024);
}
[root@localhost dkim]# cd opendkim-2.6.2/libopendkim/tests/
[root@localhost tests]# make t-test16
[root@localhost tests]# ./t-test16
Usage: ../../opendkim-2.6.2/libopendkim/tests/.libs/lt-t-test16 $eml_file
[root@localhost tests]# ../../libopendkim/tests/.libs/lt-t-test16 plain.eml
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iyoutui.com; s=s120701; t=1341298992; bh=0iceU5a2cO3bQhL4Os527y4UIwNUmDEbsrqJ8a30EUI=; h=From:To:Subject:Date:Reply-To:X-mailer:Message-ID; b=cgopPO7K54jr4ezxTXpN0i6oCmyt3aPJgDT4vxcZDY3WDf0QfSIEOUa7bDf8W6PTN 4Gw/GEXdLzxSLVArYTnZ64ij/LwALKvjF+oDPgBnHbC3xTODgEvIvtWe9OhcAcPOeV 4WuZRZgYQjp4VpCs7GuAxSFBClCY2XUxpnbuowQM=
9. Add the DKIM-Signature to the message headers; mail sent to Gmail then passes signature verification
Received-SPF: pass (google.com: domain of [email protected] designates 173.252.205.131 as permitted sender) client-ip=173.252.205.131;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 173.252.205.131 as permitted sender) [email protected]; dkim=pass (test mode) [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iyoutui.com; s=s120701; t=1341298992; bh=0iceU5a2cO3bQhL4Os527y4UIwNUmDEbsrqJ8a30EUI=; h=From:To:Subject:Date:Reply-To:X-mailer:Message-ID; b=cgopPO7K54jr4ezxTXpN0i6oCmyt3aPJgDT4vxcZDY3WDf0QfSIEOUa7bDf8W6PTN 4Gw/GEXdLzxSLVArYTnZ64ij/LwALKvjF+oDPgBnHbC3xTODgEvIvtWe9OhcAcPOeV 4WuZRZgYQjp4VpCs7GuAxSFBClCY2XUxpnbuowQM=
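Viewing the original message in Gmail shows the information above, which means DKIM verification passed.
With that, a DKIM-Signature has been generated successfully using libmilter and opendkim.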