From: Mike M. <mi...@ma...> - 2009-03-02 02:05:32

Tony,

It doesn't appear that you're actually generating signatures; instead, it seems that you're simply prepending a manually-assembled DKIM-Signature header to each message, and sticking your public key into it. That's not how DKIM works, and if it were, it wouldn't be very helpful in preventing forgery since anyone could get the same public key from DNS and insert it into a header they crafted.

The purpose of dkim-milter and other signing solutions is to calculate cryptographic hashes of each individual message's content (headers and body) using your private key; any receiver can then use the public key to verify that signature.

You may want to start again using the INSTALL file in the dkim-milter source, if that's what you've opted to sign and verify with (I'm not clear on this point since there aren't separate versions of dkim-milter for Sendmail and for Postfix).

Once dkim-milter itself is set up, you'll need to use the smtpd_milters (and possibly non_smtpd_milters) options in main.cf. For example, I have a postfix system I've configured to sign with DKIM; my milter listens on port 8025 (arbitrarily chosen) on localhost, and my main.cf contains:

    non_smtpd_milters = inet:localhost:8025
    smtpd_milters = inet:localhost:8025
    milter_default_action = tempfail
    milter_protocol = 2

I'm not a heavy Postfix user so I'm not sure if the milter_protocol option is still required. The milter_default_action option causes my Postfix system to tempfail messages if the filter is unreachable.

Many more detailed guides exist to configuring dkim-milter and Postfix, but this should get you started.

-- 
Mike Markley <mi...@ma...>
Murphy's Law, that brash proletarian restatement of Godel's Theorem.
- Thomas Pynchon, "Gravity's Rainbow"
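To illustrate Mike's point that a public key pasted into a header is not a signature, here is an added Python sketch (not code from this thread or from dkim-milter) of what a DKIM signer and verifier actually compute: RFC 6376 simple/relaxed canonicalization, the bh= body hash and the b= header signature. The RSA key pair, the sample headers and the body are constructed for the demonstration; the key is deliberately tiny and the signing is textbook RSA without padding, so it shows the mechanism only.

```python
import base64
import hashlib
import re

# Constructed demonstration RSA key from two known Mersenne primes (2^61-1, 2^89-1).
# Far too small for real use (DKIM keys are >=1024-bit RSA or Ed25519); it only shows
# that b= needs TOY_D, while (TOY_E, TOY_N) is what the DNS TXT record gives everyone.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
TOY_N, TOY_E = _P * _Q, 65537
TOY_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python >= 3.8)

def canon_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF endings, no trailing empty lines."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def canon_header_relaxed(name: str, value: str) -> bytes:
    """RFC 6376 'relaxed' header canonicalization: lowercase name, unfold, squeeze spaces."""
    value = re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()

def header_digest(headers, bh: str) -> int:
    """Hash over the signed headers plus the DKIM-Signature field itself with b= empty."""
    sig_value = f"v=1; a=rsa-sha256; h={':'.join(h for h, _ in headers)}; bh={bh}; b="
    data = b"".join(canon_header_relaxed(h, v) for h, v in headers)
    data += canon_header_relaxed("DKIM-Signature", sig_value).rstrip(b"\r\n")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(headers, body, d=TOY_D, n=TOY_N) -> dict:
    """Signer side (what the milter does): needs the private exponent d."""
    bh = body_hash(body)
    return {"bh": bh, "b": pow(header_digest(headers, bh) % n, d, n)}

def verify(headers, body, sig, e=TOY_E, n=TOY_N) -> bool:
    """Receiver side: recompute bh= from the delivered body, then check b= with (e, n)."""
    if body_hash(body) != sig["bh"]:
        return False
    return pow(sig["b"], e, n) == header_digest(headers, sig["bh"]) % n

# Constructed sample message: verify(HDRS, BODY, sign(HDRS, BODY)) is True, and any
# change to BODY or HDRS after signing makes it False.
HDRS = [("From", "alice@example.org"), ("Subject", "Invoice  attached")]
BODY = "Please see the attached invoice.\n\n"
```

Because only the signer holds TOY_D, a receiver that fetched (TOY_E, TOY_N) from DNS can check b= but cannot mint one, which is the property the copied-public-key header lacks.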