Thursday, April 28, 2011

DomainKeys Identified Mail

I configured my Postfix mail server to sign emails using the DomainKeys Identified Mail protocol. Postfix does not handle DKIM internally so additional software is needed. I tried dkim-milter and opendkim, which is a fork of the former. Both worked but opendkim seems to be a little more actively developed, so I choose it.

There are plenty of tutorials on the Web so set up is not very difficult. The problem was the signature would not verify. It's a good thing DKIM has a test mode!

I suspected that the signature was being broken when the From: header on the outgoing email was rewritten with my public email address. There were only two solutions: sign after rewriting or rewrite before signing. Because of where Postfix connects to the DKIM filter in the processing flow, the first solution requires a dual queue configuration, which sounds complicated, although I have not investigated it.

The second solution uses a different Postfix mapping table, which is much easier to configure. I moved the rewrite rules from the generic map (examined for outgoing mail) to the canonical map (examined for incoming mail). Amazingly, it worked! Always use the simplest solution first. ^_^
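An added example, not code from the post or from opendkim, that shows why the order of rewriting and signing matters. It implements DKIM's "relaxed" header canonicalization from RFC 6376 and signs the From, To and Subject fields; HMAC-SHA256 stands in for the RSA signature real DKIM uses, and the addresses, key and headers are constructed for the demonstration. Rewriting From after signing fails verification, rewriting before signing passes, and re-folding a header only changes whitespace, which relaxed canonicalization deliberately ignores.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample headers as the message leaves the MUA, before any rewriting.
ORIGINAL_HEADERS: List[Header] = [
    ("From", "Alice <alice@localhost.localdomain>"),
    ("To", "bob@example.com"),
    ("Subject", "DKIM test"),
]
# The public address the generic/canonical map rewrites the From: header to.
PUBLIC_FROM = "Alice <alice@example.org>"
# Header fields covered by the signature (the h= tag of a DKIM-Signature).
SIGNED_FIELDS = ["from", "to", "subject"]
# Stand-in key: HMAC-SHA256 replaces DKIM's RSA private/public key pair here.
SIGNING_KEY = b"constructed-demo-key"


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization: lowercase the
    field name, unfold continuation lines, collapse runs of whitespace to one
    space and strip leading/trailing whitespace from the value."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}"


def canonicalize(headers: List[Header], fields: List[str]) -> str:
    """Build the signed header blob in h= order. When a field is repeated,
    DKIM covers the last instance in the message, so the last match is used."""
    out = []
    for want in fields:
        matches = [h for h in headers if h[0].lower() == want]
        if matches:
            out.append(relaxed_header(*matches[-1]))
    return "\r\n".join(out) + "\r\n"


def sign(headers: List[Header]) -> str:
    """Signer side: MAC over the canonicalized, covered header fields."""
    blob = canonicalize(headers, SIGNED_FIELDS).encode("utf-8")
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).hexdigest()


def verify(headers: List[Header], signature: str) -> bool:
    """Verifier side: recompute over the headers as delivered and compare."""
    return hmac.compare_digest(sign(headers), signature)


def rewrite_from(headers: List[Header], new_from: str) -> List[Header]:
    """Simulate the address rewrite the Postfix map performs on From:."""
    return [(n, new_from if n.lower() == "from" else v) for n, v in headers]


def rewrite_after_signing() -> bool:
    """Generic map case: the signer saw the old From:, delivery rewrote it."""
    signature = sign(ORIGINAL_HEADERS)
    delivered = rewrite_from(ORIGINAL_HEADERS, PUBLIC_FROM)
    return verify(delivered, signature)  # False: covered header changed


def rewrite_before_signing() -> bool:
    """Canonical map case: From: is rewritten before the signer sees it."""
    rewritten = rewrite_from(ORIGINAL_HEADERS, PUBLIC_FROM)
    signature = sign(rewritten)
    return verify(rewritten, signature)  # True


def relaxed_survives_refolding() -> bool:
    """A downstream MTA re-folding a header does not break a relaxed signature."""
    signature = sign(ORIGINAL_HEADERS)
    refolded = [(n, "DKIM\r\n test" if n == "Subject" else v) for n, v in ORIGINAL_HEADERS]
    return verify(refolded, signature)  # True: whitespace only


if __name__ == "__main__":
    print("rewrite after signing verifies:", rewrite_after_signing())
    print("rewrite before signing verifies:", rewrite_before_signing())
    print("refolded header verifies:", relaxed_survives_refolding())
```

The Postfix side follows the same logic: smtp_generic_maps is applied by the smtp(8) client when the message is delivered, after it has been queued and therefore after the milter has signed it, while canonical_maps is applied by cleanup(8) before the message reaches the queue. A real verifier additionally checks the body hash (bh=) and fetches the public key from the selector's DNS TXT record; the test mode mentioned above is the t=y flag in that record, which tells verifiers to treat failures as non-fatal while the deployment is being debugged.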

(Note: Gmail and Yahoo support DKIM but Hotmail does not. Surprised? I'm not.)
