OpenDKIM and SPF (fight the spammers)
Here I introduce two anti-spam mechanisms that are meant to make our day-to-day email a bit safer and a bit less likely to be forged.
How OpenDKIM works
The idea of DK (DomainKeys, developed at Yahoo! Inc. during my days at the place) and later OpenDKIM is to have a signing mechanism for mail. It basically makes the signing of outgoing emails a two-part process: you keep a secret key that is used for signing outgoing mail on your server, while the public part of the key is added to your domain's DNS. Practically it makes it very safe because neither the private part nor the public part of your key is accessible to anyone besides you. If someone maliciously fakes emails to originate at your domain (an easy thing to do, and nothing can prevent that sort of thing from happening) they won't come with your signature. Any legitimate mail from you at your domain is verified by others on the internet against the public key saved in your domain's zone file.
The tools necessary to work with OpenDKIM
Sendmail Milter - enabled by default these days. What is necessary, though, is to make Sendmail aware of the local socket I would like to use for the connection to opendkim.
sendmail.mc
INPUT_MAIL_FILTER(`opendkim',`S=local:/var/run/dkim/opendkim.socket')dnl
Build and install the config. Restart Sendmail and see if it correctly connects to OpenDKIM. There are a few test commands further down in this text.
OpenDKIM - You need a place for the opendkim socket file. In this example I'll use a local socket for the connection between the milter and opendkim. So the socket goes in /var/run/dkim and the key files go into /var/db/dkim. Chown them according to the user ID used in the config file.
opendkim.conf
BaseDirectory /var/run/dkim
Domain srick.org
ExternalIgnoreList /var/db/dkim/TrustedHosts
InternalHosts /var/db/dkim/TrustedHosts
KeyFile /var/db/dkim/default.private
Selector default
Socket local:/var/run/dkim/opendkim.socket
UserID mailnull:mailnull
Everything else is mostly left to default settings.
DNS TXT record in srick.org
default._domainkey TXT k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwP39jL1nlGPZJoN8bMZhEbw5obLCKHkHOcn+K9J6rUg+/mknwYz4x5A8FU6hpwL4Nm4+MsMz0Bx3bQwLBDQlnby9g19oMwExTwdL6kUSZt27VqEYeR5JVhr7b9//hEs+9SOp19f3uBLWLmYZ1NzmA4A/fqsEtIgJgrj8MBi3ugwIDAQAB
TrustedHosts - file
localhost
127.0.0.1
::1
mta.hzn.srick.org
jail5.ipv6.srick.org
It contains all the hostnames for which signing should be done.
The basic opendkim commands
# generate your key(s)
opendkim-genkey -D /var/db/dkim/ -b 1024 -d srick.org -s default
# trace your dns record
dig -t TXT default._domainkey.srick.org
# verify your config
opendkim-testkey -vvvv -x /usr/local/etc/mail/opendkim.conf
# test mail signing
echo foobar | opendkim-testmsg -d srick.org -k /var/db/dkim/default.private -s default
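As an added example (not code from this page or from the OpenDKIM project), the following Python script checks a DKIM key record in the form that `dig -t TXT default._domainkey.srick.org +short` returns it: it joins dig's quoted strings, splits the tag=value pairs, base64-decodes `p=`, walks the DER SubjectPublicKeyInfo to read the RSA modulus size, and flags an empty (revoked) or undecodable key. The record it runs against is the page's own srick.org record; the DER walker is a minimal one written for this example and handles only RSA keys. It goes beyond the page's 1024-bit record in joining a record split into several quoted strings, which is how dig prints a 2048-bit key.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption, DER encoded


def parse_dkim_record(rdata):
    """Split a DKIM key record into its tag=value pairs.

    rdata may be the raw text or the quoted form dig prints; a record longer
    than 255 bytes comes back from dig as several quoted strings, joined here.
    """
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    text = "".join(chunks) if chunks else rdata
    tags = {}
    for part in text.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        # folding whitespace is allowed inside tag values (RFC 6376), so drop it
        tags[key.strip()] = "".join(value.split())
    return tags


def der_read(buf, pos):
    """Read one DER TLV at pos; returns (tag, content bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the modulus size of a DER SubjectPublicKeyInfo holding an RSA key."""
    tag, body, _ = der_read(spki, 0)               # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = der_read(body, 0)              # AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstring, _ = der_read(body, pos)        # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsapub, _ = der_read(bitstring[1:], 0)      # skip unused-bits byte; RSAPublicKey
    tag, modulus, _ = der_read(rsapub, 0)          # INTEGER n
    if tag != 0x02:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(rdata):
    """Return (problems, modulus_bits) for a published DKIM key record."""
    tags = parse_dkim_record(rdata)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("key type %r is not handled here" % tags["k"])
        return problems, 0
    if "p" not in tags:
        problems.append("p= tag missing: verifiers cannot fetch a key")
        return problems, 0
    if tags["p"] == "":
        problems.append("p= is empty: the key is revoked, signatures will fail")
        return problems, 0
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:
        problems.append("p= is not a valid base64 SubjectPublicKeyInfo: %s" % exc)
        return problems, 0
    if bits < 1024:
        problems.append("%d-bit RSA key: RFC 8301 verifiers reject below 1024" % bits)
    elif bits < 2048:
        problems.append("%d-bit RSA key works, but RFC 8301 recommends 2048" % bits)
    return problems, bits


# The record the page publishes for default._domainkey.srick.org, written the
# way dig +short prints it (one quoted string).
SRICK_RECORD = ('"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwP39jL1nlGPZJoN8bMZhEbw5obLCKHkHOcn'
                '+K9J6rUg+/mknwYz4x5A8FU6hpwL4Nm4+MsMz0Bx3bQwLBDQlnby9g19oMwExTwdL6kUSZt27VqEYeR5J'
                'Vhr7b9//hEs+9SOp19f3uBLWLmYZ1NzmA4A/fqsEtIgJgrj8MBi3ugwIDAQAB"')

if __name__ == "__main__":
    print(check_dkim_record(SRICK_RECORD))
```

Run against the page's record it reports a 1024-bit key with one remark: verifiers still accept it (RFC 8301 requires at least 1024 bits), but the same RFC recommends 2048 bits, which `opendkim-genkey -b 2048` produces. A 2048-bit key's p= value is longer than the 255-byte limit of a single TXT string, so the zone file has to carry it as two quoted strings; dig prints them back the same way, and the parser above joins them before decoding.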
How SPF works
You use SPF records to allow IP addresses to be mail relays for a domain. I'll use the srick.org domain as an example. There is a TXT record set up that identifies the MX records of my domain as legitimate senders.
# allow mx record ip addresses and fail all others (-all)
$ dig -t TXT srick.org +short
"v=spf1 mx -all"
# the mx records for the domain
$ dig -t MX srick.org +short
10 jail5.ipv6.srick.org.
10 mta.hzn.srick.org.
Emails that use jail5.ipv6.srick.org or mta.hzn.srick.org as relay on the way to the recipient get the flag spf=pass from major mail providers. If they don't, they simply fail the check. This is what it looks like when they pass:
Received-SPF: pass (google.com: domain of srick@srick.org designates 188.40.60.245 as permitted sender) client-ip=188.40.60.245;
# 188.40.60.245 is the address of mta.hzn.srick.org
$ dig mta.hzn.srick.org +short
188.40.60.245
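To show what the `v=spf1 mx -all` record above means for a receiving mail server, here is an added Python example (not code from this page or from any SPF library) that evaluates the check_host() logic of RFC 7208 against an offline DNS snapshot. The srick.org entries mirror the dig output shown above; the address of jail5.ipv6.srick.org and the shop.example zone are constructed for the demo, since the page only gives mta's address. It goes beyond the page's record in handling the ip4, ip6, a, include and redirect= terms and all four qualifiers, so the same function also shows why a `~all` record yields softfail rather than fail.

```python
import ipaddress

# Constructed DNS snapshot. The srick.org entries mirror the dig output above;
# jail5's address and the shop.example zone are invented for this demo.
DNS = {
    "srick.org": {
        "TXT": ["v=spf1 mx -all"],
        "MX": ["jail5.ipv6.srick.org", "mta.hzn.srick.org"],
    },
    "mta.hzn.srick.org": {"A": ["188.40.60.245"]},
    "jail5.ipv6.srick.org": {"A": ["192.0.2.10"]},                  # constructed
    "shop.example": {"TXT": ["v=spf1 include:srick.org ~all"]},     # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying terms at 10; nesting depth approximates that here


def lookup(name, rtype):
    """Offline stand-in for a DNS query; names are compared without trailing dot."""
    return DNS.get(name.rstrip(".").lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def host_matches(name, ip, prefix):
    """True if an A/AAAA address of name (widened to /prefix if given) covers ip."""
    rtype = "AAAA" if ip.version == 6 else "A"
    for addr in lookup(name, rtype):
        cidr = f"{addr}/{prefix}" if prefix else addr
        if ip in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for sending address ip; returns an SPF result."""
    ip = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    if depth > MAX_DEPTH:
        return "permerror"
    redirect = None
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech.startswith("redirect="):     # modifier: applied only if nothing matches
            redirect = term[len("redirect="):]
            continue
        if "=" in mech:                      # other modifiers (exp=) do not affect the result
            continue
        prefix = None
        if "/" in mech:                      # "a/24" form
            mech, _, prefix = mech.partition("/")
        elif mech in ("a", "mx") and "/" in arg:   # "mx:host/24" form
            arg, _, prefix = arg.partition("/")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):         # an address of the other IP version never matches
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_matches(target, ip, prefix)
        elif mech == "mx":
            matched = any(host_matches(mx, ip, prefix) for mx in lookup(target, "MX"))
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"                         # no term matched and no redirect


if __name__ == "__main__":
    for sender in ("188.40.60.245", "192.0.2.10", "203.0.113.7"):
        print(sender, check_host(sender, "srick.org"), check_host(sender, "shop.example"))
```

With the page's record, mail from mta's address 188.40.60.245 matches the mx term and passes, while any other address falls through to `-all` and fails. The `-` qualifier is what makes a receiver reject outright; a domain that publishes `~all` instead gets softfail, which most providers only use as a scoring signal. The nesting counter is a simplification of the RFC 7208 limit of ten DNS-querying terms per evaluation; a real verifier counts mx, a, include and redirect lookups, and a record that exceeds the limit gets permerror, so keep included records short.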