Sendmail libmilter
This is the prerequisite for the DKIM package. Install Sendmail libmilter with the poll option:
Add the line below to /etc/portage/package.use
mail-filter/libmilter poll
Now emerge the package
# emerge -v mail-filter/libmilter
dkim-milter
Download dkim-milter from http://sourceforge.net/projects/dkim-milter/. The current version is dkim-milter-2.8.2. Unpack the package, cd into the package tree, and read the README and INSTALL files. You should read these two files even if you are going to use portage to install the package. They contain some valuable information.
The same version is available through portage as well, though it is masked. If you plan to install it from portage, then add the line below into /etc/portage/package.keywords:
=mail-filter/dkim-milter-2.8.2
Then emerge the package
# emerge -v mail-filter/dkim-milter
* Messages for package mail-filter/dkim-milter-2.8.2:
* If you want to sign your mail messages, you will have to run
* emerge --config mail-filter/dkim-milter
* It will help you create your key and give you hints on how
* to configure your DNS and MTA.
* Make sure your MTA has r/w access to the socket file.
* This can be done either by setting UMask to 002 and adding MTA's user
* to milter group or you can simply set UMask to 000.
Now configure it
# emerge --config mail-filter/dkim-milter
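When it asks for the "selector name", make sure you enter a single word with no spaces. Read the message from the above command carefully:
- Edit the file /etc/mail/dkim-filter/dkim-filter.conf, and add or correct the following lines (replace "selectorname" with the selector name you entered above). If you have multiple domains, list them comma-separated on the "Domain" line. Note that Umask 000 leaves the socket writable by every local user; the emerge message above also gives the tighter alternative of setting UMask to 002 and adding the MTA's user to the milter group: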
Keyfile full-path-to-selector-private-key-file
Selector selectorname
Domain domain.com,anotherdomain.com
Umask 000
- Edit /etc/postfix/main.cf, and add the following lines:
smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock
non_smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock
# for postfix 2.5.x, the protocol version is 6
milter_protocol = 6
- Open your domain's DNS settings, and enter another TXT record, with the hostname selectorname._domainkey (replace "selectorname" with the selector name you entered above) and the TXT value taken from the message printed by the above emerge command. For the complete list of DKIM TXT tags, see http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text.
Now start /etc/init.d/dkim-filter, and reload /etc/init.d/postfix.
Test
To test, send a piece of e-mail through the MTA doing signing for your domain to sa-test@sendmail.net. It should be returned to you shortly showing your message in the body of a new message, including all of the header changes that were made in transit. The message you generated should appear there with a DKIM-Signature: header added, containing the signature data your dkim-filter added, and an Authentication-Results: header which the testing machine's dkim-filter added after verifying the signature. The value of this header should indicate a "pass". If it doesn't, something in between has altered your message in a way that invalidated the signature. Perhaps you have other filters running which appended or modified a header.
The reply from the test machine will also itself be signed, and in the headers of the reply you should see its signature and another Authentication-Results: header, which should also read "pass".
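The check described above can be scripted. This is an added example, not part of the original page or of dkim-milter: it assumes you have saved the echoed copy of your message, starting at its headers, to a file. The function names are hypothetical, domain.com and selectorname are the page's placeholders, and verifier.example and the sample headers are constructed.

```shell
#!/bin/sh
# Print the header block of FILE ($1) with folded continuation lines joined.
unfold_headers() {
    awk '{ sub(/\r$/, "") }
         /^$/ { exit }   # blank line ends the headers
         /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1"
}

# Print the value of tag $2 (d, s, ...) from DKIM-Signature header line $1.
dkim_tag() {
    printf '%s\n' "${1#*:}" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        head -n 1
}

# check_dkim FILE DOMAIN SELECTOR
# 0 = signed by DOMAIN/SELECTOR and verified "pass"; 1 = no DKIM-Signature;
# 2 = signed with a different d=/s=; 3 = verifier result missing or not "pass".
check_dkim() {
    hdrs=$(unfold_headers "$1")
    sig=$(printf '%s\n' "$hdrs" | grep -i '^DKIM-Signature:' | head -n 1)
    [ -n "$sig" ] || { echo "no DKIM-Signature header"; return 1; }
    d=$(dkim_tag "$sig" d); s=$(dkim_tag "$sig" s)
    if [ "$d" != "$2" ] || [ "$s" != "$3" ]; then
        echo "signed with d=$d s=$s, expected d=$2 s=$3"; return 2
    fi
    res=$(printf '%s\n' "$hdrs" | grep -i '^Authentication-Results:' |
          sed -n 's/.*[;[:space:]]dkim=\([A-Za-z]*\).*/\1/p' | head -n 1)
    [ "$res" = pass ] || { echo "dkim result: ${res:-missing}"; return 3; }
    echo "dkim=pass for d=$d s=$s"
}

# Constructed sample (not real mail): the echoed headers saved to a file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Authentication-Results: verifier.example; dkim=pass
DKIM-Signature: v=1; a=rsa-sha256; d=domain.com;
  s=selectorname; h=From:Subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: user@domain.com

EOF
check_dkim "$sample" domain.com selectorname
rm -f "$sample"
```

A return code of 2 means some other signer's signature was found first, and 3 means the verifier did not report a pass, which points at the filter-ordering problem mentioned above.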
Auto-start dkim-filter daemon
# rc-update add dkim-filter default