Dkfilter: Proxy SMTP (Signature Mails) Made by Yahoo
Introduction
DomainKeys is an anti-spam software application in development at Yahoo that uses a form of public-key cryptography to authenticate the sender's domain. dkfilter is an SMTP proxy designed for Postfix that implements DomainKeys message signing and verification. It comprises two separate filters: an "outbound" filter for signing outgoing email on port 587, and an "inbound" filter for verifying signatures of incoming email on port 25. This document describes, step by step, how to install dkfilter for Postfix to deploy DomainKeys signing and verification.
Insert the above lines at the end of the file. They specify that mail received over SMTP is then passed for verification to 127.0.0.1 on port 10026. You can define a different IP address to listen on for signature checking.
Outbound filter
The outbound filter needs access to the private key used for signing messages. In addition, it needs to know the name of the key selector being used, and what domain it should sign messages for. This information is specified with command-line arguments to dkfilter.out.
Key pair
Generate a private/public key pair and publish the public key in DNS:
This creates the files private.key and public.key in the current directory, containing the private key and public key. Make sure private.key is not world-readable, but still readable by the dkfilter user.
Pick a selector name... e.g. m1
Bind
Put the public-key data in DNS, in your domain, using the selector name you picked. Copy the contents of the public.key file, remove the PEM header and footer, and paste the result into the DNS zone file by creating a TXT entry, like this:
where m1 is the name of the selector chosen in the last step and the p= parameter contains the public-key as one long string of characters.
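The key-pair and DNS steps can be scripted as follows. This is an added example, not code from the dkfilter distribution: the function names, the `dkfilter` account name and the `k=rsa` tag (taken from the DomainKeys record syntax) are assumptions, and the key size is left to the caller.

```shell
#!/bin/sh
# Added example; selector m1 and the "dkfilter" account are assumptions.

# gen_keypair BITS [OWNER]: create private.key/public.key in the current directory.
gen_keypair() {
    bits=${1:?RSA key size in bits required}
    (
        umask 077     # private.key is created owner-only, never world-readable
        openssl genrsa -out private.key "$bits" &&
        openssl rsa -in private.key -pubout -out public.key &&
        chmod 644 public.key
    ) || return 1
    # Hand the private key to the account dkfilter runs as, if one was given.
    if [ -n "$2" ]; then chown "$2" private.key; fi
}

# dk_txt_record SELECTOR PUBFILE: print the zone-file TXT entry for PUBFILE.
dk_txt_record() {
    selector=$1 pubfile=$2
    # Guard against publishing the wrong file.
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "refusing: $pubfile contains a private key" >&2; return 1
    fi
    # Remove the PEM header/footer and join the base64 body into one string.
    b64=$(grep -v '^-----' "$pubfile" | tr -d ' \r\n')
    case $b64 in
        ''|*[!A-Za-z0-9+/=]*) echo "no clean base64 in $pubfile" >&2; return 1 ;;
    esac
    # DNS limits one TXT character-string to 255 bytes, so longer data is
    # written as several quoted strings within the same record.
    rest="k=rsa; p=$b64" out=
    while [ -n "$rest" ]; do
        out="$out \"$(printf '%s' "$rest" | cut -c1-255)\""
        rest=$(printf '%s' "$rest" | cut -c256-)
    done
    printf '%s._domainkey IN TXT (%s )\n' "$selector" "$out"
}

# Usage (run in the key directory, then paste the output into the zone file):
#   gen_keypair <bits> dkfilter
#   dk_txt_record m1 public.key
```

After reloading the zone, querying the TXT record for `m1._domainkey` in your domain should return the same `p=` data before the outbound filter is switched on.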
Postfix
Finally, configure Postfix to filter outgoing, authorized messages only through the dkfilter.out service on port 10027. In the following example, messages sent via SMTP on port 587 (the submission port) will go through an After-Queue content filter that signs messages with DomainKeys.