`
cloudmail
  • 浏览: 271859 次
  • 来自: 广州
社区版块
存档分类
最新评论

使用libmilter和opendkim生成DKIM-Signature

阅读更多
1,下载libmilter
wget ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.5.tar.gz


2,编译libmilter
[root@localhost dkim]# mv sendmail.8.14.5.tar.gz sendmail-8.14.5.tar.gz
[root@localhost dkim]# tar zxf sendmail-8.14.5.tar.gz
[root@localhost dkim]# cd sendmail-8.14.5/libmilter/
[root@localhost libmilter]# ./Build
....
[root@localhost libmilter]# ./Build install
Configuration: pfx=, os=Linux, rel=2.6.18-194.el5, rbase=2, rroot=2.6.18-194, arch=x86_64, sfx=, variant=optimized
Making in /home/iedm/dkim/sendmail-8.14.5/obj.Linux.2.6.18-194.el5.x86_64/libmilter
if [ ! -d /usr/include/libmilter ]; then mkdir -p /usr/include/libmilter; else :; fi
install -c -o root -g bin -m 0444 ../../include/libmilter/mfapi.h /usr/include/libmilter/mfapi.h
install -c -o root -g bin -m 0444 ../../include/libmilter/mfdef.h /usr/include/libmilter/mfdef.h
install -c -o root -g bin -m 0444 libmilter.a /usr/lib
[root@localhost libmilter]# 


注:在编译opendkim前要编译libmilter,否则在opendkim执行configure会出错
checking for milter library and includes... configure: error: milter not found


3,下载opendkim
wget http://sourceforge.net/projects/opendkim/files/opendkim-2.6.2.tar.gz


4,编译opendkim
[root@localhost dkim]# tar zxf opendkim-2.6.2.tar.gz 
[root@localhost dkim]# cd opendkim-2.6.2
[root@localhost opendkim-2.6.2]# ./configure
....
[root@localhost opendkim-2.6.2]# make
....
[root@localhost opendkim-2.6.2]# make install
....
[root@localhost opendkim-2.6.2]#


5,使用openssl生成公钥和私钥
[root@localhost dkim]# openssl genrsa -out rsa.private 1024
Generating RSA private key, 1024 bit long modulus
...............................++++++
..................++++++
e is 65537 (0x10001)
[root@localhost dkim]# openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
writing RSA key
[root@localhost dkim]# ls -l rsa*
-rw-r--r-- 1 root root 887 07-04 10:53 rsa.private
-rw-r--r-- 1 root root 272 07-04 10:53 rsa.public
[root@localhost dkim]# cat rsa.public 
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5/9JMdcOkRvhfNRWXzKUuWypJ
oaLsL1jhZzZ535NYDEZTyUu8SUaZenY8+j84yzf8D/CiaLa6fQIE3ORD8rttdQAH
0P4Zvztak7k6UptojT/lFqEVAEgAcYrKbB4EGM0df1N7coSGDe6FBshRzgW4lI75
fThJnSxKbe5KrVyKUQIDAQAB
-----END PUBLIC KEY-----
[root@localhost dkim]# 


6,通过dns txt记录设置公钥
[root@localhost dkim]# host -t txt s120701._domainkey.iyoutui.com
s120701._domainkey.iyoutui.com descriptive text "k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5/9JMdcOkRvhfNRWXzKUuWypJoaLsL1jhZzZ535NYDEZTyUu8SUaZenY8+j84yzf8D/CiaLa6fQIE3ORD8rttdQAH0P4Zvztak7k6UptojT/lFqEVAEgAcYrKbB4EGM0df1N7coSGDe6FBshRzgW4lI75fThJnSxKbe5KrVyKUQIDAQAB"
[root@localhost dkim]#


其中s120701是selector,_domainkey固定,iyoutui.com是发信域名。比如gmail发出邮件的DKIM-Signature如下
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:cc:content-type;
        bh=hDX73a4kPsHa/h6++RPoq1865EevSf3TwGuZJ9ZDZdU=;
        b=X5GwgZLp5AEeSkswVMgPhpE0/f4r/+vzq/b4WK6ppNcE4VfvPk1aGNHWp/5tknMpGM
         hK80iNSl+IqyDWL5vEr9sUfCXOHpRas10X2jHeK+SPQS86Lq6qB2W2M9enrKFYRovuwk
         ZZ3Gv2w8GLIcRcvZ7GTuNem8Jkr3Vou6vAgg5zSpFFtsI/gOSsnmZcg0kUq+/bPTb8rg
         JM23yjvFkWWLJkxx5SuItBnJmWL9//yhRFuRKAs5iA3mgGu6JyP4XMTeWRP/kNi7d8Vo
         Jzmtz2mrJVfi3r2wyYws+4//C3uOCoBzKhR+i4WpXJH9ho554Tmhk6gnaI+eFSjAyU7P
         /bwQ==


可看到s=20120113;是selector,d=gmail.com;是域名,例如查询gmail.com的公钥方法如下
[root@localhost dkim]# host -t txt 20120113._domainkey.gmail.com
20120113._domainkey.gmail.com descriptive text "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD0" "7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"
[root@localhost dkim]# 


7,通过dns txt记录设置验证失败的操作策略
[root@localhost dkim]# host -t txt _adsp._domainkey.iyoutui.com
_adsp._domainkey.iyoutui.com descriptive text "dkim=all"
[root@localhost dkim]# 

dkim配置的值有unknown/all/discardable,查看各大ESP都没有配置策略,所以这步可以省略。验证失败时,收件方按自己的策略来执行。测试了,gmail会丢弃邮件,qq、163会正常收下邮件。

8,修改t-test16.c扫描邮件内容生成DKIM-Signature
if ( argc < 2 )
	{
		printf("Usage: %s $eml_file\n", argv[0]);
		return 1;
	}

while ( fgets(pEmlLine, 1024, fEmlFile) != NULL )
{
	nLine++;
	if ( bHeader )
	{
		if ( strncmp(pEmlLine, "\r\n", 2) == 0 || strncmp(pEmlLine, "\n", 1) == 0 )
		{
			status = dkim_eoh(dkim);
			assert(status == DKIM_STAT_OK);
			bHeader = 0;
			continue;
		}

		if ( strncasecmp(pEmlLine, "From:", 5) != 0
			&& strncasecmp(pEmlLine, "To:", 3) != 0
			&& strncasecmp(pEmlLine, "Subject:", 8) != 0
			&& strncasecmp(pEmlLine, "Date:", 5) != 0
			&& strncasecmp(pEmlLine, "Reply-To:", 9) != 0
			&& strncasecmp(pEmlLine, "X-mailer:", 9) != 0
			&& strncasecmp(pEmlLine, "Message-ID:", 11) != 0 )
			continue;
		status = dkim_header(dkim, pEmlLine, strlen(pEmlLine));
		printf("num:%d, header:%d, [%s] %u\n", nLine, bHeader, pEmlLine, strlen(pEmlLine));
	}
	else
	{
		status = dkim_body(dkim, pEmlLine, strlen(pEmlLine));
	} // if ( bHeader )
	assert(status == DKIM_STAT_OK);
	memset(pEmlLine, '\0', 1024);
}


[root@localhost dkim]# cd opendkim-2.6.2/libopendkim/tests/
[root@localhost tests]# make t-test16
[root@localhost tests]# ./t-test16
Usage: ../../opendkim-2.6.2/libopendkim/tests/.libs/lt-t-test16 $eml_file
[root@localhost tests]# ../../libopendkim/tests/.libs/lt-t-test16 plain.eml
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iyoutui.com;
        s=s120701; t=1341298992;
        bh=0iceU5a2cO3bQhL4Os527y4UIwNUmDEbsrqJ8a30EUI=;
        h=From:To:Subject:Date:Reply-To:X-mailer:Message-ID;
        b=cgopPO7K54jr4ezxTXpN0i6oCmyt3aPJgDT4vxcZDY3WDf0QfSIEOUa7bDf8W6PTN
         4Gw/GEXdLzxSLVArYTnZ64ij/LwALKvjF+oDPgBnHbC3xTODgEvIvtWe9OhcAcPOeV
         4WuZRZgYQjp4VpCs7GuAxSFBClCY2XUxpnbuowQM=



9,在邮件信头加上DKIM-Signature,发邮件到gmail通过签名验证
Received-SPF: pass (google.com: domain of service@iyoutui.com designates 173.252.205.131 as permitted sender) client-ip=173.252.205.131;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of service@iyoutui.com designates 173.252.205.131 as permitted sender) smtp.mail=service@iyoutui.com; dkim=pass (test mode) header.i=@iyoutui.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iyoutui.com;
        s=s120701; t=1341298992;
        bh=0iceU5a2cO3bQhL4Os527y4UIwNUmDEbsrqJ8a30EUI=;
        h=From:To:Subject:Date:Reply-To:X-mailer:Message-ID;
        b=cgopPO7K54jr4ezxTXpN0i6oCmyt3aPJgDT4vxcZDY3WDf0QfSIEOUa7bDf8W6PTN
         4Gw/GEXdLzxSLVArYTnZ64ij/LwALKvjF+oDPgBnHbC3xTODgEvIvtWe9OhcAcPOeV
         4WuZRZgYQjp4VpCs7GuAxSFBClCY2XUxpnbuowQM=


在gmail查看邮件原文看到如上信息,表示通过了dkim验证。
至此,使用libmilter和opendkim生成DKIM-Signature成功。
2
1
分享到:
评论
1 楼 cloudmail 2013-03-29  
[root@localhost ~]$ host -t txt _dmarc.google.com      
_dmarc.google.com descriptive text "v=DMARC1\; p=quarantine\; rua=mailto:mailauth-reports@google.com"
[root@localhost ~]$ host -t txt _dmarc.163.com         
Host _dmarc.163.com not found: 3(NXDOMAIN)
[root@localhost ~]$ host -t txt _dmarc.paypal.com
_dmarc.paypal.com descriptive text "v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
[root@localhost ~]$[/shell]

dmarc的拦截策略,163.com没有设置dmarc的处理策略

相关推荐

    libmilter++-开源

    综上所述,libmilter++ 为 C++ 开发者提供了一种高效、易用的途径来开发 Sendmail Milter 邮件过滤器,大大简化了邮件处理系统的构建过程,同时得益于开源社区的支持,libmilter++ 持续保持着活力和进步。...

    pymilter:libmilter API的Python绑定

    其他python模块提供了导航和修改MIME部分,发送DSN或执行CBV的功能。 要求 Python milter扩展名: ://pypi.python.org/pypi/pymilter/ Python: ://www.python.org Sendmail: : 快速安装 构建并安装Sendmail,...

    milter-limit安装指南

    3. **兼容性问题**:确认所使用的版本之间是否存在兼容性问题,尤其是 Postfix 与 milter-limit 之间的版本兼容性。 4. **性能问题**:若发现邮件处理速度变慢,可能需要调整 milter-limit 的配置以提高效率。 5. ...

    srs-milter:C SRS Milter(邮件过滤器)

    它已由 emsearcy 和 Driskell 更新和调整,并通过 GitHub 分发。 依赖关系 postfix 2.5 -- 支持 SMFIF_CHGFROM libmilter -- 与 sendmail 8.14.0 及更高版本兼容 libspf2 -- 能够仅重写可被最终 MTA 上的 SPF 检查...

    yatxmilter:用纯 python 编写的 milter 协议作为一种扭曲的协议

    在人们告诉我们使用和 libmilter 来实现我们的目标之后,它受到了启发。 由于我们喜欢按照 Twisted 的工作方式使用 Twisted 内部的东西,因此决定创建这个项目。 使用yatxmilter的目标是使用 Twisted 的异步调用...

    dnsblproxy-开源

    总结来说,DNSBLProxy是一个用Perl编写的开源软件,它作为DNSBL查询的代理,支持多种邮件系统集成,如sendmail和libmilter,且使用Berkeley DB存储数据。其目标是提高邮件系统的垃圾邮件过滤效率和准确性。开源特性...

    Spammer-开源

    Spammer是用于Sendmail和Postfix的反垃圾邮件过滤器。 它使用libmilter与MTA进行通信。 Spammer会根据DNSBL数据库检查客户端IP地址以及“ Received:”标头中的所有IP地址。

    milter-template:pymilter dockerized模板

    milter模板 安装: ...cd milter-template mkdir spams docker-compose up -d 获取一些.eml(原始电子邮件)并将其放入“垃圾邮件”目录。 运行测试: pip3 install iosmtplib python3 ./smtp_client.py ...

Global site tag (gtag.js) - Google Analytics