openFATE - openSUSE feature tracking > #310517

DKIM and DomainKeys support

Feature state

openSUSE-11.4: Rejected

Description

Most of the large email service providers (gmail, yahoo, hotmail/live, aol, ...) are using DKIM checking as part of their anti-spam filtering systems. We should make it very easy for users to configure their mail server to sign mail as it goes out.

User benefit:

DKIM is now widely adopted by all major e-mail providers and is considered a key check in anti-spam systems. While many people and organizations deploy one of the big integrated mail solutions or use a hosted solution, some just want good, old, plain SMTP. We should help these people get the highest level of security directly with their operating system of choice.

References

packages: yast2-mail postfix

Discussion


M. S. wrote: (3 years ago)

It would be great to integrate DKIM and DomainKeys support into openSUSE.

P. V. wrote: (3 years ago)

Now I've analyzed the possibilities how to integrate DKIM into our mail setup.
There is a big difference between using DKIM to verify incoming messages and using DKIM to sign outbound messages.
Furthermore there are different ways to implement both solutions.

1. amavisd-new uses the perl DKIM module for both incoming and outbound messages.

2. There is a dkim-proxy module which can be used as smtp proxy for both incoming and outbound messages.

3. There is a dkim-filter module which can be used as smtpd_milters.

4. SpamAssassin can score DKIM signed mails.

The implementation of using DKIM to verify incoming messages is very simple using 4.:

  • Configuring postfix to use amavisd
  • Installing perl-Mail-DKIM
  • Set some rules in spamassassin

Implementation of signing outbound messages is very complex:

  • Configuring postfix to provide a service for verified outbound mail. This can be "submission" or an SMTP port on a dedicated IP address. This service must only accept authorized mail (sasl, mynetwork).
  • This service must bypass the authorized mails to a service which can sign this mail. The signing can be amavis, dkim-proxy or dkim-filter.
  • The signing service must be configured too. E.g. the domain key must be generated and the public key of the domain key must be published via DNS.
  • In case of having a DNS server on the same server or in LDAP we can create the necessary DNS TXT record too via YaPI::DNSD.
  • Having more mail domains we can define for each domain a separate key. In any case we have to define which key will be used for which domain.
  • It is also possible to define more secure keys which can be assigned to users.

The modules perl-Mail-DKIM and dkimproxy are already part of SLE11. Only if we use dkim-filter do we need a new package for SLE11.
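
Added example, not part of the comment above and not code from YaST, YaPI::DNSD or any openSUSE package: Python code for the DNS step of the signing setup, turning a per-domain key table into the TXT records that publish each public key. The domains, the selector `mail2011` and the key bytes are constructed placeholders; a real setup would read the PEM output of `openssl rsa -pubout` instead.

```python
import base64

def pem_to_p_tag(pem: str) -> str:
    """Strip the PEM armor and return the one-line base64 for the p= tag."""
    lines = (l.strip() for l in pem.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises on a damaged key file
    return body

def dkim_txt_record(domain: str, selector: str, pem: str) -> str:
    """Zone-file line for <selector>._domainkey.<domain> (RFC 6376 key record)."""
    value = f"v=DKIM1; k=rsa; p={pem_to_p_tag(pem)}"
    # One TXT character-string holds at most 255 bytes, so the record for a
    # 2048-bit key has to be split into several quoted strings.
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    quoted = " ".join(f'"{c}"' for c in chunks)
    return f"{selector}._domainkey.{domain}. IN TXT ( {quoted} )"

def fake_public_pem(seed: int, size: int = 294) -> str:
    """Constructed stand-in with the length of a 2048-bit RSA public key.
    These bytes are NOT a real key and only exercise the formatting."""
    der = bytes((seed + i) % 256 for i in range(size))
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(rows)
            + "\n-----END PUBLIC KEY-----\n")

# Hypothetical key table: which selector and key sign for which mail domain.
KEY_TABLE = {
    "example.org": ("mail2011", fake_public_pem(1)),
    "example.net": ("mail2011", fake_public_pem(2)),
}

def zone_lines(table: dict) -> list:
    """One TXT record per mail domain, in a stable order."""
    return [dkim_txt_record(d, s, pem) for d, (s, pem) in sorted(table.items())]

if __name__ == "__main__":
    for line in zone_lines(KEY_TABLE):
        print(line)
```

The signing service must be given the same domain-to-selector mapping, because receivers look up the key under the selector named in each signature.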

Last change: 2 years ago
Voting
Score: 3
  • Negative: 1
  • Neutral: 0
  • Positive: 4