openFATE - openSUSE feature tracking > #310517

DKIM and DomainKeys support

Feature state

Rejected


Most of the large email service providers (gmail, yahoo, hotmail/live, aol, ...) are using DKIM checking as part of their anti-spam filtering systems. We should make it very easy for users to configure their mail server to sign mail as it goes out.

User benefit:

DKIM is now widely adopted by all major E-Mail providers and is considered a key check in anti-spam systems. While many people and organizations deploy one of the big integrated mail solutions or use a hosted solution, some just want good, old, plain SMTP. We should help these people get the highest level of security directly with their operating system of choice.


packages: yast2-mail postfix


M. S. wrote: (8 years ago)

It would be great to integrate DKIM and DomainKeys support into openSUSE.

P. V. wrote: (7 years ago)

Now I've analyzed the possibilities how to integrate DKIM into our mail setup.
There is a big difference between using DKIM to verify incoming messages and using DKIM to sign outbound messages.
Furthermore there are different ways to implement both solutions.

1. amavisd-new uses the perl DKIM module for both incoming and outbound messages.

2. There is a dkim-proxy module which can be used as smtp proxy for both incoming and outbound messages.

3. There is a dkim-filter module which can be used as smtpd_milters.

4. SpamAssassin can score DKIM signed mails.

The implementation of using DKIM to verify incoming messages is very simple using 4.:

  • Configuring postfix to use amavisd
  • Installing perl-Mail-DKIM
  • Set some rules in spamassassin

Implementation of signing outbound messages is very complex:

  • Configuring postfix to provide a service for verified outbound mails. This can be "submission" or an SMTP port on a dedicated IP address. This service must only accept authorized mails (sasl, mynetwork).
  • This service must bypass the authorized mails to a service which can sign this mail. The signing can be amavis, dkim-proxy or dkim-filter.
  • The signing service must be configured too. E.g. the domain key must be generated and the public key of the domain key must be published via DNS.
  • In case of having a DNS server on the same server or in LDAP we can create the necessary DNS TXT record too via YaPI::DNSD
  • Having more mail domains we can define for each domain a separate key. In any case we have to define which key will be used for which domain.
  • It is also possible to define more secure keys which can be assigned to users.

The modules perl-Mail-DKIM and dkimproxy are already part of SLE11. Only if we'll use dkim-filter we need a new package for SLE11.
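
The key generation and DNS publication steps listed in the comment above, as an added example that is not part of the original thread or of any openSUSE package: shell functions that create a per-domain RSA key with openssl and format its public half as a `selector._domainkey` TXT record, split into strings below the 255-byte TXT limit. The function names, selector, domain and file names are assumptions.

```sh
#!/bin/sh
# Added example: publish a DKIM public key as a zone-file TXT record.
# Function names, selector, domain and file paths are hypothetical.

# Generate a 2048-bit RSA key pair for one mail domain (requires openssl).
# usage: dkim_generate_key <private.pem> <public.pem>
dkim_generate_key() {
    # Subshell keeps the restrictive umask local; private key is owner-only.
    ( umask 077 && openssl genrsa -out "$1" 2048 ) &&
    openssl rsa -in "$1" -pubout -out "$2"
}

# Strip the PEM armour and line breaks, leaving bare base64 for the p= tag.
# usage: dkim_pubkey_b64 <public.pem>
dkim_pubkey_b64() {
    grep -v '^-----' "$1" | tr -d ' \t\r\n'
}

# Emit the TXT record for one selector/domain pair. A single TXT
# character-string holds at most 255 bytes and a 2048-bit key is longer,
# so the value is cut into quoted chunks; verifiers concatenate the
# chunks without inserting whitespace.
# usage: dkim_txt_record <selector> <domain> <public.pem>
dkim_txt_record() {
    value="v=DKIM1; k=rsa; p=$(dkim_pubkey_b64 "$3")"
    printf '%s._domainkey.%s. IN TXT (\n' "$1" "$2"
    printf '%s\n' "$value" | fold -w 200 | sed 's/.*/    "&"/'
    printf ')\n'
}

# Run as: sh dkim-txt.sh <selector> <domain> <public.pem>
# One selector and key file per mail domain gives each domain its own key.
if [ "$#" -eq 3 ]; then
    dkim_txt_record "$1" "$2" "$3"
fi
```

The signing service (amavis, dkim-proxy or dkim-filter) must be pointed at the matching private key and use the same selector as the published record.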

Last change: 6 years ago