A standard called DomainKeys Identified Mail (DKIM) has been developed to solve part of the problem with email authentication and integrity. The sending mail server computes a cryptographic hash of selected email headers and the body and signs it with a private key. The signature is attached to the message as a header, and the message is then delivered to the recipient. The recipient recomputes the hash of the headers and body and verifies the signature against it using the sender's public key, which is published in the sender's domain as a Domain Name System (DNS) record. This solution has been implemented as a mail filter called DKIM Milter that can be plugged into Sendmail and Postfix.
DKIM therefore relies on the security of the DNS, but there are known attacks that can produce forged DNS replies. .SE has responded to this weakness by developing DKIM Milter further: a patch to DKIM Milter validates the DNS records using the DNS Security Extensions (DNSSEC), so that the DKIM public key is protected against forgery.
The following patch will extend DKIM Milter with DNSSEC capabilities: dkim-milter-dnssec-07.patch
Follow the guide from Eland Systems to install DKIM Milter, but adjust the installation process according to the list below.
wget http://www.unbound.net/downloads/unbound-1.0.2.tar.gz
tar -xzf unbound-1.0.2.tar.gz
cd unbound-1.0.2
./configure
make
sudo make install
cd ..

wget http://downloads.sourceforge.net/dkim-milter/dkim-milter-2.6.0.tar.gz
wget http://opensource.iis.se/dkim/dkim-milter-dnssec-07.patch
tar -xzf dkim-milter-2.6.0.tar.gz
patch -p0 < dkim-milter-dnssec-07.patch
Edit the installation configuration file (site.config.m4) for DKIM Milter. Adjust the paths to match the locations of libmilter, libunbound and OpenSSL.
APPENDDEF(`bld_dkim_filter_INCDIRS', `-I/usr/include/libmilter ')
APPENDDEF(`bld_dkim_filter_LIBDIRS', `-L/usr/lib ')
define(`bld_USE_UNBOUND', `true')
APPENDDEF(`confINCDIRS', `-I/usr/local/include ')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib ')
APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib ')
APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include/openssl ')
DKIM Milter can be started with a configuration file. Add to it the path of the trust anchor file, which contains the secure entry points (DNSKEY records) for the DNSSEC-signed zones you want to validate against.
TAFile /var/cache/dkim/dkim-ta
Create the trust anchor file (/var/cache/dkim/dkim-ta) and add one domain per line, each as a DNSKEY record in the form shown below.
se. IN DNSKEY 257 3 5 AwEAAdKc1sGsbv5jjeJ141IxNSTdR+nbtFn+JKQpvFZETaY5iMutoyWHa+jCp0TBBAzB2trGHzdi7E55FFzbeG0r+G6SJbJ4DXYSpiiELPiu0i+jPp3C3kNwiqpPpQHWaYDS9MTQMu/QZHR/sFPbUnsK30fuQbKKkKgnADms0aXalYUuCgDyVMjdxRLz5yzLoaSO9m5ii5cI0dQNCjexvj9M4ec6woi6+N8v1pOmQAQ9at5Fd8A6tAxZI8tdlEUnXYgNwb8eVZEWsgXtBhoyAru7Tzw+F6ToYq6hmKhfsT+fIhFXsYso7L4nYUqTnM4VOZgNhcTv+qVQkHfOOeJKUkNB8Qc=
The current trust anchor for .SE can be found at http://iis.se/domains/sednssec/publickey.
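Before a DNSKEY line is pasted into the trust anchor file, its key tag can be compared with the tag the registry publishes, which catches a truncated or mis-copied key. This is an added example, not code from the patch or from DKIM Milter: it parses the one-record-per-line format shown above (assumed to carry no TTL field) and computes the RFC 4034 key tag in Python; the two records in SAMPLE_TA are constructed, not real keys.

```python
"""Parse a DKIM Milter trust anchor file and compute each key's RFC 4034 key tag."""
import base64
import struct

SEP_FLAG = 0x0001    # Secure Entry Point bit; 257 = ZONE (256) | SEP (1)
ZONE_FLAG = 0x0100
RSA_ALGORITHMS = (5, 7, 8, 10)  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

# Constructed sample file: a KSK (257) and a ZSK (256), same tiny fake RSA key.
SAMPLE_TA = """\
example. IN DNSKEY 257 3 5 AwEAAavN
example. IN DNSKEY 256 3 5 AwEAAavN
"""


def key_tag(flags: int, protocol: int, algorithm: int, key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack(">HBB", flags, protocol, algorithm) + key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def rsa_exponent(key: bytes) -> int:
    """RFC 3110 RSA key: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    if key[0] != 0:
        elen, off = key[0], 1
    else:
        elen, off = struct.unpack(">H", key[1:3])[0], 3
    return int.from_bytes(key[off:off + elen], "big")


def parse_trust_anchor_line(line: str) -> dict:
    owner, cls, rtype, flags, proto, alg, *b64 = line.split()
    if cls != "IN" or rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    flags, proto, alg = int(flags), int(proto), int(alg)
    key = base64.b64decode("".join(b64))  # the key may be split by whitespace
    return {
        "owner": owner,
        "flags": flags,
        "algorithm": alg,
        "is_sep": bool(flags & SEP_FLAG) and bool(flags & ZONE_FLAG),
        "key_tag": key_tag(flags, proto, alg, key),
        "exponent": rsa_exponent(key) if alg in RSA_ALGORITHMS else None,
    }


def load_trust_anchors(text: str) -> list:
    return [parse_trust_anchor_line(l) for l in text.splitlines() if l.strip()]
```

Only records whose "is_sep" is true are suitable as trust anchors; a ZSK line in the file is a configuration mistake worth flagging.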