Weldon Whipple <firstname.lastname@example.org>
DomainKeys is a technology proposed by Yahoo! to "prove and protect email sender identity." You can read more about it at their site http://antispam.yahoo.com/domainkeys. Sendmail, Inc. has released an open source implementation, which is available in FreeBSD ports at /usr/ports/mail/dk-milter/.
This document describes how to install Sendmail, Inc.'s implementation available at SourceForge.net. (I tried building from FreeBSD ports initially, but the make system kept trying to install the ports version of sendmail as a dependency, so I opted for the "official" implementation.)
My setup at the time of this writing runs sendmail 8.13.4 (installed from the standard sendmail.org distribution) on the 5.3-RELEASE version of FreeBSD. I have built and installed the version of libmilter that ships with sendmail 8.13.4. (My setup includes the "usual" static libmilter.a, as well as a shared version libmilter.so. [Another document describes how I build the shared library version of libmilter.]) The version of dk-milter is 0.3.0.
FreeBSD's sendmail executable is compiled to support milters by default. There should be no need to recompile sendmail to support milters unless you are using a non-standard executable for some reason.
To verify that your sendmail supports MILTERS, issue the following command as root:# sendmail -d0.1 -bt < /dev/null | grep MILTER
You should see a line of output that includes the word "MILTER".
Visit http://sourceforge.net/projects/dk-milter/ and download the dk-milter tarball.
(I downloaded the copy at http://easynews.dl.sourceforge.net/sourceforge/dk-milter/dk-milter-0.3.0.tar.gz)
Create a directory (or use an existing one) and place the file dk-milter-0.3.0.tar.gz there. Change to that directory and issue a command something like
% tar xvzf dk-milter-0.3.0.tar.gzThe contents of the tarball should appear in a new subdirectory dk-milter-0.3.0.
The ./INSTALL file begins with instructions for downloading and unpacking the distribution (described above). We "join" the instructions at step 4, "Edit dk-filter/Makefile.m4 ..."
Actually, I found it unnecessary to edit any Makefile.m4 files. I noticed that the dk-milter build system is virtually identical to sendmail's build system, where the easiest way to change build behavior (the only way I do it for sendmail, actually) is through a "site configuration file," located in the directory ./devtools/Site (beneath the dk-milter-0.3.0 base source directory).
I name my site configuration file site.FreeBSD.m4, in case I ever want to build dk-milter for other operating systems. If you don't need to differentiate between OSes, you can name the file site.config.m4.)
My site configuration file (at ./devtools/Site/site.FreeBSD.m4) looks like this (after a little trial and error--I'm still not 100% certain that it is optimally correct):
APPENDDEF(`confENVDEF',`-DSTARTTLS -DSM_CONF_SHM=0 -DSM_CONF_SEM=0') APPENDDEF(`confLIBS', `-lssl -lcrypto')
The dk-milter builds the same way as the standard sendmail distribution. Change to the base dk-milter-0.3.0 directory and issue the command:
% sh Build
Actually, I often use "./Build" ... out of habit, I suppose.If all goes well, output will be placed in the directory ./obj.FreeBSD.5.3-RELEASE.i386 (or something similar that corresponds to your OS, version and architecture).
This step is omitted from the ./INSTALL file. It should be inserted as either the last step of the COMPILING section or the first step of the INSTALLING section.
Remaining in the dk-milter source directory of the previous step, switch to the root user (if you aren't already root) and install dk-milter:
% su # sh Build install
With the dk-filter executable (man pages, etc.) in place, we continue with the INSTALLING section of the ./INSTALL file in the base directory of the dk-milter distribution.
To make this milter parallel other milters in my configuration, I used a slightly different (from what is in the instructions) INPUT_MAIL_FILTER macro in my mc file:
Since I'm doing this on FreeBSD, I follow these instructions when I change my sendmail.cf file.
I created a directory to hold the socket file:
# mkdir /var/dk-filter # chown smmsp:wheel /var/dk-filter
I'm not certain about the second command above. However, the directory that holds my milter-greylist socket is owned by smmsp, with group wheel ...
I followed INSTALLING step 2 (in the ./INSTALL file) by choosing "gabriel" as my selector name. (The complete host name of the server is gabriel.whipple.org.)
Being lazy, I chose step 3a and ran the script gentxt.csh. (The gentext.csh script is located at ./dk-filter/gentxt.csh.) The script uses the csh (C shell) language, which works great on FreeBSD. (If your *nix distribution doesn't have csh, you will have to deal with it some way.)
I issued the following commands:
# cd dk-filter # ./gentxt.csh gabriel whipple.org
The resulting public and private keys were named gabriel.public and gabriel.private in the ./dk-filter subdirectory.
I followed the recommendation and moved gabriel.public to /var/db/domainkeys/gabriel.key.pem. I issued these commands:
# mkdir -p /var/db/domainkeys # mv ./dk-filter/gabriel.private /var/db/domainkeys/gabriel.key.pem # chmod 400 /var/db/domainkeys/gabriel.key.pem # chown root:wheel /var/db/domainkeys/gabriel.key.pem # dhmod 600 /var/db/domainkeys
Here is my command:
# /usr/bin/dk-filter -l -p /var/dk-filter/dk-filter.sock -d whipple.org -s /var/db/domainkeys/gabriel.key.pem -S gabriel
On FreeBSD, I issue the commands:
# cd /etc/mail; make restart
Though this isn't mentioned in the ./INSTALL file, I created a FreeBSD startup script (to start dk-filter when the OS is restarted) named /usr/local/etc/rc.d/dk-filter.sh. It is very rudimentary:
#!/bin/sh # rm /var/dk-filter/dk-filter.sock /usr/bin/dk-filter -l -p /var/dk-filter/dk-filter.sock -d whipple.org -s /var/db/domainkeys/gabriel.key.pem -S gabrielI made it executable with the command:
# chmod +x /usr/local/etc/rc.d/dk-filter.sh
I have tried the tests described in the TESTING section of the ./INSTALL file. So far, every e-mail I send to my server from my Yahoo! e-mail address succeeds, but those sent to email@example.com from my server don't seem to work.
This document is very much a work in progress. Please feel free to send suggestions!