dns entries for kolab

Christian Tardif christian.tardif at servinfo.ca
Sun Dec 29 23:11:56 CET 2013


I'm using SPF and DKIM (DMARC is just, if I understand correctly, the 
standardization of DKIM + SPF use).

Two things to note here. SPF is used as a way to specify to an 
SPF-enabled MTA which servers / subnets / etc. are allowed to send 
mail for a particular domain, in this case: example.com and example.net. 
DKIM is a cryptographic signature of a mail in the form of a 
public/private key pair. The private key resides in the originating server 
(or, to be more specific, the server which "signs" the email), while the 
public key resides in a TXT record for the mail originating domain. It 
is outside the scope of this list, but it may be worth explaining a bit how I do that.

SPF: Rather simple. It's a TXT record for the mail originating domain. 
For example, let's say you want to add SPF support for example.com and 
you have only one single server which sends mail for example.com to the 
internet. You will then specify, in the example.com DNS, something like:

example.com. IN TXT "v=spf1 mx a ip4:162.43.22.162 ~all"

This means that, for domain example.com, the server(s) specified in the 
MX entry of the DNS are allowed to send mail for example.com, the server 
specified in the A record of example.com is also allowed, and 162.43.22.162 
is allowed as well. The last field is a recommendation for when this list is 
not met (here, it says not compliant, but accept and mark it; other 
options are -all (reject) and ?all (accept)). The accept feature is 
somewhat strange, as if you recommend to the destination server to 
unconditionally accept emails not following the rules, why should you 
even bother setting SPF records (maybe for some MTA that would reject 
emails from domains that do not have SPF at all?). So, strictly DNS 
based, and nothing to do with Kolab (I'm not discussing checking SPF for 
incoming mails).

If you want to easily create an SPF record that you can copy/paste into 
your domain, go to http://www.spfwizard.net/

DKIM: This is a little more tricky, as you need to have a signature 
server somewhere. It can easily coexist with Kolab. Go to the OpenDKIM project 
(http://www.opendkim.org/) for more info. But described really fast, 
this means that you have to install the opendkim daemon on your server, 
configure it, and end up with two files (example.com.private and 
example.com.txt). The first one contains the DKIM private key, and 
the second one the TXT record that you will need to copy/paste into your 
example.com DNS.

The private key will look like:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

and the DNS entry will look like:

mail._domainkey IN TXT "v=DKIM1\; k=rsa\; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgyQ...+/Qovo2oLVklyHU7tSfnKJIF2C8zwIDAQAB"

A signed mail will have a DKIM-Signature header that will specify which 
key to use (in this case, mail), and the signature itself, encrypted with 
the originating private key.

Now, to integrate this with Kolab, the dkim daemon may sit and wait on 
port 8891, for example, and then add this to the main.cf config file:

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891


to let postfix know that it must communicate with opendkim.

It's rather short, I know. Look at 
https://help.ubuntu.com/community/Postfix/DKIM for additional help with 
Postfix and DKIM. You'll also learn how to create the keys for your domains.

What's left to be done on my side is multi-domain integration to 
automate the creation of the keys in OpenDKIM.

Hope this helps a bit.

Christian...
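To make the qualifier discussion above concrete (how "~all", "-all" and "?all" change the verdict for a sender that is not in the list, and how mx/a/ip4 are matched), here is a small SPF evaluator added as an example; it is not part of Christian's message or of Kolab/OpenDKIM, and the DNS answers it consults are constructed sample data rather than live lookups.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (sample values only).
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx a ip4:162.43.22.162 ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "A"): ["203.0.113.10"],
    ("mail.example.com", "A"): ["203.0.113.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=DNS):
    return dns.get((name, rtype), [])


def evaluate(record, sender_ip, domain, dns=DNS):
    """Evaluate one SPF record string against a sending IP.

    Supports the mechanisms used in the record above (mx, a, ip4, all)
    with their qualifiers; any other mechanism yields permerror, as a
    real checker would for a record it cannot interpret.
    """
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":                  # single address or CIDR block
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                    # A record of the domain (or arg)
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif mech == "mx":                   # A records of every MX host
            mx_hosts = lookup(arg or domain, "MX", dns)
            matched = any(str(ip) in lookup(h, "A", dns) for h in mx_hosts)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"    # RFC 7208: no match and no trailing "all" means neutral


def spf_check(domain, sender_ip, dns=DNS):
    """Fetch the domain's SPF TXT record and evaluate it ("none" if absent)."""
    records = [r for r in lookup(domain, "TXT", dns) if r.startswith("v=spf1")]
    if not records:
        return "none"
    return evaluate(records[0], sender_ip, domain, dns)
```

Swapping the trailing qualifier on the same record shows why "?all" makes the record nearly pointless: an unlisted sender gets "neutral", which receivers treat much like having no record at all.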


On 2013-12-17 08:12, Gaurav Malik wrote:
> Hi All,
>
> I want to make a record of DKIM, DMARC in my DNS. I have multiple 
> domains like example.com, example.net 
> setup.
>
> Can anyone help me out with what parameters should be enabled in records 
> without interrupting the mail server for my domain?
>
> Is anyone using SPF,DKIM & DMARC records?
>
> -- 
>  Regards
> Gaurav Malik
>
> _______________________________________________
> users mailing list
> users at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users
