<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000">
<div class="moz-cite-prefix">I'm using SPF and DKIM (DMARC is just,
if I understand correctly, the standardization of DKIM + SPF use).<br>
<br>
Two things to note here. SPF is used as a way to specify to an
SPF-enabled MTA which servers / subnets / etc. are allowed to
send mail for a particular domain, in this case: example.com and
example.net. DKIM is a cryptographic signature of a mail in the
form of a public/private key. The private key resides on the
originating server (or, to be more specific, the server which
"signs" the email), while the public key resides in a TXT record for
the mail originating domain. It is out of this actual list, but
it may be worth explaining a bit how I do that.<br>
<br>
SPF: Rather simple. It's a TXT record for the mail originating
domain. For example, let's say you want to add SPF support for
example.com and you have only one single server which sends mail
for example.com to the internet. You will then specify, in the
example.com DNS, something like:<br>
<br>
example.com. IN TXT "v=spf1 mx a ip4:162.43.22.162 ~all"<br>
<br>
This means that, for domain example.com, the server(s) specified
in the MX entry of the DNS are allowed to send mail for
example.com, the server specified in the A record of example.com is
also allowed, and 162.43.22.162 is allowed as well. The last field
is a recommendation for when this list is not met (here, it says not
compliant, but accept and mark it; other options are -all (reject)
and ?all (accept)). The accept feature is somewhat strange: if
you recommend that the destination server unconditionally accept
emails not following the rules, why should you even bother
setting SPF records (maybe for some MTAs that would reject emails
from domains that do not have SPF at all?). So, strictly DNS
based, and nothing to do with Kolab (I'm not discussing checking
SPF for incoming mails).<br>
<br>
If you want to easily create an SPF record that you can COPY/PASTE
in your domain, go to <a href="http://www.spfwizard.net/">http://www.spfwizard.net/</a><br>
<br>
DKIM: This is a little more tricky, as you need to have a
signature server somewhere. It can easily coexist with Kolab. Go to the
OpenDKIM project (<a href="http://www.opendkim.org/">http://www.opendkim.org/</a>)
for more info. But described really fast, this means that you
have to install the opendkim daemon on your server, configure it, and
end up with two files (example.com.private and example.com.txt).
The first one contains the DKIM private key, and the second
one, the TXT record that you will need to copy/paste into your
example.com DNS.<br>
<br>
The private key will look like:<br>
<br>
-----BEGIN RSA PRIVATE KEY-----<br>
-----END RSA PRIVATE KEY-----<br>
<br>
and the DNS entry will look like:<br>
<br>
mail._domainkey IN TXT "v=DKIM1\; k=rsa\;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgyQ...+/Qovo2oLVklyHU7tSfnKJIF2C8zwIDAQAB"<br>
<br>
A signed mail will have a DKIM-Signature header that will specify
which key to use (in this case, mail), and the signature itself
encrypted with the originating private key.<br>
<br>
Now, to integrate this with Kolab, the dkim daemon may sit and
wait on port 8891, for example, and then you add this to the main.cf
config file:<br>
<br>
<pre style="margin: 0px 0px 8px; padding: 4pt; border: 1px dashed rgb(193, 180, 150); font-weight: normal; font-style: normal; font-size: 13px; line-height: 16px; font-family: UbuntuMono, courier, monospace; text-align: left; vertical-align: baseline; background-color: rgb(243, 243, 243); white-space: pre-wrap; word-wrap: break-word; color: rgb(51, 51, 51); font-variant: normal; letter-spacing: normal; orphans: auto; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"># DKIM
<span class="anchor" id="line-2-4" style="margin: 0px; padding: 0px; border: 0px; font-weight: inherit; font-style: inherit; font-size: 13px; line-height: 1; font-family: inherit; text-align: left; vertical-align: baseline;"></span>milter_default_action = accept
<span class="anchor" id="line-3-2" style="margin: 0px; padding: 0px; border: 0px; font-weight: inherit; font-style: inherit; font-size: 13px; line-height: 1; font-family: inherit; text-align: left; vertical-align: baseline;"></span>milter_protocol = 2
<span class="anchor" id="line-4-2" style="margin: 0px; padding: 0px; border: 0px; font-weight: inherit; font-style: inherit; font-size: 13px; line-height: 1; font-family: inherit; text-align: left; vertical-align: baseline;"></span>smtpd_milters = inet:localhost:8891
<span class="anchor" id="line-5-2" style="margin: 0px; padding: 0px; border: 0px; font-weight: inherit; font-style: inherit; font-size: 13px; line-height: 1; font-family: inherit; text-align: left; vertical-align: baseline;"></span>non_smtpd_milters = inet:localhost:8891</pre>
<br>
to let postfix know that it must communicate with opendkim.<br>
<br>
It's rather short, I know. Look at <a
href="https://help.ubuntu.com/community/Postfix/DKIM">https://help.ubuntu.com/community/Postfix/DKIM</a>
for additional help with Postfix and DKIM. You'll also learn how
to create the keys for your domains.<br>
<br>
What's left to be done on my side is multi-domain integration to
automate the creation of the keys in OpenDKIM. <br>
<br>
Hope this helps a bit.<br>
<br>
Christian...<br>
<br>
On 2013-12-17 08:12, Gaurav Malik wrote:<br>
</div>
<blockquote
cite="mid:CANNtCFYf8Rsm6NDZ2y4qgYZEZCN_z2oacMC5uG72fTJFm9HO3Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi All,<br>
<br>
</div>
I want to make a record of DKIM, DMARC in my DNS. I have
multiple domains like <a moz-do-not-send="true"
href="http://example.com">example.com</a>, <a
moz-do-not-send="true" href="http://example.net">example.net</a>
setup.<br>
<div>
<div>
<div><br>
</div>
<div>Can anyone help me out with what parameters should be enabled
in records without interrupting the mail server for my domain?<br>
</div>
<div><br>
</div>
<div>Is anyone using SPF, DKIM &amp; DMARC records?<br>
</div>
<div><br>
-- <br>
<div dir="ltr"><span style="color:rgb(255,0,0)"> Regards</span><br>
<span style="color:rgb(51,0,51)">Gaurav Malik</span><br
style="color:rgb(51,0,51)">
<br>
<br>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:users@lists.kolab.org">users@lists.kolab.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kolab.org/mailman/listinfo/users">https://lists.kolab.org/mailman/listinfo/users</a></pre>
</blockquote>
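<p>Added example, not part of the original post: a small Python evaluator showing how a receiving MTA would walk the SPF record quoted above, left to right, and what result each sending IP gets. The DNS data (MX host name and the 192.0.2.x addresses) is constructed for illustration; only the mx, a, ip4 and all mechanisms from the record are handled, and the result names follow RFC 7208.</p>

```python
import ipaddress

# The SPF record from the post.
RECORD = "v=spf1 mx a ip4:162.43.22.162 ~all"

# Constructed DNS data standing in for real lookups (assumption, not from the post).
DNS = {
    "mx": {"example.com": ["mail.example.com"]},
    "a": {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]},
}

# Qualifier prefix -> SPF result name (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def networks_for(mech, domain, dns):
    """Return the networks that one mechanism (mx, a or ip4) authorises."""
    name, _, arg = mech.partition(":")
    if name == "ip4":
        return [ipaddress.ip_network(arg, strict=False)]
    target = arg or domain  # "a" and "mx" default to the domain being checked
    if name == "a":
        addrs = dns["a"].get(target, [])
    elif name == "mx":
        hosts = dns["mx"].get(target, [])
        addrs = [ip for host in hosts for ip in dns["a"].get(host, [])]
    else:
        raise ValueError("unsupported mechanism: " + mech)
    return [ipaddress.ip_network(addr) for addr in addrs]


def check_spf(record, sender_ip, domain, dns=DNS):
    """Evaluate terms left to right; the first matching term decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a term without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if any(ip in net for net in networks_for(term, domain, dns)):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for candidate in ("162.43.22.162", "192.0.2.25", "198.51.100.7"):
        print(candidate, check_spf(RECORD, candidate, "example.com"))
```

<p>Swapping ~all for -all in RECORD changes the result for the unlisted address from softfail to fail, which is the difference a receiving server acts on.</p>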
<br>
</body>
</html>