DomainKeys in XWALL

7/9/2009
Eric Low

We are using the XWall SPAM filter, currently version 3.44g. Recently, they finally implemented DomainKeys support to sign outgoing messages. Here is how I set it up (following this HowTo and this excellent guide):

First, I needed to choose a selector name. The selector is the label that goes into the DNS name (selector._domainkey.yourdomain) under which the public key is published, so one domain can publish several selectors and give different servers, or different key generations, their own keys. Anyhow, I decided to call my selector default. Creative, I know!

Now, on a separate Linux machine, I generated the RSA keypair (1024 bits was the usual size in 2009; 2048 bits is what you would pick today, and the commands are the same apart from the number):

#For the private key. It is written unencrypted, so keep it readable only by
#you (chmod 600) and copy it to the mail server over a protected channel.
openssl genrsa -out default.private.pem 1024

#For the public key, extracted from the private key (PEM is already openssl's default output form):
openssl rsa -in default.private.pem -out default.public.pem -pubout -outform PEM

#Get the DNS TXT record: drop the BEGIN/END lines from the PEM and join the
#base64 onto one line behind "k=rsa; p=":
echo "k=rsa; p=`grep -v "^----" default.public.pem | tr -d "\n"`" >default._domainkey.datastat.com

The contents of default._domainkey.datastat.com then get put into DNS as a TXT record under default._domainkey.datastat.com.

Here is what that DNS entry looks like for us (default._domainkey.datastat.com). Note that the published record also carries t=y (test mode, explained below), which the echo command above does not emit:
k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZGdOoEtZXD1VO9Owq0/5Vlbl8M8Yk7stew/B5hUw68+HP71PcBzvqfULlq8cK+e7ltQ4kSaRaiSWoWs3TnetMFKg1LMD30IfBypoymfTo1Dk1zeVXRXYMAiEBAbFiIdyrzO+eALcPoDC77cBN4fuplEJEKFvKdVvyq33X4ZD75wIDAQAB


The policy for DomainKeys for our domain then goes in a TXT record under _domainkey.datastat.com:

t=y; o=~

So, it says that we sign *some* of our email (o=~), and that unsigned, and therefore unverifiable, email from our domain should still be accepted (t=y).

Here are the tag values you can put in your domain's DomainKeys policy record:

Tag   Value    Meaning
o     -        the domain signs ALL email
o     ~        the domain signs some email (this is also the default when no o= tag is published)
t     y        the domain is in test mode: unsigned and unverified email should not be treated differently from verified email (Yahoo even uses this flag)
n     comment  free-form note, ignored by DomainKeys verifiers


Now if you look at the headers on an email signed with DomainKeys, you will see a DomainKey-Signature header. Among its tags are a=rsa-sha1 (the signing algorithm), c= (the canonicalization, simple or nofws), d= (the signing domain), s=selector (the selector) and b= (the base64 signature). The receiving email server combines the selector and the domain into the name selector._domainkey.domain.com, looks up that TXT record, grabs the public key from the p=BLAHBLAHBLAH tag and uses it to verify the signature in b=. A p= tag that is present but empty means the key has been revoked, so the signature cannot verify.
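To make the receiver side of both the policy record above and the header lookup concrete, here is an added example (my own code, not XWall's and not from the HowTo the post follows) that parses a DomainKey-Signature header, derives the DNS name a verifier queries, checks the key record published for datastat.com (copied from this post) and interprets the o=/t= policy tags. The header in it is constructed for illustration and its b= value is a placeholder, not a real signature; the DER walk only extracts the RSA modulus size and exponent from p=, it does not verify any signature.

```python
"""Added example: inspect DomainKeys header, key record and policy record.

Not code from XWall or from the original post. The DomainKey-Signature
header below is constructed; its b= value is filler, not a real signature.
"""
import base64

# Constructed sample header with the tags RFC 4870 defines.
SAMPLE_HEADER = (
    "a=rsa-sha1; q=dns; c=nofws; s=default; d=datastat.com; "
    "b=U2FtcGxlU2lnbmF0dXJlQnl0ZXM=;"
)

# Key record for default._domainkey.datastat.com and policy record for
# _domainkey.datastat.com, both as published in the post.
KEY_RECORD = (
    "k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZGdOoEtZXD1VO9Owq0/"
    "5Vlbl8M8Yk7stew/B5hUw68+HP71PcBzvqfULlq8cK+e7ltQ4kSaRaiSWoWs3TnetMFKg1L"
    "MD30IfBypoymfTo1Dk1zeVXRXYMAiEBAbFiIdyrzO+eALcPoDC77cBN4fuplEJEKFvKdVvy"
    "q33X4ZD75wIDAQAB"
)
POLICY_RECORD = "t=y; o=~"


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict.

    Values may themselves contain '=' (base64 padding in p= and b=), so
    each part is split on its first '=' only.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = value.strip()
    return tags


def key_query_name(header_tags):
    """DNS name the receiver queries for the key: <s>._domainkey.<d>."""
    for required in ("s", "d"):
        if required not in header_tags:
            raise ValueError("DomainKey-Signature lacks %s= tag" % required)
    return "%s._domainkey.%s" % (header_tags["s"], header_tags["d"])


def _der_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at pos.

    Handles short-form lengths and long-form lengths of up to 4 bytes,
    which covers every RSA SubjectPublicKeyInfo seen in DNS.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_params(p_value):
    """Extract (modulus_bits, exponent) from a base64 SubjectPublicKeyInfo.

    Structure walked: SEQUENCE { SEQUENCE { OID, NULL },
    BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }.
    """
    der = base64.b64decode(p_value)
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _algorithm, pos = _der_tlv(spki, 0)      # AlgorithmIdentifier, skipped
    tag, bitstring, _ = _der_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _der_tlv(bitstring[1:], 0)  # first byte: unused-bit count
    tag_n, n_bytes, pos = _der_tlv(rsa_key, 0)
    tag_e, e_bytes, _ = _der_tlv(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected INTEGER modulus and exponent")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def check_key_record(record):
    """Sanity-check a selector TXT record and report the key it carries."""
    tags = parse_tags(record)
    if tags.get("k", "rsa") != "rsa":            # k= defaults to rsa
        raise ValueError("unsupported key type %r" % tags["k"])
    if not tags.get("p"):
        raise ValueError("empty p= tag: key revoked or record broken")
    bits, e = rsa_public_key_params(tags["p"])
    return {"bits": bits, "exponent": e, "testing": tags.get("t") == "y"}


def describe_policy(policy_tags):
    """Translate the o= and t= tags into the receiver-side meaning."""
    signing = {"-": "all", "~": "some"}.get(policy_tags.get("o", "~"), "unknown")
    return {"signs": signing, "testing": policy_tags.get("t") == "y"}


if __name__ == "__main__":
    header = parse_tags(SAMPLE_HEADER)
    print("lookup:", key_query_name(header))
    print("key:   ", check_key_record(KEY_RECORD))
    print("policy:", describe_policy(parse_tags(POLICY_RECORD)))
```

Run it as a script and it reports the lookup name default._domainkey.datastat.com, a 1024-bit key with exponent 65537 in test mode, and a policy of "signs some email, test mode". Point `check_key_record` at the output of `dig +short txt` for your own selector to confirm the record you published decodes to the key you generated.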


Now, I copied our private key (in PEM format), default.private.pem, to XWall's private certificate directory. This is C:\Program Files\xwall\CERT\PRIV; XWall will not find the key anywhere else. I also copied our public key (also in PEM format) to C:\Program Files\xwall\cert, but this is not necessary and really just in case I need it later. I then configured XWall to use the key as follows:

In Xwall, from Xwall Admin -> Options -> DomainKeys, I clicked New from the DomainKeys Sign tab and entered the following options:

Comment default@_domainkey.datastat.com
For messages from e-mail address *@datastat.com
to e-mail address *
use this certificate (file in PEM format) default.private.pem
and this selector default

Notice that I did *not* have to put the path on the certificate name. It knows to look in the CERT\PRIV directory.


After Xwall restarts itself, you should see the following entry start to appear in the logs for outgoing messages: DKIM: Sign using default.private.pem.

I also tested it by sending mail out to some auto-responders, as listed at the bottom of this page. The most useful auto-responder proved to be the one at Port 25: check-auth (at) verifier (dot) port25 (dot) com. Xwall passed on my first try! Woot! Woot! :)

Enjoy!!


Yahoo's domain key policy DNS record: dig txt _domainkey.yahoo.com

To check your DomainKey DNS records: http://domainkeys.sourceforge.net/policycheck.html

Public key record fields

http://domainkeys.sourceforge.net/
