Weblog entry #240 for simonw
See all weblog entries made by simonw.
#240
Best way to implement DKIM with Postfix?
Posted by simonw on Tue 22 Apr 2008 at 03:20
Dear Lazyweb,
I'm an experience email admin, although I've avoided content based filtering.
DKIM seems a reasonably sensible way to attempt to validate email, although I expect a significant non-zero error rate if I apply it to all email.
My main interest is in verifying messages sent to my server, especially from named domain names (Paypal will do for starters).
I'm not particular interested in signing emails at this point.
I should be able to attempt to verify an email with DKIM before queuing to disk.
I need to be able to easily and clearly exempt certain servers (such as mailing list servers), and possible certain recipients (which can probably be done in the Postfix config, but a nice simple config like Postgrey has would be good).
I'd like to be able to use "warn_if_reject" or similar so I can test before rejecting everyones email.
Some of the servers still have Sarge (i.e. Postfix 2.1).
I don't want to deploy other filtering at the same time I just want to verify email with DKIM.
So I searched the web, and came up with;
"DKIM-milter" which was designed for sendmail, requires new versions of Postfix, and seems under documented.
"Spam Assassin" which would probably work fine, and seems my best bet so far, but I would have to disable other features in order just to use the DKIM.
Roll my own using the Perl DKIM libraries, and the Postfix Before Queue Content filter. This doesn't look too challenging, even for my limited Perl skills, but I prefer code written by Perl gurus and not me for critical tasks like filtering email.
So far I'm thoroughly depressed by what I've seen in terms of documentation and successes with DKIM, so although I'm prepared to give it a try I'm looking for straight forward and easy.
What is an email admin to do?
I'm an experience email admin, although I've avoided content based filtering.
DKIM seems a reasonably sensible way to attempt to validate email, although I expect a significant non-zero error rate if I apply it to all email.
My main interest is in verifying messages sent to my server, especially from named domain names (Paypal will do for starters).
I'm not particular interested in signing emails at this point.
I should be able to attempt to verify an email with DKIM before queuing to disk.
I need to be able to easily and clearly exempt certain servers (such as mailing list servers), and possible certain recipients (which can probably be done in the Postfix config, but a nice simple config like Postgrey has would be good).
I'd like to be able to use "warn_if_reject" or similar so I can test before rejecting everyones email.
Some of the servers still have Sarge (i.e. Postfix 2.1).
I don't want to deploy other filtering at the same time I just want to verify email with DKIM.
So I searched the web, and came up with;
"DKIM-milter" which was designed for sendmail, requires new versions of Postfix, and seems under documented.
"Spam Assassin" which would probably work fine, and seems my best bet so far, but I would have to disable other features in order just to use the DKIM.
Roll my own using the Perl DKIM libraries, and the Postfix Before Queue Content filter. This doesn't look too challenging, even for my limited Perl skills, but I prefer code written by Perl gurus and not me for critical tasks like filtering email.
So far I'm thoroughly depressed by what I've seen in terms of documentation and successes with DKIM, so although I'm prepared to give it a try I'm looking for straight forward and easy.
What is an email admin to do?
Comments on this Entry
Posted by Anonymous (194.109.xx.xx) on Thu 24 Apr 2008 at 13:31
[ Parent | Reply to this comment ]
Thanks Anonymous
[ Parent | Reply to this comment ]