I tried deploying DomainKeys Identified Mail (DKIM), an e-mail authentication technology, on the rootlinks.net mail server.
What originally got me interested was this article:
"A surprising turn of events: how a Google vulnerability came to be exploited via a recruiting e-mail"
http://wired.jp/2012/10/27/dkim-vulnerability-widespread/
Original article:
http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/
In short, the DKIM signing key Google was using was only 512 bits long, so it could be cracked and used to impersonate Google.
"DomainKeys Identified Mail (DKIM)"
http://www.dkim.org/
It looked fairly easy to set up, so I gave it a try. The sites I used for reference are below:
"Installing and configuring OpenDKIM (DomainKeys Identified Mail) on CentOS 6.2"
http://www.ohoclick.com/archives/38
"User Guide – OpenDKIM (Domain Keys)"
https://support.eapps.com/index.php?/Knowledgebase/Article/View/455/54/user-guide—opendkim-domain-keys
The environment was CentOS release 5.8 (Final) with Postfix-2.3.3, to which I added opendkim. opendkim requires sendmail-devel and openssl-devel.
openssl-devel was already installed here, so I start with installing sendmail-devel.
- Install sendmail-devel
- Install opendkim
- Create the key directory
- Generate the keys
- Change the owner
- Configure opendkim.conf
- Configure KeyTable
- Configure TrustedHosts
- Configure SigningTable
- Configure DNS
- Configure postfix
- Restart the services
- Run opendkim at boot
- Test opendkim
Install sendmail-devel:
[root@host1 ~]# yum info sendmail-devel
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: ftp.iij.ad.jp
 * centosplus: ftp.iij.ad.jp
 * epel: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
addons                                                   | 1.9 kB     00:00
base                                                     | 1.1 kB     00:00
centosplus                                               | 1.9 kB     00:00
dag                                                      | 1.9 kB     00:00
dag/primary_db                                           | 7.1 MB     00:22
epel                                                     | 3.7 kB     00:00
epel/primary_db                                          | 3.1 MB     00:01
extras                                                   | 1.9 kB     00:00
extras/primary_db                                        | 172 kB     00:00
updates                                                  | 1.9 kB     00:00
updates/primary_db                                       | 837 kB     00:00
Available Packages
Name       : sendmail-devel
Arch       : i386
Version    : 8.13.8
Release    : 8.1.el5_7
Size       : 128 k
Repo       : base
Summary    : エキストラ開発 include ファイルと開発ファイル
License    : Sendmail
Description: Include files and devel libraries for e.g. the milter addons as
           : part of sendmail.

[root@host1 ~]# yum install sendmail-devel
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * centosplus: ftp.iij.ad.jp
 * epel: ftp.jaist.ac.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package sendmail-devel.i386 0:8.13.8-8.1.el5_7 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch      Version                  Repository       Size
================================================================================
Installing:
 sendmail-devel       i386      8.13.8-8.1.el5_7         base            128 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 128 k
Is this ok [y/N]: y
Downloading Packages:
sendmail-devel-8.13.8-8.1.el5_7.i386.rpm                 | 128 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : sendmail-devel                                          1/1

Installed:
  sendmail-devel.i386 0:8.13.8-8.1.el5_7

Complete!
Install opendkim. The EPEL repository is used for the installation.
[root@host1 ~]# yum --enablerepo=epel info opendkim
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * centosplus: ftp.iij.ad.jp
 * epel: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
Available Packages
Name       : opendkim
Arch       : i386
Version    : 2.6.7
Release    : 1.el5
Size       : 240 k
Repo       : epel
Summary    : A DomainKeys Identified Mail (DKIM) milter to sign and/or verify
           : mail
URL        : http://opendkim.org/
License    : BSD and Sendmail
Description: OpenDKIM allows signing and/or verification of email through an
           : open source library that implements the DKIM service, plus a
           : milter-based filter application that can plug in to any
           : milter-aware MTA, including sendmail, Postfix, or any other MTA
           : that supports the milter protocol.

[root@host1 ~]# yum --enablerepo=epel install opendkim
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * centosplus: ftp.iij.ad.jp
 * epel: ftp.jaist.ac.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package opendkim.i386 0:2.6.7-1.el5 set to be updated
--> Processing Dependency: libopendkim = 2.6.7-1.el5 for package: opendkim
--> Processing Dependency: libopendkim.so.7 for package: opendkim
--> Running transaction check
---> Package libopendkim.i386 0:2.6.7-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch      Version             Repository       Size
================================================================================
Installing:
 opendkim             i386      2.6.7-1.el5         epel            240 k
Installing for dependencies:
 libopendkim          i386      2.6.7-1.el5         epel             68 k

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       0 Package(s)

Total download size: 308 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): libopendkim-2.6.7-1.el5.i386.rpm                  |  68 kB     00:00
(2/2): opendkim-2.6.7-1.el5.i386.rpm                     | 240 kB     00:00
--------------------------------------------------------------------------------
Total                                           511 kB/s | 308 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : libopendkim                                             1/2
  Installing     : opendkim                                                2/2

Installed:
  opendkim.i386 0:2.6.7-1.el5

Dependency Installed:
  libopendkim.i386 0:2.6.7-1.el5

Complete!

[root@host1 ~]# rpm -lq opendkim
/etc/opendkim
/etc/opendkim.conf
/etc/opendkim/KeyTable
/etc/opendkim/SigningTable
/etc/opendkim/TrustedHosts
/etc/opendkim/keys
/etc/rc.d/init.d/opendkim
/etc/sysconfig/opendkim
/etc/tmpfiles.d/opendkim.conf
/usr/bin/opendkim-genkey
/usr/bin/opendkim-genzone
/usr/bin/opendkim-reportstats
/usr/bin/opendkim-spam
/usr/bin/opendkim-stats
/usr/bin/opendkim-testadsp
/usr/bin/opendkim-testkey
/usr/bin/opendkim-testmsg
/usr/sbin/opendkim
/usr/share/doc/opendkim-2.6.7
/usr/share/doc/opendkim-2.6.7/FEATURES
/usr/share/doc/opendkim-2.6.7/INSTALL
/usr/share/doc/opendkim-2.6.7/KNOWNBUGS
/usr/share/doc/opendkim-2.6.7/LICENSE
/usr/share/doc/opendkim-2.6.7/LICENSE.Sendmail
/usr/share/doc/opendkim-2.6.7/README
/usr/share/doc/opendkim-2.6.7/README.opendkim-reportstats
/usr/share/doc/opendkim-2.6.7/RELEASE_NOTES
/usr/share/doc/opendkim-2.6.7/RELEASE_NOTES.Sendmail
/usr/share/doc/opendkim-2.6.7/authheaders-check-setup-hook.lua
/usr/share/doc/opendkim-2.6.7/convert_keylist.sh
/usr/share/doc/opendkim-2.6.7/final.lua.sample
/usr/share/doc/opendkim-2.6.7/opendkim.conf.sample
/usr/share/doc/opendkim-2.6.7/opendkim.conf.simple
/usr/share/doc/opendkim-2.6.7/opendkim.conf.simple-verify
/usr/share/doc/opendkim-2.6.7/screen.lua.sample
/usr/share/doc/opendkim-2.6.7/setup.lua.sample
/usr/share/man/man1/opendkim-spam.1.gz
/usr/share/man/man5/opendkim.conf.5.gz
/usr/share/man/man8/opendkim-genkey.8.gz
/usr/share/man/man8/opendkim-genzone.8.gz
/usr/share/man/man8/opendkim-stats.8.gz
/usr/share/man/man8/opendkim-testadsp.8.gz
/usr/share/man/man8/opendkim-testkey.8.gz
/usr/share/man/man8/opendkim-testmsg.8.gz
/usr/share/man/man8/opendkim.8.gz
/var/run/opendkim
/var/spool/opendkim
To allow for running multiple domains, create a separate key directory for each domain.
[root@host1 ~]# mkdir /etc/opendkim/keys/rootlinks.net
Generate the public and private keys with /usr/bin/opendkim-genkey.
[opendkim-genkey]
http://www.opendkim.org/opendkim-genkey.8.html
[root@host1 ~]# /usr/bin/opendkim-genkey -D /etc/opendkim/keys/rootlinks.net/ -d rootlinks.net -s default
Change the owner. default.private is the private key; default.txt is the public key to publish in DNS.
[root@host1 ~]# chown -R opendkim:opendkim /etc/opendkim/keys
[root@host1 ~]# ls -l /etc/opendkim/keys/rootlinks.net/
合計 8
-rw------- 1 opendkim opendkim 887 10月 31 14:16 default.private
-rw------- 1 opendkim opendkim 306 10月 31 14:16 default.txt
Adjust the opendkim configuration file /etc/opendkim.conf to the site.
[Default]
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim-2.6.7/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim-2.6.7/INSTALL for detailed instructions.

## CONFIGURATION OPTIONS

# Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

# Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode v

# Log activity to the system log.
Syslog yes

# Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes

# If logging is enabled, include detailed logging about why or why not a message was
# signed or verified. This causes an increase in the amount of log data generated
# for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes

# Attempt to become the specified user before starting operations.
UserID opendkim:opendkim

# Create a socket through which your MTA can communicate.
Socket inet:8891@localhost

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
Umask 002

# This specifies a text file in which to store DKIM transaction statistics.
#Statistics /var/spool/opendkim/stats.dat

## SIGNING OPTIONS

# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/simple

# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
#Domain example.com

# Defines the name of the selector to be used when signing messages.
Selector default

# Gives the location of a private key to be used for signing ALL messages.
KeyFile /etc/opendkim/keys/default.private

# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# setting in the configuration file.
#KeyTable /etc/opendkim/KeyTable

# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys.
#SigningTable /etc/opendkim/SigningTable

# Identifies a set of "external" hosts that may send mail through the server as one
# of the signing domains without credentials as such.
#ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

# Identifies a set internal hosts whose mail should be signed rather than verified.
#InternalHosts refile:/etc/opendkim/TrustedHosts
[Modified]
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim-2.6.7/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim-2.6.7/INSTALL for detailed instructions.

## CONFIGURATION OPTIONS

# Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

# Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode sv

# Log activity to the system log.
Syslog yes

# Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes

# If logging is enabled, include detailed logging about why or why not a message was
# signed or verified. This causes an increase in the amount of log data generated
# for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes

# Attempt to become the specified user before starting operations.
UserID opendkim:opendkim

# Create a socket through which your MTA can communicate.
Socket inet:8891@localhost

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
Umask 002

# This specifies a text file in which to store DKIM transaction statistics.
#Statistics /var/spool/opendkim/stats.dat

## SIGNING OPTIONS

# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/simple

# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
#Domain example.com

# Defines the name of the selector to be used when signing messages.
Selector default

# Gives the location of a private key to be used for signing ALL messages.
#KeyFile /etc/opendkim/keys/default.private

# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# setting in the configuration file.
KeyTable refile:/etc/opendkim/KeyTable

# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys.
SigningTable refile:/etc/opendkim/SigningTable

# Identifies a set of "external" hosts that may send mail through the server as one
# of the signing domains without credentials as such.
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

# Identifies a set internal hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts
When running multiple domains, add each domain's key information to this file, /etc/opendkim/KeyTable.
[Default]
[root@host1 named]# cat /etc/opendkim/KeyTable
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
[Modified]
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

default._domainkey.rootlinks.net rootlinks.net:default:/etc/opendkim/keys/rootlinks.net/default.private
Specify in this file, /etc/opendkim/TrustedHosts, the mail servers whose mail should be signed. The default of only 127.0.0.1 would probably be enough, but I added the others to be safe.
[Default]
[root@host1 named]# cat /etc/opendkim/TrustedHosts
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
[Modified]
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
localhost
host1.rootlinks.net
Add the domain to be signed to /etc/opendkim/SigningTable.
[Default]
[root@host1 named]# cat /etc/opendkim/SigningTable
# The following wildcard will work only if
# refile:/etc/opendkim/SigningTable is included
# in /etc/opendkim.conf.

#*@example.com default._domainkey.example.com

# If refile: is not specified in /etc/opendkim.conf, then full
# user@host is checked first, then simply host, then user@.domain (with all
# superdomains checked in sequence, so "foo.example.com" would first check
# "user@foo.example.com", then "user@.example.com", then "user@.com"), then
# .domain, then user@*, and finally *. See the opendkim.conf(5) man page
# under "SigningTable".

#example.com default._domainkey.example.com
[Modified]
# The following wildcard will work only if
# refile:/etc/opendkim/SigningTable is included
# in /etc/opendkim.conf.

*@rootlinks.net default._domainkey.rootlinks.net

# If refile: is not specified in /etc/opendkim.conf, then full
# user@host is checked first, then simply host, then user@.domain (with all
# superdomains checked in sequence, so "foo.example.com" would first check
# "user@foo.example.com", then "user@.example.com", then "user@.com"), then
# .domain, then user@*, and finally *. See the opendkim.conf(5) man page
# under "SigningTable".

#example.com default._domainkey.example.com
Publish the public key in the DNS zone file. Since queries from outside have to be answered, it goes into the Internet-facing zone file; copying the contents of /etc/opendkim/keys/rootlinks.net/default.txt in as-is is enough. In addition to the key, I also add a DKIM (ADSP) policy record.
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfM-(snip)" ; ----- DKIM key default for rootlinks.net
_adsp._domainkey.rootlinks.net IN TXT "dkim=unknown"
Check the setup. If the public key is returned, it is fine. If it is not, wait a while and test again.
[matsuoka@host2 ~]$ nslookup -q=txt default._domainkey.rootlinks.net
Server: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx#53

Non-authoritative answer:
default._domainkey.rootlinks.net text = "v=DKIM1\; k=rsa\; p=MIG..(snip)
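As an added example (not part of the original post), here is a Python check on the published selector record that follows up on the Wired story above: it parses the TXT value as nslookup prints it, decodes the p= SubjectPublicKeyInfo by hand, and rejects keys shorter than 1024 bits or records whose p= is empty (a revoked key). The two sample records and their moduli are constructed for the example, not real keys.

```python
import base64
import random
import re

MIN_RSA_BITS = 1024  # shorter keys are treated as breakable (the 512-bit case above)

def parse_dkim_txt(record):
    """Split a DKIM TXT record into tag -> value; drops the '\\;' escapes and
    '" "' string joins that nslookup/dig print, and whitespace inside p=."""
    text = record.replace('\\;', ';').replace('" "', '').strip().strip('"')
    pairs = (p.split('=', 1) for p in text.split(';') if '=' in p)
    return {k.strip(): re.sub(r'\s+', '', v) for k, v in pairs}

def _der(tag, body):  # minimal DER TLV encoder (short and long length forms)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(i):  # +8 bits leaves room for a leading 0x00 so the sign bit stays clear
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, 'big'))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_spki(n, e=65537):
    """Base64 SubjectPublicKeyInfo for RSA (n, e): the format opendkim-genkey writes into p=."""
    alg = _der(0x30, bytes.fromhex('06092a864886f70d0101010500'))  # rsaEncryption OID + NULL
    pub = _der(0x30, _der_int(n) + _der_int(e))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b'\x00' + pub))).decode()

def rsa_modulus_bits(p_b64):
    """Recover the RSA modulus size from p= without any crypto library."""
    _, spki, _ = _read_tlv(base64.b64decode(p_b64), 0)   # SubjectPublicKeyInfo
    _, _, pos = _read_tlv(spki, 0)                       # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _read_tlv(spki, pos)                  # BIT STRING; byte 0 = unused-bit count
    _, rsakey, _ = _read_tlv(bitstr[1:], 0)              # RSAPublicKey SEQUENCE
    _, modulus, _ = _read_tlv(rsakey, 0)                 # INTEGER n
    return int.from_bytes(modulus, 'big').bit_length()

def check_dkim_record(record, min_bits=MIN_RSA_BITS):
    """Return (ok, reason) for a published selector record."""
    tags = parse_dkim_txt(record)
    if tags.get('k', 'rsa') != 'rsa':          # k= defaults to rsa when absent
        return False, 'unsupported key type ' + tags['k']
    if not tags.get('p'):                      # an empty p= means the key was revoked
        return False, 'empty p= (key revoked)'
    bits = rsa_modulus_bits(tags['p'])
    if bits < min_bits:
        return False, f'RSA modulus is only {bits} bits'
    return True, f'RSA modulus is {bits} bits'

# Constructed sample records, not real keys: random odd numbers stand in for the modulus.
_rng = random.Random(2012)
WEAK_RECORD = f'"v=DKIM1\\; k=rsa\\; p={build_spki(_rng.getrandbits(512) | (1 << 511) | 1)}"'
STRONG_RECORD = f'v=DKIM1; k=rsa; p={build_spki(_rng.getrandbits(2048) | (1 << 2047) | 1)}'
```

Feed it the `text = "..."` value from the nslookup output above; `check_dkim_record(WEAK_RECORD)` reports the 512-bit case as failing and `check_dkim_record(STRONG_RECORD)` passes.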
Configure the Postfix mail server to use opendkim.
[root@host1 ~]# vi /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Start or restart each service.
[root@host1 ~]# /etc/init.d/opendkim start
Generating default DKIM keys: [ OK ]
Default DKIM keys for rootlinks.net created in /etc/opendkim/keys.
Starting OpenDKIM Milter: [ OK ]
[root@host1 ~]# /etc/init.d/postfix reload
postfix を再読み込み中: [ OK ]
Configure opendkim to start automatically when the server boots.
[root@host1 ~]# chkconfig --list | grep dkim
opendkim 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@host1 postfix]# chkconfig opendkim on
[root@host1 postfix]# chkconfig --list | grep dkim
opendkim 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Test whether the signature verifies correctly.
Send an empty message to
autorespond+dkim@dk.elandsys.com
or
sa-test@sendmail.net
and a reply arrives after the signature has been checked.
[sa-test@sendmail.net when DKIM is not working]
Authentication System: DomainKeys Identified Mail (DKIM)
Result: (no result present)
Reporting host:
More information: http://dkim.org/
Sendmail milter: http://opendkim.org/
[sa-test@sendmail.net when the signature cannot be verified]
Authentication System: DomainKeys Identified Mail (DKIM)
Result: DKIM signature confirmed BAD
Description: Unrecoverable error during processing; signature data cannot be verified
Reporting host: services.sendmail.com
More information: http://dkim.org/
Sendmail milter: http://opendkim.org/
[sa-test@sendmail.net when the signature verifies correctly]
Authentication System: DomainKeys Identified Mail (DKIM)
Result: DKIM signature confirmed GOOD
Description: Signature verified, message arrived intact
Reporting host: services.sendmail.com
More information: http://dkim.org/
Sendmail milter: http://opendkim.org/
[autorespond+dkim@dk.elandsys.com when the signature verifies correctly]
The results are as follows:
DKIM Signature validation: pass
If the test does not pass, fix the configuration, wait at least 20 minutes, and then test again.