Install DomainKeys Identified Mail (DKIM)


I deployed DomainKeys Identified Mail (DKIM), an e-mail authentication technology, on the rootlinks.net mail server.

What first got me interested was this article:
「驚きの顛末、グーグルの脆弱性が採用メールから悪戯されるまで」 (the Japanese edition of the Wired story on the DKIM key-length vulnerability)
http://wired.jp/2012/10/27/dkim-vulnerability-widespread/
Original article:
http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/
In short, the DKIM key Google was using was only 512 bits, so it was cracked and mail could be spoofed as coming from Google.

"DomainKeys Identified Mail (DKIM)"
http://www.dkim.org/

After looking into it, it seemed fairly easy to set up, so I gave it a try. The sites I used as references are listed below.
"Installing and configuring OpenDKIM (DomainKeys Identified Mail) on CentOS 6.2"
http://www.ohoclick.com/archives/38

"User Guide – OpenDKIM (Domain Keys)"
https://support.eapps.com/index.php?/Knowledgebase/Article/View/455/54/user-guide—opendkim-domain-keys


The environment is CentOS release 5.8 (Final) + Postfix 2.3.3, with opendkim added on top. opendkim requires sendmail-devel and openssl-devel.
openssl-devel was already installed here, so I start with installing sendmail-devel.

  1. Install sendmail-devel
     Install the sendmail-devel package.

  2. Install opendkim
     Install the opendkim package. It is installed from the EPEL repository.

  3. Create a directory for the keys
     To allow for running several domains, create one key directory per domain.

    [root@host1 ~]# mkdir /etc/opendkim/keys/rootlinks.net

  4. Generate the key pair
     Use /usr/bin/opendkim-genkey to create the public and private key.
    [opendkim-genkey]
    http://www.opendkim.org/opendkim-genkey.8.html

    [root@host1 ~]# /usr/bin/opendkim-genkey -D /etc/opendkim/keys/rootlinks.net/ -d rootlinks.net -s default

  5. Change the owner
     Change the owner of the key directory. default.private is the private key and default.txt is the public key to publish in DNS.

    [root@host1 ~]# chown -R opendkim:opendkim /etc/opendkim/keys

    [root@host1 ~]# ls -l /etc/opendkim/keys/rootlinks.net/
    合計 8
    -rw------- 1 opendkim opendkim 887 10月 31 14:16 default.private
    -rw------- 1 opendkim opendkim 306 10月 31 14:16 default.txt

  6. Configure opendkim.conf
     Edit the opendkim configuration file /etc/opendkim.conf to suit the site.
    [Default]

    ## BASIC OPENDKIM CONFIGURATION FILE
    ## See opendkim.conf(5) or /usr/share/doc/opendkim-2.6.7/opendkim.conf.sample for more

    ## BEFORE running OpenDKIM you must:

    ## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
    ## - generate keys for your domain (if signing)
    ## - edit your DNS records to publish your public keys (if signing)

    ## See /usr/share/doc/opendkim-2.6.7/INSTALL for detailed instructions.

    ## CONFIGURATION OPTIONS

    # Specifies the path to the process ID file.
    PidFile /var/run/opendkim/opendkim.pid

    # Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
    Mode v

    # Log activity to the system log.
    Syslog yes

    # Log additional entries indicating successful signing or verification of messages.
    SyslogSuccess yes

    # If logging is enabled, include detailed logging about why or why not a message was
    # signed or verified. This causes an increase in the amount of log data generated
    # for each message, so set this to No (or comment it out) if it gets too noisy.
    LogWhy yes

    # Attempt to become the specified user before starting operations.
    UserID opendkim:opendkim

    # Create a socket through which your MTA can communicate.
    Socket inet:8891@localhost

    # Required to use local socket with MTAs that access the socket as a non-
    # privileged user (e.g. Postfix)
    Umask 002

    # This specifies a text file in which to store DKIM transaction statistics.
    #Statistics /var/spool/opendkim/stats.dat

    ## SIGNING OPTIONS

    # Selects the canonicalization method(s) to be used when signing messages.
    Canonicalization relaxed/simple

    # Domain(s) whose mail should be signed by this filter. Mail from other domains will
    # be verified rather than being signed. Uncomment and use your domain name.
    # This parameter is not required if a SigningTable is in use.
    #Domain example.com

    # Defines the name of the selector to be used when signing messages.
    Selector default

    # Gives the location of a private key to be used for signing ALL messages.
    KeyFile /etc/opendkim/keys/default.private

    # Gives the location of a file mapping key names to signing keys. In simple terms,
    # this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
    # setting in the configuration file.
    #KeyTable /etc/opendkim/KeyTable

    # Defines a table used to select one or more signatures to apply to a message based
    # on the address found in the From: header field. In simple terms, this tells
    # OpenDKIM how to use your keys.
    #SigningTable /etc/opendkim/SigningTable

    # Identifies a set of "external" hosts that may send mail through the server as one
    # of the signing domains without credentials as such.
    #ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

    # Identifies a set internal hosts whose mail should be signed rather than verified.
    #InternalHosts refile:/etc/opendkim/TrustedHosts

    [Changed]

    ## BASIC OPENDKIM CONFIGURATION FILE
    ## See opendkim.conf(5) or /usr/share/doc/opendkim-2.6.7/opendkim.conf.sample for more

    ## BEFORE running OpenDKIM you must:

    ## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
    ## - generate keys for your domain (if signing)
    ## - edit your DNS records to publish your public keys (if signing)

    ## See /usr/share/doc/opendkim-2.6.7/INSTALL for detailed instructions.

    ## CONFIGURATION OPTIONS

    # Specifies the path to the process ID file.
    PidFile /var/run/opendkim/opendkim.pid

    # Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
    Mode sv

    # Log activity to the system log.
    Syslog yes

    # Log additional entries indicating successful signing or verification of messages.
    SyslogSuccess yes

    # If logging is enabled, include detailed logging about why or why not a message was
    # signed or verified. This causes an increase in the amount of log data generated
    # for each message, so set this to No (or comment it out) if it gets too noisy.
    LogWhy yes

    # Attempt to become the specified user before starting operations.
    UserID opendkim:opendkim

    # Create a socket through which your MTA can communicate.
    Socket inet:8891@localhost

    # Required to use local socket with MTAs that access the socket as a non-
    # privileged user (e.g. Postfix)
    Umask 002

    # This specifies a text file in which to store DKIM transaction statistics.
    #Statistics /var/spool/opendkim/stats.dat

    ## SIGNING OPTIONS

    # Selects the canonicalization method(s) to be used when signing messages.
    Canonicalization relaxed/simple

    # Domain(s) whose mail should be signed by this filter. Mail from other domains will
    # be verified rather than being signed. Uncomment and use your domain name.
    # This parameter is not required if a SigningTable is in use.
    #Domain example.com

    # Defines the name of the selector to be used when signing messages.
    Selector default

    # Gives the location of a private key to be used for signing ALL messages.
    #KeyFile /etc/opendkim/keys/default.private

    # Gives the location of a file mapping key names to signing keys. In simple terms,
    # this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
    # setting in the configuration file.
    KeyTable refile:/etc/opendkim/KeyTable

    # Defines a table used to select one or more signatures to apply to a message based
    # on the address found in the From: header field. In simple terms, this tells
    # OpenDKIM how to use your keys.
    SigningTable refile:/etc/opendkim/SigningTable

    # Identifies a set of "external" hosts that may send mail through the server as one
    # of the signing domains without credentials as such.
    ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

    # Identifies a set internal hosts whose mail should be signed rather than verified.
    InternalHosts refile:/etc/opendkim/TrustedHosts

  7. Configure the KeyTable
     When running several domains, add each domain's key information to /etc/opendkim/KeyTable.
    [Default]

    [root@host1 named]# cat /etc/opendkim/KeyTable
    # To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
    # then uncomment the following line and replace example.com with your domain
    # name, then restart OpenDKIM. Additional keys may be added on separate lines.

    #default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private

    [Changed]

    # To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
    # then uncomment the following line and replace example.com with your domain
    # name, then restart OpenDKIM. Additional keys may be added on separate lines.

    default._domainkey.rootlinks.net rootlinks.net:default:/etc/opendkim/keys/rootlinks.net/default.private

  8. Configure TrustedHosts
     List the mail servers whose mail should be signed in /etc/opendkim/TrustedHosts. The default 127.0.0.1 alone would probably be enough, but I added the others to be safe.
    [Default]

    [root@host1 named]# cat /etc/opendkim/TrustedHosts
    # To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
    # option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
    # may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
    # The localhost IP (127.0.0.1) should be the first entry in this file.
    127.0.0.1

    [Changed]

    # To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
    # option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
    # may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
    # The localhost IP (127.0.0.1) should be the first entry in this file.
    127.0.0.1
    localhost
    host1.rootlinks.net

  9. Configure the SigningTable
     Add the domain(s) whose mail should be signed to /etc/opendkim/SigningTable.
    [Default]

    [root@host1 named]# cat /etc/opendkim/SigningTable
    # The following wildcard will work only if
    # refile:/etc/opendkim/SigningTable is included
    # in /etc/opendkim.conf.

    #*@example.com default._domainkey.example.com

    # If refile: is not specified in /etc/opendkim.conf, then full
    # user@host is checked first, then simply host, then user@.domain (with all
    # superdomains checked in sequence, so "foo.example.com" would first check
    # "user@foo.example.com", then "user@.example.com", then "user@.com"), then
    # .domain, then user@*, and finally *. See the opendkim.conf(5) man page
    # under "SigningTable".

    #example.com default._domainkey.example.com

    [Changed]

    # The following wildcard will work only if
    # refile:/etc/opendkim/SigningTable is included
    # in /etc/opendkim.conf.

    *@rootlinks.net default._domainkey.rootlinks.net

    # If refile: is not specified in /etc/opendkim.conf, then full
    # user@host is checked first, then simply host, then user@.domain (with all
    # superdomains checked in sequence, so "foo.example.com" would first check
    # "user@foo.example.com", then "user@.example.com", then "user@.com"), then
    # .domain, then user@*, and finally *. See the opendkim.conf(5) man page
    # under "SigningTable".

    #example.com default._domainkey.example.com

  10. Configure DNS
      Publish the public key in the DNS zone file. Since it has to answer queries from outside, it goes in the zone file published to the Internet; copying the contents of /etc/opendkim/keys/rootlinks.net/default.txt as-is is enough. Separately from the key, I also add a DKIM policy (ADSP) record.

    default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfM-(snip)" ; ----- DKIM key default for rootlinks.net

    _adsp._domainkey.rootlinks.net IN TXT "dkim=unknown"

    Now check the record. If the public key is returned, it is fine. If it is not, wait a while and test again.

    [matsuoka@host2 ~]$ nslookup -q=txt default._domainkey.rootlinks.net
    Server: xxx.xxx.xxx.xxx
    Address: xxx.xxx.xxx.xxx#53

    Non-authoritative answer:
    default._domainkey.rootlinks.net text = "v=DKIM1\; k=rsa\; p=MIG..(snip)

  11. Configure Postfix
      Add the settings that make the Postfix mail server hand messages to opendkim.

    [root@host1 ~]# vi /etc/postfix/main.cf
    smtpd_milters = inet:127.0.0.1:8891
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept

  12. Restart the services
      Start or restart each service.

    [root@host1 ~]# /etc/init.d/opendkim start
    Generating default DKIM keys: [ OK ]
    Default DKIM keys for rootlinks.net created in /etc/opendkim/keys.
    Starting OpenDKIM Milter: [ OK ]

    [root@host1 ~]# /etc/init.d/postfix reload
    postfix を再読み込み中: [ OK ]

  13. Run opendkim at boot
      Configure opendkim to start automatically when the server boots.

    [root@host1 ~]# chkconfig --list | grep dkim
    opendkim 0:off 1:off 2:off 3:off 4:off 5:off 6:off
    [root@host1 postfix]# chkconfig opendkim on
    [root@host1 postfix]# chkconfig --list | grep dkim
    opendkim 0:off 1:off 2:on 3:on 4:on 5:on 6:off

  14. Testing opendkim
      Test whether the signature verifies correctly. Send an empty message to
    autorespond+dkim@dk.elandsys.com
    or
    sa-test@sendmail.net
    and a reply arrives after the signature has been checked.
    [sa-test@sendmail.net: DKIM is not working at all]

    Authentication System: DomainKeys Identified Mail (DKIM)
    Result: (no result present)
    Reporting host:
    More information: http://dkim.org/
    Sendmail milter: http://opendkim.org/

    [sa-test@sendmail.net: the signature could not be verified]

    Authentication System: DomainKeys Identified Mail (DKIM)
    Result: DKIM signature confirmed BAD
    Description: Unrecoverable error during processing; signature data cannot be verified
    Reporting host: services.sendmail.com
    More information: http://dkim.org/
    Sendmail milter: http://opendkim.org/

    [sa-test@sendmail.net: the signature verified correctly]

    Authentication System: DomainKeys Identified Mail (DKIM)
    Result: DKIM signature confirmed GOOD
    Description: Signature verified, message arrived intact
    Reporting host: services.sendmail.com
    More information: http://dkim.org/
    Sendmail milter: http://opendkim.org/

    [autorespond+dkim@dk.elandsys.com: the signature verified correctly]

    The results are as follows:
    DKIM Signature validation: pass

If the test does not pass, fix the configuration, wait at least 20 minutes, and then test again.
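As an added check on the DNS step above (my own example, not code from the original post or from OpenDKIM), the script below takes the value of a `default._domainkey` TXT record, such as the one returned by the nslookup above or written to default.txt by opendkim-genkey, decodes the `p=` public key with a minimal DER walk and reports the RSA modulus size, flagging anything below 1024 bits (the minimum RFC 8301 requires, and the class of 512-bit key the Wired article describes). The records it tests are constructed with placeholder moduli rather than real key material.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID 1.2.840.113549.1.1.1 as a DER TLV

def parse_dkim_txt(txt):
    """Tag=value pairs of a DKIM TXT value; accepts opendkim-genkey's quoted chunks and nslookup's \\; escapes."""
    tags = {}
    for field in txt.replace('"', '').replace('\\;', ';').split(';'):
        if '=' in field:
            k, v = field.split('=', 1)
            tags[k.strip()] = ''.join(v.split())     # p= is usually wrapped over several chunks
    return tags

def der_read(buf, pos):  # read one DER TLV at pos -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        k = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + k], 'big'), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki):  # RSA modulus size inside a DER SubjectPublicKeyInfo (the decoded p= value)
    _, body, _ = der_read(spki, 0)                   # SubjectPublicKeyInfo SEQUENCE
    _, alg, nxt = der_read(body, 0)                  # AlgorithmIdentifier SEQUENCE
    if alg[:len(RSA_OID)] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = der_read(body, nxt)                 # BIT STRING; first byte is the unused-bit count
    _, rsapub, _ = der_read(bits[1:], 0)             # RSAPublicKey SEQUENCE
    _, n, _ = der_read(rsapub, 0)                    # modulus INTEGER
    return int.from_bytes(n, 'big').bit_length()

def check_dkim_record(txt, min_bits=1024):
    """Return (modulus_bits, ok); ok is False for short keys like the 512-bit one in the Wired story."""
    tags = parse_dkim_txt(txt)
    if tags.get('v', 'DKIM1') != 'DKIM1' or tags.get('k', 'rsa') != 'rsa':
        raise ValueError("unsupported DKIM record version or key type")
    bits = rsa_modulus_bits(base64.b64decode(tags['p']))
    return bits, bits >= min_bits

# --- constructed sample input (no real key material): a tiny DER encoder builds a test record ---
def _der(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, 'big')
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def sample_record(bits):  # DKIM TXT value whose p= carries a placeholder modulus of exactly `bits` bits
    n = (1 << (bits - 1)) + 12345                    # constructed number, not a real RSA modulus
    der_int = lambda v: _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, 'big'))
    key = _der(0x30, der_int(n) + der_int(65537))
    spki = _der(0x30, _der(0x30, RSA_OID + b'\x05\x00') + _der(0x03, b'\x00' + key))
    return 'v=DKIM1; k=rsa; p=' + base64.b64encode(spki).decode()
```

Run it against the real record by pasting the quoted value from the nslookup output into check_dkim_record().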
