Support for E-mail Authorization/Anti-Forgery technologies in Ubuntu Server
Scott Kitterman
ubuntu at kitterman.com
Tue Dec 18 18:27:27 UTC 2007

Preventing email abuse is a very complex issue. One small piece of this is
strengthening identity in email to give receivers a better idea of who is
really sending mail. This is not the same thing as strong identity
technologies such as GPG or S/MIME signing.

There are two major technologies for domain level forgery protection that are
at some reasonable level of deployment. Sender Policy Framework (SPF -
http://www.openspf.org) works to protect the message envelope. Domain Keys
(DK) and Domain Keys Identified Mail (DKIM) are cryptographic methods
designed to protect the body of messages from spoofing. DK is the original
approach published by (and still used by) Yahoo!. DKIM is the version
standardized by the IETF and has been more broadly adopted.

There is a lot of complexity buried in these two technologies and I'm not
going to try and explain them here. The purpose of this message is to let
you know they are both supported in Ubuntu Server.

With both of these, there is more than one way to do it. I'll mention here
the packages that I think are the most well developed today for use with
Postfix (the standard MTA for Ubuntu).

For SPF, python-policyd-spf is available for Feisty and Gutsy in the regular
release and for Dapper, Edgy, Feisty, and Gutsy in backports. The released
version of Postfix will work just fine with this package for all the
releases.

https://launchpad.net/ubuntu/+source/pypolicyd-spf

For DKIM, the dkim-filter (dkim-milter) package works well in my experience.
It is available for Gutsy in the regular release and in backports for Dapper,
Feisty, and Gutsy. For Dapper, use of the Postfix in backports is required.
For Feisty, the released Postfix will work, but using the later version in
backports is strongly recommended if you are going to run a milter.

https://launchpad.net/ubuntu/+source/dkim-milter

All of this is either in Universe or in Backports, so none of it is officially
supported by Canonical.

Scott K