Support for E-mail Authorization/Anti-Forgery technologies in Ubuntu Server

Scott Kitterman ubuntu at kitterman.com
Tue Dec 18 18:27:27 UTC 2007


Preventing email abuse is a very complex issue.  One small piece of this is 
strengthening identity in email to give receivers a better idea of who is 
really sending mail.  This is not the same thing as strong identity 
technologies such as GPG or S/MIME signing.

There are two major technologies for domain level forgery protection that are 
at some reasonable level of deployment.  Sender Policy Framework (SPF - 
http://www.openspf.org) works to protect the message envelope.  DomainKeys 
(DK) and DomainKeys Identified Mail (DKIM) are cryptographic methods 
designed to protect the body of messages from spoofing.  DK is the original 
approach published by (and still used by) Yahoo!.  DKIM is the version 
standardized by the IETF and has been more broadly adopted.

There is a lot of complexity buried in these two technologies and I'm not 
going to try and explain them here.  The purpose of this message is to let 
you know they are both supported in Ubuntu Server.

With both of these, there is more than one way to do it.  I'll mention here 
the packages that I think are the most well developed today for use with 
Postfix (the standard MTA for Ubuntu).

For SPF, python-policyd-spf is available for Feisty and Gutsy in the regular 
release and for Dapper, Edgy, Feisty, and Gutsy in backports.  The released 
version of Postfix will work just fine with this package for all the 
releases.

https://launchpad.net/ubuntu/+source/pypolicyd-spf

For DKIM, the dkim-filter (dkim-milter) package works well in my experience.  
It is available for Gutsy in the regular release and in backports for Dapper, 
Feisty, and Gutsy.  For Dapper, use of the Postfix in backports is required.  
For Feisty, the released Postfix will work, but using the later version in 
backports is strongly recommended if you are going to run a milter.

https://launchpad.net/ubuntu/+source/dkim-milter

All of this is either in Universe or in Backports, so none of it is officially 
supported by Canonical.

Scott K



