CentOS – email signing with Postfix


from:    Facebook notification+kr4myw5ewe5n@facebookmail.com

reply-to:    noreply <noreply@facebookmail.com>

to:  Achal Tomar <achal.tomar58@gmail.com>

date:    Wed, Jul 11, 2012 at 6:57 PM

subject:     Abhishek Awasthi tagged a photo of you on Facebook

>mailed-by:  facebookmail.com

>signed-by:  facebookmail.com

These are the details of a mail I received from Facebook. Here the mailed-by: and signed-by: headers are the same; this is important for mail authentication.
I also want to implement this on my Postfix mail server. Is there any method to achieve this?
My scenario is as follows:
I have a CentOS 5 server which uses Postfix as an MTA. This server uses a round-robin load-balancing technique to balance mails, which are sent to other servers for relaying.
All the servers are on the same domain, suppose "example.com". What I need is that when the mails are sent to the load balancer for relaying, it sends all the mails signed by the same domain, that is, the signed-by: header must contain "example.com".
Also, the mails relayed to the destinations by the relaying servers must have the same signed-by: header of "example.com".

Best Answer

What you're seeing in Gmail is a combination of DKIM and SPF validation. SPF is relatively simple, and is a DNS record specifying which mail servers are designated to send mail from your domain. I believe this is how Gmail presents the "mailed-by" tag. DKIM is a bit more complicated, as you will be cryptographically signing outgoing mail, primarily using a Postfix filter. There is also a DNS entry, to publish the DKIM public key. The DKIM validation is presented in Gmail as the "signed-by" tag.

Take a look here for the official documentation on the "signed-by" and "mailed-by" tags.

For a DKIM primer, here's the wiki page. You're using CentOS, but the Ubuntu documentation on setting up DKIM with Postfix is relatively clear. You can search more specifically for CentOS-orientated documentation.

In general, you will be installing the OpenDKIM package (you will need the EPEL repo enabled) and configuring it (e.g., generating the key pair, telling OpenDKIM which key to use when signing a given domain, etc.). There will be an opendkim daemon listening on a port on the loopback interface. Postfix will be configured to process mail through that daemon as a smtpd_milter in main.cf. Once that's done, you will add a TXT record to the DNS for your domain that specifies the public key.
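The setup outlined in this answer, written out as an added configuration sketch that is not part of the original answer. The selector name `mail`, the key directory, port 8891, the TrustedHosts file and the 192.0.2.0/24 subnet are assumptions chosen for illustration; `example.com` is the domain from the question.

```conf
# --- 1. Key pair: run once as root on the host that will sign ---
#   opendkim-genkey -D /etc/opendkim/keys/example.com -d example.com -s mail
#   chown opendkim:opendkim /etc/opendkim/keys/example.com/mail.private
#   chmod 600 /etc/opendkim/keys/example.com/mail.private
# Result: mail.private (signing key, keep secret) and mail.txt (DNS record).

# --- 2. /etc/opendkim.conf ---
# Sign only; use "sv" to also verify inbound mail.
Mode              s
# This value becomes d= in the DKIM-Signature header.
Domain            example.com
# Assumed selector; must match the DNS label in step 4.
Selector          mail
KeyFile           /etc/opendkim/keys/example.com/mail.private
# Listen on loopback only, so nothing off-host can reach the signer.
Socket            inet:8891@localhost
Canonicalization  relaxed/simple
Syslog            yes
UserID            opendkim:opendkim
# Only mail arriving from these clients is signed. By default that is
# 127.0.0.1 alone, so hosts that submit mail to this server must be listed.
InternalHosts     /etc/opendkim/TrustedHosts

# --- /etc/opendkim/TrustedHosts (one entry per line, placeholder subnet) ---
#   127.0.0.1
#   192.0.2.0/24

# --- 3. /etc/postfix/main.cf (append) ---
# Mail received over SMTP goes through the opendkim milter.
smtpd_milters         = inet:127.0.0.1:8891
# Locally submitted mail (sendmail command, cron) is signed as well.
non_smtpd_milters     = $smtpd_milters
# Defer mail if opendkim is unreachable instead of sending it unsigned.
milter_default_action = tempfail

# --- 4. DNS: publish the record generated in mail.txt ---
#   mail._domainkey.example.com.  IN TXT  "v=DKIM1; k=rsa; p=<public key from mail.txt>"
```

A DKIM signature stays valid across later relay hops as long as those hops do not alter the signed headers or the body, so signing once at the host that accepts the mail is sufficient for the relays behind it.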
