4.2.1. AXIGEN Signing Module Usage and Configuration

The AXIGEN Signing Module gives AXIGEN a tool to prevent forgery and possible repudiation. It implements the Yahoo DomainKeys concept, which works by signing the contents of an email so that mail servers can verify that signature.

The DomainKeys module is composed of two daemons that run independently of AXIGEN and of each other: the DomainKeys Signer and the DomainKeys Verifier. Each of them has a configuration file and communicates with AXIGEN using an AFSL connector.

The signer's role is to sign emails that come from AXIGEN. The verifier's role is to verify mail, which applies only to messages that were previously signed.

To activate the DomainKeys filters, first make sure that the AxigenFilters service is started. For more information, see Starting/Stopping/Restarting the Server.

To activate the DomainKeys Signing filter from Webadmin, open the 'Security & Filtering' menu, go to the 'AntiVirus and AntiSpam' context, select the 'Supported Applications' tab and click the 'ENABLE' button for the application named 'DKSigner'.
To enable the DomainKeys Verifier from Webadmin, open the 'Security & Filtering' menu, go to the 'Additional AntiSpam Methods' context and select the 'Enable Domain Keys' check-box under 'Domain Keys'. Some configurable actions for the DK Verifier can be found under this check-box.

We strongly recommend activating the DomainKeys Verifier AV/AS configuration filter with the highest priority and the signer with the lowest.


Command line parameters

The command line parameters listed below apply to both the signer and the verifier.
  • -h displays this help message
  • -v displays the version
  • -f run in foreground
  • -u <user> run as user. DEFAULT: 'AXIGEN'
  • -g <group> run as group. DEFAULT: 'AXIGEN'
  • -c <path> path to the configuration file; the default paths are as follows:
    • /etc/opt/AXIGEN/axidkd.conf for DomainKeys Verifier
    • /etc/opt/AXIGEN/axidksd.conf for DomainKeys Signer

DomainKeys Verifier configuration

  • bindIp <ip> - The address used to listen for connections from AXIGEN.
  • bindPort <port> - The port used for connections from AXIGEN. - DEFAULT: 1982
  • logType <type> - This parameter defines where to log messages. It can be "system", "file" or "stdout". The "system" value means that messages will be logged to the system log, "file" that they will be logged in a file and "stdout" that messages will be logged at standard output. WARNING: if "file" is selected for this property, the logFile must also be set. - DEFAULT: "system"
  • logFile <file> - In case that logType has the value "file", this defines the file where messages are logged. - DEFAULT: "none"
  • logLevel <level> - The level at which messages will be logged. Possible values are:
    • 0 - only error messages will be logged
    • 1 - error and warning messages will be logged
    • 2 - all messages will be logged
    • DEFAULT: 2
  • addAuthHeader - This option enables/disables adding the "Authentication-Results" header to the message after verification. It can take the values: yes or no. - DEFAULT: "yes"
  • actionOnPass - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a pass action (the actions that can be sent to AXIGEN are detailed in the AFSL documentation). Possible values: pass|match|discard|error. - DEFAULT: "pass"
  • actionOnFail - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a fail action. Possible values: pass|match|discard|error. - DEFAULT: "match"
  • actionOnSoftFail - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a softfail action. Possible values: pass|match|discard|error. - DEFAULT: "match"
  • actionOnNeutral - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a neutral action. Possible values: pass|match|discard|error. - DEFAULT: "pass"
  • actionOnTempError - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a temperror action. Possible values: pass|match|discard|error. - DEFAULT: "error"
  • actionOnPermError - This option specifies what action should be sent to AXIGEN when the DomainKeys verification yields a permerror action. Possible values: pass|match|discard|error. - DEFAULT: "match"
  • rwTimeout <value> - This option specifies the timeout used when communicating with AXIGEN and with the Milter Implementation (in milliseconds). The range for this value is 1 - 65535. - DEFAULT: 400
  • processingThreads <threads> - The number of processing threads which also reflects the maximum number of connections made to the milter implementation. The range for this value is 1 - 128. - DEFAULT: 16

DomainKeys Signer configuration

  • bindIp <ip> - The address used to listen for connections from AXIGEN.
  • bindPort <port> - The port used for connections from AXIGEN. - DEFAULT: 1982
  • logType <type> - This parameter defines where to log messages. It can be "system", "file" or "stdout". The "system" value means that messages will be logged to the system log, "file" that they will be logged in a file and "stdout" that messages will be logged at standard output. WARNING: if "file" is selected for this property, the logFile must also be set. - DEFAULT: "system"
  • logFile <file> - In case that logType has the value "file", this defines the file where messages are logged. - DEFAULT: "none"
  • logLevel <level> - The level at which messages will be logged. Possible values are:
    • 0 - only error messages will be logged
    • 1 - error and warning messages will be logged
    • 2 - all messages will be logged
    • DEFAULT: 2
  • rwTimeout <value> - This option specifies the timeout used when communicating with AXIGEN and with the Milter Implementation (in milliseconds). The range for this value is 1 - 65535. - DEFAULT: 400
  • privateKeyPath - The path to the private key used for signing. This parameter is required.
  • selector - The selector used to form the query for the public key. This parameter is required.
  • canonicalization - The canonicalization algorithm type. Possible values: simple|nofws. - DEFAULT: "nofws"
  • removeHeaders - If set to yes, this option removes duplicate headers from the signature. Possible values: yes|no. - DEFAULT: "no"
  • processingThreads <threads> - The number of processing threads which also reflects the maximum number of connections made to the milter implementation. The range for this value is 1 - 128. - DEFAULT: 16
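
As an added example (not AXIGEN's own code), the following Python script checks verifier or signer settings against the allowed values, ranges and required parameters listed in the two configuration sections above. The file syntax (one `name value` or `name = value` pair per line, `#` comments) and the sample settings are assumptions constructed for illustration; this page does not show the configuration file format.

```python
import re
# Assumed file syntax (the page does not show it): one "name value" or
# "name = value" pair per line, with "#" starting a comment.
ACTIONS = {"pass", "match", "discard", "error"}
YESNO = {"yes", "no"}
COMMON = {"logType": {"system", "file", "stdout"}, "logLevel": {"0", "1", "2"}}
VERIFIER = {"addAuthHeader": YESNO, **{"actionOn" + r: ACTIONS for r in (
    "Pass", "Fail", "SoftFail", "Neutral", "TempError", "PermError")}}
SIGNER = {"canonicalization": {"simple", "nofws"}, "removeHeaders": YESNO}
RANGES = {"rwTimeout": (1, 65535), "processingThreads": (1, 128)}

def parse(text):
    """Parse the assumed line-oriented format into {name: value}."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf

def lint(conf, role):
    """Check settings for role 'verifier' or 'signer'; return a problem list."""
    problems = []
    enums = {**COMMON, **(VERIFIER if role == "verifier" else SIGNER)}
    for key, allowed in enums.items():
        if key in conf and conf[key] not in allowed:
            problems.append(f"{key}: {conf[key]!r} not in {sorted(allowed)}")
    for key, (lo, hi) in RANGES.items():
        if key in conf and not (conf[key].isdigit() and lo <= int(conf[key]) <= hi):
            problems.append(f"{key}: must be an integer in {lo}-{hi}")
    if conf.get("logType") == "file" and conf.get("logFile", "none") == "none":
        problems.append("logFile: must be set when logType is file")
    if role == "signer":  # both parameters are documented as required
        problems += [f"{k}: required" for k in ("privateKeyPath", "selector")
                     if not conf.get(k)]
    return problems

# Constructed sample settings, not taken from a real deployment.
SIGNER_CONF = """\
logType file             # logFile forgotten
rwTimeout 70000          # above the documented maximum
selector mail1           # privateKeyPath missing
canonicalization relaxed # not one of simple|nofws
"""
VERIFIER_CONF = "actionOnFail reject\nprocessingThreads = 16\n"

if __name__ == "__main__":
    for role, text in (("signer", SIGNER_CONF), ("verifier", VERIFIER_CONF)):
        print(role, lint(parse(text), role))
```

Settings that are absent are treated as taking their documented defaults and are not reported, except for the signer's two required parameters.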

Starting/Stopping/Restarting the Domain Keys Daemons


Slackware:
  • To start the daemons, issue the following command:
    /etc/rc.d/rc.axigendk start
  • To stop the daemons, you can issue:
    /etc/rc.d/rc.axigendk stop
  • In order to restart the daemons, issue the command:
    /etc/rc.d/rc.axigendk restart
Others (rpm-based, Ubuntu, Gentoo, Debian):
  • To start the daemons, issue the following command:
    /etc/init.d/axigendk start
  • To stop the daemons, you can issue:
    /etc/init.d/axigendk stop
  • In order to restart the daemons, issue the command:
    /etc/init.d/axigendk restart