How to Configure DomainKeys Signing and Verifying for Axigen

How to configure and enable DomainKeys for Axigen.

Solution

In order to setup DomainKeys in Axigen we require access to the DNS server hosting the domain for which we require DomainKeys signing.

We will start by generating the private and public keys required to sign a message. If otherwise mentioned all the commands will be run as the root user.
 

  • Navigate to the /var/opt/axigen/ or /var/axigen directory.
  • Issue the command: openssl genrsa -out key 2048 to generate the private key.
  • Issue the command: openssl rsa -in key -out key.public -pubout -outform PEM to generate the public key from the private one.
  • Issue the command: chown axigen:axigen key key.public.
  • Issue the command: chmod 600 key since the private key must not be read by any other user than axigen.


Now we will setup the DNS records for our domain. The instructions presented pertain to the BIND nameserver software. We will use in this article the domain name "example.org", please replace all the occurrences of this domain name with your domain name in the actual configuration.

First we need to obtain the public key on one line... the following command can be of help but requires the presence of the perl interpreter on the server.

While we are still in the /var/opt/axigen or /var/axigen directory issue the following command: grep -v ^- key.public | perl -e 'while(<>){chop;$l.=$_;}print "t=y; p=$l;\n";'
The output of the command will look similar to this:
t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMF7wA3voBYdzEtSDeP3bWLKAFP3qQk6K9US5/5dly4rPWMRxtV+D/5mlz8linCca/fKVyhyOoJIgEXp8TTF2PN3wBBvxIG2xBMdjucEUcLM4XFZQOApGgItjc2dnu4ZcwIDAQA;We need to copy the output and make sure all the text is selected even the parts that are out of the view.

Edit the zone file for the domain "example.org" and add the following line to it:
_domainkey.example.org  IN TXT "t=y; o=-";
Now we need a second line containing our selector:
default._domainkey.example.org    IN  TXT "output of the public key command"The above line should look similar to this:
default._domainkey.example.org  IN  TXT "t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMF7wA3voBYdzEtSDeP3bWLKAFP3qQk6K9US5/5dly4rPWMRxtV+D/5mlz8linCca/fKVyhyOoJIgEXp8TTF2PN3wBBvxIG2xBMdjucEUcLM4XFZQOApGgItjc2dnu4ZcwIDAQAB;"Now we need to save the zone file and restart the bind service.

We are done with the DNS system part.Now we will need to configure Axigen to sign outgoing messages and verify incoming ones.

For this purpose the axidkd and axidksd services are used. Before we start these services we need to configure the signing service. The selector (default) that we configured in the DNS system and the path to the private key file needs to be specified in the signing module's configuration file. This file is called axidksd.conf and can be found in the /etc/opt/axigen/ directory.

Edit the above mentioned file and modify the privateKeyPath and selector configuration variables to reflect the actual configuration. In our case the privateKeyPath variable's value is /var/opt/axigen/key and the selector variable's value is "default".

Starting with Axigen 5 the DomainKeys services are incorporated in the axigenfilters service. In order to start the DomainKeys signing and verifying daemon you need to start the axigenfilters service, issue the following command to do that:
/etc/init.d/axigenfilters startAt this moment we have our DomainKeys setup almost done. In this phase of our setup Axigen is allready configured to verify incoming message's signature all that remains to be done is activate the verifying service.

To activate the verifying service in Axigen 5 we will need to use the Webadmin interface, here are the required steps:

 

  • After logging in click the "Security&Filtering" drop-down button.
  • Afterwards, the "Additional AntiSpam Methods" link.
  • Scroll down to the "Domainkeys" section and enable the "Enable Domain Keys" checkbox.
  • Click the "Save Configuration" button at the bottom of the page to save and apply the new setting.

The next part will relate to the configuration changes needed to enable the signing service.

To enable the DomainKeys signer in Axigen we will use the WebAdmin interface like in the following steps:

 

 

  • After logging into the Webadmin interface click the "Security&Filtering" drop-down button.

 

  •  Click on the "AntiVirus and AntiSpam" link.
  •  From the list of filters enable the "DKSigner" filter.

After the signing service is enabled we need to make an additional configuration adjustment in order to ensure full functionality.

Edit the axigen configuration file axigen.cfg usually found in the /var/opt/axigen/run/ directory.

Look for the following text sequence inside the file:
serverActiveFilters = (
        {
        ....

            filterName = "DKSigner"
            filterType = socket
            priority = 2
            applyOn = (local relay)

        ....

        }
And adjust the DKSigner filters configuration section to resemble the following:
   serverActiveFilters = (
        {
        ....

            filterName = "DKSigner"
            filterType = socket
            priority = 2
            applyOn = (relay)

        ....

        }
Basically we needed to remove the local setting that controls what type of messages the DKSigner filter will process. Save the configuration file and restart the axigen service in order to apply the new configuration.

From this point on Axigen will sign outgoing messages for the configured domain and will verify all incoming messages.

Please note that the DomainKeys signer will fail to produce correctly signed messages in Trial versions of Axigen because of the "This is a trial version..." message that is appended after the message is signed.

OS: LinuxFreeBSDNetBSDOpenBSDSolaris
Distros: Windows