Installing DKIM in qmail without patching

1. Install libdomainkeys. Download it from SourceForge, then

$ tar xzfv libdomainkeys-0.69.tar.gz
$ cd libdomainkeys-0.69
$ make

If an error like the following appears:

./libdomainkeys.a(dns_txt.o): In function `dns_text':
dns_txt.c:(.text+0x2d): undefined reference to `__res_query'
dns_txt.c:(.text+0xc0): undefined reference to `__dn_expand'
dns_txt.c:(.text+0x11e): undefined reference to `__dn_expand'
collect2: ld returned 1 exit status
make: *** [dktest] Error 1
Solution:

$ echo -lresolv > dns.lib

then repeat the process above. If there are no errors, continue:
$ su -
$ install -m 644 libdomainkeys.a /usr/local/lib/
$ install -m 644 domainkeys.h dktrace.h /usr/local/include/
$ install -m 755 dknewkey /usr/local/bin/
$ install -m 755 dktest /usr/local/bin/

2. Install Mail::DKIM. There are two ways: via CPAN or manually.

Via CPAN:

$ perl -MCPAN -e shell

cpan> install Mail::DKIM

Manually:

Browse to http://search.cpan.org, search for Mail::DKIM, download it, then

$ tar xzfv Mail-DKIM-0.40.tar.gz
$ cd Mail-DKIM-0.40
$ perl Makefile.PL
$ make
$ make test
$ su -
$ make install

If dependencies are missing while installing Mail::DKIM, install each one manually until the Mail::DKIM installation no longer complains. Next:

$ cd /usr/local/bin
$ wget http://www.memoryhole.net/qmail/dkimsign.pl
$ wget http://www.memoryhole.net/qmail/dkimverify.pl
$ chmod 755 dkimsign.pl
$ chmod 755 dkimverify.pl

3. Create a key pair and set up DNS. For this we can get help from dkimcore.
First, use the 'Generate a DKIM Core Key' tool: type your domain name (e.g. serverku.com) and click Generate.
Note the selector, a 10-digit number (e.g. 1366597073).
Copy the link under 'Download private key', then

$ su -
$ mkdir -p /etc/domainkeys/serverku.com/
$ cd /etc/domainkeys/serverku.com/
$ wget yyy (replace yyy with the link just copied from 'Download private key')
$ mv privatekey.txt 1366597073 (adjust to the selector obtained above)
$ chown -R qmailq /etc/domainkeys
$ chgrp qmail 1366597073 (adjust to the selector obtained above)
$ chmod 0640 1366597073 (adjust to the selector obtained above)

Next, set up DNS. If you use BIND, use the 'Bind 9 Format' section of the output from the 'Generate a DKIM Core Key' tool.
Copy it, then
$ vi /var/named/serverku.com.zone

After pasting, delete the word serverku that follows the selector digits, so the result looks like this:

1366597073._domainkey.serverku.com. IN TXT (
"v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYrSCbfKerv5o6lht41H5EU3cy"
"lnUfx7i+uPnjTOtV2im1u5cHW63PwMrisfwTE6MdMK9wrUVHQO+dt+n+bkUArRg+"
"5FNMoHtbPbwuVYM2/BiU9FZNoRqz/ct6WVV6O2FTHeAL4SuldeOC0X+UgS+cDUb5"
"sGtDeTF2p0Ar/iPqUwIDAQAB")
Save, exit vi and restart BIND. Likewise, if you use tinydns, don't forget to delete the word serverku.

4. Install the qmail-remote wrapper

$ su -
$ cd /var/qmail/bin
$ mv qmail-remote qmail-remote.orig
$ vi qmail-remote-wrapper.sh and fill it with the following lines (or download it here):
#!/bin/bash
DOMAIN="serverku.com"
DKREMOTE="/var/qmail/bin/qmail-remote.orig"
DKSIGN="/etc/domainkeys/$DOMAIN/1366597073"
# spool the message that qmail hands us on stdin into a temp file
tmp=`/bin/mktemp -t dk.sign.XXXXXXXXXXXXXXXXXXX`
/bin/cat - >"$tmp"
# emit the DomainKey-Signature header, then the DKIM-Signature header
# (CRs stripped, since dkimsign.pl writes CRLF), then the original message
( /usr/local/bin/dktest -s "$DKSIGN" -c nofws -h <"$tmp" 2>/dev/null |
/bin/sed 's/; d=.*;/; d='"$DOMAIN"';/' ;
/usr/local/bin/dkimsign.pl --type=dkim --selector=1366597073 --key="$DKSIGN" --method=relaxed <"$tmp" |
/usr/bin/tr -d '\r' ;
/bin/cat "$tmp" ) |
"$DKREMOTE" "$@"
retval=$?
/bin/rm "$tmp"
exit $retval

The adjustments you must make are:
a. DOMAIN
b. the end of DKSIGN: adjust it to the selector obtained above
c. --selector=: adjust it to the selector obtained above

Also check the paths of the binaries and make sure they are correct for your system (e.g. /bin/mktemp). Save and exit vi.

$ chmod a+x qmail-remote-wrapper.sh
$ ln -s qmail-remote-wrapper.sh qmail-remote

For testing you can use the tool at www.appmaildev.com: click the 'next step' button, then send an email from one of the @serverku.com accounts to the address that appears (e.g. AAAA3QcEFRcA@appmaildev.com).

A reply email containing a report will arrive. If it worked, the report includes an excerpt like:

===========================================================
DomainKey result: pass
===========================================================
DKIM result: pass

Another way to test is to send an empty email to check-auth@verifier.port25.com and wait a moment for the reply, which reports the SPF, DKIM and DomainKeys status of your mail server.
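An added check, not part of the original post: this Python parses the BIND-format TXT record from step 3, confirms the owner name is exactly selector._domainkey.domain. (the stray "serverku" mentioned above would fail it), and reads the RSA modulus size from the p= tag, since RFC 8301 requires at least 1024 bits and recommends 2048. The embedded record is the post's own; the function names are mine.

```python
import base64
import re

# Constructed sample: the BIND 9 record from the post (a 1024-bit key), as it
# should read in the zone file after the stray "serverku" has been removed.
ZONE_RECORD = '''1366597073._domainkey.serverku.com. IN TXT (
"v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYrSCbfKerv5o6lht41H5EU3cy"
"lnUfx7i+uPnjTOtV2im1u5cHW63PwMrisfwTE6MdMK9wrUVHQO+dt+n+bkUArRg+"
"5FNMoHtbPbwuVYM2/BiU9FZNoRqz/ct6WVV6O2FTHeAL4SuldeOC0X+UgS+cDUb5"
"sGtDeTF2p0Ar/iPqUwIDAQAB")'''

def parse_txt(record):
    """Join the quoted strings of a BIND TXT record; return (owner, DKIM tags)."""
    owner = record.split()[0]
    value = ''.join(re.findall(r'"([^"]*)"', record))
    pairs = (p.split('=', 1) for p in value.split(';') if '=' in p)
    return owner, {k.strip(): v.strip() for k, v in pairs}

def der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7f
    return int.from_bytes(buf[i + 1:i + 1 + n], 'big'), i + 1 + n

def rsa_modulus_bits(p_tag):
    """Walk the SubjectPublicKeyInfo in p= just far enough to read the modulus size."""
    spki = base64.b64decode(p_tag)
    _, i = der_len(spki, 1)            # outer SEQUENCE; spki[0] is 0x30
    alg_len, i = der_len(spki, i + 1)  # AlgorithmIdentifier SEQUENCE
    i += alg_len                       # skip it: next is the BIT STRING (0x03)
    _, i = der_len(spki, i + 1)
    i += 1                             # unused-bits byte of the BIT STRING
    _, i = der_len(spki, i + 1)        # RSAPublicKey SEQUENCE (0x30)
    mod_len, i = der_len(spki, i + 1)  # INTEGER modulus (0x02)
    return int.from_bytes(spki[i:i + mod_len], 'big').bit_length()

def check_record(record, selector, domain):
    """Return (key bits, findings); an empty findings list means verifiers
    will find the key under selector._domainkey.domain and it is long enough."""
    owner, tags = parse_txt(record)
    findings = []
    if owner != f'{selector}._domainkey.{domain}.':
        findings.append(f'owner is {owner}, expected {selector}._domainkey.{domain}.')
    if tags.get('v') != 'DKIM1':
        findings.append('missing v=DKIM1 tag')
    bits = rsa_modulus_bits(tags['p']) if tags.get('p') else 0
    if bits < 1024:
        findings.append(f'RSA key is {bits} bits; RFC 8301 requires at least 1024')
    return bits, findings
```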

modsecurity whitelist for pingdom servers

Pingdom provides a free service to monitor the status of a website. When the website is down, Pingdom sends a notification to a registered email address, and again when the website is up.

But if the website is protected by mod_security, Pingdom will not be able to do its job, so we need to create a whitelist for Pingdom's servers. First go to the directory where the mod_security rules reside (usually the same directory as modsecurity-crs), copy the lines below, and then

$ vi whitelist.conf

switch to insert mode, paste, then save and exit. Don't forget to restart Apache afterwards.

To make sure the IP addresses are still valid, check Pingdom's current list of probe servers. You need an account at Pingdom; it's free.

SecRule REMOTE_ADDR "^95\.211\.198\.87$" "phase:1,nolog,allow,id:445000,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^95\.211\.87\.85$" "phase:1,nolog,allow,id:445001,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^85\.17\.156\.76$" "phase:1,nolog,allow,id:445002,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^85\.17\.156\.11$" "phase:1,nolog,allow,id:445003,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^85\.17\.156\.99$" "phase:1,nolog,allow,id:445004,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^95\.211\.217\.68$" "phase:1,nolog,allow,id:445005,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^174\.34\.162\.242$" "phase:1,nolog,allow,id:445006,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^64\.141\.100\.136$" "phase:1,nolog,allow,id:445007,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^174\.34\.224\.167$" "phase:1,nolog,allow,id:445008,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^69\.59\.28\.19$" "phase:1,nolog,allow,id:445009,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^174\.34\.156\.130$" "phase:1,nolog,allow,id:445010,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^82\.103\.128\.63$" "phase:1,nolog,allow,id:445011,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^173\.248\.147\.18$" "phase:1,nolog,allow,id:445012,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^46\.20\.45\.18$" "phase:1,nolog,allow,id:445013,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^78\.31\.69\.179$" "phase:1,nolog,allow,id:445014,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^94\.247\.174\.83$" "phase:1,nolog,allow,id:445015,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^46\.165\.195\.139$" "phase:1,nolog,allow,id:445016,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^72\.46\.140\.186$" "phase:1,nolog,allow,id:445017,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^76\.164\.194\.74$" "phase:1,nolog,allow,id:445018,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^208\.64\.28\.194$" "phase:1,nolog,allow,id:445019,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^72\.46\.153\.26$" "phase:1,nolog,allow,id:445020,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^72\.46\.140\.106$" "phase:1,nolog,allow,id:445021,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^72\.46\.130\.42$" "phase:1,nolog,allow,id:445022,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^91\.109\.115\.41$" "phase:1,nolog,allow,id:445023,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^94\.46\.4\.1$" "phase:1,nolog,allow,id:445024,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^83\.170\.113\.210$" "phase:1,nolog,allow,id:445025,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^204\.152\.200\.42$" "phase:1,nolog,allow,id:445026,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^94\.46\.240\.121$" "phase:1,nolog,allow,id:445027,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^212\.84\.74\.156$" "phase:1,nolog,allow,id:445028,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^158\.58\.173\.160$" "phase:1,nolog,allow,id:445029,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^95\.141\.32\.46$" "phase:1,nolog,allow,id:445030,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^178\.255\.155\.2$" "phase:1,nolog,allow,id:445031,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^67\.205\.67\.76$" "phase:1,nolog,allow,id:445032,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^70\.32\.40\.2$" "phase:1,nolog,allow,id:445033,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^64\.237\.55\.3$" "phase:1,nolog,allow,id:445034,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^78\.40\.124\.16$" "phase:1,nolog,allow,id:445035,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^76\.72\.171\.180$" "phase:1,nolog,allow,id:445036,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^76\.72\.172\.208$" "phase:1,nolog,allow,id:445037,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^76\.72\.167\.90$" "phase:1,nolog,allow,id:445038,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^108\.62\.115\.226$" "phase:1,nolog,allow,id:445039,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^199\.87\.228\.66$" "phase:1,nolog,allow,id:445040,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^178\.255\.154\.2$" "phase:1,nolog,allow,id:445041,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^46\.105\.119\.18$" "phase:1,nolog,allow,id:445042,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^176\.31\.228\.137$" "phase:1,nolog,allow,id:445043,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^173\.204\.85\.217$" "phase:1,nolog,allow,id:445044,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^50\.23\.94\.74$" "phase:1,nolog,allow,id:445045,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^64\.120\.6\.122$" "phase:1,nolog,allow,id:445046,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^67\.228\.213\.178$" "phase:1,nolog,allow,id:445047,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^69\.64\.56\.47$" "phase:1,nolog,allow,id:445048,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^188\.138\.118\.184$" "phase:1,nolog,allow,id:445049,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^188\.138\.124\.110$" "phase:1,nolog,allow,id:445050,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^188\.138\.118\.144$" "phase:1,nolog,allow,id:445051,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^85\.25\.176\.167$" "phase:1,nolog,allow,id:445052,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^96\.31\.66\.245$" "phase:1,nolog,allow,id:445053,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^184\.75\.209\.18$" "phase:1,nolog,allow,id:445054,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^184\.75\.208\.210$" "phase:1,nolog,allow,id:445055,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^184\.75\.210\.90$" "phase:1,nolog,allow,id:445056,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^184\.75\.210\.226$" "phase:1,nolog,allow,id:445057,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^184\.75\.210\.186$" "phase:1,nolog,allow,id:445058,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^178\.255\.152\.2$" "phase:1,nolog,allow,id:445059,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^208\.43\.68\.59$" "phase:1,nolog,allow,id:445060,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^178\.255\.153\.2$" "phase:1,nolog,allow,id:445061,ctl:ruleEngine=off"

If you copy and paste from the list above, make sure the characters before and after the IP address are plain double quotes. Otherwise it won't work. I've been there. I had to copy and paste in gedit and then use its find-and-replace tool.
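An added example, not from the original post: a small Python lint that parses SecRule REMOTE_ADDR lines and shows why the patterns should escape the dots and end in $. Without the end anchor, "^85.17.156.11" also whitelists 85.17.156.110 through 85.17.156.119, with ruleEngine=off for all of them. The sample rules and the id 445103 are constructed for the demonstration; the function names are mine.

```python
import re

# Constructed sample: three rules in the loose form used in the post (unescaped
# dots, no end anchor) and one in the tightened form, for comparison.
SAMPLE_CONF = r'''
SecRule REMOTE_ADDR "^95.211.198.87" phase:1,nolog,allow,id:445000,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^85.17.156.11" phase:1,nolog,allow,id:445003,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^94.46.4.1" phase:1,nolog,allow,id:445024,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^85\.17\.156\.11$" "phase:1,nolog,allow,id:445103,ctl:ruleEngine=off"
'''

RULE_RE = re.compile(r'^SecRule\s+REMOTE_ADDR\s+"([^"]*)"\s+"?.*?\bid:(\d+)')

def parse_rules(conf):
    """Return (rule id, regex) for every SecRule REMOTE_ADDR line in conf."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(2)), m.group(1)))
    return rules

def intended_ip(regex):
    """The single address the rule author meant: drop anchors, unescape dots."""
    return regex.lstrip('^').rstrip('$').replace(r'\.', '.')

def extra_matches(regex):
    """Valid IPv4 addresses in the same /24, other than the intended one, that the
    regex also lets through. ModSecurity's @rx is a search, like re.search."""
    ip = intended_ip(regex)
    prefix = ip.rsplit('.', 1)[0]
    pat = re.compile(regex)
    others = (f'{prefix}.{n}' for n in range(256))
    return [a for a in others if a != ip and pat.search(a)]

def tighten(regex):
    """Rewrite a loose pattern into the escaped, fully anchored form."""
    return '^' + re.escape(intended_ip(regex)) + '$'

def lint(conf):
    """Map each rule id to the addresses it whitelists unintentionally."""
    return {rid: extra_matches(rx) for rid, rx in parse_rules(conf)}
```

Rules whose last octet has three digits cannot be extended, which is why 445000 reports nothing, but the two-digit and one-digit ones do.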

Also make sure that whitelist.conf is included in httpd.conf, like this:

<IfModule security2_module>
Include /usr/local/apache2/modsecurity-crs/*.conf
Include /usr/local/apache2/modsecurity-crs/base_rules/*.conf
</IfModule>