This article applies to:
- Trustwave SEG 7.3 through 7.5.X
- (For 8.0 and above, see article Q20841)
- DKIM functionality
Question:
- How can I generate and use DKIM keys to sign messages in SEG?
- What setup is required before creating DKIM signing rules?
Procedure:
The steps in this article provide a suggested way to complete the basic configuration required before you can create rules to use DKIM signing with SEG:
- Generate an RSA key for use with DKIM
- Import the private key into SEG
- Create a matching DNS TXT record with the public key.
- To sign messages, enable a Content Analysis rule with the action "Apply DKIM Signature."
Many other options are available. A starting place for resources is dkim.org. The Internet RFC that describes the standard for DKIM is RFC 6376.
The instructions assume you have an installation of OpenSSL on a server or workstation. For a Windows version, you could use Shining Light Productions' Win32 OpenSSL.
Generating keys
- Open a command window and navigate to the OpenSSL binary folder.
- Generate a private key:
openssl genrsa -out myKey.pem 1024
- Create a public key from the private key:
openssl rsa -in myKey.pem -out myPublicKey.txt -pubout -outform PEM
You will use the encoded key data (the part between the BEGIN and END tags) to construct the DNS record.
- Create a PKCS#8 DER file of the private key for import to SEG:
openssl pkcs8 -topk8 -in myKey.pem -outform DER -out myKey.der -v1 PBE-SHA1-RC4-128
  - Enter a password when prompted.
  - The -v1 parameter is the algorithm used when encrypting the key. SEG only supports -v1 (or -nocrypt, not recommended). For a list of tested algorithms see Notes below.
  - Important: Save the DER file in a secure location. If you later restore configuration on a different system you will need to re-import this file (it is NOT stored in the SEG configuration backup).
Creating the DNS record(s)
A DNS Resource Record is required for each local domain from which you are planning to send DKIM signed messages.
The record name is like:
selector._domainkey.domain.TLD
Where the "selector" is any text, such as a date string (the selector permits versioning of the record if you want to change the key later).
For example:
20140813._domainkey.example.com
The only required content of the record is the p section (public key data formatted like "p=data").
- For example, in Windows DNS Manager, expand the zone for the desired local domain, and then add a resource record of type TEXT with the record name described above and the p= data as its text value.
- Looking up the record with nslookup (query type TXT) should return the text you entered, including the p= data.
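The two steps above, taking the public key exported in step 2 of "Generating keys" and turning it into the DNS record, are easy to get subtly wrong: the p= data must be the base64 body between the BEGIN and END lines with the line breaks removed, a TXT record value longer than 255 characters has to be entered as several quoted strings, and the value served by DNS should be checked against the key actually imported into SEG. The following Python is an example added to this article (it is not part of SEG or of Trustwave's documentation). It assumes a PEM public key as produced by `openssl rsa ... -pubout`; the embedded key data is a constructed sample, not a real key. The article requires only the p tag; the v=DKIM1 and k=rsa tags the example also emits are the optional tags recommended by RFC 6376.

```python
"""Build and verify the DKIM DNS TXT record for a DKIM public key.
Added example; not SEG code.  Input is a PEM public key as written by
`openssl rsa -in myKey.pem -pubout -outform PEM`."""
import base64
import re

# Constructed sample, NOT a real key.  A real SubjectPublicKeyInfo blob from
# `openssl rsa -pubout` is DER starting with the same ASN.1 SEQUENCE tag (0x30).
FAKE_SPKI_DER = b"\x30\x82\x01\x22" + bytes((i * 37) % 256 for i in range(290))
SAMPLE_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(FAKE_SPKI_DER).decode()))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_body(pem_text: str) -> str:
    """Return the base64 data between the BEGIN and END lines, line breaks
    removed.  This is exactly the value that goes after 'p=' in the record."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") \
            or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    body = "".join(lines[1:-1])
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if not der or der[0] != 0x30:  # SubjectPublicKeyInfo is an ASN.1 SEQUENCE
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return body


def dkim_record(selector: str, domain: str, pem_text: str) -> tuple[str, str]:
    """Return (record name, record value) for selector._domainkey.domain."""
    name = f"{selector}._domainkey.{domain}"
    value = f"v=DKIM1; k=rsa; p={pem_body(pem_text)}"
    return name, value


def txt_strings(value: str, limit: int = 255) -> list[str]:
    """Split a record value into the <=255-octet character-strings that make
    up one TXT record; resolvers concatenate them again on lookup."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_dkim_record(txt_value: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' text as printed by nslookup, tolerating the
    quotes and whitespace that DNS tools add around the strings.  Whitespace
    carries no meaning in the v, k and p tags, so it is dropped."""
    tags: dict[str, str] = {}
    for field in txt_value.replace('"', "").split(";"):
        field = "".join(field.split())
        if field:
            tag, _, val = field.partition("=")
            tags[tag] = val
    return tags


def published_key_matches(txt_value: str, pem_text: str) -> bool:
    """True when the p= data served by DNS equals the public key derived from
    the private key that was imported into SEG."""
    return parse_dkim_record(txt_value).get("p") == pem_body(pem_text)


if __name__ == "__main__":
    name, value = dkim_record("20140813", "example.com", SAMPLE_PUBLIC_KEY_PEM)
    print(name)
    for part in txt_strings(value):       # enter each quoted string separately
        print(f'"{part}"')
    served = "".join(txt_strings(value))  # what a resolver hands back
    print("published key matches:", published_key_matches(served, SAMPLE_PUBLIC_KEY_PEM))
```

After the record has propagated, paste the output of `nslookup -type=TXT 20140813._domainkey.example.com` into published_key_matches together with the PEM file to confirm the key in DNS is the one SEG will sign with; a mismatch (for example a stale selector or a key pasted with line breaks still in it) makes every signature fail verification at the recipient. The record builder does not depend on key size, but note that RFC 8301 (which updates RFC 6376) requires signers to use at least 1024-bit RSA keys and recommends 2048 bits, while the openssl command in this article generates a 1024-bit key.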
Importing the key to SEG
In the SEG Configurator, open the properties for the local domain.
- To import the key, click Import Key and select the DER file you created above. If you encrypted the key, enter the encryption password.
- In the DKIM Selector field, enter the selector value that you configured as part of the DNS record.
Notes:
- You can use the same key for all domains.
- Add a DNS record and local domain information for each local domain where you want to use DKIM to sign outgoing messages.
- Ensure that DNS and local domain configuration is in place before creating any signing rules for a domain.
- You must create rules to sign messages.
Key encryption algorithms
- The following algorithms have been tested for creation of the PKCS#8 DER file (the -v1 parameter):
  - PBE-SHA1-RC4-128
  - PBE-SHA1-3DES
  - PBE-SHA1-2DES
  - PBE-SHA1-RC2-128
  - PBE-SHA1-RC2-40
- This algorithm is used to encode the private key in the DER file. -v1 algorithms are used for interoperability with the Windows key store.
- This algorithm is not used for signing of email messages. Message signing uses the DKIM algorithm you select for the domain (SHA-256 is recommended).
Key Storage and replication
- DKIM key storage depends on the Windows CNG Key Isolation service to store the keys and provide them to the SEG services. This service should be running on both the Array Manager and processing servers.
- Keys are transmitted over secure RPC between the Array Manager and node Controller.
- If you see "failed to update DKIM keys" messages in the Event Log or text logs, verify that the CNG Key Isolation service is running and then restart the Array Manager and Controller services.