Sophie: libdnssec-tools-devel-1.5-2mdv2010.0 i586

libdnssec-tools-devel-1.5-2mdv2010.0.i586.rpm

			postfix DNSSEC HOWTO
			=====================
			    (Version 0.1)

Introduction
============

This HOWTO describes the installation, configuration and execution
steps for adding DNSSEC validation to outbound email for
postfix. The 2.5.1 patch have been tested with postfix version
2.5.1.  It will likely work, with some patch warnings, with versions
down to and including postfix 2.3.8, but this hasn't been tested
extensively.  This patch may work with versions of postfix newer
than 2.5.1.


Installation
============

Download postfix-2.5.1.tar.gz from
http://www.postfix.org/download.html

Unzip and untar it by:

   tar -xvzf postfix-2.5.1.tar.gz

Go to the postfix-2.5.1 directory:

   cd postfix-2.5.1/

Apply the postfix-2.5.1_dnssec_patch.txt patch found in this
directory by:

   patch -p 1 -b -z .orig </path/to/patch/postfix-2.5.1_dnssec_patch.txt

This will apply the patch and store the original files with a .orig
suffix.

This patch requires the 'libval' library for DNSSEC validation.
This library can be found at http://dnssec-tools.sourceforge.net/.
You must install this library before compiling the patched postfix
source.

Remember to run 'make -f Makefile.init makefiles' in the
postfix-2.5.1/ directory before following the rest of the postfix
build instructions

Note, if 'make -f Makefile.init makefiles' has already been run in
the postfix source code, it will be necessary to run it again in
order to apply the patch properly (a 'make clean' and 'make tidy'
beforehand may also be necessary).

Build and install postfix as per the instructions given in the
INSTALL files within the postfix source code.


Configuration
=============

All DNS queries are now checked using the dnssec-tools libval
libraries.  Attempts to send mail to untrusted sites will fail and
bounce with an applicable message.  Configuration of site trust is
done by editing the dnssec-tools' dnsval.conf file.  The default
location of this file is /usr/local/etc/dnssec-tools/dnsval.conf on
linux distributions, but this path is dependent on how dnssec-tools
was built.

Execution
=========

Start and run postfix as normal.


To Test
=======

(I) Basic Scenarios: DNSSEC validation of outbound email
    ----------------------------------------------------

1. Start postfix with the above patch applied.

2. Send email to a user at a domain whose MX records can be DNSSEC
   validated and where validation is required.  Verify that the mail
   goes through properly.

3. Send email to a user at a domain whose MX records cannot be
   DNSSEC validated and where validation is required.  Verify that
   an SMTP error message is returned back to the sender.

-----------------------------------------------------------------------


Note: Postfix Failure to Start
------------------------------

If the libval installation is not configured and working properly,
postfix may fail at startup (obviously the configuration affects the
sending of mail during runtime).  If this happen, a first step in
diagnosing the problem is trying the executable 'validate' provided
by the libval package.  If 'validate' does not work properly when
looking up DNSSEC information on your server, neither will Postfix.