sendmail DNSSEC HOWTO
			=====================
			    (Version 0.1)

Introduction
============

This HOWTO describes the installation, configuration and execution steps for
adding DNSSEC validation to outbound email for sendmail. This patch has been 
tested for sendmail 8.14.1.


Installation
============

Download sendmail-8.14.x.tar.gz from ftp://ftp.sendmail.org/pub/sendmail/.

Unzip and untar it by:

	tar -xvzf sendmail-8.14.x.tar.gz

Go to the sendmail-8.14.x directory:

	cd sendmail-8.14.x

Apply the sendmail-8.14.x_dnssec_patch.txt patch found in this directory by:

	patch -p 0 -b -z .orig </path/to/patch/sendmail-8.14.x_dnssec_patch.txt

This will apply the patch and store the original files with a .orig suffix.

This patch requires the 'libval' library for DNSSEC validation.  This
library can be found at http://dnssec-tools.sourceforge.net/.  You must
install this library before compiling the patched sendmail source.

Add the following line to the sendmail-8.14.x/devtools/Site/site.config.m4
file, if it is not already present:

APPENDDEF(`confLIBS', `-lsres -lval -lcrypto')

Build and install sendmail as per the instructions given in the README and
INSTALL files with the sendmail distribution.



To Test
=======

(I) Basic Scenarios: DNSSEC validation of outbound email
    ----------------------------------------------------

1. Start sendmail with the above patch applied
2. Send email to a user at a domain whose MX records can be DNSSEC
   validated.  Verify that the mail goes through properly.
3. Send email to a user at a domain whose MX records cannot be DNSSEC
   validated.  Verify that an SMTP error message is returned back to
   the sender.
4. Change the validator policy so that validation is ignored for the MTA.
   Run steps 2 and 3 above, and verify that mail goes through in both
   cases, since there is no DNSSEC validation.

-----------------------------------------------------------------------