sendmail DNSSEC HOWTO ===================== (Version 0.1) Introduction ============ This HOWTO describes the installation, configuration and execution steps for adding DNSSEC validation to outbound email for sendmail. This patch has been tested for sendmail 8.14.1. Installation ============ Download sendmail-8.14.x.tar.gz from ftp://ftp.sendmail.org/pub/sendmail/. Unzip and untar it by: tar -xvzf sendmail-8.14.x.tar.gz Go to the sendmail-8.14.x directory: cd sendmail-8.14.x Apply the sendmail-8.14.x_dnssec_patch.txt patch found in this directory by: patch -p 0 -b -z .orig </path/to/patch/sendmail-8.14.x_dnssec_patch.txt This will apply the patch and store the original files with a .orig suffix. This patch requires the 'libval' library for DNSSEC validation. This library can be found at http://dnssec-tools.sourceforge.net/. You must install this library before compiling the patched sendmail source. Add the following line to the sendmail-8.14.x/devtools/Site/site.config.m4 file, if it is not already present: APPENDDEF(`confLIBS', `-lsres -lval -lcrypto') Build and install sendmail as per the instructions given in the README and INSTALL files with the sendmail distribution. To Test ======= (I) Basic Scenarios: DNSSEC validation of outbound email ---------------------------------------------------- 1. Start sendmail with the above patch applied 2. Send email to a user at a domain whose MX records can be DNSSEC validated. Verify that the mail goes through properly. 3. Send email to a user at a domain whose MX records cannot be DNSSEC validated. Verify that an SMTP error message is returned back to the sender. 4. Change the validator policy so that validation is ignored for the MTA. Run steps 2 and 3 above, and verify that mail goes through in both cases, since there is no DNSSEC validation. -----------------------------------------------------------------------