DaveWP
Message 1 of 7

Preventing spoofed emails - add private DKIM key

Hi

Does anyone know how to add a private DKIM key into the virginmedia environment so that I can send emails using my third-party domain via the virginmedia SMTP servers with DKIM authentication applied?

Use case

I have a third party domain (e.g. mydomain.com).  I want to send emails from the virginmedia webmail environment using the email address "me@mydomain.com" which has DKIM security applied.  I realise I need to add the public DKIM key record to the mydomain.com DNS record, but I do not know how to register the private DKIM key in the virginmedia SMTP environment.

Thanks

Dave

Rationale to this request is that SPF records allow a domain to register authorised SMTP servers, but it does not prevent other users of the SMTP servers spoofing emails using my domain.

Very Insightful Person
Message 2 of 7

Re: Preventing spoofed emails - add private DKIM key

Easy answer is - you can't do it - at least not that way.

Virgin Media is not in the business of providing email services for other domains.  While you can send using your own domain, only mail coming from Virgin Media domains is signed with DKIM.  They don't have the ability to sign mail from other domains.

There are a number of possibilities.  Ranging from setting up a mail server on your home network and having that sign your mails before relaying via Virgin Media's outbound relays to using a professional hosted service.

Tim

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.

Very Insightful Person
Message 3 of 7

Re: Preventing spoofed emails - add private DKIM key

It IS POSSIBLE to sign a mail with DKIM and then relay it via Virgin Media's servers.

To do this you need your own mail server.  You can run this on your home network but if you do so you MUST relay the outbound mail via smtp.virginmedia.com (or another well known mail provider).

Why? Because most home connections are allocated dynamically and thus are not suited to running mail servers.  As spammers have tended to abuse this, virtually all home IP addresses SHOULD appear on either Spamhaus' PBL or SORBS DUHL - or a number of other similar lists intended to stop mail from dynamic addresses being delivered directly to mail exchangers.

Virgin Media IP addresses are actually very long lived almost to the point of behaving like a statically allocated IP address - but are still allocated via DHCP and while they can and do stay the same for years at a time, they can occasionally change.

The server I used was hMailserver.  This is a server that can be used on Windows machines.  It's completely free, but please consider donating so that the developers can continue to support it.  This supports DKIM out of the box; all you need to do is create the private and public key pair and point the server at the private key so it can sign your mail.  I used their latest stable build, 5.6.7.

Disclaimer - I have no personal links with the makers of hMailserver.  Nor do I have any financial links, I've used their product myself previously and found it to be a capable mail server and it is relatively painless to administer compared to having to manipulate the config files in Postfix/Exim etc.  There are other possibilities but I do consider this one of the easiest to use.

Because I'm using the server in effect as my own submission server rather than a full fledged email server, I closed down the following.

Inbound Port 25 SMTP
Inbound Port 110 POP3
Inbound Port 143 IMAP

I also closed down inbound connections from anywhere except the computer that the server was running on, so it only listened on the localhost address 127.0.0.1 on port 587.

Finally I also unticked the POP3 and IMAP modules so that only the SMTP module was left running.

I did this as I wanted to be able to prevent hackers from seeing the mail server.  For the purposes of testing I set up a single outbound mail account.  Also, for my purposes I only want authenticated users to be able to use my server, but I did not want to worry about provisioning a TLS certificate as this was merely testing.  Should I want to make the server accessible to the internet then I would need to enforce TLS encryption to avoid usernames and passwords being sent across the internet in the clear.

Here's the server set up to relay mail via smtp.virginmedia.com:

[screenshot: smtp-delivery.PNG]

Note the SMTP relayer options.

Remote Host name: - smtp.virginmedia.com
Remote TCP/IP port - 465
Server requires authentication - ticked
Username - Your FULL Virgin Media email address.  (e.g. richardbranson@virginmedia.com) blueyonder/ntlworld and virgin.net emails can also be used here.
Password - Your email password
Encryption type - SSL/TLS

Once I'd done this I added one of my domains and created a user.

[screenshot: Domains.PNG]

I set up Outlook to use localhost as my outbound mail server for this account, and then tried sending.  The mail ended up in my spam folder, but I expected this as I hadn't yet set up DKIM and my SPF record for this domain didn't include Virgin Media's relays.  However, the important thing was to check the headers to make sure that it was Virgin Media talking to the inbound servers.

Received: from know-smtprelay-omd-4.server.virginmedia.net ([81.104.62.36])
	by mx2.mnd.ukmail.iss.as9143.net with ESMTP
	id LIX0hphMr6OooLIX1hhNXn; Tue, 30 Apr 2019 04:30:07 +0200

The above is what I wanted to see so now it's time to set up DKIM.

Setting up DKIM key - two methods.

There are a number of ways of generating the cryptographic keypair used by DKIM; however, we'll use PuttyGen.

Using PuttyGen

Putty is a tool used for making SSH connections to remote terminals, but it also comes with a number of utilities including PuttyGen, which is a GUI used to create private and public key pairs which are used to verify client and server.  While Putty uses its own format for the private key, this can still be saved out as a standard private key which hMailserver can then read.

Putty can be found here - https://www.putty.org/

Once downloaded and installed type PuTTYgen into the search bar and hit enter to launch the program.

[screenshot: Putty initial.PNG]

Hit Generate and move your mouse over the box as instructed, you'll see a green bar fill up as the key is generated by the mouse movements.

Note: Not all DNS providers have the ability to upload a public key for a 2048 bit DKIM signature.  Check with your provider and if necessary change the 2048 in the bottom right box to 1024 before clicking Generate.

Once enough mouse movements have been registered the Key will be generated and you'll see the public key in the top window.

[screenshot: Puttygen finished.PNG]

To save the Private Key in a standard format we need to use the Conversions menu, more specifically:

Conversions -> Export OpenSSH Key.  One suggestion for saving is to use the domain initials and the date the key was generated in order to keep track of your DKIM keys; with that in mind I saved the key as td020519.prv.  This is the key that will be used to sign the outgoing mails.

Before we start signing our mails though we need to upload the public key.

For a basic DKIM record with no frills only one field is needed and that is the p=<public key> field.  This is uploaded as a TXT record to your DNS provider.  This is identified by the following method. <selector>._domainkey.<domain>

I'll use the same date format for the selector name as the filename, just out of convenience: td020519.  So my DNS record will be found at td020519._domainkey.timothydutton.uk.

However we hit a snag when it comes to the Public Key.  The Public Key shown in PuttyGen can't be used for DKIM validation.  To get a suitable key I had to use OpenSSL to generate a public Key from the Private Key we saved earlier.

The command used to generate the Public Key is:

openssl rsa -in td020519.prv -pubout -out td020519.pub

When we look at the file in notepad we get this.

-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAqRtEbxxJ6JfmydDYNTtl
BbnEmj+JKkCjpf/8GKanh6U5kno26Ur9EmGuC7Mly88lxBV/bJ5DHDpovNhD9smw
bs3XdbCclVGcysfQ2KZFXWeZcx6NertBADBx7y3ySH6B0Fa12leCm/n/9SX4qlkT
9xfbyiEpkZFrOmMMqIl+m6L3Ix5gpiU0BwHoCtSnqVzFFwkoUZvBJHs5HNddJbYu
Lfjpam/SycAM0F70+FijUPqXu9jDlyeClfrrH7YdskUppovNiPVELk2RR86SKI6D
TRKlmSKO7HViCXYgskrnagYgrVFevkBT9qkr6oUPn9yTcY5are8yyvrphLgwrlbG
MwIBJQ==
-----END PUBLIC KEY-----

However what we need for our record is the Text between the Begin and End Public Key Lines WITHOUT any line feeds.  So we have to manually remove them so we get one long line.  We then add p= to the beginning of the line to make our DKIM record.

Here's what it looks like when adding it to my DNS

[screenshot: notekey.PNG]

Once that's done it's time to set up DKIM in hMailserver

[screenshot: DKIMsettings.PNG]

Finally after sending a test message I checked the Authentication Headers and here's what I see.

Authentication-Results: ukmail.iss.as9143.net;
 spf=pass (80.0.253.70;timothydutton.uk); - Note I added Virgin Media's servers to my SPF record
 dkim=pass header.d=timothydutton.uk; - Signature passes
 dmarc=pass header.from=timothydutton.uk (p=quarantine sp=quarantine dis=pass); - DMARC passes as DKIM or SPF passes.

So it is possible to sign the mail yourself and THEN send the mail through Virgin Media's servers.

HTH

Tim

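The manual step above (strip the BEGIN/END lines, join the base64 into one line, prefix p=) is easy to get wrong by hand, so here is an added Python example that does it; it is not code from the thread, from hMailserver, PuTTYgen or OpenSSL. It uses the public key shown in the post as its sample input and the post's selector and domain, refuses key text that is not the OpenSSL PEM output (the snag the post hit with the key PuTTYgen displays), and splits the value into the 255-byte strings RFC 1035 allows per TXT character-string, which a 2048-bit key always needs and which is one reason a DNS provider may not accept such a key pasted as a single string.

```python
import base64

# Public key exactly as the post shows it after `openssl rsa -pubout`
# (copied from the thread: the poster's key, not a freshly generated one).
PEM_PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAqRtEbxxJ6JfmydDYNTtl
BbnEmj+JKkCjpf/8GKanh6U5kno26Ur9EmGuC7Mly88lxBV/bJ5DHDpovNhD9smw
bs3XdbCclVGcysfQ2KZFXWeZcx6NertBADBx7y3ySH6B0Fa12leCm/n/9SX4qlkT
9xfbyiEpkZFrOmMMqIl+m6L3Ix5gpiU0BwHoCtSnqVzFFwkoUZvBJHs5HNddJbYu
Lfjpam/SycAM0F70+FijUPqXu9jDlyeClfrrH7YdskUppovNiPVELk2RR86SKI6D
TRKlmSKO7HViCXYgskrnagYgrVFevkBT9qkr6oUPn9yTcY5are8yyvrphLgwrlbG
MwIBJQ==
-----END PUBLIC KEY-----
"""

# Selector and domain used in the post.
SELECTOR = "td020519"
DOMAIN = "timothydutton.uk"


def pem_to_dkim_p(pem: str) -> str:
    """Return the base64 body of a 'PUBLIC KEY' PEM block as one line.

    Anything that is not a SubjectPublicKeyInfo PEM is rejected, which
    catches the mistake the post describes: pasting the key text PuTTYgen
    displays (or an ssh-rsa line) instead of the OpenSSL output.
    """
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a PEM 'PUBLIC KEY' block from openssl rsa -pubout")
    body = "".join(lines[1:-1])
    der = base64.b64decode(body, validate=True)  # raises on non-base64 characters
    if der[:1] != b"\x30":                        # DER SEQUENCE tag of SubjectPublicKeyInfo
        raise ValueError("decoded data is not a DER SubjectPublicKeyInfo structure")
    return body


def dkim_record(selector: str, domain: str, pem: str) -> tuple:
    """Build (owner name, TXT value) for the record <selector>._domainkey.<domain>.

    The post publishes a bare p= record, which verifiers accept; v=DKIM1 is
    recommended by RFC 6376 (and must be first if present) and k=rsa is the
    default, so both are written out here for clarity.
    """
    name = f"{selector}._domainkey.{domain}"
    value = f"v=DKIM1; k=rsa; p={pem_to_dkim_p(pem)}"
    return name, value


def split_txt_strings(value: str, limit: int = 255) -> list:
    """Split a TXT value into the 255-byte character-strings RFC 1035 allows.

    Resolvers and DKIM verifiers concatenate the strings back into one value;
    a 2048-bit key (392 base64 characters) never fits in a single string.
    """
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_file_line(name: str, value: str) -> str:
    """Render the record as a BIND-style zone line with quoted strings."""
    strings = " ".join(f'"{s}"' for s in split_txt_strings(value))
    return f"{name}. IN TXT {strings}"


if __name__ == "__main__":
    rec_name, rec_value = dkim_record(SELECTOR, DOMAIN, PEM_PUBLIC_KEY)
    print(zone_file_line(rec_name, rec_value))
```

Running it prints the zone line with the value already split into two quoted strings; providers with a web form usually accept the strings pasted one after another, and `dig TXT td020519._domainkey.timothydutton.uk` should then return the same value joined back together.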
DaveWP
Message 4 of 7

Re: Preventing spoofed emails - add private DKIM key

Thanks for the very detailed response, but it does not really solve my problem as my wife wants to be able to send emails using the Virgin Media webmail environment when travelling away from home!

Perhaps Virgin Media could add it to their development path as a fraud prevention measure and claim the Kudos!

Very Insightful Person
Message 5 of 7

Re: Preventing spoofed emails - add private DKIM key


@DaveWP wrote:

Thanks for the very detailed response, but it does not really solve my problem as my wife wants to be able to send emails using the Virgin Media webmail environment when travelling away from home!

Perhaps Virgin Media could add it to their development path as a fraud prevention measure and claim the Kudos!


What you want can still be done.  Remember that Webmail connects to third party servers in the same way a program like Outlook does.  So, assuming that you can leave the PC with hMailserver running, the next step is to enable encryption on the server.  You can get free certificates from Let's Encrypt, although they do need updating every 3 months.  Then you can open up the server to either the internet as a whole - or just the webmail platform.  Then you just point the SMTP server to your server.  Job done.

Tim

Very Insightful Person
Message 6 of 7

Re: Preventing spoofed emails - add private DKIM key

BTW Virgin Media won't put this in as a development path.  This is something that proper email hosts do as they have an agreement with you to send out your mails.

Remember ISPs aren't in the email business.  Email is provided, yes.  But only for as long as you have a broadband account.  If you truly want to protect your domain with DKIM then you either go with a professional email provider, or you learn how to do it yourself.

I've now added a certificate with SSLforFree and have set up my server to be able to receive from outside my network.

The hardest part of getting the certificate was dealing with proof I owned the domain.  Essentially they asked that I create a TXT record so they could verify I controlled the Domain.  Once this was verified I was given a set of files to download.

Server Certificate
Private Key
CA Bundle which includes the Intermediate certificate.

Loading up hMailserver and going to Advanced, I clicked SSL Certificates and Add.  Then I put in the paths to the certificate and key.

[screenshot: hMailserver SSL Certs.PNG]

Next I opened up the server to the Internet by adding another IP range.

[screenshot: IP2.PNG]

Notice the following:  Because the server's only meant to sign my mail I've allowed local to local addresses and local to external addresses, but the server won't allow sending from a third party address that it doesn't know about.  In addition I've enforced SMTP Authentication.

Now it's time to add the TCP/IP binding as well.  By binding to 0.0.0.0 we listen to all connections coming in from the internet, but only on port 587.

[screenshot: ports2.PNG]

For connection security I've set it up as StartTLS Required.  This means that the client MUST upgrade to a secure connection BEFORE the server will accept any AUTH methods.

I set up an A record in my DNS to point smtp.timothydutton.uk at my public IP.

Finally I had to go to Windows Firewall and add an entry to allow incoming connections to reach hMailserver as the installer did not automatically do this.  I also set up Port forwarding on the Hub to Forward Port 587 TCP to my PC running the mail server.

Once this was done all I had to do was to log into webmail and add the account.  For the inbound mail I used my IMAP server, box.timothydutton.co.uk.  However, for the outbound mail I pointed the SMTP server to smtp.timothydutton.uk with connection security as StartTLS and the password being the one for my hMailserver account.

Again, if we look at the authentication results:

Authentication-Results: ukmail.iss.as9143.net;
 spf=pass (80.0.253.70;timothydutton.uk);
 dkim=pass header.d=timothydutton.uk;
 dmarc=pass header.from=timothydutton.uk (p=quarantine sp=quarantine dis=pass);

And in the headers we can see the point where Virgin Media's webmail platform passes the mail to my server:

Received: from oxbe2.tb.ukmail.iss.as9143.net (outbound2.tb.ukmail.iss.as9143.net [212.54.57.5])
	by localhost with ESMTPSA
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256)
	; Thu, 2 May 2019 20:34:12 +0100

As well as my DKIM Signature header.

dkim-signature: v=1; a=rsa-sha256; d=timothydutton.uk; s=td020519;
	c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
	bh=vz0dFIw+6RNFU6GJYbq56Ymnv27NsJnPQbji4edNqKM=;
	b=iLiVTjOqIcA0s6wnk0akRwNGlAqK6aFhPO30xQOrES46/YH4+IkjXIt3VlLQ6LHPMGU1QyNRko70TNv78zkCma1mNuYDnWoVcA/RJpIU6c/XfENm96yq02baGmEaev2/ymmprrpyvzbOYyuVqHikFbdlXFLo/5y4l7oS8XTpmr2JWIJ0aHRJZoqTRHBTb5T92yFPEJwFMtxMLLs/2r9qVa/+A7Vj01dw2kLX2FselNsbyh1WbkhR59dcGB
	rvNrI9EX8RS5Nki7H3ikATaykm+ZXqG8zewKQEtHCckZFKs+EciYrJUHBlvLZ3paiRWiaBywCEIq1hQTgEVAwM34Ujlw==

Tim

P.S.  I could probably lock the IP range down to only accept connections from Virgin Media's Webmail Platform.  Certainly, looking at the DNS name for the server, I could work out the range of their outgoing connections and lock down the range to only allow connections from those IPs.

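Tim's "StartTLS Required" setting means the server must not offer AUTH until the connection has been upgraded. Here is an added Python check, not the poster's code and not part of hMailserver, that a defender can run against their own submission port to confirm that: it records the EHLO extensions before and after STARTTLS and flags AUTH offered on the cleartext connection. The host name at the bottom is a placeholder, and the dictionaries at the top are constructed samples of what a hardened and a weak server would advertise.

```python
import smtplib
import ssl
from typing import Dict, List, Tuple

# Constructed samples of EHLO extension lists (smtplib keeps them lowercased
# in SMTP.esmtp_features). HARDENED_* is what a server configured as in the
# post should return; WEAK_BEFORE offers AUTH on the cleartext connection.
HARDENED_BEFORE: Dict[str, str] = {"size": "20480000", "8bitmime": "", "starttls": ""}
HARDENED_AFTER: Dict[str, str] = {"size": "20480000", "8bitmime": "", "auth": "LOGIN PLAIN"}
WEAK_BEFORE: Dict[str, str] = {"size": "20480000", "starttls": "", "auth": "LOGIN PLAIN"}


def evaluate_ehlo(before_tls: Dict[str, str], after_tls: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Judge a submission server's EHLO responses against 'STARTTLS required'.

    Returns (ok, findings). A server that advertises AUTH before STARTTLS lets
    a client send its username and password in the clear, which is exactly
    what the setting in the post is meant to rule out.
    """
    findings: List[str] = []
    if "starttls" not in before_tls:
        findings.append("STARTTLS not advertised on the cleartext connection")
    if "auth" in before_tls:
        findings.append("AUTH advertised before STARTTLS; credentials could travel in the clear")
    if "auth" not in after_tls:
        findings.append("AUTH not advertised after STARTTLS; clients cannot authenticate")
    return not findings, findings


def check_submission_server(host: str, port: int = 587, timeout: float = 10.0) -> Tuple[bool, List[str]]:
    """Connect to host:port, capture EHLO extensions before and after STARTTLS,
    and evaluate them. The default SSL context verifies the certificate chain
    and host name, so a self-signed or mismatched certificate fails here too."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        after: Dict[str, str] = {}
        if "starttls" in before:
            smtp.starttls(context=context)
            smtp.ehlo()  # extensions must be re-queried after the TLS handshake
            after = dict(smtp.esmtp_features)
    return evaluate_ehlo(before, after)


if __name__ == "__main__":
    # Placeholder host name; point this at your own submission server.
    ok, findings = check_submission_server("smtp.example.net")
    print("OK" if ok else "\n".join(findings))
```

Because the context created by `ssl.create_default_context()` checks the certificate against the system CA store and the host name you connected to, the check also confirms that the certificate from SSLforFree is being served for the name in your A record, not just that STARTTLS is enforced.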
Very Insightful Person
Message 7 of 7

Re: Preventing spoofed emails - add private DKIM key

I also wanted to clear up a misconception.

DKIM itself DOES NOT stop other people spoofing your mail.

DKIM merely does two things:

  • Signs your outbound mail with a signature for your domain.
  • Provides a check that the mail body and specified headers have not been altered.

So it only proves that a mail is authentic.  It does not stop spammers sending unsigned mail claiming to be from your domain.

This is why DKIM is best used in conjunction with both SPF and DMARC.

With DMARC a mail passes if one of the following conditions is met.

SPF passes - Mail has come from a server approved to deliver mail from that domain.
DKIM passes - Mail has been signed with a signature from that domain, and has not been changed en route

It's important to understand that even with all three in use, DMARC, while making spammers' jobs harder, cannot 100% protect against spoofed mails reaching your inbox.

Tim

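As an added example that is not code from the thread, here is the rule Tim states above, that DMARC passes when SPF or DKIM passes for the From domain, in Python. It parses Authentication-Results and DKIM-Signature headers that are constructed copies of the ones quoted in message 6 (with an smtp.mailfrom property added so SPF alignment can be checked, and placeholder bh=/b= values), derives from the signature's d= and s= tags the record name message 3 published, and applies the alignment test that lets a signed mail through while an unsigned spoof of the same domain falls to the p=quarantine policy. It goes slightly beyond the post in checking alignment of the passing domain against the From domain, approximating the organisational domain as the last two labels; real evaluators use the Public Suffix List.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample headers modelled on those quoted in message 6. The
# Authentication-Results lines gain an smtp.mailfrom property (the thread's
# copy only shows the SPF domain inside a comment); bh= and b= are placeholders.
SIGNED_AR = """Authentication-Results: ukmail.iss.as9143.net;
 spf=pass (80.0.253.70;timothydutton.uk) smtp.mailfrom=tim@timothydutton.uk;
 dkim=pass header.d=timothydutton.uk header.s=td020519;
 dmarc=pass header.from=timothydutton.uk (p=quarantine sp=quarantine dis=pass);"""

# Unsigned mail claiming the same From domain, sent from a server the SPF
# record does not list: the kind of spoof DKIM by itself cannot stop.
SPOOFED_AR = """Authentication-Results: ukmail.iss.as9143.net;
 spf=fail smtp.mailfrom=someone@timothydutton.uk;
 dkim=none;"""

# Signed mail relayed via a mailing list: SPF passes for the list's domain,
# which is not aligned with From, so only the DKIM pass counts.
FORWARDED_AR = """Authentication-Results: ukmail.iss.as9143.net;
 spf=pass smtp.mailfrom=bounces@lists.example.org;
 dkim=pass header.d=timothydutton.uk header.s=td020519;"""

DKIM_SIG = """DKIM-Signature: v=1; a=rsa-sha256; d=timothydutton.uk; s=td020519;
\tc=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
\tbh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=="""


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_auth_results(header: str) -> Tuple[str, List[Tuple[str, str, Dict[str, str]]]]:
    """Parse Authentication-Results (RFC 8601) into (authserv-id, [(method, result, props)]).

    Comments are removed first: the thread's spf=pass line carries a ';' inside
    its comment, which would otherwise split the field in the wrong place.
    """
    body = unfold(header).split(":", 1)[1]
    body = re.sub(r"\([^)]*\)", "", body)
    fields = [f.strip() for f in body.split(";") if f.strip()]
    results = []
    for field in fields[1:]:
        tokens = field.split()
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return fields[0], results


def parse_dkim_signature(header: str) -> Dict[str, str]:
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376)."""
    tags: Dict[str, str] = {}
    for item in unfold(header).split(":", 1)[1].split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def dkim_dns_name(tags: Dict[str, str]) -> str:
    """Record a verifier fetches: <s>._domainkey.<d>, the name published in message 3."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signs_from(tags: Dict[str, str]) -> bool:
    """RFC 6376 requires From to be among the signed headers (h=)."""
    return "from" in [h.strip().lower() for h in tags.get("h", "").split(":")]


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (assumption:
    good enough for the domains in this thread; real DMARC code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(candidate: str, header_from: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organisational domains; strict ('s') exact."""
    if mode == "s":
        return candidate.lower() == header_from.lower()
    return org_domain(candidate) == org_domain(header_from)


def dmarc_evaluate(header_from: str, ar_header: str, policy: str = "quarantine") -> Tuple[str, List[str]]:
    """Return (disposition, aligned passing methods) for a From domain.

    Passes when SPF passes for an envelope domain aligned with From, or DKIM
    passes for an aligned d= domain; otherwise the domain's policy applies
    (p=quarantine in the thread's DMARC record).
    """
    _, results = parse_auth_results(ar_header)
    aligned_methods: List[str] = []
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "spf":
            candidate = props.get("smtp.mailfrom", "").split("@")[-1]
        elif method == "dkim":
            candidate = props.get("header.d", "")
        else:
            continue
        if candidate and aligned(candidate, header_from):
            aligned_methods.append(method)
    return ("none" if aligned_methods else policy), aligned_methods


if __name__ == "__main__":
    for label, ar in (("signed", SIGNED_AR), ("spoofed", SPOOFED_AR), ("forwarded", FORWARDED_AR)):
        print(label, dmarc_evaluate("timothydutton.uk", ar))
    print(dkim_dns_name(parse_dkim_signature(DKIM_SIG)), signs_from(parse_dkim_signature(DKIM_SIG)))
```

The forwarded case is the reason the post pairs DKIM with SPF rather than relying on SPF alone: once a mail is relayed by someone else's server the SPF pass belongs to their domain, and only the signature still ties the message to the From domain.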