			sendmail DNSSEC HOWTO
			=====================
			    (Version 0.2)

Introduction
============

This HOWTO describes the installation, configuration and execution steps for
adding DNSSEC validation to outbound email for sendmail. This patch has been 
tested for sendmail 8.14.1.


Installation
============

This patch requires the 'libval' library for DNSSEC validation.  This
library can be found at http://dnssec-tools.sourceforge.net/.  You must
install this library before compiling the patched sendmail source.

Note: Fedora based systems may want to consider the spec file patch for
building an updated RPM. Details in the next section.

To build from source, download sendmail-8.14.x.tar.gz from

	ftp://ftp.sendmail.org/pub/sendmail/.

Unzip and untar it by:

	tar -xvzf sendmail-8.14.x.tar.gz

Go to the sendmail-8.14.x directory:

	cd sendmail-8.14.x

Apply the sendmail-8.14.x_dnssec_patch.txt patch found in this directory by:

	patch -p 0 -b -z .orig </path/to/patch/sendmail-8.14.1_dnssec_patch.txt

This will apply the patch and store the original files with a .orig suffix.

Build and install sendmail as per the instructions given in the README and
INSTALL files with the sendmail distribution.


Rebuilding RPM package
======================

If you don't already have a rpmbuild environment set up, run
rpmdev-setuptree to create one.

Download the latest source RPM and install it:

	yumdownloader --source sendmail
	rpm -ivh sendmail*.srpm

Copy the sendmail patch to the SOURCE directory:

	cp /path/to/patch/sendmail-8.14.1_dnssec_patch.txt ~/rpmbuild/SOURCE

Patch the sendmail spec file:

	cd ~/rpmbuild/SPECS
	patch -p0 < /path/to/patch/sendmail-spec.patch

Build the RPM:

	rpmbuild -bb ~/rpmbuild/SPECS/sendmail.spec

Install the new RPMS:

	rpm -Fvh ~/rpmbuild/RPMS/i368/sendmail-*



To Test
=======

(I) Basic Scenarios: DNSSEC validation of outbound email
    ----------------------------------------------------

1. Start sendmail with the above patch applied

2. Send email to a user at a domain whose MX records can be DNSSEC
   validated.  Verify that the mail goes through properly.

3. Send email to a user at a domain whose MX records cannot be DNSSEC
   validated.  Verify that an SMTP error message is returned back to
   the sender. Note that this may take a while, as sendmail will first
   accept the message and then attempt to deliver it, possilbye including
   retries, before giving up and returning an error message to the sender.

4. Change the validator policy so that validation is ignored for the MTA.
   Run steps 2 and 3 above, and verify that mail goes through in both
   cases, since there is no DNSSEC validation.

-----------------------------------------------------------------------
