Introduction
OpenDKIM is an open source implementation of the DKIM (DomainKeys Identified Mail) sender authentication system proposed by the E-mail Signing Technology Group (ESTG), now standardized by the IETF (RFC 6376). Basically, DKIM means digitally signing all messages on the server so that receivers can verify that the message actually was sent from the domain in question and is not spam or phishing (and has not been modified). Check DKIM Email Security Standard for more details. On we go with DKIM Postfix Setup.
OpenDKIM Setup
First of all, let’s install opendkim. Adjust values to match your domain:
    # apt-get install opendkim opendkim-tools
    # mkdir -pv /etc/opendkim/
    # cd /etc/opendkim/
    # opendkim-genkey -r -h rsa-sha256 -d mail.cyberpunk.rs -s mail
    # mv -v mail.private mail
    # chown -Rv opendkim:opendkim /etc/opendkim    # after key generation, so the private key is covered
    # chmod go-rwx /etc/opendkim/*

    # cat mail.txt
    mail._domainkey IN TXT ( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
        "p=MIGfMA0GCSqGSIb3DQEBASQWASD4GNADCBiQKBgQDB1MasdWA2L7RSirVQQ73tYl3wE6u86wpy1xERZ3pGSDFWEh4snU/0WEFjUT/D+z4AGFDSGParL/DDSFWEFWEFWEF/WEFWEFWEFWEF" ) ; ----- DKIM key mail for mail.cyberpunk.rs
Apparently “h=rsa-sha256” is wrong (the h= tag of a key record takes hash algorithm names), so change it to h=sha256. Also, be sure that subdomain exists in your DNS zone and that the record has all the necessary fields:
mail._domainkey.cyberpunk.rs. 3596 IN TXT "v=DKIM1;h=sha256;k=rsa;s=email;p=MIGf...
Set that in your DNS server. Then configure OpenDKIM and Postfix to use that key:
    # nano /etc/opendkim/KeyTable
    mail.cyberpunk.rs mail.cyberpunk.rs:mail:/etc/opendkim/mail

    # nano /etc/opendkim/SigningTable
    *@mail.cyberpunk.rs mail.cyberpunk.rs

    # nano /etc/opendkim/TrustedHosts
    127.0.0.1

    # nano /etc/opendkim.conf
    ##
    ## opendkim.conf -- configuration file for OpenDKIM filter
    ##
    Canonicalization        relaxed/relaxed
    ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
    InternalHosts           refile:/etc/opendkim/TrustedHosts
    KeyTable                refile:/etc/opendkim/KeyTable
    LogWhy                  Yes
    MinimumKeyBits          1024
    Mode                    sv
    PidFile                 /var/run/opendkim/opendkim.pid
    SigningTable            refile:/etc/opendkim/SigningTable
    Socket                  inet:8891@localhost
    Syslog                  Yes
    SyslogSuccess           Yes
    TemporaryDirectory      /var/tmp
    UMask                   022
    UserID                  opendkim:opendkim

    # nano /etc/postfix/main.cf
    #add to the bottom
    smtpd_milters = inet:127.0.0.1:8891
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept
To set the header fields used in signing, use SignHeaders and OversignHeaders in /etc/opendkim.conf:

    SignHeaders             From,Sender,To,CC,Subject,Date
    OversignHeaders         From,Sender,To,CC,Subject,Date
Edit the defaults file for opendkim:

    # nano /etc/default/opendkim
    SOCKET="inet:8891@localhost"
Restart everything:
    # service opendkim restart
    # service postfix restart
That’s it on DKIM Postfix Setup. Everything should be up and running. To test, use a mailbox provider that verifies DKIM, like Gmail. Send an email to it and look for “Authentication-Results” in the headers of the received message. You should be able to find “dkim=pass”. If it’s missing, re-check your configuration.
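
The h= mistake corrected above can be caught before the record is published. The following Python check is an added example, not part of the original post or of OpenDKIM; its function names and the placeholder key value are constructed for illustration. It lints a DKIM key record, taken either from mail.txt or from the DNS TXT value, against the tag rules of RFC 6376:

```python
import base64
import binascii
import re

VALID_HASHES = {"sha1", "sha256"}    # h= values defined by RFC 6376
VALID_KEYTYPES = {"rsa", "ed25519"}  # k= values (RFC 6376, RFC 8463)

def txt_from_zone(zone_text):
    """Join the quoted chunks of a zone-file TXT record (as in mail.txt)."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))

def parse_tags(txt):
    """Split "tag=value; tag=value" into a dict, ignoring whitespace in values."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part!r}")
        tags[name.strip()] = "".join(value.split())
    return tags

def lint_key_record(txt):
    """Return a list of problems in a DKIM key record; empty list means OK."""
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    for h in filter(None, tags.get("h", "").split(":")):
        if h not in VALID_HASHES:
            problems.append(f"h={h}: not a hash name, use sha1 or sha256")
    if tags.get("k", "rsa") not in VALID_KEYTYPES:
        problems.append(f"k={tags['k']}: unknown key type")
    if not {"*", "email"} & set(tags.get("s", "*").split(":")):
        problems.append("s= does not include email")
    if not tags.get("p"):
        problems.append("p= missing or empty (empty means revoked key)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample input: placeholder key bytes, not a real public key.
SAMPLE_P = base64.b64encode(b"constructed placeholder, not a key").decode()
GENERATED = f'mail._domainkey IN TXT ( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; " "p={SAMPLE_P}" )'
FIXED = f"v=DKIM1;h=sha256;k=rsa;s=email;p={SAMPLE_P}"

if __name__ == "__main__":
    print(lint_key_record(txt_from_zone(GENERATED)), lint_key_record(FIXED))
```

The record as generated is reported with the h= problem, while the corrected record yields an empty list.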
Conclusion
Alongside SPF, DKIM is a common authentication method used worldwide, a standard. You can survive without it, but setting DKIM up will increase your security, your domain reputation and, furthermore, the probability that your email is delivered successfully.