What is OpenDKIM?
It is a digital email signing/verification technology, which is already supported by some common mail providers. In general, DKIM means digitally signing all messages on the mail-server to verify the message was actually sent from the domain in question and was not spam
UPDATE THE SYSTEM
Before going any further, make sure you’re in a screen session and your system is fully up-to-date by running:
## screen -U -S opendkim-screen
## yum update
ENABLE EPEL REPOSITORY
OpenDKIM is available in the EPEL repository, so we need to enable it on the system before we can install OpenDKIM
CentOS 6.x
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-13.ius.centos6.noarch.rpm
sudo rpm -Uvh ius-release*.rpm
CentOS 7.x
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/ius-release-1.0-13.ius.centos7.noarch.rpm
sudo rpm -Uvh ius-release*.rpm
INSTALL OPENDKIM
Install the package using yum:
## yum install opendkim
CONFIGURE OPENDKIM
Next thing to do is to configure OpenDKIM. Its main configuration file is located in /etc/opendkim.conf, so before making any changes create a backup and add/edit the following:
## cp /etc/opendkim.conf{,.orig}
## vim /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode s
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
SET-UP PUBLIC/PRIVATE KEYS
Generate set of keys for your mydomain.com domain name:
## mkdir /etc/opendkim/keys/mydomain.com
## opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
## chown -R opendkim: /etc/opendkim/keys/mydomain.com
## mv /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default
add mydomain.com to OpenDKIM’s key table by adding the following record in /etc/opendkim/KeyTable
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default
next, edit /etc/opendkim/SigningTable and add the following record to OpenDKIM’s signing table:
*@mydomain.com default._domainkey.mydomain.com
and add your domain and your hostname as trusted hosts in /etc/opendkim/TrustedHosts:
127.0.0.1
mydomain.com
host.mydomain.com
assuming the domain in question is ‘mydomain.com’ and server’s hostname is set to ‘host.mydomain.com’
finally, edit your mydomain.com DNS zone and add the TXT record from /etc/opendkim/keys/mydomain.com/default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" ) ; ----- DKIM key default for mydomain.com
it is also a good idea to add an SPF record if you haven’t already
mydomain.com. 14400 IN TXT "v=spf1 a mx ~all"
you can verify your dkim TXT record is valid using dig for example:
## dig +short default._domainkey.mydomain.com TXT
"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"
CONFIGURE POSTFIX
In order to integrate OpenDKIM with Postfix we need to add the following few lines in /etc/postfix/main.cf:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
(RE)START SERVICES
Add OpenDKIM to your system’s start-up and start opendkim and restart postfix using the following commands:
## service opendkim start
## chkconfig opendkim on
## service postfix restart
TEST THE SET-UP
To test the set-up simply send an email to check-auth@verifier.port25.com and you should receive back an email containing something like this:
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass
It is a digital email signing/verification technology, which is already supported by some common mail providers. In general, DKIM means digitally signing all messages on the mail-server to verify the message was actually sent from the domain in question and was not spam
UPDATE THE SYSTEM
Before going any further, make sure you’re in a screen session and your system is fully up-to-date by running:
## screen -U -S opendkim-screen
## yum update
ENABLE EPEL REPOSITORY
OpenDKIM is available in the EPEL repository, so we need to enable it on the system before we can install OpenDKIM
CentOS 6.x
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-13.ius.centos6.noarch.rpm
sudo rpm -Uvh ius-release*.rpm
CentOS 7.x
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/ius-release-1.0-13.ius.centos7.noarch.rpm
sudo rpm -Uvh ius-release*.rpm
INSTALL OPENDKIM
Install the package using yum:
## yum install opendkim
CONFIGURE OPENDKIM
Next thing to do is to configure OpenDKIM. Its main configuration file is located in /etc/opendkim.conf, so before making any changes create a backup and add/edit the following:
## cp /etc/opendkim.conf{,.orig}
## vim /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode s
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
SET-UP PUBLIC/PRIVATE KEYS
Generate set of keys for your mydomain.com domain name:
## mkdir /etc/opendkim/keys/mydomain.com
## opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
## chown -R opendkim: /etc/opendkim/keys/mydomain.com
## mv /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default
add mydomain.com to OpenDKIM’s key table by adding the following record in /etc/opendkim/KeyTable
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default
next, edit /etc/opendkim/SigningTable and add the following record to OpenDKIM’s signing table:
*@mydomain.com default._domainkey.mydomain.com
and add your domain and your hostname as trusted hosts in /etc/opendkim/TrustedHosts:
127.0.0.1
mydomain.com
host.mydomain.com
assuming the domain in question is ‘mydomain.com’ and server’s hostname is set to ‘host.mydomain.com’
finally, edit your mydomain.com DNS zone and add the TXT record from /etc/opendkim/keys/mydomain.com/default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" ) ; ----- DKIM key default for mydomain.com
it is also a good idea to add an SPF record if you haven’t already
mydomain.com. 14400 IN TXT "v=spf1 a mx ~all"
you can verify your dkim TXT record is valid using dig for example:
## dig +short default._domainkey.mydomain.com TXT
"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"
CONFIGURE POSTFIX
In order to integrate OpenDKIM with Postfix we need to add the following few lines in /etc/postfix/main.cf:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
(RE)START SERVICES
Add OpenDKIM to your system’s start-up and start opendkim and restart postfix using the following commands:
## service opendkim start
## chkconfig opendkim on
## service postfix restart
TEST THE SET-UP
To test the set-up simply send an email to check-auth@verifier.port25.com and you should receive back an email containing something like this:
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass
No comments:
Post a Comment