← cd ~/blog

less opendkim-install-and-simple-setup-for-multiple-domains.md

OpenDKIM: install and simple setup for multiple domains

#Debian & Sysadmin archive

# historical archive — written years ago, kept as it was. Some info is dated.

DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message.

This is the hardest part for me, namely explaining to you what we’re talking about.

I’m sure not everyone has understood my explanation, but it’s also true that if you’ve ended up reading this post it’s because you’ve asked yourself the following problem: I’d like to certify that the server sending emails on behalf of my domain is authorized to do so.

To do this we’ll use opendkim!

Let’s stop postfix and install opendkim with its tools

/etc/init.d/postfix stop
apt-get install opendkim opendkim-tools

Now let’s create the structure of directories and files we need to get started

mkdir -p /etc/opendkim/keys
cd /etc/opendkim
touch keytable signingtable trustedhosts

Let’s take a look at the configuration file /etc/opendkim.conf . I’ll leave you mine as an example. If you need to know more, use the man pages.

# Log to syslog
Syslog			yes
LogWhy			yes
UMask			002

Mode			sv
OversignHeaders		From

KeyTable		refile:/etc/opendkim/keytable
SigningTable		refile:/etc/opendkim/signingtable
ExternalIgnoreList 	/etc/opendkim/trustedhosts
InternalHosts      	/etc/opendkim/trustedhosts

On-Default              accept
On-BadSignature         accept
On-DNSError             tempfail
On-InternalError        accept
On-NoSignature          accept
On-Security             tempfail
AutoRestart 		yes
AutoRestartRate 	5/1h

Now a look at and relevant changes to the file /etc/default/opendkim

...
SOCKET="inet:12345@localhost" # listen on loopback on port 12345

Now it’s easy to understand that our new service will be active on localhost on port 12345 .

Now all that’s left is to create the keys with which we’ll sign the emails for our domains. To this end, I create a directory for each domain I’m interested in under /etc/opendkim/keys

cd /etc/opendkim/keys
mkdir example.tld
opendkim-genkey -s 2013102300 -d example.tld

The last command generates two files : 2013102300.private 2013102300.txt

A few clarifications:

  • 2013102200 is the selector for the key of the domain example.tld: it is made up of year, month, day, and a serial if needed! A bit like the serial of a DNS zone!;
  • check the content of the .txt file, we’ll need it shortly.

Now we’re interested in creating a TXT-type DNS record for our domain that has as its hostname

2013102300._domainkey

and as its value the one contained within the quotes of the txt file mentioned above:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqg6k7sk/gwmsTEcGayMC5gMNfD/7V3m1F0GQog7Sj3MSG9qMNIzW4i5Cn+VYpEpj9alBK7jg2Jk/FcVzR4d3X8tNNYQkRYfPUU94tI639YSKTChlAoT2R4Ar8WTyKsPp9zkjV+YzRWgqAYhVZMdu5zKymaipHu0LkVmy8ngAQMQIDAQAB

How to create such a record for your domain will not be covered here. Here we only explain what it must contain!

At this point we communicate the content of our keys to opendkim through the first files we created. Let’s modify the file /etc/opendkim/keytable

2013102300._domainkey.example.tld example.tld:2013102300:/etc/opendkim/keys/example.tld/2013102300.private

The file /etc/opendkim/signingtable so that it contains something like this

*@example.tld 2013102300._domainkey.example.tld

finally we add to /etc/opendkim/trustedhosts at least the local addresses and the public IP of our server

127.0.0.1
localhost
example.tld
IPV4 ADDRESS OF THE SERVER

Now let’s make sure opendkim can read the files we created:

cd /etc/opendkim/
chown -R opendkim:opendkim *

Let’s restart the service and proceed with integrating opendkim with postfix

/etc/init.d/opendkim restart

as for postfix, we need to edit the file /etc/postfix/main.cf to add or appropriately modify the following lines

...
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

....

finally check that the receive_override_options= directive present in the file /etc/postfix/master.cf contains the value no_milters as in the following example

...
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
 ...
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
        -o smtp_bind_address=127.0.0.1

once you’ve properly modified this last file you can finally restart postfix!

/etc/init.d/postfix restart

Now check that it works! If you have a google account, send yourself an email. In the source of the message you receive there will be something like this:

...

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=woeSTwYJxEwahkGNKqK8xReUvtoVZrsQrmlUtfAgG6Y=;
        b=P7xER4n0j8dqAnpVXDSVnn/c9g560DCYJVCWgvF+ijRLPFqhcAzMEWB/zuAPEzGrt5
         DfUVNKIvS/C1dvB9dASRLXtd0qZNv6OdoD9PLlKfCWOKy7cdd/2Iwo1IQCtGTPsGnWW7
         BFz/dwSe7+eQks0WUNYIe5wJ3iaywmxcX7tsmgUNaTsRfHJ/lcCXpdnCFtDu5hRlvsV4
         d9Ts1C5I97AVAKzYu/LdxwF4Qi5O/8OL953I4iH9bw32TJEpqtAccvVHtMrtE2b8xPAe
         eQ+eMc8NeokFbyOJvWtgBOxNUZpmLowO/kiKgatYlkE7lcgI6BQ/E4vDaJRl+ftMyHJ3
         YLhQ==

...

Now reply to the google account that just wrote to you, and if the recipient finds something like this in the source of their message

...
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.tld;
	s=2013102300; t=1382373996;
	bh=0q0pM2BM5QBc6UyIMnw9vqd31z00e4ACFZvuOH3pNq0=;
	h=Date:From:To:Subject:From;
	b=rBqR5yjhGbVf6f3QwzadyFJB9WKn+9iLNqdaQiVCZ7Xpb7ZWn2krfNwn0STuMa9c1
	 kW7PMx+nclSjR0YwYvqErAGD1rGUrcr4AgFSzFtZRAkTBbOyh4tT8XAncHxPXRWaMJ
	 0G15Cf7SEvnNIefMX4VN5Sp+drTgEyH9qkeoN5OM=

...

you’ll have succeeded and your configuration will be working!

And for the other domains? add a directory under keys for each domain, create the key and add a line in the files keytable and signingtable as for the domain example.tld.

Simple, right?!