less opendkim-install-and-simple-setup-for-multiple-domains.md
OpenDKIM: install and simple setup for multiple domains
# historical archive — written years ago, kept as it was. Some info is dated.
DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message.
This is the hardest part for me, namely explaining to you what we’re talking about.
I’m sure not everyone has understood my explanation, but it’s also true that if you’ve ended up reading this post it’s because you’ve asked yourself the following problem: I’d like to certify that the server sending emails on behalf of my domain is authorized to do so.
To do this we’ll use opendkim!
Let’s stop postfix and install opendkim with its tools
/etc/init.d/postfix stop
apt-get install opendkim opendkim-tools
Now let’s create the structure of directories and files we need to get started
mkdir -p /etc/opendkim/keys
cd /etc/opendkim
touch keytable signingtable trustedhosts
Let’s take a look at the configuration file /etc/opendkim.conf . I’ll leave you mine as an example. If you need to know more, use the man pages.
# Log to syslog
Syslog yes
LogWhy yes
UMask 002
Mode sv
OversignHeaders From
KeyTable refile:/etc/opendkim/keytable
SigningTable refile:/etc/opendkim/signingtable
ExternalIgnoreList /etc/opendkim/trustedhosts
InternalHosts /etc/opendkim/trustedhosts
On-Default accept
On-BadSignature accept
On-DNSError tempfail
On-InternalError accept
On-NoSignature accept
On-Security tempfail
AutoRestart yes
AutoRestartRate 5/1h
Now a look at and relevant changes to the file /etc/default/opendkim
...
SOCKET="inet:12345@localhost" # listen on loopback on port 12345
Now it’s easy to understand that our new service will be active on localhost on port 12345 .
Now all that’s left is to create the keys with which we’ll sign the emails for our domains. To this end, I create a directory for each domain I’m interested in under /etc/opendkim/keys
cd /etc/opendkim/keys
mkdir example.tld
opendkim-genkey -s 2013102300 -d example.tld
The last command generates two files : 2013102300.private 2013102300.txt
A few clarifications:
- 2013102200 is the selector for the key of the domain example.tld: it is made up of year, month, day, and a serial if needed! A bit like the serial of a DNS zone!;
- check the content of the .txt file, we’ll need it shortly.
Now we’re interested in creating a TXT-type DNS record for our domain that has as its hostname
2013102300._domainkey
and as its value the one contained within the quotes of the txt file mentioned above:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqg6k7sk/gwmsTEcGayMC5gMNfD/7V3m1F0GQog7Sj3MSG9qMNIzW4i5Cn+VYpEpj9alBK7jg2Jk/FcVzR4d3X8tNNYQkRYfPUU94tI639YSKTChlAoT2R4Ar8WTyKsPp9zkjV+YzRWgqAYhVZMdu5zKymaipHu0LkVmy8ngAQMQIDAQAB
How to create such a record for your domain will not be covered here. Here we only explain what it must contain!
At this point we communicate the content of our keys to opendkim through the first files we created. Let’s modify the file /etc/opendkim/keytable
2013102300._domainkey.example.tld example.tld:2013102300:/etc/opendkim/keys/example.tld/2013102300.private
The file /etc/opendkim/signingtable so that it contains something like this
*@example.tld 2013102300._domainkey.example.tld
finally we add to /etc/opendkim/trustedhosts at least the local addresses and the public IP of our server
127.0.0.1
localhost
example.tld
IPV4 ADDRESS OF THE SERVER
Now let’s make sure opendkim can read the files we created:
cd /etc/opendkim/
chown -R opendkim:opendkim *
Let’s restart the service and proceed with integrating opendkim with postfix
/etc/init.d/opendkim restart
as for postfix, we need to edit the file /etc/postfix/main.cf to add or appropriately modify the following lines
...
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
....
finally check that the receive_override_options= directive present in the file /etc/postfix/master.cf contains the value no_milters as in the following example
...
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
...
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o smtp_bind_address=127.0.0.1
once you’ve properly modified this last file you can finally restart postfix!
/etc/init.d/postfix restart
Now check that it works! If you have a google account, send yourself an email. In the source of the message you receive there will be something like this:
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=woeSTwYJxEwahkGNKqK8xReUvtoVZrsQrmlUtfAgG6Y=;
b=P7xER4n0j8dqAnpVXDSVnn/c9g560DCYJVCWgvF+ijRLPFqhcAzMEWB/zuAPEzGrt5
DfUVNKIvS/C1dvB9dASRLXtd0qZNv6OdoD9PLlKfCWOKy7cdd/2Iwo1IQCtGTPsGnWW7
BFz/dwSe7+eQks0WUNYIe5wJ3iaywmxcX7tsmgUNaTsRfHJ/lcCXpdnCFtDu5hRlvsV4
d9Ts1C5I97AVAKzYu/LdxwF4Qi5O/8OL953I4iH9bw32TJEpqtAccvVHtMrtE2b8xPAe
eQ+eMc8NeokFbyOJvWtgBOxNUZpmLowO/kiKgatYlkE7lcgI6BQ/E4vDaJRl+ftMyHJ3
YLhQ==
...
Now reply to the google account that just wrote to you, and if the recipient finds something like this in the source of their message
...
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.tld;
s=2013102300; t=1382373996;
bh=0q0pM2BM5QBc6UyIMnw9vqd31z00e4ACFZvuOH3pNq0=;
h=Date:From:To:Subject:From;
b=rBqR5yjhGbVf6f3QwzadyFJB9WKn+9iLNqdaQiVCZ7Xpb7ZWn2krfNwn0STuMa9c1
kW7PMx+nclSjR0YwYvqErAGD1rGUrcr4AgFSzFtZRAkTBbOyh4tT8XAncHxPXRWaMJ
0G15Cf7SEvnNIefMX4VN5Sp+drTgEyH9qkeoN5OM=
...
you’ll have succeeded and your configuration will be working!
And for the other domains? add a directory under keys for each domain, create the key and add a line in the files keytable and signingtable as for the domain example.tld.
Simple, right?!