DKIM Postfix Setup



Introduction

OpenDKIM is an open source implementation of the DKIM (DomainKeys Identified Mail) sender authentication system proposed by the E-mail Signing Technology Group (ESTG), now standardized by the IETF (RFC 6376). With DKIM, the sending server digitally signs every outgoing message so that a receiver can verify the message really was sent on behalf of the domain in question and has not been modified, which helps it tell legitimate mail from spoofed spam or phishing. Check DKIM Email Security Standard for more details. On we go with the DKIM Postfix setup.

OpenDKIM Setup

First of all, let’s install opendkim. Adjust values to match your domain:

# apt-get install opendkim opendkim-tools
# mkdir -pv /etc/opendkim/
# cd /etc/opendkim/
# opendkim-genkey -r -h rsa-sha256 -d mail.cyberpunk.rs -s mail
# mv -v mail.private mail
# chown -Rv opendkim:opendkim /etc/opendkim
# chmod go-rwx /etc/opendkim/*
# cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
"p=MIGfMA0GCSqGSIb3DQEBASQWASD4GNADCBiQKBgQDB1MasdWA2L7RSirVQQ73tYl3wE6u86wpy1xERZ3pGSDFWEh4snU/0WEFjUT/D+z4AGFDSGParL/DDSFWEFWEFWEF/WEFWEFWEFWEF" ) ; ----- DKIM key mail for mail.cyberpunk.rs

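The generated “h=rsa-sha256” is wrong: the h= tag lists hash algorithms, not signature algorithms, so change it to h=sha256. Also, be sure the _domainkey subdomain exists in your zone and the record carries all the necessary tags: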

mail._domainkey.cyberpunk.rs. 3596 IN TXT "v=DKIM1;h=sha256;k=rsa;s=email;p=MIGf...
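The h= mistake described above can be caught before the record goes into DNS. The following Python check is an added example, not part of the original post or of OpenDKIM: it parses a key record's tag list and reports values that the DKIM RFCs do not allow. The function names are hypothetical, and the sample record is constructed in the shape of mail.txt with a placeholder p= value.

```python
import base64
import re

# Allowed key-record tag values (RFC 6376 section 3.6.1; ed25519 from RFC 8463).
ALLOWED = {"v": {"DKIM1"}, "k": {"rsa", "ed25519"}, "h": {"sha1", "sha256"},
           "s": {"email", "*"}}

def parse_zone_txt(text):
    """Split an opendkim-genkey zone fragment into (owner name, tag dict)."""
    owner = text.split()[0]
    # A long TXT value is split into several quoted strings; rejoin them.
    value = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for item in filter(None, (t.strip() for t in value.split(";"))):
        name, _, val = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return owner, tags

def lint_key_record(text, selector):
    """Return a list of problems a verifier would have with this record."""
    owner, tags = parse_zone_txt(text)
    problems = []
    if not owner.lower().startswith(selector.lower() + "._domainkey"):
        problems.append(f"owner {owner!r} does not start with {selector}._domainkey")
    if "v" in tags and next(iter(tags)) != "v":
        problems.append("v= is present but is not the first tag")
    for tag, allowed in ALLOWED.items():
        for val in filter(None, tags.get(tag, "").split(":")):
            if val not in allowed:
                problems.append(f"{tag}={val} is not one of {sorted(allowed)}")
    if "p" not in tags:
        problems.append("p= (public key) is missing")
    elif tags["p"] == "":
        problems.append("p= is empty, which marks the key as revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample shaped like mail.txt; p= is a placeholder, not a real key.
GENERATED = '''mail._domainkey IN TXT ( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
  "p=UExBQ0VIT0xERVI=" ) ; ----- DKIM key mail for mail.cyberpunk.rs'''
FIXED = GENERATED.replace("h=rsa-sha256", "h=sha256")

if __name__ == "__main__":
    for record in (GENERATED, FIXED):
        print(lint_key_record(record, "mail"))
```

A verifier that finds the signature's hash algorithm missing from h= must ignore the key record, so the unedited record makes every signature fail even though the key itself is fine.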

Publish that TXT record on your DNS server. Then configure OpenDKIM to use the key and Postfix to pass mail through the OpenDKIM milter:

# nano /etc/opendkim/KeyTable
mail.cyberpunk.rs mail.cyberpunk.rs:mail:/etc/opendkim/mail
# nano /etc/opendkim/SigningTable
*@mail.cyberpunk.rs mail.cyberpunk.rs
# nano /etc/opendkim/TrustedHosts
127.0.0.1
# nano /etc/opendkim.conf
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
MinimumKeyBits 1024
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim
# nano /etc/postfix/main.cf 
#add to the bottom
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

To choose which header fields are signed, set SignHeaders and OversignHeaders in /etc/opendkim.conf:

SignHeaders From,Sender,To,CC,Subject,Date
OversignHeaders From,Sender,To,CC,Subject,Date

Edit the OpenDKIM defaults file:

# nano /etc/default/opendkim
SOCKET="inet:8891@localhost"

Restart everything:

# service opendkim restart
# service postfix restart

That’s it for the DKIM Postfix setup. Everything should be up and running. To test, send an email to a mailbox provider that uses DKIM, like Gmail, and look for the “Authentication-Results” header in the received message. You should be able to find “dkim=pass”. If it’s missing, re-check your configuration.

Conclusion

Alongside SPF, DKIM is a standard authentication method used worldwide. You can survive without it, but setting DKIM up will improve your security, your domain reputation and the probability that your email gets delivered successfully.