Difference between revisions of "User:Paul/sandbox/Install DKIM"

From UNPM.org Wiki

Latest revision as of 00:31, 19 November 2018

WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

This article explains how to set up DomainKeys Identified Mail (DKIM) with the opendkim package on a UNPM server. This is part of a series of articles explaining how to set up a mail server. Most of the commands in this article require root privilege:

username@servername:~$ sudo -i

Install DKIM

Install opendkim and its associated tools package, create a key directory, and create a server key:

root@servername:~# aptitude install opendkim opendkim-tools
root@servername:~# mkdir -p /etc/opendkim/keys/example.com
root@servername:~# opendkim-genkey -r -b 2048 -h sha256 -d mail.example.com -s selector -D /etc/opendkim/keys/example.com

Replace selector with whatever name is desired, as it is only used to identify the key the server will call. Many admins will simply use the date the key was created (e.g. '20140510') or, when multiple servers are being used, the server name (e.g. 'mta05'), though none of this is standardized or required: some simply use 'mail', or don't specify anything when running the command, leaving the selector as 'default'. The command creates two files, selector.private and selector.txt. The selector.private file contains the private key, while selector.txt contains the basis for the DNS TXT record that will be created in a later step.

Note that the DKIM standard currently recommends a maximum key size of 2048 bits, so using a larger key size will likely cause the DKIM check to fail on many servers, while using a key smaller than 1024 bits is not only not recommended, but has been demonstrated to be insecure.

Create the tables that opendkim will use:

root@servername:~# nano /etc/opendkim/KeyTable

Add:

mail.example.com mail.example.com:selector:/etc/opendkim/keys/example.com/selector.private

Since this server is being configured to have one domain serve mail for multiple domains, only one private key is being used.

root@servername:~# nano /etc/opendkim/SigningTable

Add:

*@example.com mail.example.com
*@subdomain.example.com mail.example.com
*@example.org mail.example.com

The second and third entries demonstrate how additional domains served by the mail server would be added to the signing table. Note that opendkim.conf does not currently support signing for subdomains and would have to be modified to support them.

root@servername:~# nano /etc/opendkim/TrustedHosts

Add:

127.0.0.1
localhost
mail.example.com

Set permissions on the directory, then archive the default opendkim.conf before creating a new one:

root@servername:~# chown -R opendkim:opendkim /etc/opendkim
root@servername:~# mv /etc/opendkim.conf /etc/original.opendkim.conf
root@servername:~# nano /etc/opendkim.conf

Add to the new file:

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Commonly-used options
SubDomains              no
AutoRestart             yes
Background              yes
Canonicalization        relaxed/relaxed
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256

# Additional OpenDKIM options

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
LogWhy                  Yes
PidFile                 /var/run/opendkim/opendkim.pid
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UserID                  opendkim:opendkim

# Always oversign From (sign using the actual From and a null From) to prevent
# malicious addition of header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

Though most of the settings are fairly self-explanatory, it is a good idea to become familiar with them to reduce the time spent troubleshooting why other mail servers are failing DKIM checks on mail sent from the server. One particular setting to note is SubDomains being set to no, which means mail from subdomains of a listed domain (the domain being everything after the @ symbol in an email address) is not signed with that domain's key.

Create the directory for the domain socket specified in opendkim.conf, make the postfix user a member of the opendkim group so it can edit opendkim.sock, and restart the service:

root@servername:~# mkdir /var/spool/postfix/opendkim
root@servername:~# chown opendkim:root /var/spool/postfix/opendkim
root@servername:~# service opendkim restart

DKIM DNS TXT record

DKIM can only function with a valid DNS TXT record. In the DNS manager for your DNS server, make the following new TXT record:

Enter into the optional subdomain field:

selector._domainkey

Enter the contents of selector.txt into the body of the record using the format below (i.e. only the contents between " and "):

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuX4vPnLopTAIMFnnuP4CCEfE/FtQO0mi77voGsWSvHQfvFMIkQ3W3VmeAEiSJd6SVkL/Ojr30ag2i6wA3NTU+1ndfgL371zKx4gDAnewoRA4N2P05HPUNe10DE+m4xnwB6zsQnnPJ3EgKIW6W/v+fN/EzTfeJo5UmxiAoFRIq5hgyeHHCI8aKMQLCmWhb/Pz22MiqRHxV91xmTMLx/e3BIsplcOmQjlOyGagoIZJxpcTlf9OiSWks2a5kHXEN40eh99zkPGInqTrbhDog+cn/mvPgY0uIznx1i/ubRQFtYaH5t6vCu5uSMEQjcTQnWRLI9Qt7Mp15hOMrpkKv4SPzwIDAQAB

Keys can be verified using tools such as the one at DKIM Core (http://dkimcore.org/tools/dkimrecordcheck.html). Some DNS managers may reject the length of the key string, since a single TXT string is limited to 255 characters, so it may be necessary to use one of the record formatting methods recommended in the OpenDKIM README (http://www.opendkim.org/opendkim-README).
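As an added example (not part of the original article or of OpenDKIM), the following Python script parses a DKIM TXT record body such as the one above, checks that the p= value decodes to an RSA SubjectPublicKeyInfo whose modulus falls in the 1024 to 2048-bit range the article describes, and splits the record into 255-character strings for DNS managers that refuse a single long string. It assumes k=rsa keys, as used in this article; the DER walk is a minimal one written for this example.

```python
import base64
import re

# Limits from the article: 1024 <= bits <= 2048; a TXT string holds 255 octets max.
MIN_BITS, MAX_BITS, TXT_STRING_MAX = 1024, 2048, 255

# Record body from the article's selector.txt example (a 2048-bit RSA key).
PAGE_RECORD = (
    "v=DKIM1; h=sha256; k=rsa; p="
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuX4vPnLopTAIMFnnuP4CCEfE/FtQO0mi77voGsWSvHQfvFMIkQ3W"
    "3VmeAEiSJd6SVkL/Ojr30ag2i6wA3NTU+1ndfgL371zKx4gDAnewoRA4N2P05HPUNe10DE+m4xnwB6zsQnnPJ3EgKIW6W/v+"
    "fN/EzTfeJo5UmxiAoFRIq5hgyeHHCI8aKMQLCmWhb/Pz22MiqRHxV91xmTMLx/e3BIsplcOmQjlOyGagoIZJxpcTlf9OiSWk"
    "s2a5kHXEN40eh99zkPGInqTrbhDog+cn/mvPgY0uIznx1i/ubRQFtYaH5t6vCu5uSMEQjcTQnWRLI9Qt7Mp15hOMrpkKv4SPzwIDAQAB"
)

def parse_dkim_record(text):  # 'tag=value; tag=value' -> dict, whitespace in values dropped
    pairs = [f.split("=", 1) for f in text.split(";") if "=" in f]
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def _der_tlv(buf, pos, expect):  # -> (value_start, value_end) of the DER element at pos
    if buf[pos] != expect:
        raise ValueError(f"expected DER tag {expect:#x}, got {buf[pos]:#x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(spki):  # SubjectPublicKeyInfo DER -> bit length of the modulus n
    pos, _ = _der_tlv(spki, 0, 0x30)           # outer SEQUENCE
    _, alg_end = _der_tlv(spki, pos, 0x30)     # AlgorithmIdentifier, skipped
    pos, _ = _der_tlv(spki, alg_end, 0x03)     # BIT STRING wrapping RSAPublicKey
    pos, _ = _der_tlv(spki, pos + 1, 0x30)     # +1 skips the unused-bits octet
    pos, end = _der_tlv(spki, pos, 0x02)       # INTEGER n (a leading 0x00 pad is harmless)
    return int.from_bytes(spki[pos:end], "big").bit_length()

def check_record(text):  # -> (modulus bits or None, list of problems found)
    tags, problems = parse_dkim_record(text), []
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    try:  # k=rsa is assumed here, as in the article
        bits = rsa_modulus_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except Exception:
        return None, problems + ["p= is not a base64 DER SubjectPublicKeyInfo"]
    if not MIN_BITS <= bits <= MAX_BITS:
        problems.append(f"{bits}-bit key is outside {MIN_BITS}-{MAX_BITS} bits")
    return bits, problems

def split_txt(text):  # <=255-octet strings, e.g. TXT ( "part1" "part2" ) in a zone file
    return [text[i:i + TXT_STRING_MAX] for i in range(0, len(text), TXT_STRING_MAX)]
```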

Next step

Install DMARC (User:Paul/sandbox/Install_DMARC).

External links

OpenDKIM.org: http://www.opendkim.org/

DKIM.org: http://dkim.org/

The Trusted Domain Project: http://www.trusteddomain.org/

Taking e-mail back, part 3 | Ars Technica: http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/