User:Paul/sandbox/Install DKIM

From UNPM.org Wiki
< User:Paul
Revision as of 23:35, 19 May 2014 by Paul (talk | contribs) (Paul moved page User:Paul/sandbox/Install SPF to User:Paul/sandbox/Install DKIM without leaving a redirect)
Jump to navigation Jump to search

This article explains how to set up DomainKeys Identified Mail (DKIM) with the opendkim package on a UNPM server. This is part of a series of articles explaining how to set up a mail server. Most of the commands in this article require root privilege: 

username@servername:~$ sudo /bin/bash

Install DKIM

Install opendkim and its associated tools package, create a key directory, and create a server key: 

root@servername:~# aptitude install opendkim opendkim-tools
root@servername:~# mkdir -p /etc/opendkim/keys/example.com
root@servername:~# opendkim-genkey -r -b 2048 -h sha256 -d mail.example.com -s selector -D /etc/opendkim/keys/example.com

The selector can be anything the admin desires, as it is only used to identify the key the server will call. Many admins will simply use the date the key was created (e.g. '20140510') or, when multiple servers are being used, the server name (e.g. 'mta05'), though none of this is standardized or required - some simply use 'mail', or don't specify anything when running the command, leaving the selector of 'defualt'. The command creates two files, selector.private and selector.txt. The selector.private file contains the private key while selector.txt contains the basis for the DNS TXT record that will be created in a later step.

Note that the DKIM standard currently recommends a maximum key size of 2048 bits, so using a larger key size will likely cause the DKIM test to fail on many servers.

Create the tables that opendkim will use: 

root@servername:~# nano /etc/opendkim/KeyTable

Add: 

mail.example.com mail.example.com:selector:/etc/opendkim/keys/example.com/selector.private

Since this server is being configured to have one domain serve mail for multiple domains, only one private key is being used. 

root@servername:~# nano /etc/opendkim/SigningTable

Add: 

*@example.com mail.example.com
*@example.org mail.example.com

The second entry is to illustrate how an additional domain served by the mail server would be added to the signing table. 

root@servername:~# nano /etc/opendkim/TrustedHosts

127.0.0.1
localhost
mail.example.com

root@servername:~# chown -R opendkim:opendkim /etc/opendkim
root@servername:~# mv /etc/opendkim.conf /etc/original.opendkim.conf
root@servername:~# nano /etc/opendkim.conf

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Commonly-used options
SubDomains              no
AutoRestart             yes
Background              yes
Canonicalization        relaxed/relaxed
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256

# Additional OpenDKIM options

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
LogWhy                  Yes
PidFile                 /var/run/opendkim/opendkim.pid
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UserID                  opendkim:opendkim

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

Though most of the settings are fairly self-explanatory, it is a good idea to become familiar with the various settings to reduce the time spent troubleshooting why other mail servers are failing DKIM checks on mail sent from the server. One particular setting to note is SubDomains (everything after the @ symbol in an email address) being set to no.

Create the directory for domain socket specified in opendkim.conf, make the postfix user a member of the opendkim group so it can edit opendkim.sock, and restart the service: 

root@servername:~# mkdir /var/spool/postfix/opendkim
root@servername:~# chown opendkim:root /var/spool/postfix/opendkim
root@servername:~# usermod -G opendkim postfix
root@servername:~# service opendkim restart

DKIM DNS TXT record

DKIM can only function with a valid DNS TXT record. In the DNS manager for your DNS server, make the following new TXT record, with the first section being entered into the optional subdomain field, and the second section being the contents of selector.txt: 

selector._domainkey

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuX4vPnLopTAIMFnnuP4CCEfE/FtQO0mi77voGsWSvHQfvFMIkQ3W3VmeAEiSJd6SVkL/Ojr30ag2i6wA3NTU+1ndfgL371zKx4gDAnewoRA4N2P05HPUNe10DE+m4xnwB6zsQnnPJ3EgKIW6W/v+fN/EzTfeJo5UmxiAoFRIq5hgyeHHCI8aKMQLCmWhb/Pz22MiqRHxV91xmTMLx/e3BIsplcOmQjlOyGagoIZJxpcTlf9OiSWks2a5kHXEN40eh99zkPGInqTrbhDog+cn/mvPgY0uIznx1i/ubRQFtYaH5t6vCu5uSMEQjcTQnWRLI9Qt7Mp15hOMrpkKv4SPzwIDAQAB

Keys can be verified using tools such as the one at DKIM Core. Note that some DNS servers may not like the size of the key, so it may be necessary to use one of the record formatting methods recommended in the OpenDKIM README.

External links

Taking e-mail back, part 3 | Ars Techinca

Retrieved from "http://www.unpm.org/wiki/index.php?title=User:Paul/sandbox/Install_DKIM&oldid=187"