Mail Server : Set DKIM2024/07/18 |
Configure DKIM (Domain Keys Identified Mail) in Postfix. In order to register the generated public key in DNS, you will need the DNS server that registers your email domain. |
|
[1] | Install and configure OpenDKIM. |
root@mail:~ #
pkg install -y opendkim # create a directory for the domain you configure DKIM for root@mail:~ # mkdir -p /usr/local/etc/mail/keys/srv.world
# generate a key pair # -D (directory in which to store keys) # -d (domain name) # -s (selector name) ⇒ any name you like root@mail:~ # opendkim-genkey -D /usr/local/etc/mail/keys/srv.world -d srv.world -s $(date "+%Y%m") root@mail:~ # chown -R mailnull:mailnull /usr/local/etc/mail/keys/srv.world root@mail:~ # ls -l /usr/local/etc/mail/keys/srv.world total 9 -rw------- 1 mailnull mailnull 920 Jul 18 14:22 202407.private -rw------- 1 mailnull mailnull 311 Jul 18 14:22 202407.txt
root@mail:~ #
mv /usr/local/etc/mail/opendkim.conf /usr/local/etc/mail/opendkim.conf.org root@mail:~ # vi /usr/local/etc/mail/opendkim.conf # create new file # Mode : s = sign # Mode : v = verify Mode sv Socket inet:8891@localhost Syslog Yes # name server where public key is registered # to specify multiple entries, separate them with commas Nameservers 10.0.0.30 KeyTable /usr/local/etc/mail/keys/KeyTable SigningTable refile:/usr/local/etc/mail/keys/SigningTable ExternalIgnoreList refile:/usr/local/etc/mail/keys/TrustedHosts InternalHosts refile:/usr/local/etc/mail/keys/TrustedHosts
root@mail:~ #
vi /usr/local/etc/mail/keys/KeyTable # create new file # # (selector name)._domainkey.(domain name) (domain name):(selector name):(Private Key Path) # # if you are handling multiple domains, enter them in the same way 202407._domainkey.srv.world srv.world:202407:/usr/local/etc/mail/keys/srv.world/202407.private
root@mail:~ #
vi /usr/local/etc/mail/keys/SigningTable # create new file # # *@(domain name) (selector name)._domainkey.(domain name) # # if you are handling multiple domains, enter them in the same way *@srv.world 202407._domainkey.srv.world
root@mail:~ #
vi /usr/local/etc/mail/keys/TrustedHosts # create new file # add trusted hosts 127.0.0.1 ::1root@mail:~ # chown mailnull:mailnull /usr/local/etc/mail/keys/KeyTable \ /usr/local/etc/mail/keys/SigningTable \ /usr/local/etc/mail/keys/TrustedHosts root@mail:~ # chmod 600 /usr/local/etc/mail/keys/KeyTable \ /usr/local/etc/mail/keys/SigningTable \ /usr/local/etc/mail/keys/TrustedHosts root@mail:~ # service milter-opendkim enable milteropendkim enabled in /etc/rc.conf root@mail:~ # service milter-opendkim start Starting milteropendkim. |
[2] | Configure Postfix. |
root@mail:~ #
vi /usr/local/etc/postfix/main.cf # add to last line smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = acceptroot@mail:~ # pw groupmod mailnull -m postfix root@mail:~ # service postfix reload |
[3] | Verify the public key for the DNS server registration. |
# public key contents root@mail:~ # cat /usr/local/etc/mail/keys/srv.world/202407.txt 202407._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFeK91Tel9nVcbMfltqWJNIm907AcXBVm/kf+zFE5LDES5wjJTdOB2CEaIuyvLq3xUzVb6FXnEjJBOOy9uAvBABe6dI96DEilFZB8U7LubRmIz4LZ+bTEffp4+ma+txtdjLYA1kdRO6KYFtxDK96aK/P1rJEm6IVnHL+JaBMs5OQIDAQAB" ) ; ----- DKIM key 202407 for srv.world # the entry in the zone file should be on one line, excluding unnecessary characters root@mail:~ # sed "s/^\t *//g" /usr/local/etc/mail/keys/srv.world/202407.txt | perl -pe 's/\n//g' | sed "s/( //g" | cut -d')' -f1 202407._domainkey IN TXT "v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFeK91Tel9nVcbMfltqWJNIm907AcXBVm/kf+zFE5LDES5wjJTdOB2CEaIuyvLq3xUzVb6FXnEjJBOOy9uAvBABe6dI96DEilFZB8U7LubRmIz4LZ+bTEffp4+ma+txtdjLYA1kdRO6KYFtxDK96aK/P1rJEm6IVnHL+JaBMs5OQIDAQAB" |
[4] | Register the public key on the DNS server. It will use the example of registering to a BIND zone file. |
root@dns:~ #
vi /usr/local/etc/namedb/primary/srv.world.wan ..... ..... # add to last line 202407._domainkey IN TXT "v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFeK91Tel9nVcbMfltqWJNIm907AcXBVm/kf+zFE5LDES5wjJTdOB2CEaIuyvLq3xUzVb6FXnEjJBOOy9uAvBABe6dI96DEilFZB8U7LubRmIz4LZ+bTEffp4+ma+txtdjLYA1kdRO6KYFtxDK96aK/P1rJEm6IVnHL+JaBMs5OQIDAQAB"root@dns:~ # rndc reload
|
[5] | Check on the mail server side. |
root@mail:~ # dig 202407._domainkey.srv.world. txt
.....
.....
# if the response matches what you registered, that's OK
;; ANSWER SECTION:
202407._domainkey.srv.world. 86400 IN TXT "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFeK91Tel9nVcbMfltqWJNIm907AcXBVm/kf+zFE5LDES5wjJTdOB2CEaIuyvLq3xUzVb6FXnEjJBOOy9uAvBABe6dI96DEilFZB8U7LubRmIz4LZ+bTEffp4+ma+txtdjLYA1kdRO6KYFtxDK96aK/P1rJEm6IVnHL+JaBMs5OQIDAQAB"
.....
.....
root@mail:~ # opendkim-testkey -d srv.world -s 202407 -x /usr/local/etc/mail/opendkim.conf -vvv
opendkim-testkey: checking key '202407._domainkey.srv.world'
opendkim-testkey: key not secure
opendkim-testkey: key OK
# If [key OK], that's OK
# * [key not secure] is a message about DNSSEC
|
[6] |
Finally, send an email to Gmail and if the header of the received email shows [DKIM: 'PASS' (Domain: srv.world)], then everything is OK. |
Sponsored Link |
|