3537
Comment: Spaces mistakes
3125
Remove ADSP because ADSP is "Historic" since 2013, see https://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/
Line 76: | Line 76: |
==== ADSP ==== Add an ADSP record in your DNS to specify if mails must be signed or not. ||<#80FF80>'''Record name'''||<#80FF80>'''Record Type'''||<#80FF80>'''Text'''|| || _adsp._domainkey || TXT || dkim=all || dkim can take the following values: * '''all''' = All messages must be signed. * '''discardable''' = not reject signed messages. * '''unknown''' = similarly to the absence of records. |
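Review bot: the deletion at line 76 removes the whole ADSP section without leaving any note on the page, so a reader who followed the earlier revision and published the _adsp._domainkey TXT record gets no hint that it can now be withdrawn. Consider keeping one sentence in place of the section saying that ADSP is "Historic" and that the record is no longer needed, with the datatracker link from the change comment.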
DomainKeys Identified Mail (DKIM) combines several existing anti-phishing and anti-spam methods to improve the classification and identification of legitimate e-mail. Instead of relying on the traditional IP address to identify the message sender, DKIM adds a digital signature associated with the organization's domain name.
dkim
Postfix and opendkim
Install the packages:
apt-get install opendkim opendkim-tools
Add opendkim signing to Postfix. For convenience, I keep all the settings in /etc/postfix/dkim/; you can choose a different directory.
mkdir /etc/postfix/dkim/
Generate a key for the mail.example.com server:
opendkim-genkey -D /etc/postfix/dkim/ -d example.com -s mail
This creates two files in the directory /etc/postfix/dkim/: mail.private and mail.txt (the private and public key, respectively). The group that OpenDKIM runs as must be given read access to the key files:
chgrp opendkim /etc/postfix/dkim/*
chmod g+r /etc/postfix/dkim/*
Set up /etc/opendkim.conf:
All the available options can be found on the page: http://www.opendkim.org/opendkim.conf.5.html
Syslog yes
# Signature mode and signature verification
Mode sv
# Specify the list of keys
KeyTable file:/etc/postfix/dkim/keytable
# Match keys and domains
SigningTable file:/etc/postfix/dkim/signingtable
Now, in the file /etc/postfix/dkim/keytable, put the information about the private key:
mail._domainkey.example.com example.com:mail:/etc/postfix/dkim/mail.private
In the file /etc/postfix/dkim/signingtable, specify which key signs each domain:
# Domain example.com
example.com mail._domainkey.example.com
# You can specify multiple domains
# Example.net www._domainkey.example.net
In the file /etc/default/opendkim, specify the daemon connection settings:
SOCKET="inet:8891@localhost"
Add these lines to the Postfix configuration file /etc/postfix/main.cf:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
The setup of opendkim and postfix is complete. Now we must configure the DNS.
DNS Configuration
Add a TXT record for your example.com domain:
Record Name | Record Type | Text
mail._domainkey | TXT | v=DKIM1;g=*;k=rsa;p=MI***** (take it from the /etc/postfix/dkim/mail.txt file)
Testing
You can test your installation with opendkim-testkey:
# opendkim-testkey -d example.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK
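A consistency check for the files configured above, as an added example that is not part of the original page or of OpenDKIM: it cross-checks the signingtable against the keytable, derives the DNS name each key has to be published under, and tests the mode of the private key file. The function names and the rule that the private key should carry no permission bits for other users are assumptions of this example; the sample tables are constructed from the values used on this page.

```python
import os
import stat

# Constructed sample input in the format of the two files shown on this page.
KEYTABLE = "mail._domainkey.example.com example.com:mail:/etc/postfix/dkim/mail.private\n"
SIGNINGTABLE = """# Domain example.com
example.com mail._domainkey.example.com
# Constructed faulty entry: this key name has no KeyTable line
example.net www._domainkey.example.net
"""

def _entries(text):
    """Yield the first two fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1]

def parse_keytable(text):
    """Map key name -> (domain, selector, private key path)."""
    return {name: tuple(value.split(":", 2)) for name, value in _entries(text)}

def check_tables(keytable_text, signingtable_text):
    """List SigningTable entries whose key name is missing from the KeyTable."""
    keys = parse_keytable(keytable_text)
    return [f"{sender}: key '{name}' is not in the KeyTable"
            for sender, name in _entries(signingtable_text) if name not in keys]

def dns_names(keytable_text):
    """DNS names under which each key's TXT record has to be published."""
    return [f"{selector}._domainkey.{domain}"
            for domain, selector, _path in parse_keytable(keytable_text).values()]

def key_mode_ok(mode):
    """True if 'other' has no read, write or execute bit on the private key."""
    return (stat.S_IMODE(mode) & 0o007) == 0

if __name__ == "__main__":
    print(check_tables(KEYTABLE, SIGNINGTABLE))
    print(dns_names(KEYTABLE))
    # Assumption of this example: check the key file mode only if it exists here.
    for _domain, _selector, path in parse_keytable(KEYTABLE).values():
        if os.path.exists(path):
            print(path, "ok" if key_mode_ok(os.stat(path).st_mode) else "accessible by others")
```

On a real server, pass the contents of /etc/postfix/dkim/keytable and /etc/postfix/dkim/signingtable instead of the constructed strings.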
See also
http://www.opendkim.org/ : Official website