Differences between revisions 13 and 14
Revision 13 as of 2018-12-17 22:22:57
Size: 3181
Editor: ?Stefan Saam
Comment:
Revision 14 as of 2018-12-20 15:45:23
Size: 3612
Editor: ?JakubFilo
Comment:
Deletions are marked like this. Additions are marked like this.
Line 40: Line 40:
# Match keys and domains
SigningTable file:/etc/postfix/dkim/signingtable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/postfix/dkim/signingtable
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/postfix/dkim/trustedhosts
Line 54: Line 56:
}}}

In the file /etc/postfix/dkim/trustedhosts, specify which hosts will have messages signed. If needed, include localhost as it is not implicit: {{{
127.0.0.1
10.1.0.0/16
1.2.3.4/24

Translation(s): English - Русский


Domain Keys Identified Mail (DKIM) combines several existing antiphishing and antispam methods to improve the quality of the classification and identification of legitimate e-mail. Instead of the traditional IP-address, to determine the message sender DKIM adds a digital signature associated with the domain name of the organization.

dkim

Postfix and opendkim

Install the package:

  apt-get install opendkim opendkim-tools

Add to the Postfix signature opendkim. For convenience, I keep all the settings in /etc/postfix/dkim/, you can choose a different directory.

  mkdir /etc/postfix/dkim/ 

Generate a key for mail.example.com server

  opendkim-genkey -D /etc/postfix/dkim/ -d example.com -s mail 

resulting in the directory /etc/postfix/dkim/ 2 files : mail.private and mail.txt (private and public key, respectively). The key file is necessary to allow read access for the group, which employs OpenDKIM :

  chgrp opendkim /etc/postfix/dkim/*
  chmod g+r /etc/postfix/dkim/*

Setup the /etc/opendkim.conf:

All the available options can be found on the page: http://www.opendkim.org/opendkim.conf.5.html

Syslog yes

# Signature mode and signature verification
Mode sv

# Specify the list of keys
KeyTable file:/etc/postfix/dkim/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/postfix/dkim/signingtable 
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/postfix/dkim/trustedhosts

Now in the file /etc/postfix/dkim/keytable, put information about the private key:

mail._domainkey.example.com example.com:mail:/etc/postfix/dkim/mail.private 

In the file /etc/postfix/dkim/signingtable, specify which key will sign a domain:

# Domain example.com
*@example.com mail._domainkey.example.com
# You can specify multiple domains
# Example.net www._domainkey.example.net 

In the file /etc/postfix/dkim/trustedhosts, specify which hosts will have messages signed. If needed, include localhost as it is not implicit:

127.0.0.1
10.1.0.0/16
1.2.3.4/24

In the file /etc/default/opendkim, specify daemon connection settings:

SOCKET="inet:8891@localhost" 

And add the line to the Postfix /etc/postfix/main.cf:

  milter_default_action = accept
  milter_protocol = 2
  smtpd_milters = inet:localhost:8891
  non_smtpd_milters = inet:localhost:8891 

The setup of opendkim and postfix is complete. Now we must configure the DNS.

DNS Configuration

Add a TXT record for your example.com domain

Record Name

Record Type

Text

mail._domainkey

TXT

v=DKIM1; k=rsa; p=MI.. (take it from /etc/postfix/dkim/mail.txt file; remove the >"< and connect the lines after p= to one key.)

Testing

You can test your installation with opendkim-testkey:

# opendkim-testkey -d example.com -s mail -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

See also


CategoryNetwork