DomainKeys Identified Mail (DKIM) combines several existing anti-phishing and anti-spam methods to improve the classification and identification of legitimate e-mail. Instead of relying on the traditional IP address to identify the sender of a message, DKIM adds a digital signature that is associated with the organization's domain name.
Postfix and opendkim
Install the package:
apt-get install opendkim opendkim-tools
Add OpenDKIM signing to Postfix. In Debian stretch, the recommended place for the private key is /etc/dkimkeys (the directory already exists, owned by user opendkim and group opendkim, with rwx permissions for the owner only).
Generate a key for the mail.example.com server:
opendkim-genkey -D /etc/dkimkeys/ -d example.com -s mail
This produces two files in the directory /etc/dkimkeys/: mail.private and mail.txt (the private and the public key, respectively). Ensure that only the opendkim user can read them, which is all that is needed:
chgrp opendkim /etc/dkimkeys/*
chmod go-rwx /etc/dkimkeys/*
Postfix and opendkim will communicate through a unix socket (faster and more secure than a TCP socket). The default Postfix configuration in Debian runs under a chroot (/var/spool/postfix), so the socket must be created inside it:
sockdir=/var/spool/postfix/var/run/opendkim
mkdir -p $sockdir
chown opendkim. $sockdir
chmod go-rwx $sockdir
chmod g+x $sockdir
Set up /etc/opendkim.conf:
All available options are described on the page http://www.opendkim.org/opendkim.conf.5.html
Syslog yes

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007

# Signature mode and signature verification
# (not needed, as this is the default)
Mode sv

# DO NOT BELIEVE that /etc/default/opendkim overrides the following:
# (In stretch, it does not, as of 2019-08-13)
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable

# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable

# Match a list of hosts whose messages will be signed. By default, only localhost is considered an internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts
Now in the file /etc/dkimkeys/keytable, put information about the private key:
mail._domainkey.example.com example.com:mail:/etc/dkimkeys/mail.private
In the file /etc/dkimkeys/signingtable, specify which key will sign a domain:
# Domain example.com
*@example.com mail._domainkey.example.com
# You can specify multiple domains
# Example.net
#*@example.net www._domainkey.example.net
In the file /etc/dkimkeys/trustedhosts, specify the hosts whose messages will be signed. Include localhost if needed; it is not implicit once this file is used:
127.0.0.1
10.1.0.0/16
1.2.3.4/24
You do not need to modify /etc/default/opendkim.
Now restart opendkim and check that everything is OK:
# systemctl restart opendkim
# ls -ld /var/run/opendkim
drwxr-x--- 2 opendkim opendkim 60 Aug 13 13:57 /var/run/opendkim
# ls -l /var/run/opendkim
total 4
-rw-rw---- 1 root root 6 Aug 13 13:57 opendkim.pid
# ls -ld /var/spool/postfix/var/run/opendkim
drwx--x--- 2 opendkim opendkim 4096 Aug 13 13:57 /var/spool/postfix/var/run/opendkim
# ls -l /var/spool/postfix/var/run/opendkim
total 0
srwxrwx--- 1 opendkim opendkim 0 Aug 13 13:57 opendkim.sock
Now add postfix to the group opendkim so that it can communicate with opendkim:
adduser postfix opendkim
And add the following lines to /etc/postfix/main.cf:
milter_default_action = accept
milter_protocol = 6
# from inside the chroot, the socket will be in /var/run/opendkim
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
The setup of opendkim and postfix is complete.
Restart postfix
service postfix restart
Troubleshooting
Try to send a mail. If /var/log/mail.log contains something like
Aug 13 13:18:00 yourhostname opendkim[15765]: OpenDKIM Filter: Unable to bind to port local:/var/spool/postfix/var/run/opendkim/opendkim.sock: No such file or directory
Aug 13 13:18:00 yourhostname opendkim[15765]: OpenDKIM Filter: Unable to create listening socket on conn local:/var/spool/postfix/var/run/opendkim/opendkim.sock
then you probably did not create the directory for the socket (see above), or you gave it the wrong permissions. Double-check!
If you see
Aug 13 13:46:19 yourhostname postfix/cleanup[17588]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
then Postfix could not reach the socket. Did you add postfix to the group opendkim? Are the permissions on /var/spool/postfix/var/run/opendkim/opendkim.sock correct?
Even if everything works so far, your DKIM configuration is not complete: you must also configure DNS.
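The two log messages above both come down to the socket directory, the socket mode and the group membership described earlier. The following check script is an added example (not from the Debian wiki or the OpenDKIM project) that verifies exactly those points; the chroot path and the group id are parameters so it can also be run against a scratch directory.

```python
"""Sanity-check the OpenDKIM socket layout from this guide: directory under
the Postfix chroot, group-accessible socket, Postfix in group opendkim.
Added example, not code from the Debian wiki or OpenDKIM."""
import grp, os, pwd, stat

CHROOT = "/var/spool/postfix"                         # Debian Postfix chroot
SOCKET_IN_CHROOT = "/var/run/opendkim/opendkim.sock"  # path as Postfix sees it


def mta_in_group(mta_user="postfix", group="opendkim"):
    """True if the MTA user is in the socket's group ('adduser postfix opendkim')."""
    try:
        gr = grp.getgrnam(group)
        return mta_user in gr.gr_mem or pwd.getpwnam(mta_user).pw_gid == gr.gr_gid
    except KeyError:  # unknown user or group
        return False


def check_socket_layout(chroot=CHROOT, sock_in_chroot=SOCKET_IN_CHROOT, gid=None):
    """Return a list of problems; an empty list means the layout matches the guide.
    gid defaults to the gid of group opendkim."""
    if gid is None:
        gid = grp.getgrnam("opendkim").gr_gid
    sock_path = chroot + sock_in_chroot   # absolute path the Socket line must bind
    sock_dir = os.path.dirname(sock_path)
    problems = []
    try:
        d = os.stat(sock_dir)
    except FileNotFoundError:
        return [f"{sock_dir} does not exist (create it with mkdir -p)"]
    if d.st_gid != gid:
        problems.append(f"{sock_dir} is not owned by the opendkim group")
    if d.st_mode & stat.S_IRWXO:
        problems.append(f"{sock_dir} is accessible to others (chmod go-rwx)")
    if not d.st_mode & stat.S_IXGRP:
        problems.append(f"{sock_dir} lacks g+x, group members cannot reach the socket")
    try:
        s = os.stat(sock_path)
    except FileNotFoundError:
        problems.append(f"{sock_path} missing: opendkim not running, or its Socket line differs")
        return problems
    if not stat.S_ISSOCK(s.st_mode):
        problems.append(f"{sock_path} is not a unix socket")
    if s.st_gid != gid:
        problems.append(f"{sock_path} is not owned by the opendkim group")
    if (s.st_mode & (stat.S_IRGRP | stat.S_IWGRP)) != (stat.S_IRGRP | stat.S_IWGRP):
        problems.append(f"{sock_path} is not group read/write (set UMask 007)")
    if s.st_mode & stat.S_IRWXO:
        problems.append(f"{sock_path} is accessible to others")
    return problems
```

On the server, `check_socket_layout()` with the defaults reports an empty list when the layout matches the listing above, and `mta_in_group()` confirms the adduser step.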
DNS Configuration
Add a TXT record for your example.com domain:
Record Name | Record Type | Text
mail._domainkey | TXT | v=DKIM1; k=rsa; p=MI.. (take it from the /etc/dkimkeys/mail.txt file; remove the >"< and join the lines after p= into one key.)
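The "remove the quotes and join the lines" step is easy to get wrong by hand. The following added example (not from the Debian wiki or OpenDKIM) does it programmatically: it reads the layout opendkim-genkey writes to mail.txt, joins the quoted pieces into the single TXT value, checks that p= is valid base64, and can re-split the value for a zone file. The sample mail.txt is constructed and its p= value is a placeholder, not a real key.

```python
"""Build the DNS TXT value for a DKIM record from opendkim-genkey's mail.txt.
Added example, not code from the Debian wiki or OpenDKIM; the sample
file below is constructed and its key material is a placeholder."""
import base64, binascii, re

# Constructed sample in the layout opendkim-genkey writes (key shortened).
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"\n'
    '\t  "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=" )  ; ----- DKIM key mail for example.com\n'
)


def dkim_record_from_genkey(text):
    """Return (record_name, txt_value): quotes removed and the pieces joined."""
    name = text.split(None, 1)[0]                      # e.g. mail._domainkey
    value = "".join(re.findall(r'"([^"]*)"', text))    # join every quoted string
    return name, value


def parse_dkim_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, checking v= and that p= is base64."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            k, _, v = part.strip().partition("=")
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("record does not start with v=DKIM1")
    try:
        base64.b64decode(tags["p"], validate=True)
    except (KeyError, binascii.Error) as exc:
        raise ValueError(f"p= tag missing or not base64: {exc}") from exc
    return tags


def zone_file_strings(value, limit=255):
    """Re-split a long value into quoted strings of at most 255 bytes for a
    BIND-style zone file; resolvers concatenate them, so the key stays one
    value. Web DNS panels usually want the unsplit value instead."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))
```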
Testing
You can test your installation with opendkim-testkey:
# opendkim-testkey -d example.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK
The line "key not secure" only means that the DNS answer was not validated with DNSSEC; "key OK" is the result that matters.
See also
http://www.opendkim.org/ : Official website