Differences between revisions 15 and 17 (spanning 2 versions)
Revision 15 as of 2019-08-13 14:15:28
Size: 6092
Editor: ?JudicaelCourant
Comment: How to configure unix socket properly (wrt to permissions and chroot).
Revision 17 as of 2019-11-10 22:51:48
Size: 6090
Editor: AlbanVidal
Comment: Switch "service" to "systemctl"
Deletions are marked like this. Additions are marked like this.
Line 82: Line 82:
# service opendkim restart # systemctl restart opendkim
Line 135: Line 135:
|| mail._domainkey || TXT || v=DKIM1; k=rsa; p=MI.. (take it from /etc/postfix/dkim/mail.txt file; remove the >"< and connect the lines after p= to one key.) || || mail._domainkey || TXT || v=DKIM1; k=rsa; p=MI.. (take it from /etc/dkimkeys/mail.txt file; remove the >"< and connect the lines after p= to one key.) ||

Translation(s): English - Русский


Domain Keys Identified Mail (DKIM) combines several existing antiphishing and antispam methods to improve the quality of the classification and identification of legitimate e-mail. Instead of the traditional IP-address, to determine the message sender DKIM adds a digital signature associated with the domain name of the organization.

dkim

Postfix and opendkim

Install the package:

  apt-get install opendkim opendkim-tools

Add to the Postfix signature opendkim. In Debian stretch, the recommended place for the private key is /etc/dkimkeys (it already exists with owner opendkim, group opendkim, and rwx permissions for user only).

Generate a key for mail.example.com server

  opendkim-genkey -D /etc/dkimkeys/ -d example.com -s mail 

resulting in the directory /etc/dkimkeys/ 2 files : mail.private and mail.txt (private and public key, respectively). Ensure that only the opendkim user can read them as that is enough:

chgrp opendkim /etc/dkimkeys/*
chmod go-rwx /etc/dkimkeys/*

Postfix and opendkim will communicate through a unix socket (faster and more secure than a tcp socket). The default configuration of postfix in debian runs under a chroot (/var/spool/postfix) so the socket must be created there :

sockdir=/var/spool/postfix/var/run/opendkim
mkdir -p $sockdir
chown opendkim. $sockdir
chmod go-rwx $sockdir
chmod g+x $sockdir

Setup the /etc/opendkim.conf:

All the available options can be found on the page: http://www.opendkim.org/opendkim.conf.5.html

Syslog yes

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   007

# Signature mode and signature verification
Mode sv # not needed as this is the default

# DO NOT BELIEVE that /etc/default/opendkim overrides the following :
# (In stretch, it does not on 2019-08-13)
Socket                  local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable 
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts

Now in the file /etc/dkimkeys/keytable, put information about the private key:

mail._domainkey.example.com example.com:mail:/etc/dkimkeys/mail.private 

In the file /etc/dkimkeys/signingtable, specify which key will sign a domain:

# Domain example.com
*@example.com mail._domainkey.example.com
# You can specify multiple domains
# Example.net www._domainkey.example.net 

In the file /etc/dkimkeys/trustedhosts, specify which hosts will have messages signed. If needed, include localhost as it is not implicit:

127.0.0.1
10.1.0.0/16
1.2.3.4/24

You do not need to modify /etc/default/opendkim.

Now restart opendkim and check that everything is ok:

# systemctl restart opendkim
# ls -ld /var/run/opendkim
drwxr-x--- 2 opendkim opendkim 60 Aug 13 13:57 /var/run/opendkim
# ls -l /var/run/opendkim
total 4
-rw-rw---- 1 root root 6 Aug 13 13:57 opendkim.pid
# ls -ld /var/spool/postfix/var/run/opendkim 
drwx--x--- 2 opendkim opendkim 4096 Aug 13 13:57 /var/spool/postfix/var/run/opendkim
# ls -l /var/spool/postfix/var/run/opendkim
total 0
srwxrwx--- 1 opendkim opendkim 0 Aug 13 13:57 opendkim.sock
root@serveur:~/config# 

Now, add postfix to the group opendkim so that it can communicate with opendkim:

adduser postfix opendkim

And add the following lines to /etc/postfix/main.cf:

  milter_default_action = accept
  milter_protocol = 6
  # from inside the chroot, the socket will be in /var/run/opendkim 
  smtpd_milters = unix:/var/run/opendkim/opendkim.sock
  non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

The setup of opendkim and postfix is complete.

Restart postfix

service postfix restart

Troubleshooting

Try to send a mail. If you see in /var/log/mail.log something like

Aug 13 13:18:00 yourhostname opendkim[15765]: OpenDKIM Filter: Unable to bind to port local:/var/spool/postfix/var/run/opendkim/opendkim.sock: No such file or directory
Aug 13 13:18:00 yourhostname opendkim[15765]: OpenDKIM Filter: Unable to create listening socket on conn local:/var/spool/postfix/var/run/opendkim/opendkim.sock

then that probably means that you did not create the directory for the socket (see above) or you gave it the wrong permissions. Double-check!

If you see

Aug 13 13:46:19 yourhostname postfix/cleanup[17588]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

then that means postfix could not read the socket. Did you put postfix in group opendkim? Are the permissions on /var/spool/postfix/var/run/opendkim/opendkim.sock correct?

If everything is correct, that does not mean your configuration of DKIM si complete: you must configure the DNS.

DNS Configuration

Add a TXT record for your example.com domain

Record Name

Record Type

Text

mail._domainkey

TXT

v=DKIM1; k=rsa; p=MI.. (take it from /etc/dkimkeys/mail.txt file; remove the >"< and connect the lines after p= to one key.)

Testing

You can test your installation with opendkim-testkey:

# opendkim-testkey -d example.com -s mail -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

See also


CategoryNetwork