Differences between revisions 21 and 22
Revision 21 as of 2019-11-11 14:29:42
Size: 6142
Editor: ?JudicaelCourant
Comment: Fixing swapped arguments for /usr/bin/service
Revision 22 as of 2020-01-06 07:52:47
Size: 7848
Editor: ?DavidBürgin
Comment: Add quickstart
Deletions are marked like this. Additions are marked like this.
Line 6: Line 6:
## If your page gets really long, uncomment this Table of Contents
## <<TableOfContents(2)>>

== dkim ==

=== Postfix and opendkim ===

Install the package: {{{
  apt-get install opendkim opendkim-tools
{{{#!wiki caution
Page is being revised.

(January 2020)
}}}

<<TableOfContents()>>

= Quickstart =

This section has everything to set up to a fully functional, minimal
installation of opendkim for signing and verifying integrated with [[Postfix]].

This is the quick, five-minute version of opendkim setup. For a fuller
discussion of the different setup options available please refer to the
subsequent sections.

Let’s go! First, install opendkim.

{{{
sudo apt install opendkim opendkim-tools
}}}

Next, generate the private key for your domain and selector:

{{{
sudo opendkim-genkey -D /etc/dkimkeys -d yourdomain.com -s 2020 -S
}}}

Now, edit /etc/opendkim.conf. At a minimum, four parameters need to be adapted:
the domain/selector/key file triple, and the socket. For the socket, the easiest
option is to use a TCP socket listening on a local port.

{{{
Domain yourdomain.com
Selector 2020
KeyFile /etc/dkimkeys/2020.private

Socket inet:8891@localhost
}}}

That’s it for opendkim. Restart:

{{{
sudo systemctl restart opendkim
}}}

The final step is integrating the new opendkim service with Postfix. Edit
/etc/postfix/main.cf to connect the two:

{{{
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
}}}

And finally reload the Postfix configuration with
{{{sudo systemctl reload postfix}}}.

That’s it. Your mail is now being signed and verified. However, to let others
verify your signatures don’t forget to publish the public key as a TXT record at
{{{2020._domainkey.yourdomain.com}}}. The generated file /etc/dkimkeys/2020.txt
contains that record for your convenience.

= Configuration =

The following sections discuss opendkim configuration options in more detail.

{{{#!wiki caution
Under revision.
}}}

== Postfix and opendkim ==

Install the package:

{{{
apt-get install opendkim opendkim-tools
Line 118: Line 186:
=== Troubleshooting === == Troubleshooting ==
Line 133: Line 201:

=
== DNS Configuration ===
== DNS Configuration ==
Line 141: Line 208:

=
== Testing ===
== Testing ==
Line 153: Line 219:
== See also == = See also =

Translation(s): English - Русский


Domain Keys Identified Mail (DKIM) combines several existing antiphishing and antispam methods to improve the quality of the classification and identification of legitimate e-mail. Instead of the traditional IP-address, to determine the message sender DKIM adds a digital signature associated with the domain name of the organization.

Page is being revised.

(January 2020)

Quickstart

This section has everything to set up to a fully functional, minimal installation of opendkim for signing and verifying integrated with Postfix.

This is the quick, five-minute version of opendkim setup. For a fuller discussion of the different setup options available please refer to the subsequent sections.

Let’s go! First, install opendkim.

sudo apt install opendkim opendkim-tools

Next, generate the private key for your domain and selector:

sudo opendkim-genkey -D /etc/dkimkeys -d yourdomain.com -s 2020 -S

Now, edit /etc/opendkim.conf. At a minimum, four parameters need to be adapted: the domain/selector/key file triple, and the socket. For the socket, the easiest option is to use a TCP socket listening on a local port.

Domain   yourdomain.com
Selector 2020
KeyFile  /etc/dkimkeys/2020.private

Socket   inet:8891@localhost

That’s it for opendkim. Restart:

sudo systemctl restart opendkim

The final step is integrating the new opendkim service with Postfix. Edit /etc/postfix/main.cf to connect the two:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters

And finally reload the Postfix configuration with sudo systemctl reload postfix.

That’s it. Your mail is now being signed and verified. However, to let others verify your signatures don’t forget to publish the public key as a TXT record at 2020._domainkey.yourdomain.com. The generated file /etc/dkimkeys/2020.txt contains that record for your convenience.

Configuration

The following sections discuss opendkim configuration options in more detail.

Under revision.

Postfix and opendkim

Install the package:

apt-get install opendkim opendkim-tools

Add to the Postfix signature opendkim. In Debian stretch, the recommended place for the private key is /etc/dkimkeys (it already exists with owner opendkim, group opendkim, and rwx permissions for user only).

Generate a key for mail.example.com server

  opendkim-genkey -D /etc/dkimkeys/ -d example.com -s mail 

resulting in the directory /etc/dkimkeys/ 2 files : mail.private and mail.txt (private and public key, respectively). Ensure that only the opendkim user can read them as that is enough:

chgrp opendkim /etc/dkimkeys/*
chmod go-rwx /etc/dkimkeys/*

Postfix and opendkim will communicate through a unix socket (faster and more secure than a tcp socket). The default configuration of postfix in debian runs under a chroot (/var/spool/postfix) so the socket must be created there :

sockdir=/var/spool/postfix/var/run/opendkim
mkdir -p $sockdir
chown opendkim. $sockdir
chmod go-rwx $sockdir
chmod g+x $sockdir

Setup the /etc/opendkim.conf:

All the available options can be found on the page: http://www.opendkim.org/opendkim.conf.5.html

Syslog yes

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   007

# Signature mode and signature verification
Mode sv # not needed as this is the default

# DO NOT BELIEVE that /etc/default/opendkim overrides the following :
# (In stretch, it does not on 2019-08-13)
Socket                  local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable 
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts

Now in the file /etc/dkimkeys/keytable, put information about the private key:

mail._domainkey.example.com example.com:mail:/etc/dkimkeys/mail.private 

In the file /etc/dkimkeys/signingtable, specify which key will sign a domain:

# Domain example.com
*@example.com mail._domainkey.example.com
# You can specify multiple domains
# Example.net www._domainkey.example.net 

In the file /etc/dkimkeys/trustedhosts, specify which hosts will have messages signed. If needed, include localhost as it is not implicit:

127.0.0.1
10.1.0.0/16
1.2.3.4/24

You do not need to modify /etc/default/opendkim.

Now restart opendkim and check that everything is ok:

# service opendkim restart
# service opendkim status
# ls -ld /var/run/opendkim
drwxr-x--- 2 opendkim opendkim 60 Aug 13 13:57 /var/run/opendkim
# ls -l /var/run/opendkim
total 4
-rw-rw---- 1 root root 6 Aug 13 13:57 opendkim.pid
# ls -ld /var/spool/postfix/var/run/opendkim 
drwx--x--- 2 opendkim opendkim 4096 Aug 13 13:57 /var/spool/postfix/var/run/opendkim
# ls -l /var/spool/postfix/var/run/opendkim
total 0
srwxrwx--- 1 opendkim opendkim 0 Aug 13 13:57 opendkim.sock
root@serveur:~/config# 

Now, add postfix to the group opendkim so that it can communicate with opendkim:

adduser postfix opendkim

And add the following lines to /etc/postfix/main.cf:

  milter_default_action = accept
  milter_protocol = 6
  # from inside the chroot, the socket will be in /var/run/opendkim 
  smtpd_milters = unix:/var/run/opendkim/opendkim.sock
  non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

The setup of opendkim and postfix is complete.

Restart postfix

service postfix restart
service postfix status

Troubleshooting

Try to send a mail. If you see in /var/log/mail.log something like

Aug 13 13:18:00 yourhostname opendkim[15765]: OpenDKIM Filter: Unable to bind to port local:/var/spool/postfix/var/run/opendkim/opendkim.sock: No such file or directory
Aug 13 13:18:00 yourhostname opendkim[15765]: OpenDKIM Filter: Unable to create listening socket on conn local:/var/spool/postfix/var/run/opendkim/opendkim.sock

then that probably means that you did not create the directory for the socket (see above) or you gave it the wrong permissions. Double-check!

If you see

Aug 13 13:46:19 yourhostname postfix/cleanup[17588]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

then that means postfix could not read the socket. Did you put postfix in group opendkim? Are the permissions on /var/spool/postfix/var/run/opendkim/opendkim.sock correct?

If everything is correct, that does not mean your configuration of DKIM is complete: you must configure the DNS.

DNS Configuration

Add a TXT record for your example.com domain

Record Name

Record Type

Text

mail._domainkey

TXT

v=DKIM1; k=rsa; p=MI.. (take it from /etc/dkimkeys/mail.txt file; remove the >"< and connect the lines after p= to one key.)

Testing

You can test your installation with opendkim-testkey:

# opendkim-testkey -d example.com -s mail -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

See also


CategoryNetwork