DomainKeys Identified Mail (DKIM) allows the receiver of an e-mail to verify that the message really originates from the sending domain. Furthermore, DKIM can also detect whether the e-mail was tampered with between transferring MTAs. Compared to, say, Pretty Good Privacy (PGP), DKIM is a solution that covers the communication between MTAs rather than between individuals. This tutorial covers installing and configuring OpenDKIM to work with the Postfix MTA.
On Debian-like systems, two packages have to be installed:
- opendkim
- opendkim-tools
which can be accomplished with:
aptitude install opendkim opendkim-tools
To generate keys for your domain, issue:
opendkim-genkey -t -s mail -d domain.net
where:
- domain.net is the domain to generate the key for and should be replaced by your domain.
- mail, the value passed to -s, is the selector name; it reappears in the DNS record and in the Selector setting of /etc/opendkim.conf below.
The command will generate two files:
- mail.private, the private key
- mail.txt, an automatically generated TXT DNS record.
For consistency, you can move these two files into the Postfix directory:
mv mail.private mail.txt /etc/postfix/
Taking a look at mail.txt, the output of the generator is a bit unconventional. If you run a DNS server then you will have to edit the content a little to match the standard DNS format:
mail._domainkey IN TXT "v=DKIM1; k=rsa; g=*; p=z2ucTITz1/PKL/OAYQ..."
since the tool seems to generate unbalanced quotes.
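The reshaping described above can be scripted instead of done by hand. The following is an added example (not code from the tutorial or from the OpenDKIM project): it reads a mail.txt in the multi-line, parenthesised shape that opendkim-genkey writes, concatenates the quoted fragments and prints one standard single-line TXT record. The embedded sample is constructed with a placeholder instead of real key material, and it carries t=y because the command in the tutorial was run with -t (testing mode); the exact layout of the sample is my assumption about the generator's output, so point the function at your own mail.txt.

```shell
#!/bin/sh
# Added example (not from the tutorial): turn the multi-line TXT record that
# opendkim-genkey writes to mail.txt into the single-line form most zone
# files expect. The sample below is constructed with a placeholder key.

# Constructed stand-in for mail.txt as written by
# "opendkim-genkey -t -s mail -d domain.net" (layout is an assumption;
# t=y is present because of the -t flag).
SAMPLE_GENKEY_OUTPUT='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
          "p=PLACEHOLDERPUBLICKEYPART1"
          "PLACEHOLDERPUBLICKEYPART2" )  ; ----- DKIM key mail for domain.net'

# dkim_join_record: read genkey-style output on stdin and print one line of
# the form:  <name> IN TXT "<all quoted fragments concatenated in order>"
dkim_join_record() {
    awk '
        NR == 1 { name = $1 }          # the record name is the first token of line 1
        {
            line = $0
            # collect every "..." fragment on this line, left to right
            while (match(line, /"[^"]*"/)) {
                value = value substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { printf "%s IN TXT \"%s\"\n", name, value }
    '
}

# dkim_tag: print the value of tag $1 (e.g. p, v, t) from a record line on stdin
dkim_tag() {
    sed -n 's/.*[";[:space:]]'"$1"'=\([^;"]*\).*/\1/p' | head -n 1
}

# joined_sample_record: the constructed sample, joined into one line
joined_sample_record() {
    printf '%s\n' "$SAMPLE_GENKEY_OUTPUT" | dkim_join_record
}

# Usage: print the single-line record, then show the public key it carries.
# On a real server replace the sample with:  dkim_join_record < /etc/postfix/mail.txt
joined_sample_record
printf 'public key: %s\n' "$(joined_sample_record | dkim_tag p)"
printf 'testing flag: %s\n' "$(joined_sample_record | dkim_tag t)"
```

The awk loop deliberately keeps the fragments in file order and drops everything outside the quotes, including the trailing `; -----` comment, so what comes out is exactly the record body a verifier will read back from DNS.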
While we are at it, let us add another TXT record that tells a verifier whether it should expect e-mail with a From: address in this domain to be signed:
_adsp._domainkey IN TXT "dkim=discardable"
where discardable is the signing practice. Three such practices are possible:
- unknown means that the domain might sign some, most or all e-mail.
- all means that all e-mail is signed.
- discardable says that all e-mail from the domain is signed and, if such a signature is missing or invalid, the e-mail should be dropped (silently discarded).
To configure OpenDKIM, open up the file /etc/opendkim.conf and locate the lines:
Domain domain.net
KeyFile /etc/postfix/mail.private
Selector mail
and change them accordingly:
- domain.net should be changed to the domain of your e-mail server.
- /etc/postfix/mail.private is the private key file that was generated in the previous section with opendkim-genkey (from opendkim-tools).
- mail should be set to the value passed to the -s parameter when opendkim-genkey was run in the previous section.
You can add some other useful settings, for example:
# Whether the filter should restart itself automatically if it crashes
AutoRestart yes
# Whether the filter should run in the background
Background yes
# The canonicalizations to use when signing e-mails (simple or relaxed).
Canonicalization relaxed/relaxed
After that, the file /etc/default/opendkim must be edited to set up the socket on which OpenDKIM will listen for connections from Postfix. Add a line to /etc/default/opendkim like:
SOCKET="inet:9475@localhost"
where:
- 9475 is the port that OpenDKIM will listen on,
- localhost is the IP address or host name that OpenDKIM will listen on.
Now we have to configure Postfix to use the milter by editing /etc/postfix/main.cf and adding the lines:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:9475
non_smtpd_milters = inet:localhost:9475
- n.b. you can chain other milters by separating them with a comma.
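A common slip in the two steps above is that OpenDKIM and Postfix spell the same socket differently (inet:9475@localhost versus inet:localhost:9475), and a mismatch is silent when milter_default_action = accept: mail simply goes out unsigned. The following is an added example (not part of the tutorial, OpenDKIM or Postfix) that converts the SOCKET value from /etc/default/opendkim into Postfix's form and checks that both smtpd_milters and non_smtpd_milters in main.cf include it. The two configuration files it reads are constructed samples written to a temporary directory; on a real server pass the paths of the actual files instead.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm that the socket OpenDKIM
# listens on (SOCKET= in /etc/default/opendkim, spelled inet:PORT@HOST) is
# the one Postfix was told to use in main.cf (spelled inet:HOST:PORT).

# opendkim_socket_to_milter: convert OpenDKIM's inet:PORT@HOST spelling into
# Postfix's inet:HOST:PORT. Other forms (e.g. local:/path) are passed through.
opendkim_socket_to_milter() {
    case "$1" in
        inet:*@*)
            port=${1#inet:}
            port=${port%%@*}
            host=${1##*@}
            printf 'inet:%s:%s\n' "$host" "$port"
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# read_socket: print the (unquoted) SOCKET value from a defaults file $1
read_socket() {
    sed -n 's/^SOCKET=//p' "$1" | tr -d '"' | tail -n 1
}

# milter_listed: succeed if milter $2 is one of the comma-separated entries of
# Postfix parameter $1 in main.cf file $3 (milters may be chained with commas)
milter_listed() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$3" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fqx "$2"
}

# check_milter_config: 0 if both smtpd_milters and non_smtpd_milters in
# main.cf ($2) include the socket configured in the defaults file ($1)
check_milter_config() {
    milter=$(opendkim_socket_to_milter "$(read_socket "$1")")
    milter_listed smtpd_milters "$milter" "$2" \
        && milter_listed non_smtpd_milters "$milter" "$2"
}

# Constructed sample files (placeholders, not copied from any real server).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'SOCKET="inet:9475@localhost"\n' > "$SAMPLE_DIR/opendkim.default"
cat > "$SAMPLE_DIR/main.good.cf" <<'EOF'
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:9475
non_smtpd_milters = inet:localhost:9475
EOF
# Same, but non_smtpd_milters points at a different port: with
# milter_default_action = accept, locally submitted mail would be accepted
# and sent out unsigned without any error.
cat > "$SAMPLE_DIR/main.bad.cf" <<'EOF'
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:9475
non_smtpd_milters = inet:localhost:8891
EOF

# Usage: on a server, run
#   check_milter_config /etc/default/opendkim /etc/postfix/main.cf
for cf in main.good.cf main.bad.cf; do
    if check_milter_config "$SAMPLE_DIR/opendkim.default" "$SAMPLE_DIR/$cf"; then
        echo "$cf: Postfix milters match the OpenDKIM socket"
    else
        echo "$cf: MISMATCH between OpenDKIM socket and Postfix milters"
    fi
done
```

The check is done per parameter on purpose: smtpd_milters covers mail received over SMTP and non_smtpd_milters covers locally submitted mail, and forgetting the second one leaves cron and application mail unsigned while SMTP traffic looks fine.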
Two known tools are good for testing:
- TXT record is set up correctly.
- autorespond+dkim@dk.elandsys.com, which should send you an e-mail back telling you whether DKIM is set up successfully.
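Before relying on an external responder, the two published records can be checked locally as a verifier would read them. The following is an added example, not code from the tutorial or from OpenDKIM: it takes record strings in the shape that `dig +short TXT mail._domainkey.domain.net` prints (one or more double-quoted strings on a line), and checks the key record's v, k, p and t tags and the ADSP record's dkim value. The tag meanings used (v must be DKIM1 if present, an empty p= means the key was revoked, t=y means the domain is in testing mode) are those of the DKIM specification, RFC 6376; the sample strings and the function names are constructed for this example and carry placeholder key material.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check the key record and the
# ADSP record this tutorial publishes, as a verifier would see them.

# txt_join: collapse dig-style quoted strings ("a" "b") into one unquoted value
txt_join() {
    printf '%s\n' "$1" | sed 's/"[[:space:]]*"//g; s/^"//; s/"$//'
}

# txt_has_tag: succeed if tag $1 is present in the unquoted record $2
txt_has_tag() {
    printf ';%s\n' "$2" | grep -q ';[[:space:]]*'"$1"'='
}

# txt_tag: print the value of tag $1 from the unquoted record $2 (empty if absent)
txt_tag() {
    printf ';%s\n' "$2" \
        | sed -n 's/.*;[[:space:]]*'"$1"'=\([^;]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# check_dkim_key_record: inspect the record published under
# <selector>._domainkey. Exit status: 0 usable, 2 usable but the domain is
# in testing mode (t=y), 1 not usable for verification.
check_dkim_key_record() {
    rec=$(txt_join "$1")
    v=$(txt_tag v "$rec"); k=$(txt_tag k "$rec")
    p=$(txt_tag p "$rec"); t=$(txt_tag t "$rec")
    # v is optional, but if present it must be DKIM1
    if txt_has_tag v "$rec" && [ "$v" != "DKIM1" ]; then
        echo "bad version tag: v=$v"; return 1
    fi
    # k is optional (defaults to rsa); anything else is not what opendkim-genkey publishes
    if txt_has_tag k "$rec" && [ "$k" != "rsa" ]; then
        echo "unexpected key type: k=$k"; return 1
    fi
    # p is mandatory, and an empty p= means the key has been revoked
    if ! txt_has_tag p "$rec"; then
        echo "missing p= tag (no public key)"; return 1
    fi
    if [ -z "$p" ]; then
        echo "empty p= tag: key is revoked"; return 1
    fi
    # t flags are colon-separated; y means the domain is only testing DKIM,
    # and verifiers treat its signatures like unsigned mail
    case ":$t:" in
        *:y:*) echo "key record ok, but t=y: testing mode"; return 2 ;;
    esac
    echo "key record ok"
    return 0
}

# check_adsp_record: the _adsp._domainkey record must carry one of the three
# practices named in the tutorial: dkim=unknown, dkim=all or dkim=discardable
check_adsp_record() {
    rec=$(txt_join "$1")
    practice=$(txt_tag dkim "$rec")
    case "$practice" in
        unknown|all|discardable) echo "adsp practice: $practice"; return 0 ;;
        *) echo "invalid adsp record: $rec"; return 1 ;;
    esac
}

# Constructed sample answers (placeholder key material, not real records).
SAMPLE_KEY_OK='"v=DKIM1; k=rsa; " "p=PLACEHOLDERPUBLICKEY"'
SAMPLE_KEY_TESTING='"v=DKIM1; k=rsa; t=y; p=PLACEHOLDERPUBLICKEY"'
SAMPLE_KEY_REVOKED='"v=DKIM1; k=rsa; p="'
SAMPLE_ADSP='"dkim=discardable"'

# Usage: on a server, feed real answers instead, e.g.
#   check_dkim_key_record "$(dig +short TXT mail._domainkey.domain.net)"
for sample in "$SAMPLE_KEY_OK" "$SAMPLE_KEY_TESTING" "$SAMPLE_KEY_REVOKED"; do
    check_dkim_key_record "$sample" || true
done
check_adsp_record "$SAMPLE_ADSP" || true
```

Since the key in this tutorial was generated with -t, the published record carries t=y until that tag is removed, and the check above reports status 2 for it: the setup is working, but receivers are told not to treat the signatures differently from unsigned mail, so neither the signature nor the dkim=discardable practice is being enforced yet.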