Mail Server : Set DKIM2024/07/17

Configure DKIM (Domain Keys Identified Mail) in Postfix.

In order to register the generated public key in DNS, you will need the DNS server that registers your email domain.

[1]

Install and configure OpenDKIM.

# install from EPEL, CRB

[root@mail ~]#

dnf --enablerepo=epel,crb -y install opendkim opendkim-tools

# create a directory for the domain you configure DKIM for

[root@mail ~]#

mkdir /etc/opendkim/keys/srv.world

# generate a key pair
# -D (directory in which to store keys)
# -d (domain name)
# -s (selector name) ⇒ any name you like

[root@mail ~]#

opendkim-genkey -D /etc/opendkim/keys/srv.world -d srv.world -s $(date "+%Y%m%d")

[root@mail ~]#

chown -R opendkim:opendkim /etc/opendkim/keys/srv.world

[root@mail ~]#

ll /etc/opendkim/keys/srv.world

total 8
-rw-------. 1 opendkim opendkim 916 Jul 17 09:45 20240717.private
-rw-------. 1 opendkim opendkim 315 Jul 17 09:45 20240717.txt

[root@mail ~]#

vi /etc/opendkim.conf

# line 39 : change
# Mode : s = sign
# Mode : v = verify
Mode    sv

# line 92, 99 : comment out
#Selector    default
#KeyFile    /etc/opendkim/keys/default.private

# line 104, 109, 113, 116 : uncomment
KeyTable    /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList    refile:/etc/opendkim/TrustedHosts
InternalHosts    refile:/etc/opendkim/TrustedHosts

[root@mail ~]#

vi /etc/opendkim/KeyTable

# add to last line
#
# (selector name)._domainkey.(domain name) (domain name):(selector name):(Private Key Path)
#
# if you are handling multiple domains, enter them in the same way

20240717._domainkey.srv.world srv.world:20240717:/etc/dkimkeys/srv.world/20240717.private

[root@mail ~]#

vi /etc/opendkim/SigningTable

# add to last line
#
# *@(domain name) (selector name)._domainkey.(domain name)
#
# if you are handling multiple domains, enter them in the same way

*@srv.world 20240717._domainkey.srv.world

[root@mail ~]#

vi /etc/opendkim/TrustedHosts

# possible to add trusted hosts
127.0.0.1
::1
#host.example.com
#192.168.1.0/24

[root@mail ~]#

systemctl enable --now opendkim

[2]	Configure Postfix.

[root@mail ~]#

vi /etc/postfix/main.cf

# add to last line
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

[root@mail ~]#

usermod -aG opendkim postfix

[root@mail ~]#

systemctl reload postfix

[3]	Verify the public key for the DNS server registration.

# public key contents

[root@mail ~]#

cat /etc/opendkim/keys/srv.world/20240717.txt

20240717._domainkey     IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFnfbuSpyu5M4kL5zoS8UU5eXzTonS+6bqHMcRFCJTK2KQHCJF57M5f7l2woVAmKyAqXzLvnzKGMZjn6wXNCDSTJsrw7tBNV7tep++thE5KDMJ9o1khU857Ipv64LBUeet+w5NMuJUG6akJ4zGumjiT+NaZM1GCM3Q325xPoakwIDAQAB" )  ; ----- DKIM key 20240717 for srv.world

# the entry in the zone file should be on one line, excluding unnecessary characters

[root@mail ~]#

sed "s/^\t *//g" /etc/opendkim/keys/srv.world/20240717.txt | sed -z "s/\\n//g" | sed "s/( //g" | cut -d')' -f1

20240717._domainkey     IN      TXT     "v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFnfbuSpyu5M4kL5zoS8UU5eXzTonS+6bqHMcRFCJTK2KQHCJF57M5f7l2woVAmKyAqXzLvnzKGMZjn6wXNCDSTJsrw7tBNV7tep++thE5KDMJ9o1khU857Ipv64LBUeet+w5NMuJUG6akJ4zGumjiT+NaZM1GCM3Q325xPoakwIDAQAB"

[4]	Register the public key on the DNS server. It will use the example of registering to a BIND zone file.

root@dns:~#

vi /var/named/srv.world.wan

.....
.....
# add to last line
20240717._domainkey     IN      TXT     "v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFnfbuSpyu5M4kL5zoS8UU5eXzTonS+6bqHMcRFCJTK2KQHCJF57M5f7l2woVAmKyAqXzLvnzKGMZjn6wXNCDSTJsrw7tBNV7tep++thE5KDMJ9o1khU857Ipv64LBUeet+w5NMuJUG6akJ4zGumjiT+NaZM1GCM3Q325xPoakwIDAQAB"

root@dns:~#

rndc reload

[5]	Check on the mail server side.

[root@mail ~]#

dig 20240717._domainkey.srv.world. txt


.....
.....

# if the response matches what you registered, that's OK
;; ANSWER SECTION:
20240717._domainkey.srv.world. 86400 IN TXT     "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFnfbuSpyu5M4kL5zoS8UU5eXzTonS+6bqHMcRFCJTK2KQHCJF57M5f7l2woVAmKyAqXzLvnzKGMZjn6wXNCDSTJsrw7tBNV7tep++thE5KDMJ9o1khU857Ipv64LBUeet+w5NMuJUG6akJ4zGumjiT+NaZM1GCM3Q325xPoakwIDAQAB"

.....
.....

[root@mail ~]#

opendkim-testkey -d srv.world -s 20240717 -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '20240717._domainkey.srv.world'
opendkim-testkey: key not secure
opendkim-testkey: key OK
# If [key OK], that's OK
# * [key not secure] is a message about DNSSEC

[6]	Finally, send an email to Gmail and if the header of the received email shows [DKIM: 'PASS' (Domain: srv.world)], then everything is OK.

Matched Content