Debian 12 bookworm

Mail Server : Set DKIM (2024/07/17)

 

Configure DKIM (DomainKeys Identified Mail) signing and verification for Postfix using the OpenDKIM milter.

To publish the generated public key, you need write access to the authoritative DNS zone of the domain you send mail from: the public key is published as a TXT record at (selector)._domainkey.(domain). Only the public key goes into DNS; the private key stays on the mail server and must never be published.

[1] Install and configure OpenDKIM.
root@mail:~#
apt -y install opendkim opendkim-tools
# create a directory for the domain you configure DKIM for
# the private key generated into it must stay readable only by the opendkim user:
# anyone who can read it can sign mail as this domain

root@mail:~#
mkdir /etc/dkimkeys/srv.world
# generate a key pair (RSA; Debian 12's opendkim-genkey defaults to 2048 bits,
# which is what RFC 8301 recommends — pass -b 2048 to make that explicit)
# -D (directory in which to store keys)
# -d (domain name)
# -s (selector name) ⇒ any DNS-label-safe name is OK; a date-based selector like the one
#    below makes key rotation easy: each new key gets its own selector, and the old TXT
#    record is kept until mail signed with the old key is no longer in transit

root@mail:~#
opendkim-genkey -D /etc/dkimkeys/srv.world -d srv.world -s $(date "+%Y%m%d")

root@mail:~#
chown -R opendkim:opendkim /etc/dkimkeys/srv.world

root@mail:~#
ll /etc/dkimkeys/srv.world

total 16
drwxr-xr-x 2 opendkim opendkim 4096 Jul 12 05:22 ./
drwx------ 3 opendkim opendkim 4096 Jul 12 00:54 ../
-rw------- 1 opendkim opendkim 1704 Jul 12 05:22 20240712.private
-rw------- 1 opendkim opendkim  507 Jul 12 05:22 20240712.txt

root@mail:~#
vi /etc/opendkim.conf
# line 14,15 : uncomment
# Mode : s = sign outgoing mail (from the hosts listed in InternalHosts)
# Mode : v = verify signatures on incoming mail
# use [sv] on a server that receives and sends; a pure outbound relay can use [s] only
Mode                    sv
SubDomains              no

# line 22,23,24 : if you are handling one domain,
# uncomment the following three lines and change the values of each
# if you want to handle multiple domains, set it with different parameters
#Domain                 example.com
#Selector               2020
#KeyFile                /etc/dkimkeys/example.private

# line 37 : comment out (the UNIX socket)
# line 38 : uncomment; the milter protocol carries no authentication, so keep this
# bound to the loopback address only and never expose port 8891 to other hosts
#Socket                 local:/run/opendkim/opendkim.sock
Socket                  inet:8891@localhost

# line 50 : comment out if you do not have DNSSEC enabled on DNS server
#TrustAnchorFile        /usr/share/dns/root.key

# line 51 : the resolver OpenDKIM uses to look up DKIM keys when verifying
# (this is not where you register the key — that is done on the authoritative server in step [4])
# if the resolver is not the localhost and also is not a server registered in resolv.conf,
# uncomment it and specify the DNS server
#Nameservers            127.0.0.1

# add to last line
# if you are handling multiple domains, set the following
# if you have only one domain, set lines 22-24 and the following is not necessary
# InternalHosts lists the hosts whose mail is signed instead of verified, and
# ExternalIgnoreList the hosts whose mail is not verified; every address in TrustedHosts
# gets its mail signed as your domain with no further check, so list only this server
# and hosts you deliberately relay for — never whole networks
KeyTable                /etc/dkimkeys/KeyTable
SigningTable            refile:/etc/dkimkeys/SigningTable
ExternalIgnoreList      refile:/etc/dkimkeys/TrustedHosts
InternalHosts           refile:/etc/dkimkeys/TrustedHosts

root@mail:~#
vi /etc/dkimkeys/KeyTable
# create new file
#
# (selector name)._domainkey.(domain name) (domain name):(selector name):(Private Key Path)
#
# if you are handling multiple domains, enter them in the same way

20240712._domainkey.srv.world srv.world:20240712:/etc/dkimkeys/srv.world/20240712.private

root@mail:~#
vi /etc/dkimkeys/SigningTable
# create new file
#
# *@(domain name) (selector name)._domainkey.(domain name)
#
# if you are handling multiple domains, enter them in the same way

*@srv.world 20240712._domainkey.srv.world

root@mail:~#
vi /etc/dkimkeys/TrustedHosts
# create new file
# hosts whose mail is signed without verification (see InternalHosts / ExternalIgnoreList);
# keep it to this server and any hosts you actually relay for
127.0.0.1
::1

root@mail:~#
chown opendkim:opendkim /etc/dkimkeys/{KeyTable,SigningTable,TrustedHosts}

root@mail:~#
chmod 600 /etc/dkimkeys/{KeyTable,SigningTable,TrustedHosts}

root@mail:~#
systemctl restart opendkim

[2] Configure Postfix.
root@mail:~#
vi /etc/postfix/main.cf
# add to last line
# the milter address must match the [Socket] setting in /etc/opendkim.conf
# milter_default_action = accept means that if OpenDKIM is down, mail is passed through
# unsigned and unverified (fail-open); set [tempfail] to defer mail instead if you prefer
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

root@mail:~#
systemctl reload postfix

[3] Display the public key that has to be published in DNS.
# the .txt file generated by opendkim-genkey holds only the public key, in zone-file format

root@mail:~#
cat /etc/dkimkeys/srv.world/20240712.txt

20240712._domainkey     IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zup/hnAFPCeeaTgrC7/WGcP4UtKHWpLpRS4xyIbuGKolfqk/YE+GZQlr2pSrXkapjjIJn829l/87GJVs7mwhmR6Sb4Ga7P+bNnuqJc/vejieuX6KL7cQ/GwUDOjomJ0nI0UEB4i02kF27HshudohMLK21rUQUn7eEP3Da6yj3Ud7z6qRH6kwOxGfgxoyO9E6D850sGOLoSY2"
          "iTuuC7+O5Px+FLJTL5JbrvAxFf10yrtatXLzUyYR1G9s+odQehYmYnA/Pk+7G8ee9tZQ1zWaVPQGLZirN08zkMzjDy9LK1nZnnCUTMrhjniHsg1NDpg3vJx/UWr0uQZvCuOeh3VwIDAQAB" )  ; ----- DKIM key 20240712 for srv.world

# the generated file wraps the record in parentheses over several lines; BIND accepts that form as-is,
# but if your DNS provider's interface wants a single line, the following pipeline (GNU sed, because of -z)
# strips the parentheses, the line breaks and the trailing comment; the two quoted strings stay
# separate character-strings, which DKIM verifiers concatenate

root@mail:~#
sed "s/^\t *//g" /etc/dkimkeys/srv.world/20240712.txt | sed -z "s/\\n//g" | sed "s/( //g" | cut -d')' -f1

20240712._domainkey     IN      TXT     "v=DKIM1; h=sha256; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zup/hnAFPCeeaTgrC7/WGcP4UtKHWpLpRS4xyIbuGKolfqk/YE+GZQlr2pSrXkapjjIJn829l/87GJVs7mwhmR6Sb4Ga7P+bNnuqJc/vejieuX6KL7cQ/GwUDOjomJ0nI0UEB4i02kF27HshudohMLK21rUQUn7eEP3Da6yj3Ud7z6qRH6kwOxGfgxoyO9E6D850sGOLoSY2""iTuuC7+O5Px+FLJTL5JbrvAxFf10yrtatXLzUyYR1G9s+odQehYmYnA/Pk+7G8ee9tZQ1zWaVPQGLZirN08zkMzjDy9LK1nZnnCUTMrhjniHsg1NDpg3vJx/UWr0uQZvCuOeh3VwIDAQAB"
[4] Register the public key on the DNS server.
This example registers the key in a BIND zone file; with a hosted DNS provider, create a TXT record named 20240712._domainkey with the same value.
root@dns:~#
vi /etc/bind/srv.world.wan
.....
.....
# add to last line, and increment the zone's SOA serial before reloading,
# otherwise secondary servers will not pick up the new record
20240712._domainkey     IN      TXT     "v=DKIM1; h=sha256; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zup/hnAFPCeeaTgrC7/WGcP4UtKHWpLpRS4xyIbuGKolfqk/YE+GZQlr2pSrXkapjjIJn829l/87GJVs7mwhmR6Sb4Ga7P+bNnuqJc/vejieuX6KL7cQ/GwUDOjomJ0nI0UEB4i02kF27HshudohMLK21rUQUn7eEP3Da6yj3Ud7z6qRH6kwOxGfgxoyO9E6D850sGOLoSY2""iTuuC7+O5Px+FLJTL5JbrvAxFf10yrtatXLzUyYR1G9s+odQehYmYnA/Pk+7G8ee9tZQ1zWaVPQGLZirN08zkMzjDy9LK1nZnnCUTMrhjniHsg1NDpg3vJx/UWr0uQZvCuOeh3VwIDAQAB"

root@dns:~#
rndc reload
[5] Check on the mail server side.
root@mail:~#
dig 20240712._domainkey.srv.world. txt

.....
.....

# if the response matches what you registered, that's OK
;; ANSWER SECTION:
20240712._domainkey.srv.world. 86400 IN TXT     "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zup/hnAFPCeeaTgrC7/WGcP4UtKHWpLpRS4xyIbuGKolfqk/YE+GZQlr2pSrXkapjjIJn829l/87GJVs7mwhmR6Sb4Ga7P+bNnuqJc/vejieuX6KL7cQ/GwUDOjomJ0nI0UEB4i02kF27HshudohMLK21rUQUn7eEP3Da6yj3Ud7z6qRH6kwOxGfgxoyO9E6D850sGOLoSY2" "iTuuC7+O5Px+FLJTL5JbrvAxFf10yrtatXLzUyYR1G9s+odQehYmYnA/Pk+7G8ee9tZQ1zWaVPQGLZirN08zkMzjDy9LK1nZnnCUTMrhjniHsg1NDpg3vJx/UWr0uQZvCuOeh3VwIDAQAB"

.....
.....

root@mail:~#
opendkim-testkey -d srv.world -s 20240712 -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '20240712._domainkey.srv.world'
opendkim-testkey: key not secure
opendkim-testkey: key OK
# If [key OK], the published record matches the private key and signing will work
# * [key not secure] only means the DNS answer was not DNSSEC-validated; it does not affect signing
[6]

Finally, send an email to a Gmail address and check the received message's Authentication-Results header (shown as [DKIM: 'PASS' (Domain: srv.world)] in Gmail's "Show original" view). If it passes, signing and DNS publication are working. DKIM on its own does not tell receivers what to do with unsigned mail claiming to be from your domain; publish an SPF record and a DMARC policy as well.
