Mail Server : Set DKIM2024/07/12 |
Configure DKIM (Domain Keys Identified Mail) in Postfix. In order to register the generated public key in DNS, you will need the DNS server that registers your email domain. |
|
[1] | Install and configure OpenDKIM. |
root@mail:~#
apt -y install opendkim opendkim-tools # create a directory for the domain you configure DKIM for root@mail:~# mkdir /etc/dkimkeys/srv.world
# generate a key pair # -D (directory in which to store keys) # -d (domain name) # -s (selector name) ⇒ any name is OK root@mail:~# opendkim-genkey -D /etc/dkimkeys/srv.world -d srv.world -s $(date "+%Y%m%d") root@mail:~# chown -R opendkim:opendkim /etc/dkimkeys/srv.world root@mail:~# ll /etc/dkimkeys/srv.world total 16 drwxr-xr-x 2 opendkim opendkim 4096 Jul 12 05:22 ./ drwx------ 3 opendkim opendkim 4096 Jul 12 00:54 ../ -rw------- 1 opendkim opendkim 1704 Jul 12 05:22 20240712.private -rw------- 1 opendkim opendkim 507 Jul 12 05:22 20240712.txt
root@mail:~#
vi /etc/opendkim.conf # line 14,15 : uncomment # Mode : s = sign # Mode : v = verify Mode sv SubDomains no # line 22,23,24 : if you are handling one domain, # uncomment the following three lines and change the values of each # if you want to handle multiple domains, set it with different parameters #Domain example.com #Selector 2020 #KeyFile /etc/dkimkeys/example.private # line 37 : comment out # line 38 : uncomment #Socket local:/run/opendkim/opendkim.sock Socket inet:8891@localhost # line 50 : comment out if you do not have DNSSEC enabled on DNS server #TrustAnchorFile /usr/share/dns/root.key # line 51 : DNS server to register DKIM key # if the DNS server is not the localhost and also is not a server registered in resolv.conf, # uncomment it and specify the DNS server #Nameservers 127.0.0.1 # add to last line # if you are handling multiple domains, set the following # if you have only one domain, set lines 22-24 and the following is not necessary KeyTable /etc/dkimkeys/KeyTable SigningTable refile:/etc/dkimkeys/SigningTable ExternalIgnoreList refile:/etc/dkimkeys/TrustedHosts InternalHosts refile:/etc/dkimkeys/TrustedHosts
root@mail:~#
vi /etc/dkimkeys/KeyTable # create new file # # (selector name)._domainkey.(domain name) (domain name):(selector name):(Private Key Path) # # if you are handling multiple domains, enter them in the same way 20240712._domainkey.srv.world srv.world:20240712:/etc/dkimkeys/srv.world/20240712.private
root@mail:~#
vi /etc/dkimkeys/SigningTable # create new file # # *@(domain name) (selector name)._domainkey.(domain name) # # if you are handling multiple domains, enter them in the same way *@srv.world 20240712._domainkey.srv.world
root@mail:~#
vi /etc/dkimkeys/TrustedHosts # create new file # add trusted hosts 127.0.0.1 ::1 localhostroot@mail:~# chown opendkim:opendkim /etc/dkimkeys/{KeyTable,SigningTable,TrustedHosts} root@mail:~# chmod 600 /etc/dkimkeys/{KeyTable,SigningTable,TrustedHosts} root@mail:~# systemctl restart opendkim |
[2] | Configure Postfix. |
root@mail:~#
vi /etc/postfix/main.cf # add to last line smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = acceptroot@mail:~# systemctl reload postfix |
[3] | Verify the public key for the DNS server registration. |
# public key contents root@mail:~# cat /etc/dkimkeys/srv.world/20240712.txt 20240712._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zup/hnAFPCeeaTgrC7/WGcP4UtKHWpLpRS4xyIbuGKolfqk/YE+GZQlr2pSrXkapjjIJn829l/87GJVs7mwhmR6Sb4Ga7P+bNnuqJc/vejieuX6KL7cQ/GwUDOjomJ0nI0UEB4i02kF27HshudohMLK21rUQUn7eEP3Da6yj3Ud7z6qRH6kwOxGfgxoyO9E6D850sGOLoSY2" "iTuuC7+O5Px+FLJTL5JbrvAxFf10yrtatXLzUyYR1G9s+odQehYmYnA/Pk+7G8ee9tZQ1zWaVPQGLZirN08zkMzjDy9LK1nZnnCUTMrhjniHsg1NDpg3vJx/UWr0uQZvCuOeh3VwIDAQAB" ) ; ----- DKIM key 20240712 for srv.world # the entry in the zone file should be on one line, excluding unnecessary characters root@mail:~# sed "s/^\t *//g" /etc/dkimkeys/srv.world/20240712.txt | sed -z "s/\\n//g" | sed "s/( //g" | cut -d')' -f1 20240712._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zup/hnAFPCeeaTgrC7/WGcP4UtKHWpLpRS4xyIbuGKolfqk/YE+GZQlr2pSrXkapjjIJn829l/87GJVs7mwhmR6Sb4Ga7P+bNnuqJc/vejieuX6KL7cQ/GwUDOjomJ0nI0UEB4i02kF27HshudohMLK21rUQUn7eEP3Da6yj3Ud7z6qRH6kwOxGfgxoyO9E6D850sGOLoSY2""iTuuC7+O5Px+FLJTL5JbrvAxFf10yrtatXLzUyYR1G9s+odQehYmYnA/Pk+7G8ee9tZQ1zWaVPQGLZirN08zkMzjDy9LK1nZnnCUTMrhjniHsg1NDpg3vJx/UWr0uQZvCuOeh3VwIDAQAB" |
[4] | Register the public key on the DNS server. It will use the example of registering to a BIND zone file. |
root@dns:~#
vi /etc/bind/srv.world.wan ..... ..... # add to last line 20240712._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zup/hnAFPCeeaTgrC7/WGcP4UtKHWpLpRS4xyIbuGKolfqk/YE+GZQlr2pSrXkapjjIJn829l/87GJVs7mwhmR6Sb4Ga7P+bNnuqJc/vejieuX6KL7cQ/GwUDOjomJ0nI0UEB4i02kF27HshudohMLK21rUQUn7eEP3Da6yj3Ud7z6qRH6kwOxGfgxoyO9E6D850sGOLoSY2""iTuuC7+O5Px+FLJTL5JbrvAxFf10yrtatXLzUyYR1G9s+odQehYmYnA/Pk+7G8ee9tZQ1zWaVPQGLZirN08zkMzjDy9LK1nZnnCUTMrhjniHsg1NDpg3vJx/UWr0uQZvCuOeh3VwIDAQAB"root@dns:~# rndc reload
|
[5] | Check on the mail server side. |
root@mail:~# dig 20240712._domainkey.srv.world. txt
.....
.....
# if the response matches what you registered, that's OK
;; ANSWER SECTION:
20240712._domainkey.srv.world. 86400 IN TXT "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5zup/hnAFPCeeaTgrC7/WGcP4UtKHWpLpRS4xyIbuGKolfqk/YE+GZQlr2pSrXkapjjIJn829l/87GJVs7mwhmR6Sb4Ga7P+bNnuqJc/vejieuX6KL7cQ/GwUDOjomJ0nI0UEB4i02kF27HshudohMLK21rUQUn7eEP3Da6yj3Ud7z6qRH6kwOxGfgxoyO9E6D850sGOLoSY2" "iTuuC7+O5Px+FLJTL5JbrvAxFf10yrtatXLzUyYR1G9s+odQehYmYnA/Pk+7G8ee9tZQ1zWaVPQGLZirN08zkMzjDy9LK1nZnnCUTMrhjniHsg1NDpg3vJx/UWr0uQZvCuOeh3VwIDAQAB"
.....
.....
root@mail:~# opendkim-testkey -d srv.world -s 20240712 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '20240712._domainkey.srv.world'
opendkim-testkey: key not secure
opendkim-testkey: key OK
# If [key OK], that's OK
# * [key not secure] is a message about DNSSEC
|
[6] |
Finally, send an email to Gmail and if the header of the received email shows [DKIM: 'PASS' (Domain: srv.world)], then everything is OK. |
Sponsored Link |