Mail Server : Set DKIM    2024/11/13
Configure DKIM (DomainKeys Identified Mail) in Postfix. To register the generated public key in DNS, you need access to the DNS server that is authoritative for your mail domain.
[1] Install and configure OpenDKIM.
[root@mail ~]# dnf -y install opendkim opendkim-tools
# create a directory for the domain you configure DKIM for
[root@mail ~]# mkdir /etc/opendkim/keys/srv.world
# generate a key pair
# -D (directory in which to store keys)
# -d (domain name)
# -s (selector name) ⇒ any name you like
[root@mail ~]# opendkim-genkey -D /etc/opendkim/keys/srv.world -d srv.world -s $(date "+%Y%m%d")
[root@mail ~]# chown -R opendkim:opendkim /etc/opendkim/keys/srv.world
[root@mail ~]# ll /etc/opendkim/keys/srv.world
total 8
-rw-------. 1 opendkim opendkim 916 Nov 13 10:12 20241113.private
-rw-------. 1 opendkim opendkim 315 Nov 13 10:12 20241113.txt
[root@mail ~]# vi /etc/opendkim.conf
# line 39 : change
# Mode : s = sign
# Mode : v = verify
Mode sv
# line 92, 99 : comment out
#Selector default
#KeyFile /etc/opendkim/keys/default.private
# line 104, 109, 113, 116 : uncomment
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
[root@mail ~]# vi /etc/opendkim/KeyTable
# add to last line
# (selector name)._domainkey.(domain name) (domain name):(selector name):(Private Key Path)
# the private key path must point at the file generated above
# if you are handling multiple domains, enter them in the same way
20241113._domainkey.srv.world srv.world:20241113:/etc/opendkim/keys/srv.world/20241113.private
[root@mail ~]# vi /etc/opendkim/SigningTable
# add to last line
# *@(domain name) (selector name)._domainkey.(domain name)
# if you are handling multiple domains, enter them in the same way
*@srv.world 20241113._domainkey.srv.world
[root@mail ~]# vi /etc/opendkim/TrustedHosts
# possible to add trusted hosts
127.0.0.1
::1
#host.example.com
#192.168.1.0/24
[root@mail ~]# systemctl enable --now opendkim
[2] Configure Postfix.
[root@mail ~]# vi /etc/postfix/main.cf
# add to last line
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
[root@mail ~]# usermod -aG opendkim postfix
[root@mail ~]# systemctl reload postfix
[3] Verify the public key for the DNS server registration.
# public key contents
[root@mail ~]# cat /etc/opendkim/keys/srv.world/20241113.txt
20241113._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2FDt4e8t57VVayeGU/yclkwDj1+cA3FdBbpvwrHXnGQW6uKJOQYDhRyDozBjRIVsuzoc/XiHiNWG6tlrSdLmUc0c5OTOPdq3QWQ6bWCAY0sfXt6xtKYC8eQ/vZkSgR2wrCsGLf9PSYplb6OgmYv3cudx6R9X8fz6jvnAnAqDN6wIDAQAB" ) ; ----- DKIM key 20241113 for srv.world
# the entry in the zone file should be on one line, excluding unnecessary characters
[root@mail ~]# sed "s/^\t *//g" /etc/opendkim/keys/srv.world/20241113.txt | sed -z "s/\\n//g" | sed "s/( //g" | cut -d')' -f1
20241113._domainkey IN TXT "v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2FDt4e8t57VVayeGU/yclkwDj1+cA3FdBbpvwrHXnGQW6uKJOQYDhRyDozBjRIVsuzoc/XiHiNWG6tlrSdLmUc0c5OTOPdq3QWQ6bWCAY0sfXt6xtKYC8eQ/vZkSgR2wrCsGLf9PSYplb6OgmYv3cudx6R9X8fz6jvnAnAqDN6wIDAQAB"
[4] Register the public key on the DNS server. This example registers it in a BIND zone file.
root@dns:~# vi /var/named/srv.world.wan
.....
.....
# add to last line
20241113._domainkey IN TXT "v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2FDt4e8t57VVayeGU/yclkwDj1+cA3FdBbpvwrHXnGQW6uKJOQYDhRyDozBjRIVsuzoc/XiHiNWG6tlrSdLmUc0c5OTOPdq3QWQ6bWCAY0sfXt6xtKYC8eQ/vZkSgR2wrCsGLf9PSYplb6OgmYv3cudx6R9X8fz6jvnAnAqDN6wIDAQAB"
root@dns:~# rndc reload
[5] Check on the mail server side.
[root@mail ~]# dig 20241113._domainkey.srv.world. txt
.....
.....
# if the response matches what you registered, that's OK
;; ANSWER SECTION:
20241113._domainkey.srv.world. 86400 IN TXT "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2FDt4e8t57VVayeGU/yclkwDj1+cA3FdBbpvwrHXnGQW6uKJOQYDhRyDozBjRIVsuzoc/XiHiNWG6tlrSdLmUc0c5OTOPdq3QWQ6bWCAY0sfXt6xtKYC8eQ/vZkSgR2wrCsGLf9PSYplb6OgmYv3cudx6R9X8fz6jvnAnAqDN6wIDAQAB"
.....
.....
[root@mail ~]# opendkim-testkey -d srv.world -s 20241113 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '20241113._domainkey.srv.world'
opendkim-testkey: key not secure
opendkim-testkey: key OK
# If [key OK], that's OK
# * [key not secure] is a message about DNSSEC
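As an added example (not part of the original tutorial), the following POSIX shell script automates two of the manual steps above: it turns the key file written by opendkim-genkey (step [3]) into the one-line zone entry, and it performs the check from step [5] by comparing the p= value of the local key file with the p= value found in a dig answer, so a stale or mistyped record is caught before mail is sent. The function names, the temporary files and the base64 placeholder key are constructed for this example; the record layout follows the opendkim-genkey output shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: normalize the key file written by
# opendkim-genkey into a one-line TXT record, and check that the record published in DNS
# carries the same public key as the local file. The sample data at the bottom is constructed
# (the base64 "p=" value is a placeholder, not a real RSA key).

# Print an opendkim-genkey .txt file as one zone-file line:
#   <selector>._domainkey IN TXT "v=DKIM1; k=rsa; " "p=<base64>"
# Newlines and tabs become spaces, the "( ... )" wrapper and the trailing ";" comment go away.
dkim_txt_to_oneline() {
    # $1 = path to the <selector>.txt file written by opendkim-genkey
    tr '\n\t' '  ' < "$1" \
      | tr -s ' ' \
      | sed -e 's/ *( */ /' -e 's/ *) *;.*$//' -e 's/ *$//'
}

# Print the base64 public key from the "p=" tag of any DKIM TXT record text read on stdin,
# whether it is the multi-line key file, the one-line zone entry, or the ANSWER SECTION of
# a dig query. Quotes and whitespace are stripped first, so split string fragments rejoin.
dkim_pubkey() {
    tr -d '\n\t" ' | sed -n 's|.*p=\([A-Za-z0-9+/=]*\).*|\1|p'
}

# Return 0 when the key in the local file equals the key published in DNS, 1 otherwise
# (including the case where the DNS output contains no p= tag at all).
dkim_key_matches_dns() {
    # $1 = local key file, $2 = file holding the output of "dig <selector>._domainkey.<domain> txt"
    dkim_local_key=$(dkim_pubkey < "$1")
    dkim_dns_key=$(dkim_pubkey < "$2")
    [ -n "$dkim_local_key" ] && [ "$dkim_local_key" = "$dkim_dns_key" ]
}

# ---- constructed sample data (placeholder key, not a real one) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_P='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPLACEHOLDERkey0123456789+/ExampleOnly=='
# same layout as the file opendkim-genkey writes: tab-separated fields, record split over two lines
printf '20241113._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n\t  "p=%s" )  ; ----- DKIM key 20241113 for srv.world\n' \
    "$SAMPLE_P" > "$WORK/20241113.txt"
# a dig answer that matches the local key, and one that still carries an older key
printf ';; ANSWER SECTION:\n20241113._domainkey.srv.world. 86400 IN TXT "v=DKIM1; k=rsa; " "p=%s"\n' \
    "$SAMPLE_P" > "$WORK/dig-good.txt"
printf ';; ANSWER SECTION:\n20241113._domainkey.srv.world. 86400 IN TXT "v=DKIM1; k=rsa; " "p=%s"\n' \
    "MIGfOLDKEYfromPreviousSelectorRotation" > "$WORK/dig-stale.txt"

echo "zone file line:"
dkim_txt_to_oneline "$WORK/20241113.txt"
if dkim_key_matches_dns "$WORK/20241113.txt" "$WORK/dig-good.txt"; then
    echo "published key matches the local key"
fi
if ! dkim_key_matches_dns "$WORK/20241113.txt" "$WORK/dig-stale.txt"; then
    echo "mismatch: DNS still serves a different key (stale record or wrong selector)"
fi
```

Against a real setup you would save the dig answer to a file, for example `dig 20241113._domainkey.srv.world. txt > /tmp/dig.txt`, and call `dkim_key_matches_dns /etc/opendkim/keys/srv.world/20241113.txt /tmp/dig.txt`; a non-zero exit means the record in DNS is not the key OpenDKIM signs with, which is the usual cause of a DKIM "fail" after a key rotation or a copy-paste error in the zone file.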
[6] Finally, send an email to Gmail. If the header of the received email shows [DKIM: 'PASS' (Domain: srv.world)], then everything is OK.