Friday, March 8, 2013

Guide to Install OpenDKIM for multiple domains with Postfix and Ubuntu 12.04

# apt-get install opendkim opendkim-tools

Append these lines to /etc/postfix/

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

Make sure OpenDKIM is listening at port 12345 for Postfix to connect in /etc/default/opendkim. For some reasons I wasn't able to make Postfix connect through a unix socket.
SOCKET="inet:12345@localhost" # listen on loopback on port 12345

Also, the DKIM hosts keys should be in place and permissions (especially on the private keys) must be restricted as follows, for security purposes:
/etc/postfix# ls -l /etc/opendkim/keys/*
total 8
-rw-r----- 1 root opendkim 887 Mar  8 08:10 auth.private
-rw------- 1 root root     270 Mar  8 08:12 auth.txt

total 8
-rw-r----- 1 root opendkim 887 Mar  8 08:12 auth.private
-rw------- 1 root root     270 Mar  8 08:12 auth.txt

Add these rows to /etc/opendkim.conf:

KeyTable           /etc/opendkim/KeyTable
SigningTable       /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts      /etc/opendkim/TrustedHosts

In /etc/opendkim/TrustedHosts add domains, hostnames and/or ip’s that should be handled by OpenDKIM (at least localhost):

Add domains to /etc/opendkim/SigningTable
host1 auth._domainkey.host1
host2 auth._domainkey.host2

and /etc/opendkim/KeyTable: host1:default:/etc/opendkim/keys/host1/auth.private host2:default:/etc/opendkim/keys/host2/auth.private

Restart both opendkim and postfix.

Check DKIM

Since gmail (also yahoo) supports the DKIM signature verification, you can just send an email locally from this server to any Gmail account, keeping an eye open to /var/log/mail.log meanwhile:

# mail -s "dkim test"
Just a test.

Then open the email in Gmail, show the original message text and you should see the DKIM signature and that it is acknowledged by the recipient MTA (dkim=pass):

       spf=pass ( domain of root@host1 designates XX.XX.XX.XX as permitted sender);
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;
 s=default; t=1362751620;
You may also want to make sure that DKIM signatures are added when you send a message from a remote host using SMTP.

No comments: