Friday, March 8, 2013

Guide to Install OpenDKIM for multiple domains with Postfix and Ubuntu 12.04

# apt-get install opendkim opendkim-tools

Append these lines to /etc/postfix/main.cf:

# DKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

Make sure OpenDKIM is listening on port 12345 so that Postfix can connect to it, by setting this in /etc/default/opendkim. For some reason I wasn't able to make Postfix connect through a Unix socket.
 
SOCKET="inet:12345@localhost" # listen on loopback on port 12345

Also, the DKIM host keys should be in place and the permissions (especially on the private keys) must be restricted as follows, for security purposes: the opendkim daemon reads the private key through the opendkim group, and nobody else needs access to it.
 
/etc/postfix# ls -l /etc/opendkim/keys/*
/etc/opendkim/keys/host1.com:
total 8
-rw-r----- 1 root opendkim 887 Mar  8 08:10 auth.private
-rw------- 1 root root     270 Mar  8 08:12 auth.txt

/etc/opendkim/keys/host2.com:
total 8
-rw-r----- 1 root opendkim 887 Mar  8 08:12 auth.private
-rw------- 1 root root     270 Mar  8 08:12 auth.txt

Add these lines to /etc/opendkim.conf:

KeyTable           /etc/opendkim/KeyTable
SigningTable       /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts      /etc/opendkim/TrustedHosts

In /etc/opendkim/TrustedHosts add the domains, hostnames and/or IPs that OpenDKIM should treat as internal, so that their mail is signed rather than verified (at least localhost):
 
127.0.0.1
localhost

Add the domains to /etc/opendkim/SigningTable (the sender domain, followed by the name of the KeyTable entry to sign with):

host1.com auth._domainkey.host1.com
host2.com auth._domainkey.host2.com

and /etc/opendkim/KeyTable. Each entry is `keyname signingdomain:selector:keyfile`; the signing domain and selector end up as d= and s= in the signature, and the selector must match the name of the TXT record you published (selector._domainkey.domain), because that is what the receiving MTA looks up:
 
auth._domainkey.host1.com host1.com:default:/etc/opendkim/keys/host1.com/auth.private
auth._domainkey.host2.com host2.com:default:/etc/opendkim/keys/host2.com/auth.private

Restart both opendkim and postfix.
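A mismatch between the two tables (a SigningTable entry naming a key the KeyTable does not define, a key file that is not there, or a private key with loose permissions) does not stop OpenDKIM from starting; the mail simply leaves unsigned. The following checker is an added example, not part of the original post or of OpenDKIM. The table layout (`keyname signingdomain:selector:keyfile`) is OpenDKIM's own; the convention that the key name equals selector._domainkey.domain is this script's assumption, and the sample tables and the throwaway key files it builds are constructed.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def parse_table(text: str) -> Dict[str, str]:
    """Parse an OpenDKIM flat-file table: 'key value' per line, '#' comments ignored."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        table[parts[0]] = parts[1].strip()
    return table


def parse_key_entry(value: str) -> Tuple[str, str, str]:
    """A KeyTable value is 'signingdomain:selector:keyfile' (OpenDKIM's format)."""
    fields = value.split(":")
    if len(fields) != 3 or not all(fields):
        raise ValueError(f"KeyTable value must be domain:selector:keyfile, got {value!r}")
    return fields[0], fields[1], fields[2]


def check_key_file(path: str) -> List[str]:
    """The private key should be readable by root and the opendkim group only (0640)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"key file {path} does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & 0o007:
        problems.append(f"key file {path} is world-accessible (mode {mode:04o})")
    if mode & 0o020:
        problems.append(f"key file {path} is group-writable (mode {mode:04o})")
    return problems


def check_tables(keytable: str, signingtable: str, check_files: bool = True) -> List[str]:
    """Return the problems found; an empty list means the two tables are consistent."""
    problems: List[str] = []
    keys = parse_table(keytable)
    signing = parse_table(signingtable)
    # Every SigningTable entry must name a key the KeyTable defines, otherwise
    # OpenDKIM has nothing to sign with and the message goes out unsigned.
    for sender, keyname in signing.items():
        if keyname not in keys:
            problems.append(f"SigningTable entry {sender!r} refers to unknown key {keyname!r}")
    for keyname, value in keys.items():
        try:
            domain, selector, path = parse_key_entry(value)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # Verifiers look up the TXT record <selector>._domainkey.<domain>; naming the
        # key after that record (this script's convention) makes a mismatch visible here.
        expected = f"{selector}._domainkey.{domain}"
        if "._domainkey." in keyname and keyname != expected:
            problems.append(f"key {keyname!r} would be published as {expected!r}: selector/domain mismatch")
        if check_files:
            problems.extend(check_key_file(path))
    return problems


# Constructed sample tables, consistent with the post's two example domains.
SAMPLE_KEYTABLE = """\
# keyname                   signingdomain:selector:keyfile
auth._domainkey.host1.com   host1.com:auth:/etc/opendkim/keys/host1.com/auth.private
auth._domainkey.host2.com   host2.com:auth:/etc/opendkim/keys/host2.com/auth.private
"""
SAMPLE_SIGNINGTABLE = """\
host1.com   auth._domainkey.host1.com
host2.com   auth._domainkey.host2.com
"""
# Constructed: the key name is abbreviated and does not exist in the KeyTable.
BROKEN_SIGNINGTABLE = "host1.com   auth._domainkey.host1\n"


def demo_with_files() -> List[str]:
    """Build throwaway key files (constructed), one with loose permissions, and run the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.private")
        bad = os.path.join(tmp, "bad.private")
        for path, mode in ((good, 0o640), (bad, 0o644)):
            with open(path, "w") as fh:
                fh.write("-----BEGIN RSA PRIVATE KEY-----\n(placeholder, not a real key)\n")
            os.chmod(path, mode)
        keytable = (f"auth._domainkey.host1.com host1.com:auth:{good}\n"
                    f"auth._domainkey.host2.com host2.com:auth:{bad}\n")
        signingtable = "host1.com auth._domainkey.host1.com\nhost2.com auth._domainkey.host2.com\n"
        return check_tables(keytable, signingtable)


if __name__ == "__main__":
    for problem in demo_with_files():
        print(problem)
```

Run it against the real files with `check_tables(open("/etc/opendkim/KeyTable").read(), open("/etc/opendkim/SigningTable").read())` as root (the key files are not readable by other users, which is the point) and fix anything it lists before restarting the daemon.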

Check DKIM

Since Gmail (and Yahoo) verify DKIM signatures, you can just send an email from this server to any Gmail account, keeping an eye on /var/log/mail.log meanwhile:

# mail -s "dkim test" your_address@gmail.com
Cc: 
Just a test.

Then open the email in Gmail, show the original message, and you should see the DKIM-Signature header and that the recipient MTA verified it (dkim=pass):

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of root@host1 designates XX.XX.XX.XX as permitted sender) smtp.mail=root@host1.com;
       dkim=pass header.i=@host1.com
...
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=host1.com;
 s=default; t=1362751620;
 bh=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=;
 h=Subject:To:Date:From;
 b=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
          YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=

You may also want to make sure that DKIM signatures are added when you send a message from a remote host using SMTP: unless OpenDKIM otherwise recognises the connection as internal, a remote client that is not listed in InternalHosts (the TrustedHosts file above) is treated as external, and its mail is verified rather than signed.
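The headers above can be checked mechanically instead of by eye, which is useful when testing from several domains or remote hosts. The following is an added example, not from the original post: it unfolds a constructed header block shaped like the Gmail "show original" output (placeholder addresses, IP address and signature values), reads the dkim= verdict from Authentication-Results, parses the DKIM-Signature tags, and reports whether the signature passed, whether d= aligns with the From: domain, whether From: is among the signed headers, and whether the weak rsa-sha1 algorithm was used.

```python
import re
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed header block modelled on Gmail's "show original" view;
# the addresses, IP address and signature values are placeholders.
SAMPLE_HEADERS = """\
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of root@host1.com designates 192.0.2.10 as permitted sender) smtp.mail=root@host1.com;
       dkim=pass header.i=@host1.com
From: root@host1.com
To: your_address@gmail.com
Subject: dkim test
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=host1.com;
 s=default; t=1362751620;
 bh=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=;
 h=Subject:To:Date:From;
 b=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
          YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=
"""

# Constructed: a valid signature from some other domain passes DKIM but does
# not vouch for the From: domain, which is the alignment DMARC checks for.
MISALIGNED_HEADERS = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@bulk-sender.example
From: Someone <root@host1.com>
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=bulk-sender.example;
 s=k1; h=Subject:To:Date; bh=AAAA=; b=BBBB=
"""


def unfold_headers(text: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines (leading whitespace) onto their header."""
    headers: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_tags(value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        key, val = item.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", val)  # folded b=/bh= carry whitespace
    return tags


def dkim_verdict(auth_results: str) -> Tuple[str, str]:
    """Return (result, domain) from the dkim= clause of Authentication-Results."""
    m = re.search(r"\bdkim=(\w+)(?:[^;]*?\bheader\.i=([^\s;]+))?", auth_results)
    if not m:
        return ("none", "")
    ident = m.group(2) or ""
    return (m.group(1).lower(), ident.rsplit("@", 1)[-1].lower())


def assess(raw_headers: str) -> Dict[str, object]:
    """Summarise what the receiving MTA's verdict and the signature tell a defender."""
    headers = {name.lower(): value for name, value in unfold_headers(raw_headers)}
    verdict, _ = dkim_verdict(headers.get("authentication-results", ""))
    sig = parse_tags(headers.get("dkim-signature", ""))
    from_domain = parseaddr(headers.get("from", ""))[1].rsplit("@", 1)[-1].lower()
    signing_domain = sig.get("d", "").lower()
    signed_fields = [h.lower() for h in sig.get("h", "").split(":") if h]
    return {
        "dkim_result": verdict,
        "signing_domain": signing_domain,
        "from_domain": from_domain,
        "aligned": bool(signing_domain) and signing_domain == from_domain,
        "from_signed": "from" in signed_fields,      # RFC 6376 requires From: to be signed
        "weak_algorithm": sig.get("a", "").lower() == "rsa-sha1",
        "selector": sig.get("s", ""),
    }


if __name__ == "__main__":
    for label, block in (("sample", SAMPLE_HEADERS), ("misaligned", MISALIGNED_HEADERS)):
        print(label, assess(block))
```

Paste the header block of a received test message into `assess()`; a result with `dkim_result` of pass but `aligned` False means the message was signed, just not by the domain in From:, which is what you would see if a relay signed with its own key instead of the one in the KeyTable.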
