tested on netbsd and slackware
this one pissed me off because of unix permissions on the unix socket (one could also discard DKIM and only rely on SPF). It was finally solved using umask 0007 and adding opendkim to the postfix group (not the other way around, i.e. not adding postfix to the opendkim group).
See dkim-install.
the selector can be anything, it is just a marker, e.g. use month/year to remind yourself how old the key pair will become (and eventually renew it once a year or so)
MONTHYEAR=`date +%b%Y | tr A-Z a-z`
mkdir -p ~/certs/dkim/
cd ~/certs/dkim/
opendkim-genkey -h
opendkim-genkey --selector=$MONTHYEAR --domain=nethence.com
ls -lF $MONTHYEAR.private $MONTHYEAR.txt
cat $MONTHYEAR.txt
add this record to your zone and check
host -t txt $MONTHYEAR._domainkey.nethence.com
note the UID vs GID difference here
#vi /usr/pkg/etc/opendkim.conf
vi /etc/opendkim.conf

Domain nethence.com
KeyFile /root/certs/dkim/MONTHYEAR.private
Selector MONTHYEAR
Socket local:/var/opendkim/dkim-socket
Syslog Yes
UMask 0007
UserID opendkim:postfix
PidFile /var/opendkim/opendkim.pid
Mode sv
#SignatureAlgorithm rsa-sha256
SignatureAlgorithm rsa-sha1
AllowSHA1Only Yes
fix the folder permissions so the socket gets shared AND BECOMES WRITABLE BY POSTFIX
usermod -aG postfix opendkim

#exists on Slackware after install from source
#mkdir /var/opendkim/

#netbsd
#/var/db/opendkim/

chmod 770 /var/opendkim/
chown -R opendkim:postfix /var/opendkim/
make sure the user and group exist
ls -lhF /usr/local/sbin/opendkim
opendkim -V
ls -alF /var/opendkim/
grep postfix /etc/group
grep dkim /etc/group
grep dkim /etc/passwd
start & enable
vi /etc/rc.local

echo -n opendkim...
/usr/local/sbin/opendkim -x /etc/opendkim.conf && echo done || echo FAIL
#-P -l -u
status
ps auxww | grep dkim
cat /var/opendkim/opendkim.pid
#ls -alF /var/db/opendkim/
ls -alF /var/opendkim/
stop
pkill opendkim
See the DKIM section from the Postfix guide.
Now send a mail from an MUA. For some reason, it does not even try to DKIM-sign here when the mail is sent locally.
#date | mail -s `uname -n` root
then watch the logs and look for the DKIM-Signature header in the resulting message's source.
TODO - try to check if wrongly signed incoming messages are refused
#39 Impossible to install OpenDkim : milter not found https://sourceforge.net/p/opendkim/support-requests/39/?limit=25
#9 ./configure --without-milter --disable-filter doesn't work https://sourceforge.net/p/opendkim/bugs/9/
OpenSSL missing during ./configure. How to fix? https://superuser.com/questions/371901/openssl-missing-during-configure-how-to-fix
ld: /usr/local/ssl/lib/libcrypto.a(ecp_mont.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC ...
==> --disable-shared
postfix/cleanup[15894]: warning: connect to Milter service unix:/var/opendkim/dkim-socket: Permission denied
==> several issues need to be considered but in short, postfix needs write access to the socket
Postfix - Opendkim - Unable to connect to local socket https://serverfault.com/questions/724584/postfix-opendkim-unable-to-connect-to-local-socket
postfix/smtpd: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendki
oh and the other way around, when opendkim got added to the postfix group
postfix/sasl/smtpd[1809]: warning: connect to Milter service unix:/var/opendkim/dkim-socket: Permission denied
==> 770 / 660
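To make the Permission denied / No such file or directory errors above predictable, here is an added model (not from these notes, nor OpenDKIM or Postfix code) of the checks the kernel applies when postfix connects to the milter socket: search permission on every directory component, then write permission on the socket inode, whose mode comes from the OpenDKIM UMask and whose group comes from the process gid set by UserID. All uids, gids and modes are constructed to mirror UMask 0007, UserID opendkim:postfix and chmod 770 /var/opendkim/.

```python
"""Model of the unix permission checks behind 'connect to Milter service
... Permission denied'.  Added example; uids, gids and modes are constructed
to mirror UMask 0007, UserID opendkim:postfix, chmod 770 /var/opendkim/."""
import stat
from dataclasses import dataclass

# constructed ids; only equality between them matters for the model
OPENDKIM_UID, OPENDKIM_GID, POSTFIX_UID, POSTFIX_GID = 1001, 1001, 1002, 1002


@dataclass(frozen=True)
class Inode:
    path: str
    mode: int  # permission bits only, e.g. 0o770
    uid: int
    gid: int


def socket_mode_from_umask(umask):
    """bind() creates a unix socket file as 0777 & ~umask (Linux, NetBSD)."""
    return 0o777 & ~umask


def has_perm(user_uid, user_gids, inode, bit):
    """Owner/group/other check; bit is one of stat.S_IROTH/S_IWOTH/S_IXOTH."""
    if user_uid == inode.uid:
        return bool(inode.mode & (bit << 6))
    if inode.gid in user_gids:
        return bool(inode.mode & (bit << 3))
    return bool(inode.mode & bit)


def connect_unix_socket(user_uid, user_gids, dirs, sock):
    """'OK' or the errno name connect() fails with: search (x) on every
    directory component, then write (w) on the socket inode itself."""
    for d in dirs:
        if not has_perm(user_uid, user_gids, d, stat.S_IXOTH):
            return "EACCES"  # postfix logs 'Permission denied'
    if sock is None:
        return "ENOENT"  # 'No such file or directory'
    if not has_perm(user_uid, user_gids, sock, stat.S_IWOTH):
        return "EACCES"
    return "OK"


def postfix_can_connect(dir_mode, umask, socket_gid):
    """Postfix (member of group postfix only) connecting to the socket created
    by the opendkim process; the process gid becomes the socket's group."""
    dirs = [Inode("/var", 0o755, 0, 0),
            Inode("/var/opendkim", dir_mode, OPENDKIM_UID, POSTFIX_GID)]
    sock = Inode("/var/opendkim/dkim-socket",
                 socket_mode_from_umask(umask), OPENDKIM_UID, socket_gid)
    return connect_unix_socket(POSTFIX_UID, {POSTFIX_GID}, dirs, sock)
```

postfix_can_connect(0o770, 0o007, POSTFIX_GID) is the working setup; a default umask of 0022, a 0700 directory, or a socket left in the opendkim group each reproduce EACCES.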
dkim-milter https://sourceforge.net/projects/dkim-milter/
DomainKeys Identified Mail (DKIM) http://dkim.org/
OpenDKIM http://opendkim.org/
DKIM http://silas.net.br/tech/apps/netbsd-mailserver.html#dkim
Postfix before-queue Milter support http://www.postfix.org/MILTER_README.html
Postfix Configuration Parameters http://www.postfix.org/postconf.5.html
Configure DomainKeys (OpenDKIM) with Postfix on CentOS 7 https://www.linuxtechi.com/configure-domainkeys-with-postfix-on-centos-7/
Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM - Page 2 https://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim-p2#-testing-your-setup
Configure SPF and DKIM With Postfix on Debian 8 https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
Part 4: How to Set up SPF and DKIM with Postfix on Ubuntu Server https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
5 common mistakes to avoid when deploying DMARC https://www.dmarcanalyzer.com/common-mistakes-deploying-dmarc/
https://securityintelligence.com/understanding-the-spf-and-dkim-spam-filtering-mechanisms/
Chapter 56 - Support for DKIM (DomainKeys Identified Mail) http://exim.org/exim-html-4.85/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html
Mail-DKIM and DKIMproxy http://dkimproxy.sourceforge.net/