dkim-install | dkim | dkim-source
This one is not trivial at all. We faced two major problems to set it up:
==> the solution is simply to avoid the chroot socket file hell and use network socket instead
see dkim-install
the selector can be anything, it is just a marker e.g. use month/year to remind yourself how old the key pair will become (and eventually renew it once a year or so)
domain=DOMAIN.TLD MONTHYEAR=`date +%b%Y | tr A-Z a-z` echo $MONTHYEAR # debian defaults mkdir -p /etc/dkimkeys/ chmod 700 /etc/dkimkeys/ cd /etc/dkimkeys/ opendkim-genkey -h opendkim-genkey --selector=$MONTHYEAR --domain=$domain chown opendkim. $MONTHYEAR.* chmod 400 $MONTHYEAR.*
add the DKIM text record to your zone
cat $MONTHYEAR.txt
and check
host -t txt $MONTHYEAR._domainkey.$domain
ls -lF /usr/share/dns/root.key cd /etc/ #cd /usr/pkg/etc/ mv -i opendkim.conf opendkim.conf.dist grep -vE '^[[:space:]]*#|^[[:space:]]*$' /etc/opendkim.conf.dist > /etc/opendkim.conf.clean grep -vE '^[[:space:]]*#|^[[:space:]]*$' /etc/opendkim.conf.dist > /etc/opendkim.conf vi /etc/opendkim.conf
https://pub.nethence.com/system/ansible/playbooks/postfix/opendkim.conf
more options
#SignatureAlgorithm rsa-sha256 #SignatureAlgorithm rsa-sha1 #AllowSHA1Only Yes
the default action here is “let the mail pass through” in case “application is unavailable or mis-configured”
vi /etc/postfix/main.cf
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to DKIM
systemctl restart opendkim systemctl status opendkim systemctl restart postfix systemctl status postfix
/etc/rc.d/milter-opendkim restart
start & enable
vi /etc/rc.local echo -n opendkim... rm -f /run/opendkim/opendkim.pid /usr/local/sbin/opendkim -x /etc/opendkim.conf && echo done || echo FAIL # -P -l -u
status
pgrep -a opendkim ps auxww | grep opendkim cat /run/opendkim/opendkim.pid
stop
pkill opendkim
eventually enable that as a weekly cron job
opendkim-stats /run/opendkim/stats
now send a mail from an SASL-capable MUA.
then watch the logs and look for DKIM-Signature header in the resulting message’s source.
you can also send a message to dkim validator
TODO - check that wrongly signed incoming messages are refused
warning: connect to Milter service unix:/run/opendkim/opendkim.sock: No such file or directory
==> postfix chroot goes /var/spool/postfix/, use network socket instead
dkim-milter https://sourceforge.net/projects/dkim-milter/
DomainKeys Identified Mail (DKIM) http://dkim.org/
OpenDKIM http://opendkim.org/
DKIM http://silas.net.br/tech/apps/netbsd-mailserver.html#dkim
Postfix before-queue Milter support http://www.postfix.org/MILTER_README.html
Postfix Configuration Parameters http://www.postfix.org/postconf.5.html
Configure DomainKeys (OpenDKIM) with Postfix on CentOS 7 https://www.linuxtechi.com/configure-domainkeys-with-postfix-on-centos-7/
Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM - Page 2 https://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim-p2#-testing-your-setup
Configure SPF and DKIM With Postfix on Debian 8 https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
Part 4: How to Set up SPF and DKIM with Postfix on Ubuntu Server https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
5 common mistakes to avoid when deploying DMARC https://www.dmarcanalyzer.com/common-mistakes-deploying-dmarc/
Understanding the SPF and DKIM Spam Filtering Mechanisms https://securityintelligence.com/understanding-the-spf-and-dkim-spam-filtering-mechanisms/
opendkim https://wiki.debian.org/opendkim
Postfix before-queue Milter support http://postfix.cs.utah.edu/MILTER_README.html –> warning about header_checks(5)
Postfix header_check cause dkim fail. https://takahisa.info/2020/09/10/postfix-header_check-cause-dkim-fail/
DKIM signing emails using Postfix with removed headers https://stackoverflow.com/questions/20151999/dkim-signing-emails-using-postfix-with-removed-headers
opendkim-stats - output opendkim statistics http://www.huge-man-linux.net/man8/opendkim-stats.html
Chapter 56 - Support for DKIM (DomainKeys Identified Mail) http://exim.org/exim-html-4.85/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html
Mail-DKIM and DKIMproxy http://dkimproxy.sourceforge.net/