Setting up an outbound DKIM provider

tested on netbsd-8,9

this one pissed me off because of unix permissions on the unix socket — one could also discard DKIM and only rely on SPF — it was finally solved using UMask 0007 and adding postfix to the opendkim group

Install

install opendkim from pkgsrc, or build it from source against the pkgsrc libmilter as follows

pkg_info | grep dkim
pkg_info | grep libmilter
/usr/libexec/locate.updatedb
locate libmilter.h
locate libmilter.a

./configure --with-openssl=/usr/local/ssl --with-milter=/usr/pkg --disable-shared

make clean
make -j8 > ../opendkim.log && echo BUILT
make install

ls -lF /usr/bin/perl #noexist?
ln -s /usr/pkg/bin/perl /usr/bin/perl

Da key pair

the selector can be anything: it is just a label that names the key in DNS (selector._domainkey.domain). Using month/year reminds you how old the key pair is, so you can renew it once a year or so.

MONTHYEAR=`date +%b%Y | tr A-Z a-z`
mkdir -p ~/certs/dkim/
cd ~/certs/dkim/
opendkim-genkey -h
opendkim-genkey --selector=$MONTHYEAR --domain=nethence.com
ls -lF $MONTHYEAR.private $MONTHYEAR.txt
cat $MONTHYEAR.txt

Da DNS record

add the record printed in $MONTHYEAR.txt to your zone, then check that it resolves

host -t txt oct2019._domainkey.nethence.com
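The host query above shows that the record resolves, not that it carries the right key. Added here as a check that is not part of the original notes: POSIX sh functions that join the quoted strings of a TXT record (as printed by host, or as written by opendkim-genkey into $MONTHYEAR.txt), pull out the v=, k= and p= tags, and compare p= with the public key derived from the selector's private file. They assume openssl(1) and, for the live lookup, host(1) are on the path; the record values used in comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that the p= tag of a
# DKIM TXT record matches the private key opendkim will sign with. Needs
# openssl(1); dkim_check_dns additionally needs host(1) and working DNS.

# dkim_record_join: read a TXT record on stdin, as printed by host(1)/dig(1)
# or as written by opendkim-genkey in SELECTOR.txt, and print the quoted
# strings joined into one. DNS splits anything over 255 bytes into several
# strings, and a 2048-bit key always exceeds that.
dkim_record_join() {
    rec=$(tr -d '\n')
    case $rec in
        *\"*) printf '%s\n' "$rec" | sed 's/[^"]*$//; s/[^"]*"\([^"]*\)"/\1/g' ;;
        *)    printf '%s\n' "$rec" ;;          # already a bare tag list
    esac
}

# dkim_tag RECORD TAG: print the value of TAG (v, k, p, ...) without whitespace
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2=//p" | tr -d '[:space:]'
}

# dkim_pubkey_from_private KEYFILE: base64 of the DER SubjectPublicKeyInfo,
# which is what opendkim-genkey writes after p=
dkim_pubkey_from_private() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# dkim_check_record KEYFILE RECORD: 0 when RECORD is a sane rsa DKIM record
# whose p= is the public half of KEYFILE, 1 otherwise (reasons on stderr)
dkim_check_record() {
    keyfile=$1 rec=$2 ok=0
    v=$(dkim_tag "$rec" v)
    k=$(dkim_tag "$rec" k)
    p=$(dkim_tag "$rec" p)
    # v= and k= are optional (RFC 6376) but must be DKIM1 / rsa when present
    if [ -n "$v" ] && [ "$v" != DKIM1 ]; then echo "bad v= tag: $v" >&2; ok=1; fi
    if [ -n "$k" ] && [ "$k" != rsa ]; then echo "unexpected k= tag: $k" >&2; ok=1; fi
    if [ -z "$p" ]; then echo "empty p= tag: key revoked or record mangled" >&2; return 1; fi
    expected=$(dkim_pubkey_from_private "$keyfile")
    [ -n "$expected" ] || { echo "cannot read $keyfile" >&2; return 1; }
    if [ "$p" != "$expected" ]; then echo "p= in DNS does not match $keyfile" >&2; ok=1; fi
    return $ok
}

# dkim_check_dns KEYFILE SELECTOR DOMAIN: fetch SELECTOR._domainkey.DOMAIN and
# check it against KEYFILE, e.g. dkim_check_dns oct2019.private oct2019 nethence.com
dkim_check_dns() {
    rec=$(host -t txt "$2._domainkey.$3" | dkim_record_join)
    dkim_check_record "$1" "$rec"
}
```

Source the file and run dkim_check_dns ~/certs/dkim/$MONTHYEAR.private $MONTHYEAR nethence.com once the zone has propagated; a non-zero exit with "does not match" usually means the wrong .txt was pasted or a zone editor mangled the split strings.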

Setup

now proceed with the daemon’s configuration

#ls -lF /usr/pkg/etc/opendkim.conf
ls -lF /etc/opendkim.conf #noexist
cat > /etc/opendkim.conf <<EOF9
Domain                  nethence.com
KeyFile                 /root/certs/dkim/$MONTHYEAR.private
Selector                $MONTHYEAR
Socket                  local:/var/opendkim/dkim-socket
Syslog                  Yes
UMask                   0007
UserID                  opendkim:opendkim
PidFile                 /var/opendkim/opendkim.pid
EOF9
vi /etc/opendkim.conf

make sure the user and group exist (netbsd example)

/etc/passwd
opendkim:*:<UID>:<GID>:opendkim user:/nonexistent:/sbin/nologin

/etc/group
opendkim:*:<GID>:postfix

fix the folder permissions so the socket can be shared: with UMask 0007 the socket is created mode 0660, owned by opendkim:opendkim, so the postfix membership in the opendkim group above is what lets Postfix connect

mkdir -p /var/opendkim/
chown opendkim:opendkim /var/opendkim/
chmod 750 /var/opendkim/

Ready to go

start & enable

vi /etc/rc.local

echo DKIM...
/usr/local/sbin/opendkim -x /etc/opendkim.conf && echo done
#-P -l -u

status

ps auxww | grep dkim
cat /var/opendkim/opendkim.pid
#ls -alF /var/db/opendkim/
ls -alF /var/opendkim/
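The ls output above has to be read by hand. Added here as a check that is not part of the original notes: a POSIX sh script that answers the actual question, whether a given user (postfix) could connect() to the milter socket, judging from the permission bits alone. connect() on a unix socket needs search (x) on every directory of the path and write (w) on the socket inode, which is what the UMask 0007 and group fix above provide. It assumes only ls -ld and id -Gn; the socket path and user names are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original notes): decide from the permission bits
# alone whether USER could connect() to a milter unix socket. connect() on a
# unix socket needs search (x) on every directory of the path and write (w)
# on the socket inode itself, which is exactly what UMask 0007 plus the
# postfix membership in the opendkim group are meant to provide.

# class_bits MODESTRING OWNER GROUP USER: print the rwx triplet that applies
# to USER. Unix picks one class only: owner if USER owns the file, else group
# if USER is in the file's group, else other.
class_bits() {
    mode=$1 owner=$2 group=$3 user=$4
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        printf '%s\n' "$mode" | cut -c5-7
    else
        printf '%s\n' "$mode" | cut -c8-10
    fi
}

# has_exec TRIPLET / has_write TRIPLET: 0 when the bit is set (lowercase s/t
# mean the exec bit is set alongside setgid/setuid/sticky)
has_exec()  { case $1 in *[xst]*) return 0 ;; esac; return 1; }
has_write() { case $1 in *w*)     return 0 ;; esac; return 1; }

# mode_of PATH: print "MODE OWNER GROUP" from ls -ld, dropping a trailing
# ACL/SELinux marker (+, @ or .) from the mode string
mode_of() {
    set -- $(ls -ld "$1")
    printf '%s %s %s\n' "${1%[+@.]}" "$3" "$4"
}

# milter_socket_ok SOCKETPATH USER: 0 if USER could connect, 1 otherwise,
# naming the first blocking directory or the socket itself on stderr
milter_socket_ok() {
    sock=$1 user=$2
    [ -e "$sock" ] || { echo "no such socket: $sock" >&2; return 1; }
    dir=$(dirname "$sock")
    while :; do                       # walk from the socket's directory up to /
        set -- $(mode_of "$dir")
        has_exec "$(class_bits "$1" "$2" "$3" "$user")" ||
            { echo "$user cannot search $dir ($1 $2:$3)" >&2; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    set -- $(mode_of "$sock")
    has_write "$(class_bits "$1" "$2" "$3" "$user")" ||
        { echo "$user cannot write $sock ($1 $2:$3)" >&2; return 1; }
    return 0
}

# usage: sh milter_socket_ok.sh /var/opendkim/dkim-socket postfix
if [ "$#" -eq 2 ]; then milter_socket_ok "$1" "$2"; fi
```

Run it as root after starting the daemon; it reports the exact directory or the socket that blocks the postfix user, which is quicker than reading the "Permission denied" line out of the mail log.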

stop

pkill opendkim

Postfix // DKIM

then point Postfix at the unix socket. milter_default_action = accept means mail passes through (unsigned) if the milter is unavailable or mis-configured; keep an eye on the logs, since a silently dead opendkim then shows up only as missing signatures

vi /etc/postfix/main.cf

#default:6
#milter_protocol = 2
milter_default_action = accept
smtpd_milters = unix:/var/opendkim/dkim-socket
non_smtpd_milters = unix:/var/opendkim/dkim-socket

postfix reload

or, if you have only just added postfix to the opendkim group, a reload may not be enough and a full restart is needed

postfix stop
postfix start

Acceptance

outgoing

Now send a mail either locally or using an MUA

date | mail -s `uname -n` root

then watch the logs (any permission error on the socket shows up there) and look for the DKIM-Signature header in the resulting message's source, e.g.

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nethence.com;
    s=oct2019; t=1583039197;
    bh=AVRY7E9KdnjcrwF6YqrgkKhDkTPG19hIFcIuosV8lgU=;
    h=To:From:Subject:Date;
    b=WtG7k4AxN/4Bq4YTP4iY0QDc7GA5VvuyORbZHhSa5ajJbEWd1xxdLT91in20xiTWv
     vpyzheTocQz54zdiFQNhJhKVHNp39dhgBFs/qT3H4xbqz/CF0TT9FUgQyhs6E9UDGp
     K72vkzRMT3o7JzKth0V8xmy8wzkL2hWjMeuNPOLg=

incoming

…try to check if wrongly signed incoming messages are refused? (TODO)

Troubleshooting

compile-time issues

#39 Impossible to install OpenDkim : milter not found https://sourceforge.net/p/opendkim/support-requests/39/?limit=25

#9 ./configure --without-milter --disable-filter doesn't work https://sourceforge.net/p/opendkim/bugs/9/

OpenSSL missing during ./configure. How to fix? https://superuser.com/questions/371901/openssl-missing-during-configure-how-to-fix

shared object

ld: /usr/local/ssl/lib/libcrypto.a(ecp_mont.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
...

==> --disable-shared

unix socket perms

postfix/cleanup[15894]: warning: connect to Milter service unix:/var/opendkim/dkim-socket: Permission denied

==> several things can be wrong here, but in short the postfix user needs write access to the socket (and search access to its directory)

Postfix - Opendkim - Unable to connect to local socket https://serverfault.com/questions/724584/postfix-opendkim-unable-to-connect-to-local-socket

postfix/smtpd: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendki

Resources

dkim-milter https://sourceforge.net/projects/dkim-milter/

DomainKeys Identified Mail (DKIM) http://dkim.org/

OpenDKIM http://opendkim.org/

INSTALLING OPENDKIM http://www.opendkim.org/INSTALL http://opendkim.org/INSTALL

DKIM http://silas.net.br/tech/apps/netbsd-mailserver.html#dkim

Postfix before-queue Milter support http://www.postfix.org/MILTER_README.html

Postfix Configuration Parameters http://www.postfix.org/postconf.5.html

Configure DomainKeys (OpenDKIM) with Postfix on CentOS 7 https://www.linuxtechi.com/configure-domainkeys-with-postfix-on-centos-7/

Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM - Page 2 https://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim-p2#-testing-your-setup

Configure SPF and DKIM With Postfix on Debian 8 https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/

Part 4: How to Set up SPF and DKIM with Postfix on Ubuntu Server https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf

