This one is not trivial at all. We faced two major problems setting it up:
==> the solution is simply to avoid the chroot socket file hell and use a network socket instead
see dkim-install
the selector
can be anything, it is just a marker, e.g. use month/year to remind yourself how old the key pair is (and possibly renew it once a year or so)
domain=DOMAIN.TLD
MONTHYEAR=`date +%b%Y | tr A-Z a-z`
echo $MONTHYEAR
# debian defaults
mkdir -p /etc/dkimkeys/
chmod 700 /etc/dkimkeys/
cd /etc/dkimkeys/
opendkim-genkey -h
opendkim-genkey --selector=$MONTHYEAR --domain=$domain
chown opendkim. $MONTHYEAR.*
chmod 400 $MONTHYEAR.*
add the DKIM text record to your zone
cat $MONTHYEAR.txt
and check
host -t txt $MONTHYEAR._domainkey.$domain
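Added example, not part of these notes: a small Python checker that joins the quoted chunks of the record (both the $MONTHYEAR.txt file written by opendkim-genkey and the host(1) answer split it into several strings), verifies the published tags, and derives the key age from a selector named with the month/year convention above. The selector, domain and key material are constructed samples.

```python
import base64
import re
from datetime import date, datetime

# Constructed samples (dummy key, not a real RSA key): the <selector>.txt file written by
# opendkim-genkey, and what `host -t txt jan2024._domainkey.example.com` prints afterwards.
GENKEY_TXT = ('jan2024._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
              '\t  "p=dGhpcyBpcyBhIGR1"\n'
              '\t  "bW15IGtleQ==" )  ; ----- DKIM key jan2024 for example.com\n')
HOST_OUTPUT = ('jan2024._domainkey.example.com descriptive text '
               '"v=DKIM1; h=sha256; k=rsa; " "p=dGhpcyBpcyBhIGR1" "bW15IGtleQ=="\n')

def record_from_quoted_strings(text: str) -> str:
    """Join the quoted chunks of a TXT record (zone-file or host(1) form) into one string."""
    return "".join(re.findall(r'"([^"]*)"', text))

def parse_tags(record: str) -> dict:
    """Split a DKIM key record into its tag=value pairs (RFC 6376 tag-list syntax)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def check_record(record: str) -> list:
    """Return the problems found in a published key record; an empty list means it looks sane."""
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":  # v is optional, but must be DKIM1 when present
        problems.append("v tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type " + tags["k"])
    if not tags.get("p"):
        problems.append("p tag missing or empty (an empty p means the key is revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append("p tag is not valid base64")
    return problems

def selector_age_days(selector: str, today_iso: str) -> int:
    """Days since key creation for a selector named as above (`date +%b%Y | tr A-Z a-z`)."""
    created = datetime.strptime(selector, "%b%Y").date()
    return (date.fromisoformat(today_iso) - created).days
```

Compare record_from_quoted_strings() of the genkey file with that of the host output to confirm DNS serves exactly what was generated, and treat a selector_age_days() above 365 as the yearly renewal reminder.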
ls -lF /usr/share/dns/root.key
cd /etc/
#cd /usr/pkg/etc/
mv -i opendkim.conf opendkim.conf.dist
grep -vE '^[[:space:]]*#|^[[:space:]]*$' /etc/opendkim.conf.dist > /etc/opendkim.conf.clean
grep -vE '^[[:space:]]*#|^[[:space:]]*$' /etc/opendkim.conf.dist > /etc/opendkim.conf
echo $domain
echo $MONTHYEAR
cat > /etc/opendkim.conf <<EOF
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
OversignHeaders From
UserID opendkim
UMask 007
TrustAnchorFile /usr/share/dns/root.key
#Socket local:/var/spool/postfix/run//opendkim/opendkim.sock
#Socket local:/run//opendkim/opendkim.sock
Socket inet:8891@[127.0.0.1]
PidFile /run/opendkim/opendkim.pid
Mode sv
Domain $domain
KeyFile /etc/dkimkeys/$MONTHYEAR.private
Selector $MONTHYEAR
Statistics /run/opendkim/stats
EOF
more options
#SignatureAlgorithm rsa-sha256
#SignatureAlgorithm rsa-sha1
#AllowSHA1Only Yes
the Postfix default here is “let the mail pass through” when the milter “application is unavailable or mis-configured”; the settings below switch that to tempfail
vi /etc/postfix/main.cf
## DKIM
milter_default_action = tempfail
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
systemctl restart opendkim
systemctl status opendkim # enabled
systemctl restart postfix
systemctl status postfix # enabled
start & enable
vi /etc/rc.local
echo -n opendkim...
rm -f /run/opendkim/opendkim.pid
/usr/local/sbin/opendkim -x /etc/opendkim.conf && echo done || echo FAIL # -P -l -u
status
pgrep -a opendkim
ps auxww | grep opendkim
cat /run/opendkim/opendkim.pid
stop
pkill opendkim
you may also want to run this as a weekly cron job
opendkim-stats /run/opendkim/stats
now send a mail from an SASL-capable MUA.
then watch the logs and look for the DKIM-Signature header in the resulting message’s source.
you can also send a message to a DKIM validator service
TODO - check that wrongly signed incoming messages are refused
warning: connect to Milter service unix:/run/opendkim/opendkim.sock: No such file or directory
==> Postfix is chrooted into /var/spool/postfix/, so that socket path is not visible to it; use a network socket instead
dkim-milter https://sourceforge.net/projects/dkim-milter/
DomainKeys Identified Mail (DKIM) http://dkim.org/
OpenDKIM http://opendkim.org/
DKIM http://silas.net.br/tech/apps/netbsd-mailserver.html#dkim
Postfix before-queue Milter support http://www.postfix.org/MILTER_README.html
Postfix Configuration Parameters http://www.postfix.org/postconf.5.html
Configure DomainKeys (OpenDKIM) with Postfix on CentOS 7 https://www.linuxtechi.com/configure-domainkeys-with-postfix-on-centos-7/
Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM - Page 2 https://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim-p2#-testing-your-setup
Configure SPF and DKIM With Postfix on Debian 8 https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
Part 4: How to Set up SPF and DKIM with Postfix on Ubuntu Server https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
5 common mistakes to avoid when deploying DMARC https://www.dmarcanalyzer.com/common-mistakes-deploying-dmarc/
Understanding the SPF and DKIM Spam Filtering Mechanisms https://securityintelligence.com/understanding-the-spf-and-dkim-spam-filtering-mechanisms/
opendkim https://wiki.debian.org/opendkim
Postfix before-queue Milter support http://postfix.cs.utah.edu/MILTER_README.html -> warning about header_checks(5)
Postfix header_check cause dkim fail. https://takahisa.info/2020/09/10/postfix-header_check-cause-dkim-fail/
DKIM signing emails using Postfix with removed headers https://stackoverflow.com/questions/20151999/dkim-signing-emails-using-postfix-with-removed-headers
opendkim-stats - output opendkim statistics http://www.huge-man-linux.net/man8/opendkim-stats.html
Chapter 56 - Support for DKIM (DomainKeys Identified Mail) http://exim.org/exim-html-4.85/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html
Mail-DKIM and DKIMproxy http://dkimproxy.sourceforge.net/