How to configure OpenDKIM with Postfix

-
article1

In this HowTo, you will find out how we configured OpenDKIM and Postfix(3.1.0) to sign our @postfix.io emails with DKIM. I will not talk about what is DKIM and settings like hash algorithms, DKIM Identity, Selectors etc.

Install OpenDKIM and tools.

apt-get install opendkim opendkim-tools

Add the following settings to /etc/opendkim.conf after “UserID” directive.

Map AuthorDomains to RSA keys.KeyTable /etc/dkimkeys/rsakeys.tableSigningTable refile:/etc/dkimkeys/signingdomains.table# "simple" recommended by DKIMCoreCanonicalization simpleMode svSubDomains noAutoRestart yesAutoRestartRate 10/1MBackground yesDNSTimeout 5SignatureAlgorithm rsa-sha256OversignHeaders From

Generate RSA key for @postfix.io

cd /etc/dkimkeys/opendkim-genkey --bits=1024 --selector=key1 --domain=postfix.io --append-domain

It will create two files. “key1.private” which is for server side and “key1.txt” which contain the following DNS record that needs to be created in @postfix.io zone. You can lookup my existing record with _dig key1.domainkey.postfix.io TXT +short

key1._domainkey.postfix.io. IN TXT ( "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVgaYb2qaO92yF1DuoSIWybPgiwQ3dfjN1XhzstnEqfi/GroqtN87BrjEr9BGTTiisocbMZOtfErgfCSq+sCjHohEySdngfnxPUqLYqco+Xe3RlESYngKFU9YUUKXE9OcT3dt3v921h1pZ9BJwQ2RyJ+xANYR5DivfRT2gPCdIWwIDAQAB" )  ; ----- DKIM key key1 for postfix.iomv key1.private key1.postfix.io.rsa

Add RSAkey reference to KeyTable file in /etc/dkimkeys/rsakeys.table

postfixdkim postfix.io:key1:/etc/dkimkeys/key1.postfix.io.rsa

Add AuthorDomain and RSAKey reference in /etc/dkimkeys/signingdomains.table

*@postfix.io postfixdkim

“*@postfix.io” says domain with any local-part should be signed with this key. “postfixdkim” is reference to RSA key in KeyTable.

Connect OpenDKIM to Postfix. Since Postfix runs in jail environment so its better to keep OpenDKIM also inside Postfix spool directory.

mkdir /var/spool/postfix/opendkim

Update opendkim.sock path to new location in /etc/default/opendkim

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Configure opendkim in /etc/postfix/main.cf

# Connect OpenDKIMmilter_default_action = acceptmilter_protocol = 6smtpd_milters = local:/opendkim/opendkim.socknon_smtpd_milters = local:/opendkim/opendkim.sock

Setup proper permissions.

chown -R opendkim:opendkim /etc/opendkim.conf /etc/dkimkeyschown opendkim:postfix /var/spool/postfix/opendkim

Restart opendkim and postfix

systemctl restart opendkim.servicesystemctl restart postfix.service

Comments

Post a Comment

Popular posts from this blog

StatusDnsQueryFailed resolving domain

-
Welcome file If you are seeing the following error in PowerMTA or Postfix logs : StatusDnsQueryFailed resolving domain It’s likely caused by 3 reasons : The requested domain does not exist. It doesn’t have neither MX nor A record. The upstream DNS provider is throttling excessive queries from your mail server. You are hitting bandwidth limits on either WAN(if the dns resolver request is going out via internet interface). As always, i highly recommend to use dedicated recursive DNS server on LAN for your mailing infrastructure or use unthrottled upstream DNS resolver.
Read more

How to include Gmail's Feedback-ID header in DKIM signature

-
article1 Feedback-ID is an additional header required by Gmail Feedback Loop to see aggregated data in Google Postmaster tools . Gmail requires it to include in DKIM-Signature. The following guide explains how it can be configured in OpenDKIM : Edit opendkim.conf vim /etc/opendkim.conf Add the following line : SignHeaders Feedback-ID Reload openkdim : systemctl reload opendkim.service Reload postfix : systemctl reload postfix.service Send a test email with swaks to gmail : swaks --from postmaster@postfix.io --to xxxx@gmail.com --h-Feedback-ID 123:asd:123 --server 127.0.0.1:25 My test mail results : Authentication-Results: mx.google.com;dkim=pass header.i=@postfix.io header.s=key1 header.b=oY1NVInb;spf=pass (google.com: domain of postmaster@postfix.io designates 45.55.57.182 as permitted sender) smtp.mailfrom=postmaster@postfix.io;dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=postfix.io Date: Sun, 12 Nov 2017 11:04:42 +0000 DKIM-Signature: v=1
Read more

How to send emails over IPv4 with Postfix

-
article1 “inet_protocols” directive is used to configure what Protocols Postfix should use to accept or make network connections. It also controls what DNS lookups Postfix will use. On Ubuntu 16.10, we found Postfix(3.1.0) was configured to use both IPv6 and IPv4. See below : inet_protocols = all (enable IPv4, and IPv6 if supported) IPv6 is always tried first and when it fails, it would try to deliver emails over IPv4. You can reconfigure it to listen on ipv4 IPs only : vim /etc/postfix/main.cf Replace “ all ” with “ ipv4 ” inet_protocols = ipv4 Restart postfix systemctl restart postfix.service
Read more