DKIM and DomainKeys with Postfix
This guide will show you how to configure Postfix to use DKIM and DomainKeys.
Notes
DomainKeys has been obsoleted by DKIM. However, I have decided to show you how to use it should you wish to. Alternatively, you can use mail-filter/opendkim instead of mail-filter/dkim-milter.
OpenDKIM
root # emerge --ask mail-filter/opendkim
root # emerge --config mail-filter/opendkim
Set the selector name to "mydkim" (without the quotes) and select "[2] 1024 bits" for your key. Your key will be created now. Copy it now and we will paste it into your Bind file later.
Edit the following file. Defaults are fine except for the following.
Edit the following and note the port in the socket configuration.
Mode s
Selector mydkim
KeyFile /etc/opendkim/mydkim.private
Now edit your bind configuration.
mydkim._domainkey.domain.tld. IN TXT "v=DKIM1; g=*; k=rsa; p=yourkeyhere;"
Now edit your postfix configuration. The following is two separate lines. Your port may be different.
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
The maximum size for all TXT records in a DNS cannot exceed 512 bytes. This means that you cannot use 1024-bit keys for both DKIM and DomainKeys. If you need to use both DKIM and DomainKeys, you will have to choose a 1024-bit key for one and a 512-bit key for the other so that they fit in the 512 bytes.
DKIM
root # emerge --ask mail-filter/dkim-milter
root # emerge --config mail-filter/dkim-milter
Set the selector name to "mydkim" (without the quotes) and select "[2] 1024 bits" for your key. Your key will be created now. Copy it now and we will paste it into your Bind file later.
Edit the following file. Defaults are fine except for the following.
Domain domain.tld
KeyFile /etc/mail/dkim-filter/mydkim.private
Selector mydkim
UMask 000
Mode s
Now edit your bind configuration.
mydkim._domainkey.domain.tld. IN TXT "v=DKIM1; g=*; k=rsa; p=yourkeyhere;"
Now edit your postfix configuration. The following is two separate lines.
smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock
non_smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock
Domainkeys
root # emerge --ask mail-filter/dk-milter
root # emerge --config mail-filter/dk-milter
Set the selector name to "mydk" (without the quotes) and select "[1] 512 bits" for your key. Your key will be created now. Copy it now and we will paste it into your Bind file later.
Edit the following file, making sure to replace domain.tld with your domain. The v option below is to verify incoming mail. You can remove it if you don't want that feature.
ADDITIONAL_OPTS="-l -b sv -d domain.tld -H -s /etc/mail/dk-filter/mydk.private -S mydk \
-C badsignature=reject,dnserror=tempfail,internal=tempfail,nosignature=accept,signaturemissing=reject"
Now edit your bind configuration. The following is two separate lines.
_domainkey.domain.tld. IN TXT "o=-"
mydk._domainkey.domain.tld. IN TXT "k=rsa; p=yourkeyhere;"
Now edit your postfix configuration. The following is two separate lines. We just append the DomainKeys to the DKIM line.
smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock, unix:/var/run/dk-filter/dk-filter.sock
non_smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock, unix:/var/run/dk-filter/dk-filter.sock
Services
Start up all the services...
root # /etc/init.d/dk-filter start
root # /etc/init.d/dkim-filter start
root # /etc/init.d/postfix start
root # /etc/init.d/named start
You may want to configure these services to start at boot.
root # rc-update add dk-filter default
root # rc-update add dkim-filter default
root # rc-update add postfix default
root # rc-update add named default
That's it, you should now have DKIM and DomainKey signed emails.
Testing
You can test your Domainkey/DKIM setup by sending a blank email to check-auth@verifier.port25.com. You will receive an email within about 30 seconds letting you know if your Domainkey/DKIM passes the test.
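A local check of the TXT value before it goes into the Bind file, as an added example that is not part of the original guide: it parses the tag list used in the records above and reads the RSA modulus size from the p= value, which catches a truncated paste or a key of the wrong size. The function names are assumptions made for this example, and sample_p builds a constructed placeholder key so the block runs offline.

```python
import base64

def parse_tags(txt):
    """Split a DKIM/DomainKeys TXT value into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (content, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_bits(p_value):
    """Modulus size in bits of the base64 SubjectPublicKeyInfo in p=."""
    spki, _ = _tlv(base64.b64decode(p_value, validate=True), 0)
    _, pos = _tlv(spki, 0)              # AlgorithmIdentifier, skipped
    bitstring, _ = _tlv(spki, pos)      # BIT STRING wrapping the RSA key
    rsakey, _ = _tlv(bitstring[1:], 0)  # skip the unused-bits byte
    modulus, _ = _tlv(rsakey, 0)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt, expected_bits):
    """Return a list of problems found in a key record."""
    tags, problems = parse_tags(txt), []
    for tag, want in (("v", "DKIM1"), ("k", "rsa")):
        if tags.get(tag, want) != want:  # both tags are optional
            problems.append(f"{tag}= is not {want}")
    try:
        bits = rsa_bits(tags.get("p", ""))
        if bits != expected_bits:
            problems.append(f"key is {bits} bits, expected {expected_bits}")
    except Exception:
        problems.append("p= is not a valid base64 RSA public key")
    return problems

def _der(tag, body):  # minimal encoder for the sample key (body < 256 bytes)
    head = [len(body)] if len(body) < 0x80 else [0x81, len(body)]
    return bytes([tag] + head) + body

def sample_p(bits):  # constructed SPKI with a placeholder modulus, not a usable key
    num = lambda v: _der(2, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    key = _der(0x30, num((1 << (bits - 1)) | 1) + num(65537))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    return base64.b64encode(_der(0x30, alg + _der(3, b"\0" + key))).decode()
```

Call check_record with the quoted TXT value and the key size chosen during emerge --config; an empty list means the record parsed cleanly and the key has the expected size.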