Postfix/DKIM

From Gentoo Wiki

This guide will show you how to configure Postfix to use DKIM and DomainKeys.

Notes

DomainKeys has been obsoleted by DKIM. However, I have decided to show you how to use it should you wish to.

On Fri May 11 09:19:30 2012 UTC mail-filter/dkim-milter was removed from the Gentoo tree, replaced by mail-filter/opendkim. Nonetheless, instructions for setting up both packages are retained below.

OpenDKIM

Install mail-filter/opendkim:

root # emerge --ask opendkim
root # emerge --ask --config opendkim

Set selector name to "mydkim" (without the quotes), select "[2] 1024 bits" for your key. Your key will be created now. Copy it now and we will paste it into your Bind file later.

Edit the following file. The defaults are fine except for the settings below. Note the port in the socket configuration, since Postfix has to connect to the same one.

File: /etc/opendkim/opendkim.conf

   Mode                    s
   Selector                mydkim
   KeyFile                 /etc/opendkim/mydkim.private

Now edit your bind configuration:

File: /var/bind/domain.tld.hosts

   mydkim._domainkey.domain.tld. IN TXT "v=DKIM1; g=*; k=rsa; p=yourkeyhere;"

Now edit your Postfix configuration. The following is two separate lines. Your port may be different:

File: /etc/postfix/main.cf

   smtpd_milters     = inet:localhost:8891
   non_smtpd_milters = inet:localhost:8891

The maximum size for all TXT records in a DNS cannot exceed 512 bytes. This means that you cannot use 1024-bit keys for both DKIM and DomainKeys. If you need to use both DKIM and DomainKeys, you will have to make one key 1024 bits and the other 512 bits so that they fit in the 512 bytes.

DKIM

Install mail-filter/dkim-milter:

root # emerge --ask dkim-milter
root # emerge --config mail-filter/dkim-milter

Set selector name to "mydkim" (without the quotes), select "[2] 1024 bits" for your key. Your key will be created now. Copy it now and we will paste it into your Bind file later.

Edit the following file. Defaults are fine except for the following:

File: /etc/mail/dkim-filter/dkim-filter.conf

   Domain                  domain.tld
   KeyFile                 /etc/mail/dkim-filter/mydkim.private
   Selector                mydkim
   UMask                   000
   Mode                    s

Now edit your bind configuration:

File: /var/bind/domain.tld.hosts

   mydkim._domainkey.domain.tld. IN TXT "v=DKIM1; g=*; k=rsa; p=yourkeyhere;"

Now edit your Postfix configuration. The following is two separate lines:

File: /etc/postfix/main.cf

   smtpd_milters     = unix:/var/run/dkim-filter/dkim-filter.sock
   non_smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock

DomainKeys

Install mail-filter/dk-milter:

root # emerge --ask dk-milter
root # emerge --config mail-filter/dk-milter

Set selector name to "mydk" (without the quotes), select "[1] 512 bits" for your key. Your key will be created now. Copy it now and we will paste it into your Bind file later.

Edit the following file, making sure to replace domain.tld with your domain. The v option below is to verify incoming mail. You can remove it if you don't want that feature.

File: /etc/conf.d/dk-filter

ADDITIONAL_OPTS="-l -b sv -d domain.tld -H -s /etc/mail/dk-filter/mydk.private -S mydk \
-C badsignature=reject,dnserror=tempfail,internal=tempfail,nosignature=accept,signaturemissing=reject"

Now edit your bind configuration. The following is two separate lines:

File: /var/bind/domain.tld.hosts

_domainkey.domain.tld. IN TXT "o=-"
mydk._domainkey.domain.tld. IN TXT "k=rsa; p=yourkeyhere;"

Now edit your Postfix configuration. The following is two separate lines. We just append the DomainKeys socket to the DKIM line:

File: /etc/postfix/main.cf

smtpd_milters     = unix:/var/run/dkim-filter/dkim-filter.sock, unix:/var/run/dk-filter/dk-filter.sock 
non_smtpd_milters = unix:/var/run/dkim-filter/dkim-filter.sock, unix:/var/run/dk-filter/dk-filter.sock

Services

Start up all the services:

root # /etc/init.d/dk-filter start
root # /etc/init.d/dkim-filter start
root # /etc/init.d/postfix start
root # /etc/init.d/named start

You may want to configure these services to start at boot:

root # rc-update add dk-filter default
root # rc-update add dkim-filter default
root # rc-update add postfix default
root # rc-update add named default

That's it. You should now have DKIM- and DomainKeys-signed emails.

Testing

You can test your DomainKeys/DKIM setup by sending a blank email to check-auth@verifier.port25.com. You will receive an email within about 30 seconds letting you know if your DomainKeys/DKIM setup passes the test.
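
The TXT records from the Bind steps can also be checked offline before they are published. The following is an added example, not part of the original guide: it parses a key record, decodes the p= value and reports the RSA key size, which catches a leftover "yourkeyhere" placeholder or a key that is too short. The function names, the 1024-bit threshold and the sample records are assumptions made for the example.

```python
import base64

def parse_tags(txt):
    """Split a key record's TXT value into {tag: value}, dropping folding whitespace."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of the base64 SubjectPublicKeyInfo found in p=."""
    der = base64.b64decode(p_b64, validate=True)
    start, _ = _tlv(der, 0)          # outer SEQUENCE
    _, alg_end = _tlv(der, start)    # AlgorithmIdentifier, skipped
    start, _ = _tlv(der, alg_end)    # BIT STRING
    start, _ = _tlv(der, start + 1)  # RSAPublicKey SEQUENCE, after the unused-bits byte
    start, end = _tlv(der, start)    # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def check_record(txt, min_bits=1024):  # assumption: 1024 is the DKIM size chosen in this guide
    """Return a list of problems found in a TXT key record (empty list = OK)."""
    tags, problems = parse_tags(txt), []
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= is not rsa")
    try:
        bits = rsa_bits(tags.get("p", ""))
    except (ValueError, IndexError):
        return problems + ["p= is not a base64 DER public key"]
    if bits < min_bits:
        problems.append(f"{bits}-bit key is below {min_bits} bits")
    return problems

def _der(tag, body):  # sample-building helper, handles lengths below 256 only
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def constructed_record(bits):
    """Constructed sample: valid DER around a dummy modulus, not a usable key."""
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    rsa = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; g=*; k=rsa; p=" + base64.b64encode(spki).decode() + ";"
```

Pass `check_record` the quoted TXT value exactly as it appears in the zone file; a 512-bit DomainKeys record is reported unless `min_bits` is lowered.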