Lately I’ve been playing with Postfix and ways to validate my mail, which is how I reached DKIM records. DKIM works something like SSH keys (a public and a private key), but for mail: the private key signs outgoing messages and the public key, published in DNS, lets receivers verify the signature. Installation on Debian GNU/Linux is pretty simple via apt-get as usual; we need to install opendkim and opendkim-tools.
```
dpkg -l | grep dkim
ii  libmail-dkim-perl  0.40-1          all    cryptographically identify the sender of email - perl library
ii  libopendkim9       2.9.2-2+deb8u1  amd64  Library for signing and verifying DomainKeys Identified Mail signatures
ii  opendkim           2.9.2-2+deb8u1  amd64  Milter implementation of DomainKeys Identified Mail
ii  opendkim-tools     2.9.2-2+deb8u1  amd64  Set of command line tools for OpenDKIM
```
We need to open a port for opendkim (8891 in my case); to do this we edit /etc/default/opendkim as below.
```
grep -v "^#" /etc/default/opendkim
SOCKET="inet:8891@localhost" # listen on loopback on port 8891
```
We need to edit /etc/opendkim.conf so that it looks something like the following.
```
Syslog                  yes
UMask                   002
Domain                  mydomain.com
# s = sign outgoing mail, v = verify signatures on incoming mail
Mode                    sv
# list From twice in h= so a second From header added in transit breaks the signature
OversignHeaders         From
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
KeyFile                 /etc/opendkim/keys/mail.private
# must match the -s selector given to opendkim-genkey below
Selector                mail
Canonicalization        relaxed/simple
AutoRestart             Yes
AutoRestartRate         10/1h
```
We then run this small script, which creates the directory where the keys will be stored and generates the key pair.
```
#!/bin/bash
set -e   # stop if the directory cannot be created or entered
mkdir -p /etc/opendkim/keys
cd /etc/opendkim/keys
# -s selector, -b key length in bits; writes mail.private and mail.txt
opendkim-genkey -s mail -b 2048 --domain mydomain.com --verbose
```
It’s important to set the key length to 2048 bits (-b 2048); otherwise opendkim-genkey creates a 1024-bit key by default. Once done we will have a private and a public key in /etc/opendkim/keys. The private key must be readable by the opendkim user named in UserID and by nobody else.
```
ls -ltr /etc/opendkim/keys/; cat /etc/opendkim/keys/mail.txt
total 8
-rw------- 1 opendkim opendkim 1679 Nov 25 00:14 mail.private
-rw------- 1 root     root      491 Nov 25 00:14 mail.txt
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
	  "p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK/xee7pzmhZCXdyuDbf9QH/7cNm7d7ZIYDRC92YCI9XNb/8ANxg0UcxNsGBxA00ksjShl/EPfCfdYpKODJbgubt+/bP/ZBguogHXT"
	  "BPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting" )  ; ----- DKIM key mail for mydomain.com
```
We are almost done: we need to add the public key part that’s between quotes to our DNS servers and create the record. mail.txt splits the value into several quoted strings because a single TXT string cannot exceed 255 bytes; verifiers concatenate the strings, so the record value is simply the strings joined together, as below.
```
"v=DKIM1; k=rsa; p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK/xee7pzmhZCXdyuDbf9QH/7cNm7d7ZIYDRC92YCI9XNb/8ANxg0UcxNsGBxA00ksjShl/EPfCfdYpKODJbgubt+/bP/ZBguogHXTBPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting"
```
Once the record has been published and the DNS servers answer for it, we can query it. We should get back the public key we just uploaded (opendkim-testkey, shipped with opendkim-tools, performs the same lookup for a given domain and selector).
```
host -t TXT mail._domainkey.mydomain.com
mail._domainkey.mydomain.com descriptive text "v=DKIM1; k=rsa; p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK/xee7pzmhZCXdyuDbf9QH/7cNm7d7ZIYDRC92YCI9XNb/8ANxg0UcxNsGBxA00ksjShl/EPfCfdYpKODJbgubt+" "/bP/ZBguogHXTBPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting"
```
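Notice that the resolver splits the value at a different point than mail.txt did; only the joined value matters. The following is an added example, not code from the original post: it joins the quoted strings of a mail.txt fragment and of a host answer, checks the DKIM tags, compares the two, and re-splits a long value for DNS providers that enforce the 255-byte limit per string. The record contents are constructed placeholders and the function names are my own.

```python
import re

# Constructed sample modelled on the mail.txt that opendkim-genkey writes;
# the key material is a truncated placeholder, not a real key.
MAIL_TXT = '''mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8w"
      "S7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj" )  ; ----- DKIM key mail for mydomain.com'''
# Constructed sample of a `host -t TXT` answer for the same record; the
# resolver splits the value at different points than mail.txt did.
HOST_ANSWER = ('mail._domainkey.mydomain.com descriptive text "v=DKIM1; k=rsa; '
               'p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Xc" '
               '"AhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj"')

def join_txt_strings(text):
    # A TXT record is a sequence of <=255-byte strings; DKIM verifiers
    # concatenate them, so where the value is split carries no meaning.
    return "".join(re.findall(r'"([^"]*)"', text))

def parse_dkim_tags(value):
    # Split the RFC 6376 tag-list 'tag=value; tag=value' into a dict.
    tags = {}
    for item in value.split(";"):
        name, _, val = item.strip().partition("=")
        if name:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # whitespace in p= is ignored
    return tags

def check_dkim_record(value):
    # Return a list of problems; an empty list means the record looks sane.
    tags, problems = parse_dkim_tags(value), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an opendkim-genkey key")
    pub = tags.get("p")
    if pub is None:
        problems.append("p= tag missing")
    elif pub == "":
        problems.append("p= is empty, which means the key is revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", pub):
        problems.append("p= is not valid base64")
    return problems

def published_matches_local(mail_txt, dns_answer):
    # True when the value the resolver returns equals the one in mail.txt.
    return join_txt_strings(mail_txt) == join_txt_strings(dns_answer)

def split_for_zone(value, limit=255):
    # Re-split a long value into quoted strings for providers that enforce 255 bytes.
    return " ".join('"%s"' % value[i:i + limit] for i in range(0, len(value), limit))
```

Feed your own mail.txt and `host -t TXT` output to published_matches_local and check_dkim_record to confirm the published record is the one you generated.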
DKIM is almost done, but we need to let Postfix know that it should use opendkim. We need to add the entries below to the Postfix main.cf file. Note that milter_default_action = accept tells Postfix to keep accepting, and sending unsigned, mail when it cannot reach the milter; set it to tempfail instead if you would rather have mail queued than go out unsigned.
```
egrep -B 1 -C 1 "(dkim|milter)" /etc/postfix/main.cf
# Added for Opendkim
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
```
Once done we can restart postfix and opendkim for the changes to take effect. If there are no errors we will see something like below in the mail.log file.
```
Oct 25 00:18:35 sd-129111 postfix/master[27345]: daemon started -- version 2.11.1, configuration /etc/postfix
Oct 25 00:18:38 sd-129111 opendkim[26170]: OpenDKIM Filter: mi_stop=1
Oct 25 00:18:38 sd-129111 opendkim[26170]: OpenDKIM Filter v2.9.1 terminating with status 0, errno = 0
Oct 25 00:18:38 sd-129111 opendkim[27361]: OpenDKIM Filter v2.9.1 starting (args: -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost)
```
As a final confirmation, send an email to check-auth@verifier.port25.com; if all went well, the reply we receive will look like the one below.
```
Thank you for using the verifier,
The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham
```