OpenDKIM : Configuring DKIM keys on Postfix

DKIM (DomainKeys Identified Mail) is an email authentication technology: your outbound SMTP server adds a cryptographic signature to every message it sends. The receiving SMTP server can verify that signature with a public key you publish in DNS, which lets it confirm that the message really came from your domain and was not altered in transit, before it decides whether to treat the mail as legitimate, spam, phishing or an impersonation.

How DKIM signing works

Your SMTP server attaches a special header to each outgoing email. That header carries a signature computed over the body and a chosen set of headers with a private key stored on the server (the mail is signed, not encrypted; it stays readable). Once the email reaches the receiving SMTP server, that server will

a. Look for the DKIM-Signature header in the mail.
b. Read the signing domain (d=) and the selector (s=) from that header,

ie (DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com;s=default; t=1329441832;) You will see an entry like the above in the original source of DKIM signed emails.

c. Query DNS for the TXT record named selector._domainkey.domain (here default._domainkey.mydomain.com).
d. Take the public key (the p= tag) from that record and use it to verify the signature: it recomputes the hash of the body and of the signed headers and checks that the signature in the header matches them.

If the check passes, the receiver knows the mail was signed by whoever holds mydomain.com's private key, ie it really originated from your server and the signed parts were not modified on the way. A DKIM pass is one positive signal in the receiver's spam scoring and is the foundation for publishing a DMARC policy later; it does not by itself whitelist your domain, so do not expect it alone to guarantee a place in the INBOX :-)
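To make steps a to d concrete, here is an added example (written for this page; it is neither code from the original post nor OpenDKIM's own implementation) that performs the signer's and the verifier's halves of the exchange in standard-library Python 3.8+. Textbook RSA with PKCS#1 v1.5 padding stands in for OpenSSL, a dict stands in for the DNS lookup, the "simple" body and "relaxed" header canonicalizations from the configuration later in the post are implemented, and the message, domain and selector are constructed. The 1024-bit key keeps the demo fast; real deployments should use 2048 bits.

```python
import base64
import hashlib
import random
import re

def _is_prime(n, rounds=24):                      # Miller-Rabin probable-prime test
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c):
            return c

def generate_rsa_key(bits=1024):
    """Return (n, e, d); textbook RSA, 1024 bits only to keep the demo quick."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                    # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256

def _emsa(digest, k):                             # EMSA-PKCS1-v1_5 encoding, k = modulus length in bytes
    t = _DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, digest):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(digest, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(n, e, digest, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(digest, k)

def _der(tag, body):                              # minimal DER TLV encoder
    ln = len(body)
    if ln < 0x80:
        return bytes([tag, ln]) + body
    lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def public_key_record(n, e):
    """TXT value for s._domainkey.d: p= is a base64 DER SubjectPublicKeyInfo, as in default.txt."""
    rsa = _der(0x30, _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
                     + _der(0x02, e.to_bytes(e.bit_length() // 8 + 1, "big")))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption OID, NULL
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()

def _der_read(buf):                               # -> (tag, content, remaining bytes)
    ln, i = buf[1], 2
    if ln & 0x80:
        i = 2 + (ln & 0x7f)
        ln = int.from_bytes(buf[2:i], "big")
    return buf[0], buf[i:i + ln], buf[i + ln:]

def public_key_from_record(record):
    _, spki, _ = _der_read(base64.b64decode(parse_tags(record)["p"]))
    _, _alg, rest = _der_read(spki)
    _, bits, _ = _der_read(rest)
    _, rsa, _ = _der_read(bits[1:])               # skip the BIT STRING unused-bits byte
    _, n, rest = _der_read(rsa)
    _, e, _ = _der_read(rest)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def parse_tags(value):
    """'k=v; k2=v2' -> dict; whitespace inside folded values is dropped."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (t.split("=", 1) for t in value.split(";") if "=" in t)}

def _canon_body(body):                            # 'simple': CRLF line ends, exactly one trailing CRLF
    return body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n") + "\r\n"

def _canon_header(name, value):                   # 'relaxed': lowercase name, unfold, squeeze whitespace
    return name.lower() + ":" + re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()

def _body_hash(body):
    return base64.b64encode(hashlib.sha256(_canon_body(body).encode()).digest()).decode()

def _header_digest(headers, names, sig_without_b):
    got = {k.lower(): v for k, v in headers}
    data = "".join(_canon_header(n, got[n]) + "\r\n" for n in names if n in got)
    return hashlib.sha256((data + _canon_header("DKIM-Signature", sig_without_b)).encode()).digest()

def dkim_sign(headers, body, domain, selector, key, names=("from", "to", "subject")):
    """Signer (the milter): hash the body, sign the listed headers, return the DKIM-Signature value."""
    partial = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
               f"h={':'.join(names)}; bh={_body_hash(body)}; b=")
    return partial + base64.b64encode(rsa_sign(key, _header_digest(headers, names, partial))).decode()

def dkim_verify(headers, body, dns):
    """Verifier (receiving MTA): steps a-d above, with `dns` standing in for the TXT lookup."""
    got = {k.lower(): v for k, v in headers}
    if "dkim-signature" not in got:
        return "dkim=none"
    t = parse_tags(got["dkim-signature"])
    record = dns.get(f"{t['s']}._domainkey.{t['d']}")            # step c: selector._domainkey.domain
    if record is None:
        return "dkim=fail (no key record in DNS)"
    n, e = public_key_from_record(record)                         # step d: public key from p=
    if _body_hash(body) != t["bh"]:
        return "dkim=fail (body hash mismatch)"
    digest = _header_digest(headers, t["h"].split(":"), re.sub(r"b=[^;]*$", "b=", got["dkim-signature"]))
    if rsa_verify(n, e, digest, base64.b64decode(t["b"])):
        return f"dkim=pass header.d={t['d']}"
    return "dkim=fail (signature mismatch)"

def demo():
    key = generate_rsa_key()
    dns = {"default._domainkey.mydomain.com": public_key_record(key[0], key[1])}   # what step 10 publishes
    headers = [("From", "liju@mydomain.com"), ("To", "someone@example.net"), ("Subject", "OpenDKIM test mail")]
    body = "This is a test mail\n"                                                   # constructed message
    signed = [("DKIM-Signature", dkim_sign(headers, body, "mydomain.com", "default", key))] + headers
    forged = [(k, "Urgent: wire money") if k == "Subject" else (k, v) for k, v in signed]
    return (dkim_verify(signed, body, dns),                        # genuine message
            dkim_verify(signed, body + "P.S. injected\n", dns),    # body altered in transit
            dkim_verify(forged, body, dns),                        # signed header altered
            dkim_verify(signed, body, {}))                         # key never published in DNS

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last two cases in demo() are the ones that bite in practice: a forged or rewritten signed header fails the signature check, and a missing or wrong DNS record fails before any cryptography happens, which is why the DNS step at the end of this post is not optional.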

How do I install openDKIM

stevejenkins.com has an excellent tutorial and I adopted his guidelines, but I got stuck a few times initially before getting it to work.

Here we go,

1. Install the opendkim rpm package from the EPEL repositories (http://fedoraproject.org/wiki/EPEL).

Choose the epel-release package that matches your OS release and architecture (the URL below is the EL5 i386 one).

# wget http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm
# yum clean all
# yum install opendkim

2. Generate signing keys
Create a folder to store the keys for the domain, then generate the key pair for the selector "default":

# mkdir -p /etc/opendkim/keys/mydomain.com
# /usr/bin/opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default

The command creates two files in the domain folder: default.private (the private key, which must never leave the server) and default.txt (the DNS TXT record carrying the matching public key). opendkim-genkey of this era produces a 1024-bit RSA key by default; pass -b 2048 if your DNS provider accepts the longer TXT value, since 2048 bits is the size recommended today.

The KeyTable entry used below refers to the private key by the name "default", so copy it under that name (you can equally keep the default.private name and point the KeyTable at it). Then make sure the files belong to the opendkim user and that nobody else can read the private key:

# cp /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default
# chown -R opendkim:opendkim /etc/opendkim/keys/mydomain.com
# chmod 600 /etc/opendkim/keys/mydomain.com/default /etc/opendkim/keys/mydomain.com/default.private

3. Configuration files of OpenDKIM

1. /etc/opendkim.conf – OpenDKIM’s main configuration file
2. /etc/opendkim/KeyTable – a list of keys available for signing
3. /etc/opendkim/SigningTable – a list of domains and accounts allowed to sign
4. /etc/init.d/opendkim — Service start up file.

4. Update the /etc/opendkim.conf file
Now you need to edit the main config file (/etc/opendkim.conf) and update or uncomment a few lines.

My file looks like this. You may need to edit "KeyFile" to set the correct path, although with a KeyTable configured (as here) OpenDKIM takes the key from the KeyTable and ignores KeyFile and Selector, so those two lines are only a fallback:

PidFile /var/run/opendkim/opendkim.pid
Mode    sv                      # s = sign outgoing mail, v = verify incoming mail
Syslog  yes
SyslogSuccess   yes
LogWhy  yes                     # log why a message was or was not signed; invaluable when debugging
UserID  opendkim:opendkim
Socket  inet:8891@localhost     # must match smtpd_milters in Postfix main.cf
Umask   002
Canonicalization        relaxed/simple
Selector        default
KeyFile /etc/opendkim/keys/mydomain.com/default.private
KeyTable        /etc/opendkim/KeyTable
SigningTable    /etc/opendkim/SigningTable


5. Update the /etc/opendkim/KeyTable file

Add a line for your domain key: the key name, then domain:selector:path-to-private-key. My file looks like this (the commented lines come with the package):

# cat /etc/opendkim/KeyTable
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.
#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default

You may use the same private key file for multiple domains; each line is just a key-name to domain/selector/file mapping.

default._domainkey.mydomain1.com mydomain1.com:default:/etc/opendkim/keys/mydomain.com/default.private
default._domainkey.mydomain2.com mydomain2.com:default:/etc/opendkim/keys/mydomain.com/default.private

Note that the domain in the second field becomes the d= of the signature, so for the two lines above you must also publish the public key in DNS under default._domainkey.mydomain1.com and default._domainkey.mydomain2.com: a receiver looks the key up under the signing domain, not under the domain that happens to own the key file.

6. Update /etc/opendkim/SigningTable
This file maps the domain in the From: address of outgoing mail to the KeyTable entry that should sign it; only domains listed here get signed. On my setup the server hosts 4 email domains and I want to use the same signing key for all of them, so every line points at the same key name (add a line for mydomain.com itself as well if mail is sent from it). The file entries look like this,

# cat /etc/opendkim/SigningTable
domain1.com default._domainkey.mydomain.com
domain2.com default._domainkey.mydomain.com
domain3.com default._domainkey.mydomain.com

Please note that I use the same domain key for all the other domains, so the email source shows "signed by mydomain.com" (d=mydomain.com) whatever the From: domain is. That passes DKIM, but DMARC additionally requires the d= domain to match the From: domain (relaxed alignment also accepts a subdomain of it), so if you later publish DMARC records for domain1.com etc., give each of them its own KeyTable entry and DNS record instead of borrowing mydomain.com's.

7. Check that /etc/opendkim/TrustedHosts contains the loopback IP

# cat /etc/opendkim/TrustedHosts
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
localhost

As the comment says, this file is only consulted if opendkim.conf points at it (InternalHosts refile:/etc/opendkim/TrustedHosts and ExternalIgnoreList refile:/etc/opendkim/TrustedHosts, both commented out in the packaged config). InternalHosts is the list of hosts whose mail OpenDKIM signs rather than verifies; if other machines on your network relay mail out through this Postfix, add their IPs here and uncomment those two options, otherwise only mail submitted from localhost gets signed.

8. Edit the Postfix main configuration file
Open the Postfix config file (/etc/postfix/main.cf) and add the following lines at the bottom of the file.

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol   = 2

non_smtpd_milters makes locally submitted mail (the sendmail/mail commands, picked up by postfix/pickup) go through the milter too, which is what the test at the end relies on. milter_protocol = 2 is for the old Postfix 2.3 shipped with EL5; on Postfix 2.6 and later leave it at the default (6). milter_default_action = accept means that when OpenDKIM is not running Postfix delivers the mail unsigned instead of rejecting it. That is the right choice for availability, but it also means a dead milter fails silently (you only see "warning: connect to Milter service inet:127.0.0.1:8891: Connection refused" in the log), so check the mail log after every restart; set it to tempfail if you would rather have mail queue until the milter is back.

9. Restart the opendkim and postfix services and enable both at boot.

# service opendkim restart
Stopping OpenDKIM Milter:                                  [  OK  ]
Starting OpenDKIM Milter:                                  [  OK  ]
# service postfix restart
stopping the Postfix mail system                           [  OK  ]
starting the Postfix mail system                           [  OK  ]
# chkconfig opendkim on
# chkconfig postfix on

Without chkconfig opendkim on the milter will not come back after a reboot and, with milter_default_action = accept, mail will quietly go out unsigned. Make sure OpenDKIM is writing to the mail log; this is the only place where you can see OpenDKIM errors.

# tail -f /var/log/maillog
Feb 17 13:39:47 host opendkim[970]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)

10. Update the DNS records

This is the final part. You need to add a TXT record named "default._domainkey" (the selector, then _domainkey) in your domain's zone. Its value is in the file /etc/opendkim/keys/mydomain.com/default.txt:

-sh-3.2# cat /etc/opendkim/keys/mydomain.com/default.txt
default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3 EBAQUAA4GNADWw1fqTtobJHsQsJ/49XRJ7eK49MUAkhLB9zcwusSfvrWutvqWT4iWM979    YOAt/d4ZVtFn7Dio6rUiLp103TfJh3g0694jJAOQU0sb4VM/NHgCIknQ/cvLG/snGL/aI7YIkSH1bI0YTYayewIDAQAB" ; ----- DKIM default for mydomain.com

Copy everything between the double quotes (starting right after TXT ") into the record value; the record name is default._domainkey (most DNS panels, GoDaddy's included, append the domain themselves). Newer versions of opendkim-genkey write the value as several quoted strings inside parentheses, e.g. ( "v=DKIM1; k=rsa; " "p=<key>" ); that is zone-file syntax for one long TXT record, so concatenate the strings into a single value when pasting into a web DNS manager. Do not leave spaces or quotes inside the p= value, and keep it a TXT record, not a CNAME or SPF type. Once the change has propagated, verify it from the server itself:

# opendkim-testkey -d mydomain.com -s default -k /etc/opendkim/keys/mydomain.com/default.private -vvv

This fetches default._domainkey.mydomain.com and checks that the published key matches the private key file.

You can also add an ADSP record to your zone file
_adsp._domainkey.mydomain.com IN TXT "dkim=unknown"
but it is optional: "dkim=unknown" is already the default meaning (not all mail from the domain is necessarily signed), ADSP was never widely honoured and it has since been declared historic in favour of DMARC.

There is nothing special about the selector name "default"; choose any name you wish, as long as the same name is used for opendkim-genkey -s, in the KeyTable and in the DNS record name.

Important: don't forget to add an SPF record for your domain as well. Receivers expect SPF and DKIM together, and having both may boost email delivery.
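Steps 5, 6 and 10 must agree with each other: every SigningTable line has to name an existing KeyTable entry, and the domain and selector in that entry have to be exactly where a TXT record is published. The following added example (not from the original post) is a pre-flight check over those three inputs written in standard-library Python. The KeyTable and SigningTable contents and the DNS answers are constructed strings; to use it for real, read the two files from /etc/opendkim and feed it the output of "dig +short TXT <selector>._domainkey.<domain>" for each signing domain. It also joins the multi-string TXT form that newer default.txt files use, flags whitespace left inside p=, and warns when the d= domain differs from the From: domain (the DMARC alignment point from step 6).

```python
import re

# Constructed file contents and DNS answers; not copied from a real server.
KEYTABLE = """\
# key name                        signing-domain:selector:private-key-file
default._domainkey.mydomain.com   mydomain.com:default:/etc/opendkim/keys/mydomain.com/default
mail._domainkey.domain3.com       domain3.com:mail:/etc/opendkim/keys/domain3.com/mail.private
dk1._domainkey.domain4.com        domain4.com:dk1:/etc/opendkim/keys/domain4.com/dk1.private
"""
SIGNINGTABLE = """\
mydomain.com   default._domainkey.mydomain.com
domain1.com    default._domainkey.mydomain.com
domain2.com    nosuchkey._domainkey.mydomain.com
domain3.com    mail._domainkey.domain3.com
domain4.com    dk1._domainkey.domain4.com
"""
DNS = {   # answers in the form `dig +short TXT <name>` prints them; key material is placeholder text
    # a long key comes back as several quoted strings, like the parenthesised default.txt
    "default._domainkey.mydomain.com": '"v=DKIM1; k=rsa; " "p=EXAMPLEKEYPART1" "EXAMPLEKEYPART2"',
    # pasted with a space left inside p=
    "dk1._domainkey.domain4.com": '"v=DKIM1; k=rsa; p=EXAMPLEKEY PART2"',
    # nothing published for mail._domainkey.domain3.com
}

def parse_table(text):
    """KeyTable/SigningTable: 'key value' per line; '#' comments and blank lines skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            rows.append((key, value.strip()))
    return rows

def join_txt_strings(answer):
    """Concatenate a TXT answer shown as one or more quoted strings (parentheses allowed)."""
    parts = re.findall(r'"([^"]*)"', answer)
    return "".join(parts) if parts else answer.strip()

def parse_tags(record):
    return {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}

def check_dkim_setup(keytable, signingtable, dns):
    """One (sender_domain, verdict, detail) per SigningTable line; verdict is OK, WARN or FAIL."""
    keys = dict(parse_table(keytable))
    out = []
    for sender, keyname in parse_table(signingtable):
        if keyname not in keys:
            out.append((sender, "FAIL", f"SigningTable points at {keyname}, which is not in KeyTable"))
            continue
        d, s, path = keys[keyname].split(":", 2)
        name = f"{s}._domainkey.{d}"                    # the name every verifier will query
        if name not in dns:
            out.append((sender, "FAIL", f"signs as d={d} s={s} but no TXT record at {name}"))
            continue
        tags = parse_tags(join_txt_strings(dns[name]))
        problems = []
        if tags.get("v", "DKIM1") != "DKIM1":           # v= is optional but must be DKIM1 if present
            problems.append("v= must be DKIM1")
        if tags.get("k", "rsa") != "rsa":
            problems.append(f"unsupported key type k={tags['k']}")
        if not tags.get("p"):                            # an empty p= means the key is revoked
            problems.append("p= is empty (revoked key) or missing")
        elif not re.fullmatch(r"[A-Za-z0-9+/=]+", tags["p"]):
            problems.append("p= is not clean base64 (whitespace or quotes left inside?)")
        if problems:
            out.append((sender, "FAIL", f"{name}: " + "; ".join(problems)))
        elif sender == d or sender.endswith("." + d):   # DMARC relaxed alignment
            out.append((sender, "OK", f"d={d} s={s} key file {path}"))
        else:
            out.append((sender, "WARN", f"signs with d={d}, not {sender}: DKIM passes but DMARC alignment fails"))
    return out

if __name__ == "__main__":
    for sender, verdict, detail in check_dkim_setup(KEYTABLE, SIGNINGTABLE, DNS):
        print(f"{verdict:4} {sender:14} {detail}")
```

The check does not touch the private key files; opendkim-testkey (step 10) does that part. Run this before restarting the services, and again whenever you add a domain to the SigningTable.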

Verifying that Postfix sends signed emails

I use a test mail sent from the command line:

# echo "This is a test mail" | mail -s "OpenDKIM test mail" liju@serveridol.com

If everything goes well you see the message "DKIM-Signature header added" in the mail log (note: /var/log/maillog, not /var/log/messages):

# tail -f /var/log/maillog
Feb 17 14:12:52 host postfix/pickup[32549]: A5B56F717AC: uid=0 from=<root>
Feb 17 14:12:52 host postfix/cleanup[4092]: A5B56F717AC: message-id=<20120217191252.A5B56F717AC@mail.mydomain.com>
Feb 17 14:12:52 host opendkim[970]: A5B56F717AC: DKIM-Signature header added (s=default, d=mydomain.com)

This shows that Postfix passes outgoing mail through the milter and that OpenDKIM signs it. To confirm the receiving half, look at the source of the test message at the mailbox provider: it should contain the DKIM-Signature header and an Authentication-Results header with dkim=pass (header.d=mydomain.com or header.i=@mydomain.com depending on the implementation). A pass there, together with SPF, is what helps your mail be accepted, bulk mail included ;-) ..

For troubleshooting, restart opendkim first and then postfix (Postfix connects to the milter socket, so the milter must be up first), and read the mail log for the detailed reason; with LogWhy yes in opendkim.conf OpenDKIM also logs why a message was not signed.

Author: Liju Mathew
Visit Liju's Website - Email Liju
I'm Liju, a Linux enthusiast who has been playing with Linux for more than 7 years. I'm curious about reading blogs and learning and implementing new technologies from my personal experience. I like to play with a burning head on a busy schedule :-) This is a bookmark of all the challenges I've faced, which may be helpful to others sometimes, as I learned them the same way :-) Nothing more, I have miles to go before I sleep

14 comments to OpenDKIM : Configuring DKIM keys on Postfix

  • disassembler

    Great post, very helpful. Thank you!

  • Tommix

    THE MOST complete tutorial I found! Really nice. Because in other tutorials nobody even mentions adding the TXT record to DNS!

  • Nishant

    Really useful article. I request that, if possible, you post a complete mail server setup tutorial.

    Thanks & Regards

  • rodrigo

    Many thanks for this!

  • Great post, very sample. Thanks!

  • Jim G

    Error:
    warning: connect to Milter service inet:127.0.0.1:8891: Connection refused

    Checked permissions and they are good. Any clues?

    Jim

  • Hi – I am running a VPS with CENTOS 6.4 using QMAIL. Will these instructions work? If not, how can I implement DKIM with QMAIL? Thanks!

  • Hi,

    I did it step by step as instructed and the installation was perfect. But the last step #tail -f /var/log/messages shows me something different. Also the email header does not show a DKIM signature. My keys show something like this.. could you please help me.

    default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6+OxDB63NfoYxB70bzoKlCXI+Ec22hEDvTmDFWdNRvxHRIYb631iatGm6lECkv1fqbne8MCyOtJ8x5j0IWXKcioKg1LkFBBFUEqM/ZlJjefr80fWACHHbCrIB1ptLp+Weuhnz1d3/ZTtcAiZezNmTGPFs+NTv6fmx76hjNsmWEQIDAQAB" ) ;

    • Hello Bhavik

      It's not /var/log/messages.

      Look at the last entries of /var/log/maillog. You will get the exact error messages there. You will see the "header added" text if everything is working correctly.

      The SigningTable needs to be adjusted according to the domain name you use to send emails.

      Best of luck
      ~liju

  • chris

    Great article, but I have a quick question.... OpenDKIM is up and functioning properly on my domain. I added an additional Majordomo/Sendmail server to the mix, but emails that are passed through my mail/opendkim server from this new server are not getting the DomainKey signature added and thus fail on the outside. It seems that it only happens when emails are sent internally to this mailing list server and then re-routed back out through our mail server. Mailx emails from the new mailing list server are signed with no issue. Is there any sort of setting that you know of that would cause this? It is possible that the emails, when reaching the opendkim mail server to be sent out, already have a DomainKey signature in the header and that could be causing the issue... but I can't find how to strip out or manipulate the headers before sending to ensure that the mail server signs them properly. I have other mailing list servers doing this with no issue, so I was curious if there was anything you could think of that would affect this one server.

    thanks and keep up the good work

    • Hello Chris

      I think you are using the new mailing list server configured as a relay server for other domains too. If you want to enable DomainKey signing for other domains, you may add those entries to the SigningTable. An example is shown below

      #cat /etc/opendkim/SigningTable
      domain1.com default._domainkey.mydomain.com
      domain3.com default._domainkey.mydomain.com
      domain2.com default._domainkey.mydomain.com

      Best Regards
      Liju

  • hytham

    Jan 3 16:15:46 server2 postfix/cleanup[899]: warning: connect to Milter service inet:127.0.0.1:8891: Connection timed out
    ?
