Geekly Articles each Day
⬆️ ⬇️

OpenDKIM + Postfix = just





At the end of 2011, the developers of the dkim-milter project discontinued its support and development. Fortunately, OpenDKIM came to replace the dkim-milter project , with which it’s just as easy to add a DKIM signature to the letters.



tl; dr: nowadays without DKIM signatures
A DKIM signature is a digital signature that is added to the message headers by the sender server, by which the recipient server can verify that the sender of the letter matches the From field in the message headers. If the recipient's server verifies this signature, then based on the results of the verification, the server can decide how to deal with the letter: accept, send to the Spam folder, send for additional verification, or refuse to accept it at all. DKIM signatures are checked and used by all leading postal services themselves, including Yandex and Mail.ru. The latter openly requires letters to be signed with DKIM.


')



Instructions for configuring Postfix and OpenDKIM



To do this, we need Postfix itself and the OpenDKIM packages. Install all necessary components using your batch manager: 



aptitude install opendkim opendkim-tools


Now we need to get the keys that we will use to sign letters.



Signature keys



We will get the key for the server domain and for the selector, equal to the name of the server without a domain, so as not to invent anything: 



 mkdir /etc/opendkim/ opendkim-genkey -D /etc/opendkim/ -d $(hostname -d) -s $(hostname)


If it happens on the mail.example.com server, then the last command will create the /etc/opendkim/mail.private and /etc/opendkim/mail.txt , with private and public keys, respectively. The public key must be added to the appropriate TXT record of your domain.



The key files must be given read access to the group in which OpenDKIM is running, and postfix itself postfix added to the same group so that it can sign letters connecting to the OpenDKIM daemon through its socket: 



 chgrp opendkim /etc/opendkim/* chmod g+r /etc/opendkim/* gpasswd -a postfix opendkim




Where to find the keys?



/etc/opendkim.conf /etc/opendkim.conf and add our settings: 



 tee -a /etc/opendkim.conf <<EOF Canonicalization relaxed/relaxed SyslogSuccess yes KeyTable file:/etc/opendkim/keytable SigningTable file:/etc/opendkim/signingtable X-Header yes #      : LogWhy yes #       : #ExternalIgnoreList file:/etc/opendkim/trusted #   ,    : #InternalHosts file:/etc/opendkim/internal EOF


A detailed description of all directives is available in the documentation.



What keys to sign?



The list of available keys will be /etc/opendkim/keytable in the /etc/opendkim/keytable in the format " ::/// ". If you created the keys with the command above, then you can register the key according to the FQDN of the server in this file as follows: 



 echo $(hostname -f | sed s/\\./._domainkey./) $(hostname -d):$(hostname):$(ls /etc/opendkim/*.private) | tee -a /etc/opendkim/keytable


For mail.example.com there will be the following line in the file: 



 mail._domainkey.example.com example.com:mail:/etc/opendkim/mail.private


There can be any number of keys in this file for any number of domains. Also, keys can be stored in the database - in more detail in the documentation.



Whose mail to sign?



Now let us explain OpenDKIM mail of which domains with which keys to sign in the /etc/opendkim/signingtable in the format " - ": 



 echo $(hostname -d) $(hostname -f | sed s/\\./._domainkey./) | tee -a /etc/opendkim/signingtable


For the mail.example.com host, the file will be example.com mail._domainkey.example.com . If you want to sign all outgoing mail at all, you can specify * instead of a domain.



Other files specified in the ExternalIgnoreList and InternalHosts directives contain simply a list of hosts and / or IP addresses each on a new line, the signatures of letters for which will either be ignored or added. If your mail is answered by a single server, then you don’t need to do anything with them.



Configure Postfix



Finally, we ask Postfix to send all the letters for signature: 



 postconf -e milter_default_action=accept postconf -e milter_protocol=2 postconf -e smtpd_milters=unix:/var/run/opendkim/opendkim.sock postconf -e non_smtpd_milters=unix:/var/run/opendkim/opendkim.sock




If Postfix is ​​in chroot ...



If you use Postfix without chroot, then nothing else needs to be done to configure it. Otherwise, most likely, you need to explain to OpenDKIM where it should create a socket and give appropriate rights for everything: 



 echo 'SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"' | tee -a /etc/default/opendkim mkdir -p /var/spool/postfix/var/run/opendkim chown opendkim:opendkim /var/spool/postfix/var/run/opendkim




Done!



We restart Postfix and OpenDKIM using standard tools, send a test letter somewhere to Yandex , and enjoy the successful result of the signature verification:







Do not forget to add a TXT record and check that it is in place: 



 dig txt mail._domainkey.example.com




Another way to verify the signature is to send an email to check-auth@verifier.port25.com .



We will forbid letters without signature



If the check was successful, then it is necessary to formally prohibit other servers to receive letters with your domain, but without a signature, by adding the ADSP entry : 



 _adsp._domainkey IN TXT "dkim=all"




the end



Read to the end, but want more? Much shorter instructions on how to configure OpenDKIM with one domain and correctly configured hostname.

Source: https://habr.com/ru/post/151904/

More articles:



All Articles