Loading postfix _with_opendkim 0 → 100644 +273 −0 Original line number Diff line number Diff line Update Package Lists (for Debian/Ubuntu): sudo apt-get update Install OpenDKIM and OpenDKIM-Tools: sudo apt-get install opendkim opendkim-tools Step 2: Configure OpenDKIM Create Directories for Keys and Configuration: sudo mkdir /etc/opendkim sudo mkdir /etc/opendkim/keys Edit the OpenDKIM Configuration File: Open the configuration file in a text editor, like nano: sudo nano /etc/opendkim.conf Add or modify the following lines: /etc/opendkim/opendkim.conf # This is a basic configuration that can easily be adapted to suit a standard # installation. For more advanced options, see opendkim.conf(5) and/or # /usr/share/doc/opendkim/examples/opendkim.conf.sample. # Log to syslog Syslog yes # Required to use local socket with MTAs that access the socket as a non- # privileged user (e.g. Postfix) UMask 002 # Sign for example.com with key in /etc/dkimkeys/dkim.key using # selector '2007' (e.g. 2007._domainkey.example.com) #Domain example.com #KeyFile /etc/dkimkeys/dkim.key #Selector 2007 # Commonly-used options; the commented-out versions show the defaults. #Canonicalization simple Mode sv SubDomains no # Socket smtp://localhost # # ## Socket socketspec # ## # ## Names the socket where this filter should listen for milter connections # ## from the MTA. Required. Should be in one of these forms: # ## # ## inet:port@address to listen on a specific interface # ## inet:port to listen on all interfaces # ## local:/path/to/socket to listen on a UNIX domain socket # #Socket inet:8892@localhost Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock #Socket inet:12301@localhost ## PidFile filename ### default (none) ### ### Name of the file where the filter should write its pid before beginning ### normal operations. 
# PidFile /var/run/opendkim/opendkim.pid # Always oversign From (sign using actual From and a null From to prevent # malicious signatures header fields (From and/or others) between the signer # and the verifier. From is oversigned by default in the Debian pacakge # because it is often the identity key used by reputation systems and thus # somewhat security sensitive. OversignHeaders From ## ResolverConfiguration filename ## default (none) ## ## Specifies a configuration file to be passed to the Unbound library that ## performs DNS queries applying the DNSSEC protocol. See the Unbound ## documentation at http://unbound.net for the expected content of this file. ## The results of using this and the TrustAnchorFile setting at the same ## time are undefined. ## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested ## unbound package # ResolverConfiguration /etc/unbound/unbound.conf ## TrustAnchorFile filename ## default (none) ## ## Specifies a file from which trust anchor data should be read when doing ## DNS queries and applying the DNSSEC protocol. See the Unbound documentation ## at http://unbound.net for the expected format of this file. TrustAnchorFile /usr/share/dns/root.key ## Userid userid ### default (none) ### ### Change to user "userid" before starting normal operation? May include ### a group ID as well, separated from the userid by a colon. # UserID opendkim AutoRestart Yes AutoRestartRate 10/1h SyslogSuccess Yes LogWhy Yes Canonicalization relaxed/simple SignatureAlgorithm rsa-sha256 KeyTable refile:/etc/opendkim/keytable SigningTable refile:/etc/opendkim/signingtable # Hosts to ignore when verifying signatures ExternalIgnoreList refile:/etc/opendkim/trusted.hosts InternalHosts refile:/etc/opendkim/trusted.hosts # Commonly-used options; the commented-out versions show the defaults. 
#ADSPAction continue Background yes DNSTimeout 5 Create a KeyTable File: echo "mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.private" | sudo tee -a /etc/opendkim/KeyTable Create a SigningTable File: echo "*@example.com mail._domainkey.example.com" | sudo tee -a /etc/opendkim/SigningTable Create a TrustedHosts File: List localhost and your domain: echo -e "127.0.0.1\nlocalhost\nexample.com" | sudo tee -a /etc/opendkim/TrustedHosts Step 3: Generate DKIM Keys Generate the Keys for Your Domain: sudo opendkim-genkey -b 2048 -h rsa-sha256 -r -s mail -d example.com -v sudo mv mail.private mail.txt /etc/opendkim/keys/example.com/ Adjust Permissions: sudo chown -R opendkim:opendkim /etc/opendkim sudo chmod -R go-rwx /etc/opendkim/keys Step 4: Configure DNS Add the DKIM Record to Your DNS: Display the public key: sudo cat /etc/opendkim/keys/example.com/mail.txt Copy the TXT record displayed and add it to your DNS zone as a TXT record. Step 5: Configure Postfix to Use OpenDKIM Edit Postfix Configuration (/etc/postfix/main.cf): sudo nano /etc/postfix/main.cf Add these lines: milter_default_action = accept milter_protocol = 6 smtpd_milters = inet:localhost:8891 non_smtpd_milters = $smtpd_milters Restart Postfix and OpenDKIM: sudo service postfix restart sudo service opendkim restart Step 6: Test Your Configuration Send a Test Email to a service like Mail-Tester or to a Gmail account and check the headers for a valid DKIM signature. Notes: Replace example.com with your actual domain. Ensure your firewall allows traffic on the port used by OpenDKIM (in this case, 8891). DNS changes might take some time to propagate. Verify all paths and file names are correct, especially in the OpenDKIM configuration files. Check logs for any errors (/var/log/mail.log for Postfix and /var/log/opendkim.log for OpenDKIM). No newline at end of file
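Review bot: Postfix and OpenDKIM are pointed at different sockets, so the milter is never reached: opendkim.conf sets `Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock` while main.cf sets `smtpd_milters = inet:localhost:8891`, and because `milter_default_action = accept` fails open, Postfix will quietly deliver mail that is neither signed nor verified instead of reporting the broken connection. Use one transport on both ends, for example `Socket inet:8891@localhost` in opendkim.conf (which also makes the firewall note about port 8891 moot, since it is loopback only), or keep the UNIX socket and set `smtpd_milters = unix:/var/run/opendkim/opendkim.sock` (the path is relative to the Postfix chroot) after creating that directory and adding the postfix user to the opendkim group so it can open the group-writable socket that `UMask 002` produces; `milter_default_action = tempfail` is the safer choice if you would rather queue than send unsigned mail while OpenDKIM is down. The table paths also do not line up on a case-sensitive filesystem: the config references `refile:/etc/opendkim/keytable`, `refile:/etc/opendkim/signingtable` and `refile:/etc/opendkim/trusted.hosts`, but the tee commands create `/etc/opendkim/KeyTable`, `/etc/opendkim/SigningTable` and `/etc/opendkim/TrustedHosts`, so OpenDKIM will start with empty or missing tables and sign nothing. The KeyTable entry names the key as `/etc/opendkim/keys/example.private`, whereas Step 3 moves it to `/etc/opendkim/keys/example.com/mail.private`, and that directory is never created before the `mv`, so the move itself fails; add `sudo mkdir -p /etc/opendkim/keys/example.com` before the move and make the KeyTable path match the real location. Minor: the step says to open `/etc/opendkim.conf` but the listing is headed `/etc/opendkim/opendkim.conf`; the Debian package reads `/etc/opendkim.conf`, so drop the second path to avoid editing a file the daemon ignores.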