How To

How To Install and Configure DKIM with Postfix on UBUNTU 18.0

No Comments

DKIM is an Internet Standard that enables a person or organisation to associate a domain name with an email message. This, in effect, serves as a method of claiming responsibility for a message. At its core, DKIM is powered by asymmetric cryptography. The sender’s Mail Transfer Agent (MTA) signs every outgoing message with a private key. The recipient retrieves the public key from the sender’s DNS records and verifies if the message body and some of the header fields were not altered since the message signing took place.

Install OpenDKIM

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install opendkim opendkim-tools

Configure OpenDKIM

sudo nano /etc/opendkim.conf

Append the following lines to the end of the conf file

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

This simple configuration is meant to allow message signing, 

sudo nano /etc/default/opendkim

Add the following line, edit the port number only if a custom one is used:

SOCKET="inet:12301@localhost"

Configure postfix to use this milter:Configure postfix to use this milter:

sudo nano /etc/postfix/main.cf

Make sure that these two lines are present in the Postfix config file and are not commented out:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Create a directory structure that will hold the trusted hosts, key tables, signing tables and crypto keys:

sudo mkdir /etc/opendkim
sudo mkdir /etc/opendkim/keys

Specify trusted hosts:

sudo nano /etc/opendkim/TrustedHosts

Customize and add the following lines to the newly created file. Multiple domains can be specified, do not edit the first three lines:

127.0.0.1
localhost
::1

*.jdk.co.ke

Create a key table:

sudo nano /etc/opendkim/KeyTable

A key table contains each selector/domain pair and the path to their private key. 

mail._domainkey.jdk.co.ke jdk.co.ke:mail:/etc/opendkim/keys/jdk.co.ke.com/mail.private

Create a signing table:

*@jdk.co.ke mail._domainkey.jdk.co.ke

Generate the public and private keys

cd /etc/opendkim/keys
sudo mkdir jdk.co.ke
cd jdk.co.ke
sudo opendkim-genkey -s mail -d jdk.co.ke
sudo chown opendkim:opendkim mail.private

Add the public key to the domain’s DNS records

sudo nano -$ mail.txt

Copy that key and add a TXT record to your domain’s DNS entries: i.e

Name: mail._domainkey.jdk.co.ke.

Text: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCIIV10Hwo4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB"

Please note that the DNS changes may take a couple of hours to propagate.

Restart Postfix and OpenDKIM:

sudo service postfix restart
sudo service opendkim restart

reference

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

Facebook Comments

You may also like