Install DKIM on Postfix under Debian
This article has been created by an automatic translation software. You can view the article source here.
Introduction
To keep your mail from ending up in the spam folder, it can be worthwhile to set up DKIM for your outgoing emails.
DKIM (DomainKeys Identified Mail) is an email authentication method. It signs an email with an identifier of the sending domain, which is useful for knowing who is responsible for the message in the event of a complaint. You can find more information on DKIM on the Wikipedia page available at this address.
This article introduces the installation of OpenDKIM and its configuration. It is not exhaustive on the configuration settings of the service; it is your responsibility to check that the configuration is consistent with your system.
Prerequisites
One essential prerequisite is to keep your system as up to date as possible.
apt-get update
apt-get upgrade
To keep your Debian system up to date, make sure you have a list of the official repositories. You can find a list of the repositories available at Ikoula and installation instructions at this address.
On a production server, be sure to perform these operations during off-peak hours to minimize the impact of your actions.
Implementation
Installation of OpenDKIM
- First, install OpenDKIM
apt-get install opendkim opendkim-tools
Configuration of OpenDKIM
OpenDKIM is configured through two files: /etc/opendkim.conf and /etc/default/opendkim.
/etc/opendkim.conf
The main configuration file of OpenDKIM.
- Open the file
vi /etc/opendkim.conf
- Add the following lines to the file /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost
Here are the different parameters:
AutoRestart | Automatically restart the service in case of error. |
AutoRestartRate | The maximum number of restarts in a given time. For example, 10 restarts per hour: 10/1h. |
UMask | Grants full permissions to the user specified in UserID, and read and execute permissions to other users. |
Syslog / SyslogSuccess / LogWhy | Activate the logs for the service. |
Canonicalization | Canonical formatting of log messages. |
ExternalIgnoreList | External hosts authorized to send mail from this server without authentication. |
InternalHosts | The internal hosts whose outbound emails must be signed. |
KeyTable | Links key names to key files. |
SigningTable | The list of signatures that will be used for a message. The choice is based on the sender address. |
Mode | The operating mode of OpenDKIM: (s) signing and (v) verification. |
PidFile | Location of the file containing the process ID of the service. |
SignatureAlgorithm | The algorithm chosen to compute the signatures. |
UserID | The user and group that will run the OpenDKIM service. |
Socket | The port on which Postfix and OpenDKIM exchange messages. To listen locally on port 12301: 12301@localhost. |
This is a sample configuration; you must adapt the parameters to your current configuration and to your needs. You can find more information about the OpenDKIM configuration file at this address.
/etc/default/opendkim
- Open the file
vi /etc/default/opendkim
- Add the following line
SOCKET="inet:12301@localhost"
Change the port if it differs from the one in the preceding configuration file.
Configuration of Postfix
- Edit the Postfix configuration file
vi /etc/postfix/main.cf
- Verify that the following lines are present and uncommented
milter_protocol = 2
milter_default_action = accept
- If anti-spam filters are installed, OpenDKIM must be added to the list
smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301
non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301
- If not, add OpenDKIM on its own
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
Create folders
We will now create the folders that will contain all the OpenDKIM data, such as the hosts, signatures, etc.
- Create the structure
mkdir /etc/opendkim
mkdir /etc/opendkim/keys
Allow hosts
We now specify the hosts allowed to sign emails with OpenDKIM.
- Create the file /etc/opendkim/TrustedHosts
vi /etc/opendkim/TrustedHosts
- To declare the domains, we can use wildcards (*)
# Do not modify the first 3 lines
127.0.0.1
localhost
192.168.0.1/24
*.example.com
This file is a sample configuration for the domain *.example.com
- Save and close the TrustedHosts file
Dictionary of keys
The key dictionary file links each domain to its corresponding key.
- Create the key dictionary
vi /etc/opendkim/KeyTable
- Add the following line
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
In this example, the @example.com domain gets its key from /etc/opendkim/keys/example.com/mail.private
It is important that you adapt this configuration to your domain.
Signature dictionary
The signature dictionary file links each mail address to its corresponding domain.
- Create the signature dictionary
vi /etc/opendkim/SigningTable
- Add the following line (the use of wildcards is permitted)
*@example.com mail._domainkey.example.com
In this example, addresses in @example.com are mapped to the selector mail._domainkey.example.com.
It is important that you adapt this configuration to your domain.
Public and private key generation
We now generate our pairs of public and private keys.
- Move to the folder that will receive the keys
cd /etc/opendkim/keys
- Create a folder for our new domain @example.com
mkdir example.com
- Move into the folder of the domain
cd example.com
- Generate the keys for our @example.com domain
opendkim-genkey -s mail -d example.com
The -s option specifies the selector and -d the domain. This command creates two files: mail.private, the private key, and mail.txt, the public key.
- Change the owner of the private key
chown opendkim:opendkim mail.private
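The files created so far depend on each other: every SigningTable line must name a KeyTable entry, and every KeyTable entry must point at an existing private key that belongs to the service user and is not accessible to group or others. The following shell check is an added example, not part of the original article; the function names check_dkim_tables, owner_of and make_sample and the sample files it builds are constructed for illustration.

```sh
#!/bin/sh
# Added example: cross-check KeyTable, SigningTable and private key files.
# Usage: check_dkim_tables KEYTABLE SIGNINGTABLE [OWNER]   (default: opendkim)
owner_of() { ls -ld "$1" | awk '{print $3}'; }
check_dkim_tables() {
    keytable=$1 signingtable=$2 owner=${3:-opendkim} problems=0
    # KeyTable line: <key name> <domain>:<selector>:<private key path>
    while read -r name value; do
        case $name in ''|'#'*) continue ;; esac
        path=${value#*:*:}
        if [ "$path" = "$value" ] || [ ! -f "$path" ]; then
            echo "KeyTable: $name: malformed entry or missing key file"
            problems=$((problems + 1)); continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "KeyTable: $name: $path is accessible to group or others"
            problems=$((problems + 1))
        fi
        if [ "$(owner_of "$path")" != "$owner" ]; then
            echo "KeyTable: $name: $path is not owned by $owner"
            problems=$((problems + 1))
        fi
    done < "$keytable"
    # SigningTable line: <sender pattern> <key name defined in KeyTable>
    while read -r pattern name; do
        case $pattern in ''|'#'*) continue ;; esac
        if ! awk -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$keytable"; then
            echo "SigningTable: $pattern: key name $name is not in KeyTable"
            problems=$((problems + 1))
        fi
    done < "$signingtable"
    [ "$problems" -eq 0 ]
}

# Constructed sample: one valid domain plus a SigningTable line with no key.
make_sample() {
    mkdir -p "$1/keys/example.com"
    : > "$1/keys/example.com/mail.private"       # empty stand-in for a key
    chmod 600 "$1/keys/example.com/mail.private"
    echo "mail._domainkey.example.com example.com:mail:$1/keys/example.com/mail.private" > "$1/KeyTable"
    printf '%s\n' '*@example.com mail._domainkey.example.com' \
        '*@example.org mail._domainkey.example.org' > "$1/SigningTable"
}

demo=$(mktemp -d) && make_sample "$demo"
# The sample is owned by whoever runs the demo, not by opendkim.
check_dkim_tables "$demo/KeyTable" "$demo/SigningTable" "$(owner_of "$demo")" || echo "fix the entries above"
rm -rf "$demo"
```

On the server described in this article, the call would be check_dkim_tables /etc/opendkim/KeyTable /etc/opendkim/SigningTable.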
Addition of the public keys in the DNS records
Now that we have our public keys, we must add them to the DNS records.
- Grab our public key
vi /etc/opendkim/keys/example.com/mail.txt
You should retrieve a line similar to this example line:
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGY" ; ----- DKIM key mail for example.com
- Copy the key, that is the part "v=DKIM1 ... +iGY" in our example
- Add a DNS TXT record containing the key
DNS propagation may take a few hours to be effective (from 24 to 48 hours).
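Once the record is visible, you can confirm that it carries the same key as mail.txt before relying on it. The following shell functions are an added example, not part of the original article; dkim_p_value and dkim_record_matches are illustrative names, and the inputs are constructed from the article's sample key, split into several quoted strings as zone files and resolvers may do for TXT records.

```sh
#!/bin/sh
# Added example: compare the key in mail.txt with the published TXT record.

# Print the p= tag of a DKIM record read on stdin. Only text inside double
# quotes is used, so zone-file comments and parentheses are ignored and a
# record split into several quoted strings is joined back together.
dkim_p_value() {
    awk -F'"' '
        { for (i = 2; i <= NF; i += 2) rec = rec $i }
        END {
            n = split(rec, tag, ";")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", tag[i])
                if (tag[i] ~ /^p=/) print substr(tag[i], 3)
            }
        }'
}

# $1 = path to mail.txt, $2 = published TXT data, for example the output of
#      dig +short TXT mail._domainkey.example.com
dkim_record_matches() {
    local_p=$(dkim_p_value < "$1")
    dns_p=$(printf '%s\n' "$2" | dkim_p_value)
    [ -n "$local_p" ] && [ "$local_p" = "$dns_p" ]
}

# Constructed inputs built from the article's sample key.
zone_form='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvv"
  "rYgPCRSoqn+awTpE+iGY" ) ; ----- DKIM key mail for example.com'
dig_form='"v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGY"'

sample=$(mktemp) && printf '%s\n' "$zone_form" > "$sample"
if dkim_record_matches "$sample" "$dig_form"; then
    echo "published record matches mail.txt"
else
    echo "published record differs from mail.txt"
fi
rm -f "$sample"
```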
- Restart Postfix and OpenDKIM
service postfix restart
service opendkim restart
Conclusion
OpenDKIM is now in effect for mails sent from the addresses of the domain @example.com
This article is not exhaustive on the setup of OpenDKIM. You should adapt these examples to the configuration of your server.