DKIM, Sendmail, on Debian
Install & Configure
#aptitude install opendkim opendkim-tools
Generate Keys:
#mkdir /etc/mail/opendkim /etc/mail/opendkim/keys
#cd /etc/mail/opendkim/keys
#opendkim-genkey -t -s default -d fml.ro
At this point you should have a “default.private” and a “default.txt” file in your current working directory (which is /etc/mail/opendkim/keys). default.txt contains the DNS TXT record you must add to your DNS zone. Here’s what it will look like:
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb..." ; ----- DKIM default for test
You’ll also need to set up one more TXT record:
_domainkey IN TXT "t=y; o=~;"
The t=y line lets consumers know you are in test mode, and o=~ denotes that some (but not all) of your emails will be signed. When you’re done testing be sure to remove t=y (and set o=- if you so desire).
Next let’s rename and chown the private key so dkim-milter can use it.
mv default.private default
chown opendkim:opendkim default
Now we’ll need to edit /etc/mail/opendkim/keys/keylist to add a line like this (substituting your domain):
*@whatever-your-domain-is.com:whatever-your-domain-is.com:/etc/mail/dkim-milter/keys/default
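Before removing t=y it is worth checking what you actually published against the KeyList entry. The following Python audit is an added example, not part of this article: it parses the two TXT records and the keylist line shown above (sample values are constructed from this page's examples, using the fml.ro domain from the genkey command) and reports anything still in test mode or inconsistent between DNS and the key list.

```python
import re

# Constructed samples copied from the zone lines and keylist entry in this article
KEY_LINE = ('default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb..." '
            '; ----- DKIM default for test')
POLICY_LINE = '_domainkey IN TXT "t=y; o=~;"'
KEYLIST_LINE = '*@fml.ro:fml.ro:/etc/mail/dkim-milter/keys/default'

def parse_txt_record(line):
    """Parse a 'name IN TXT "..."' zone line into (owner, {tag: value}).
    Adjacent quoted strings are joined, as resolvers do for long key records."""
    m = re.match(r'^(\S+)\s+IN\s+TXT\s+((?:"[^"]*"\s*)+)', line)
    if not m:
        raise ValueError("not a TXT record: %r" % line)
    text = "".join(re.findall(r'"([^"]*)"', m.group(2)))
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")   # split on the first '=' only; base64 padding may contain '='
            tags[k.strip()] = v.strip()
    return m.group(1), tags

def keylist_selector(line):
    """Selector opendkim infers from a 'pattern:domain:keypath' KeyList entry:
    the last path component of keypath."""
    _pattern, domain, keypath = line.split(":", 2)
    return domain, keypath.rsplit("/", 1)[-1]

def audit(key_line, policy_line, keylist_line):
    """Return findings to clear before dropping t=y and calling the setup done."""
    owner, key = parse_txt_record(key_line)
    _, policy = parse_txt_record(policy_line)
    _domain, selector = keylist_selector(keylist_line)
    findings = []
    if key.get("v") != "DKIM1":
        findings.append("key record: v tag is not DKIM1")
    if not key.get("p"):
        findings.append("key record: empty p tag, verifiers treat the key as revoked")
    if "y" in key.get("t", "").split(":"):
        findings.append("key record: t=y still set (test mode)")
    if owner.split(".")[0] != selector:
        findings.append("DNS selector %s != KeyList selector %s" % (owner.split(".")[0], selector))
    if policy.get("t") == "y":
        findings.append("policy record: t=y still set (test mode)")
    if policy.get("o") == "~":
        findings.append("policy record: o=~, some mail will be unsigned; use o=- once all mail is signed")
    return findings
```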
Milter Configuration:
/etc/opendkim.conf:
Domain
If a KeyList is used (as it is in this example), it is not necessary to specify this option; the signing-domain entries in the KeyList file supply the domains.
If you plan on only a single domain, set the value of this option to the name of the domain and omit the KeyList parameter.
Domain <yourdomain>
InternalHosts
This option specifies hosts (typically on the local network) whose emails should be signed rather than verified. If an MTA is sitting behind this copy of sendmail (for example an Exchange server that has this sendmail configured as its smart host), those hosts need to be listed in this file. The localhost (127.0.0.1) should always be listed in this file.
Again, I recommend setting it to a file under the dkim-milter directory, such as /etc/mail/dkim-milter/internalhosts and remember to set the appropriate permissions.
not set
KeyList
The KeyList option specifies where to find the list of private keys for all the domains whose emails are to be signed. I recommend using /etc/mail/dkim-milter/keys/keylist and setting the permissions appropriately. Refer to the following section for the contents of this file.
If only a single domain is to be used, this option can be omitted and the Domain and Selector options used in its place.
KeyList /etc/mail/dkim-milter/keys/keylist
KeyFile /etc/mail/dkim-milter/keys/default
MTA
Other sites have specified setting this value to MSA; I have left it alone. This limits which emails to sign based on the specified MTA; I choose to not limit signing based on the MTA.
MTA MTA, MSA, TLSMTA
Selector
If a KeyList is used (as it is in this example), it is not necessary to specify this option; the keypath entries in the KeyList file supply the selector per domain.
If you plan on only a single domain, set the value of this option to the name of the selector and omit the KeyList parameter. In this example, the selector should be set to default.
Selector default
Socket
Many of the examples listed on various web pages specify a TCP port to use for communication. I have chosen to use a Unix domain socket that is created when the milter is started. By default the socket is created at /var/run/dkim-milter/dkim-milter.sock, so the value for this option is local:/var/run/dkim-milter/dkim-milter.sock. Again, note that the dkim-filter daemon is not listening for requests on a TCP port in this example.
Socket inet:8891@localhost
Syslog
Make sure to set this to yes so that you can verify it is working. You may also choose to set the LogWhy parameter to yes to see more debugging information.
Syslog Yes
LogWhy yes (disable once everything is ok)
SyslogSuccess
Again, set this to yes to confirm the process has performed successfully. It is very useful in determining what has occurred. The messages from the daemon will be written to the tail end of the /var/log/maillog file.
SyslogSuccess yes (disable once everything is ok)
UserID
Set this to the user that was created during the package installation: dkim-milter. This will ensure the dkim-filter daemon runs as that user and has limited access to other system files.
UserID dkim-milter
ADSP*
The following two options are used to make the MTA accountable to the ADSP TXT records. These are optional and can be left alone.
- ADSPDiscard yes
- ADSPNoSuchDomain yes
We’re all set configuring dkim-milter. Let’s start it; on Debian the second command also configures it to start at boot.
systemctl start dkim-milter.service
systemctl enable dkim-milter.service
Sendmail Configuration
cd /etc/mail
/etc/mail/sendmail.mc:
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')dnl
#m4 sendmail.mc>sendmail.cf
#systemctl restart sendmail.service