Identify your mail service with OpenDKIM and Postfix

Signing your emails with DomainKeys Identified Mail (DKIM) gives you an anti-spam and anti-phishing measure and a better security posture. In this post I show how to configure OpenDKIM and Postfix.

Overview

As usual, I do all the configuration on CentOS 6, with Postfix 2.6.6 and OpenDKIM 2.10.3.

Install

The installation process is pretty easy:

yum install epel-release  
yum install opendkim  

Configuration

The configuration can be split into two parts: the OpenDKIM and Postfix configuration, and the DNS configuration. All my clients come from the local subnet 10.10.254.0/24.

Let's start with OpenDKIM.

Base configuration

Just update your opendkim.conf file.

cat << EOF > /etc/opendkim.conf  
PidFile            /var/run/opendkim/opendkim.pid  
Mode               sv  
Syslog             yes  
SyslogSuccess      yes  
LogWhy             yes  
UserID             opendkim:opendkim  
Socket             inet:8891@localhost  
Umask              002  
Canonicalization   relaxed/relaxed  
MinimumKeyBits     1024  
KeyTable           /etc/opendkim/KeyTable  
SigningTable       refile:/etc/opendkim/SigningTable  
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts  
InternalHosts      refile:/etc/opendkim/TrustedHosts  
EOF  

As you can see, I use the same list for ExternalIgnoreList and InternalHosts, because I plan to use this service only from my private mail server (relay).

Signing table

The signing table is used to select one or more signatures to apply to a message, based on the address found in the From: header field.

Let's create the signing table for the domain zombig.name with the selector mail.

cat << EOF > /etc/opendkim/SigningTable  
*@zombig.name mail._domainkey.zombig.name
EOF  

This rule tells OpenDKIM to sign all emails from the domain zombig.name.

Key table

The key table tells OpenDKIM which key to use for signing a specific domain. For example:

cat << EOF > /etc/opendkim/KeyTable  
mail._domainkey.zombig.name zombig.name:mail:/etc/opendkim/keys/zombig.name/mail.private  
EOF  

Trusted hosts

Then we create the TrustedHosts list. As you may remember, this list is used by ExternalIgnoreList and InternalHosts.

As I said before, my trusted private network is 10.10.254.0/24, so I add this whole subnet to the TrustedHosts file.

cat << EOF > /etc/opendkim/TrustedHosts  
127.0.0.0/8  
10.10.254.0/24  
EOF  

Note that you can specify either a single IP address or a CIDR range.

Generate keys

Now we need to generate our RSA key.

mkdir /etc/opendkim/keys/zombig.name  
opendkim-genkey --restrict --bits=1024 --directory=/etc/opendkim/keys/zombig.name --domain=zombig.name --selector=mail  

As you can see, we generate a 1024-bit key for the domain zombig.name. We also restrict this key to use with the email service only.

At this point we have finished the OpenDKIM configuration and can proceed to configuring our DNS records.

Add DNS record

The DNS record you need to publish is written next to your domain's private key file.

cat /etc/opendkim/keys/zombig.name/mail.txt  
mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; s=email; "  
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNVHEgWJ4tIjd52lePqWdtr1jhgxKJkuFpcy6oDMOrcWWxn2lACJF5MN2DdQsZM8KS9y1NHDqaQTESqBDXJfO5peoRxWqrkj9OcHcM+Er6vg2W4SKqIdzsoWeA2jk/nvZpInI4gbvBaIRMu98T5pKhZet/2xTzXOu/w9rgo6eokwIDAQAB" )  ; ----- DKIM key mail for zombig.name
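A mistake in the record above (wrong selector, a key shorter than MinimumKeyBits, a missing s=email) only shows up later as verification failures at the receiver. As an added example that is not part of the original post, this Python script rebuilds the TXT value from the mail.txt output and the KeyTable entry shown above and checks them against the opendkim.conf settings used here; the function names are my own and only the standard library is used.

```python
import base64
import re

# Sample input taken from the post: the mail.txt opendkim-genkey wrote and the KeyTable entry.
MAIL_TXT = '''mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; s=email; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNVHEgWJ4tIjd52lePqWdtr1jhgxKJkuFpcy6oDMOrcWWxn2lACJF5MN2DdQsZM8KS9y1NHDqaQTESqBDXJfO5peoRxWqrkj9OcHcM+Er6vg2W4SKqIdzsoWeA2jk/nvZpInI4gbvBaIRMu98T5pKhZet/2xTzXOu/w9rgo6eokwIDAQAB" )  ; ----- DKIM key mail for zombig.name'''
KEYTABLE_LINE = ("mail._domainkey.zombig.name "
                 "zombig.name:mail:/etc/opendkim/keys/zombig.name/mail.private")

def txt_value(record):
    """Join the quoted TXT chunks exactly as a resolver concatenates them."""
    return "".join(re.findall(r'"([^"]*)"', record))

def parse_tags(value):
    """Split a DKIM tag=value list ('v=DKIM1; k=rsa; ...') into a dict."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if p.strip())

def _der(buf, pos):
    """Minimal DER TLV reader: returns (tag, value, position after value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, e.g. 0x81 0x9f
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(p_tag):
    """Modulus size of the SubjectPublicKeyInfo carried in the p= tag."""
    spki = base64.b64decode(p_tag)
    _, seq, _ = _der(spki, 0)               # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der(seq, 0)                # AlgorithmIdentifier (skipped)
    _, bits, _ = _der(seq, pos)             # BIT STRING; byte 0 = unused bits
    _, rsa, _ = _der(bits, 1)               # RSAPublicKey SEQUENCE
    _, modulus, _ = _der(rsa, 0)            # INTEGER n, may have a leading 0x00
    return int.from_bytes(modulus, "big").bit_length()

def check_record(record, keytable_line, min_bits=1024):
    """Return findings; an empty list means the record fits the OpenDKIM setup."""
    tags = parse_tags(txt_value(record))
    name, rest = keytable_line.split()
    domain, selector, _ = rest.split(":", 2)
    owner = record.split()[0]               # e.g. mail._domainkey
    findings = []
    if tags.get("v") != "DKIM1":
        findings.append("v= tag must be DKIM1")
    if tags.get("s") != "email":
        findings.append("s=email missing: key was not generated with --restrict")
    if f"{owner}.{domain}" != name or not owner.startswith(selector + "."):
        findings.append(f"record name {owner}.{domain} does not match KeyTable {name}")
    bits = rsa_key_bits(tags.get("p", ""))
    if bits < min_bits:
        findings.append(f"{bits}-bit key is below MinimumKeyBits {min_bits}")
    return findings
```

Run `check_record(MAIL_TXT, KEYTABLE_LINE)` before publishing; an empty list means the record, the KeyTable entry and the 1024-bit minimum from opendkim.conf agree.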

Update postfix configuration

To enable signing of our outbound email, we also need to edit the Postfix configuration.

cat << EOF >> /etc/postfix/main.cf  
smtpd_milters = inet:localhost:8891  
non_smtpd_milters = inet:localhost:8891  
milter_default_action = accept  
EOF  
service postfix reload  
service opendkim reload  

Test that the identification service works

Send a test email through your Postfix and you should see the following message in the log:

Nov 13 03:35:14 zombig.name opendkim[7324]: 4C1641A80D80: DKIM-Signature field added (s=mail, d=zombig.name)  

That means everything works fine.
