This guide shows how to install and configure OpenDKIM on CentOS 6.5 and Ubuntu. Before we start, here is the Wikipedia definition of DKIM, just in case anyone doesn't know what it is.
Wikipedia (http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) wrote: DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS.
First things first, we always need to ensure our system is up to date, so let's do that first. (This guide also assumes that you are not logged in as root directly, but are using another account that can get root permissions with sudo.)
CentOS Code: sudo yum update
Ubuntu Code: sudo apt-get update
In CentOS you need to enable the EPEL repo, if you haven't already. Just do the following.
Code:
sudo wget -P /tmp http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
sudo rpm -Uvh /tmp/epel-release-6-8.noarch.rpm
sudo rm -f /tmp/epel-release-6-8.noarch.rpm
Once you have done that you are ready to install OpenDKIM and its dependencies.
CentOS Code: sudo yum install opendkim
Ubuntu Code: sudo apt-get install opendkim opendkim-tools
Okay, so now we are at the fun part: configuring it and getting it all set up to run. After you back up the default config, open /etc/opendkim.conf in your favourite editor.
Code: sudo vim /etc/opendkim.conf
Once this is open, I found it a lot easier to delete all the comments around the settings; since we have a backup, we can always go back to it (or to the OpenDKIM documentation) for information. So either delete everything in the .conf and paste the settings below, or change the existing settings to match them:
Code:
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
Great, now we need to set up our private and public keys. To do that, run the following, changing yourdomain.com to the domain you are setting up the keys for. (If you have more domains you would like to sign, repeat this step for each new domain.)
Code:
sudo mkdir /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -D /etc/opendkim/keys/yourdomain.com/ -d yourdomain.com -s default
sudo chown -R opendkim: /etc/opendkim/keys/yourdomain.com
sudo mv /etc/opendkim/keys/yourdomain.com/default.private /etc/opendkim/keys/yourdomain.com/default
Okay, so now we have to add this new key to the KeyTable. Again, repeat this step for each domain you are setting up with OpenDKIM. The file is /etc/opendkim/KeyTable.
Code: sudo vi /etc/opendkim/KeyTable
Paste in the following (the second field must use the same domain name as the first; a typo there means the key is never found);
Code: default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/yourdomain.com/default
Next we need to add a new record for the domain to the signing table, /etc/opendkim/SigningTable.
Code: *@yourdomain.com default._domainkey.yourdomain.com
The * is a wildcard, so every email sent from that domain will be signed. If you only want some addresses signed, replace the * with the account name.
Code: support@yourdomain.com default._domainkey.yourdomain.com # This would only sign the support email.
Great, so now we need to add our hostname, localhost and the domain(s) we are going to sign for to the trusted hosts file, /etc/opendkim/TrustedHosts.
Before doing this: I had some issues here that stopped OpenDKIM from working, and it was a very simple fix. Type hostname in your terminal; it prints the hostname of your server, which is the name you need to put in this file.
So go ahead and run Code: sudo vi /etc/opendkim/TrustedHosts
Make it look something like this.
Code:
127.0.0.1
yourdomain.com
host.yourdomain.com #This is your hostname.
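The key generation, KeyTable, SigningTable and TrustedHosts steps above are all driven by the same domain and selector, and a typo in any one of the three tables silently stops signing. The script below is an added example (not part of the original guide) that registers a domain in all three tables from a single domain/selector pair, refuses malformed domain names, and is safe to re-run. OPENDKIM_ETC is an assumed override of the guide's /etc/opendkim so the functions can be exercised against a scratch directory; key generation only runs when opendkim-genkey is installed, and dkim_verify_domain uses opendkim-testkey from opendkim-tools to confirm the published key once DNS is updated.

```shell
#!/bin/sh
# Added example, not from the original guide: register one signing domain in the
# three OpenDKIM tables from a single domain/selector pair.
# OPENDKIM_ETC is an assumed override so this can run against a scratch directory.

OPENDKIM_ETC=${OPENDKIM_ETC:-/etc/opendkim}

# Append a line to a file unless that exact line is already present (idempotent).
append_unique() {
  file=$1; line=$2
  if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

# KeyTable line: <selector>._domainkey.<domain> <domain>:<selector>:<private key path>
keytable_line() {
  printf '%s._domainkey.%s %s:%s:%s/keys/%s/%s\n' \
    "$2" "$1" "$1" "$2" "$OPENDKIM_ETC" "$1" "$2"
}

# SigningTable line: sign everything sent from the domain.
signingtable_line() {
  printf '*@%s %s._domainkey.%s\n' "$1" "$2" "$1"
}

# Create the key directory, generate the key pair (only when opendkim-genkey is
# installed and no key exists yet) and add the domain to all three tables.
dkim_add_domain() {
  domain=$1; selector=${2:-default}
  case "$domain" in
    ""|.*|*.|*[!A-Za-z0-9.-]*) echo "refusing bad domain name: '$domain'" >&2; return 1 ;;
  esac
  keydir=$OPENDKIM_ETC/keys/$domain
  mkdir -p "$keydir"
  if command -v opendkim-genkey >/dev/null 2>&1 && [ ! -f "$keydir/$selector" ]; then
    opendkim-genkey -D "$keydir" -d "$domain" -s "$selector"
    mv "$keydir/$selector.private" "$keydir/$selector"
    chown -R opendkim: "$keydir" 2>/dev/null || true   # needs root; harmless otherwise
  fi
  append_unique "$OPENDKIM_ETC/KeyTable" "$(keytable_line "$domain" "$selector")"
  append_unique "$OPENDKIM_ETC/SigningTable" "$(signingtable_line "$domain" "$selector")"
  append_unique "$OPENDKIM_ETC/TrustedHosts" "$domain"
}

# Once the public key is in DNS, confirm OpenDKIM itself can fetch and parse it.
dkim_verify_domain() {
  command -v opendkim-testkey >/dev/null 2>&1 || { echo "opendkim-testkey not installed" >&2; return 2; }
  opendkim-testkey -d "$1" -s "${2:-default}" -vvv
}

# Usage (as root on the mail server): sh add-dkim-domain.sh yourdomain.com [selector]
if [ -n "${1:-}" ]; then
  dkim_add_domain "$1" "${2:-default}" && dkim_verify_domain "$1" "${2:-default}"
fi
```

After running it, restart opendkim as in the guide; the tables are only re-read at restart.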
Great, almost finished. Now we just need to update some DNS. I use Cloudflare for my DNS; you can use whichever you like, or your domain provider's if it offers DNS hosting. First we need the information we are going to put there, which is in /etc/opendkim/keys/yourdomain.com/default.txt
Code: sudo vi /etc/opendkim/keys/yourdomain.com/default.txt
You should see something like the following;
Code:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" ) ; ----- DKIM key default for yourdomain.com
So now with this information we are going to make a new TXT DNS record with the name default._domainkey, and put the following in the value (the quotes and parentheses from the file are BIND syntax and do not go into the value):
Code: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB
Yours will be totally different, so don't just copy and paste this one. Below is a screenshot of how mine looks. [Image: Screen_Shot_2014_08_10_at_5_27_28_PM.png]
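The DNS step is where the quoting most easily goes wrong: default.txt is written in BIND syntax with the value split into quoted chunks, and the DNS panel wants one plain string. The script below is an added example, not from the original guide, that joins the chunks into the value to paste, sanity-checks it, and compares it with what DNS actually serves (the same joiner works on the output of dig +short TXT default._domainkey.yourdomain.com, which is also returned as quoted chunks). The sample file and dig answers are constructed, and the p= values are placeholders rather than real keys.

```shell
#!/bin/sh
# Added example, not from the original guide: extract the TXT value from the
# default.txt that opendkim-genkey writes and check it against what DNS serves.
# All sample data below is constructed; the p= values are placeholders.

# Join every double-quoted chunk of a TXT record into one string. Reads stdin.
# Handles both the default.txt file and `dig +short TXT ...` output, which both
# split long values into quoted pieces.
dkim_txt_value() {
  grep -o '"[^"]*"' | tr -d '"\n'
}

# 0 if the value is a usable DKIM key record: starts with v=DKIM1, declares
# k=rsa, and carries a non-empty base64 p= tag.
dkim_txt_valid() {
  case "$1" in
    "v=DKIM1;"*) ;;
    *) return 1 ;;
  esac
  echo "$1" | grep -q 'k=rsa' || return 1
  pubkey=$(echo "$1" | sed -n 's|.*;[[:space:]]*p=\([A-Za-z0-9+/=]*\).*|\1|p')
  [ -n "$pubkey" ]
}

# 0 if the record in the generated file ($1) is exactly what DNS serves
# ($2 is the raw dig +short output, possibly several quoted chunks).
dkim_record_matches() {
  file_value=$(dkim_txt_value < "$1")
  dns_value=$(echo "$2" | dkim_txt_value)
  [ "$file_value" = "$dns_value" ]
}

# Constructed sample of /etc/opendkim/keys/yourdomain.com/default.txt.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=EXAMPLEPUBKEYPART1"
  "EXAMPLEPUBKEYPART2" ) ; ----- DKIM key default for yourdomain.com
EOF
# Constructed dig +short answers: one matching, one where an old key is still published.
SAMPLE_DIG='"v=DKIM1; k=rsa; " "p=EXAMPLEPUBKEYPART1EXAMPLEPUBKEYPART2"'
SAMPLE_DIG_STALE='"v=DKIM1; k=rsa; " "p=OLDKEYSTILLINDNS"'

txt_value=$(dkim_txt_value < "$SAMPLE_FILE")
echo "Paste this as the TXT value for default._domainkey: $txt_value"
if dkim_record_matches "$SAMPLE_FILE" "$SAMPLE_DIG"; then
  echo "DNS serves the generated key"
fi
if ! dkim_record_matches "$SAMPLE_FILE" "$SAMPLE_DIG_STALE"; then
  echo "DNS still serves a different key; signatures will not verify"
fi
```

On a real server, replace SAMPLE_DIG with the output of dig +short TXT default._domainkey.yourdomain.com; a mismatch after a key rotation usually means the old record is still cached or still published.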
Okay, so now we need to edit Postfix and let it know that we have a new milter. Open /etc/postfix/main.cf and paste the following (milter_default_action = accept means Postfix keeps accepting mail, unsigned, if it cannot reach OpenDKIM rather than rejecting it);
Code:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
Once that is done, you just have to start OpenDKIM, enable it at boot and restart Postfix. (chkconfig is the CentOS command; on Ubuntu the package's init script is enabled when it is installed.)
Code:
sudo service opendkim start
sudo chkconfig opendkim on
sudo service postfix restart
Once that has been restarted and everything is up and running, you just have to test that you are sending signed emails. You can do that by emailing, say, a Gmail account you own and looking at the headers; you should see something like mailed-by: yourdomain.com signed-by: yourdomain.com
Or you can simply email check-auth@verifier.port25.com and you will get an email back, in about 5-10 minutes, reporting whether the message was signed, whether it looks like spam, etc.
You would get something like the following back;
Code: This message is an automatic response from Port25's authentication verifier service at verifier.port25.com. The service allows email senders to perform a simple check of various sender authentication mechanisms. It is provided free of charge, in the hope that it is useful to the email community. While it is not officially supported, we welcome any feedback you may have at [email protected].
Thank you for using the verifier,
The Port25 Solutions, Inc. team
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham