Hello, today we set up DKIM signing on CentOS 7 with Postfix and OpenDKIM.
# yum install opendkim
The next step is to configure OpenDKIM. Back up the original file first:
# cp /etc/opendkim.conf /etc/opendkim.conf.orig
# vim /etc/opendkim.conf
Set the options like this (Mode sv signs outbound mail and verifies inbound mail; the KeyTable, SigningTable and TrustedHosts lines point OpenDKIM at the files we create next):
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
Canonicalization relaxed/relaxed
Selector default
MinimumKeyBits 1024
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
Next we edit /etc/opendkim/TrustedHosts. Hosts listed here are treated as internal: mail coming from them is signed instead of verified, so list only your own addresses and hostnames.
# vim /etc/opendkim/TrustedHosts
127.0.0.1
::1
mail.ceae.info
Now we edit /etc/opendkim/KeyTable. Each line has the form keyname domain:selector:path-to-private-key; the selector given here (default) is the one OpenDKIM writes into the DKIM-Signature header, so it is also the name the DNS record must be published under.
vim /etc/opendkim/KeyTable
default._domainkey.ceae.info ceae.info:default:/etc/opendkim/keys/ceae.info.private
OpenDKIM also needs to know which sender addresses are signed with which key, so we configure the SigningTable file.
vim /etc/opendkim/SigningTable
*@ceae.info default._domainkey.ceae.info
Now we generate one key pair per domain. opendkim-genkey produces a 1024-bit RSA key by default; pass -b 2048 for a stronger one (RFC 8301 recommends 2048 bits). Note that -s only decides the output file names and the label written into the .txt file; the selector OpenDKIM actually signs with is the one in KeyTable (default). With -s ceae.info as below the files are therefore called ceae.info.private and ceae.info.txt, while the DNS record still has to be published as default._domainkey.ceae.info.
cd /etc/opendkim/keys
opendkim-genkey -D /etc/opendkim/keys/ -d ceae.info -s ceae.info
You will get:
[root@mail keys]# ls -l
total 8
-rw------- 1 root root 891 apr 25 22:02 ceae.info.private
-rw------- 1 root root 344 apr 25 22:02 ceae.info.txt
The files are owned by root, so change the owner to the opendkim user (the 0600 mode stays as it is, which is what we want for a private key):
[root@mail keys]# chown -R opendkim:opendkim /etc/opendkim/keys/
Restart OpenDKIM and enable it at boot:
systemctl restart opendkim.service
systemctl enable opendkim.service
Integrate OpenDKIM with Postfix:
vim /etc/postfix/main.cf
and append these lines. smtpd_milters covers mail received over SMTP; non_smtpd_milters is needed as well so that mail submitted locally through sendmail(1) and the pickup service (cron jobs, scripts) is also signed. milter_default_action = accept means Postfix delivers mail unsigned if OpenDKIM is down; use tempfail instead if you would rather have outbound mail wait in the queue than leave unsigned.
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
Finally, the most important step is to publish the public key in DNS.
cat ceae.info.txt
The label in the file follows the -s value given to opendkim-genkey (ceae.info._domainkey), but verifiers look up <selector>._domainkey.<domain> with the selector taken from the signature, and that comes from KeyTable: default. So the record to create in the ceae.info zone is:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh1hbzE5Ae83qLXL/DKAhTmOYXzLG3+RfdjG9nbv+zH/STABdYpU7kQKAs0M9X1bdIe8We8Bs//vKqqtgOB/j/jwcH+VMou3wBEULshzQK6qoBSb413qdGEnXIHUP3e9p4VttlebSp5w/3dLaOpNFNUMKz6Xb2Pa8xlxn5DgNrYQIDAQAB" ) ; ----- DKIM key ceae.info for ceae.info
The quoted chunks are concatenated by DNS into one string; if your DNS provider's panel wants a single value, paste v=DKIM1; k=rsa; p=MIGf... as one string without the quotes.
Restart Postfix:
systemctl restart postfix.service
How do we test that it works? First check that the record is visible:
dig default._domainkey.ceae.info TXT +short
The answer should contain the v=DKIM1; k=rsa; p=... string. opendkim-testkey -d ceae.info -s default -vvv fetches the same record and reports whether it parses; add -k /etc/opendkim/keys/ceae.info.private and it also confirms that the published key matches the private key (a "key not secure" warning only means the zone is not DNSSEC-signed). Then send a mail to an external mailbox and look for a DKIM-Signature: header with s=default and d=ceae.info; /var/log/maillog should show "DKIM-Signature field added" for it.
P.S. In DNS the record name starts with default._domainkey, i.e. the selector from KeyTable, not the -s value given to opendkim-genkey.
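A consistency check for the selector mix-up described above, as an added example that is not part of the original post: it derives the record names OpenDKIM will sign with from KeyTable, compares them with the label opendkim-genkey wrote into its .txt file, and flattens the quoted chunks of that file into the single string most DNS control panels want. The KeyTable line and the public key are the ones shown in this post; the .txt contents are constructed to look like opendkim-genkey output (the p= value is split in two chunks here, as genkey does for longer keys). Nothing else on the page is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the selector in
# KeyTable (the one OpenDKIM puts in DKIM-Signature) agrees with the name
# opendkim-genkey wrote into its .txt file (which follows -s), and flatten
# the quoted chunks of that file into the single TXT value most DNS panels
# want. Plain POSIX shell plus awk, sed, tr and grep -o.

# ---- constructed sample inputs -------------------------------------------
# KeyTable line exactly as in the post: keyname domain:selector:keyfile
KEYTABLE_SAMPLE='default._domainkey.ceae.info ceae.info:default:/etc/opendkim/keys/ceae.info.private'

# The public key printed in the post, split in two chunks as genkey does for
# long keys (a 1024-bit key normally fits in one chunk; the split exercises
# the joiner below).
PUBKEY_A='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh1hbzE5Ae83qLXL/DKAhTmOYXzLG3+RfdjG9nbv+zH/STABdYpU7kQKAs0M9X1bdIe8We8Bs//vKqqtgOB/j/jwcH'
PUBKEY_B='+VMou3wBEULshzQK6qoBSb413qdGEnXIHUP3e9p4VttlebSp5w/3dLaOpNFNUMKz6Xb2Pa8xlxn5DgNrYQIDAQAB'

# What "opendkim-genkey -d ceae.info -s ceae.info" (the post's command) writes.
GENKEY_TXT_POST="ceae.info._domainkey IN TXT ( \"v=DKIM1; k=rsa; \"
  \"p=$PUBKEY_A\"
  \"$PUBKEY_B\" )  ; ----- DKIM key ceae.info for ceae.info"

# The same key as "opendkim-genkey -d ceae.info -s default" would label it.
GENKEY_TXT_FIXED=$(printf '%s\n' "$GENKEY_TXT_POST" |
  sed 's/^ceae\.info\._domainkey/default._domainkey/; s/DKIM key ceae\.info for/DKIM key default for/')

# ---- checks ---------------------------------------------------------------
# Record names OpenDKIM will sign with, one per KeyTable line:
# <selector>._domainkey.<domain>, from the "domain:selector:keyfile" field.
dkim_keytable_records() {
    awk '!/^[[:space:]]*(#|$)/ { split($2, f, ":"); print f[2] "._domainkey." f[1] }' "$1"
}

# Owner name in the genkey .txt (first field of the first line).
dkim_genkey_label() {
    awk 'NR == 1 { print $1; exit }' "$1"
}

# Join the quoted character-strings inside ( ... ) into the single TXT value;
# this is how a resolver sees them anyway (RFC 1035 string concatenation).
dkim_txt_value() {
    tr -d '\n' < "$1" | sed 's/^[^(]*(//; s/)[^)]*$//' | grep -o '"[^"]*"' | tr -d '"\n'
    echo
}

# Return 0 if the name in the .txt file is one KeyTable will sign with, else 1.
# The domain is the last word of genkey's trailer ("----- DKIM key <sel> for <domain>").
dkim_check_selector() {
    kt=$1; txt=$2
    domain=$(tr -d '\n' < "$txt" | awk '{ print $NF }')
    expected="$(dkim_genkey_label "$txt").$domain"
    if dkim_keytable_records "$kt" | grep -qx "$expected"; then
        echo "OK: $expected is what KeyTable signs with; publish it as a TXT record."
        return 0
    fi
    echo "MISMATCH: $txt is labelled $expected but KeyTable will sign with:" >&2
    dkim_keytable_records "$kt" >&2
    echo "Publish the p= value under the KeyTable name, or rerun opendkim-genkey with a matching -s." >&2
    return 1
}

# ---- demo run on the constructed samples ----------------------------------
demo_dir=$(mktemp -d)
printf '%s\n' "$KEYTABLE_SAMPLE"  > "$demo_dir/KeyTable"
printf '%s\n' "$GENKEY_TXT_POST"  > "$demo_dir/ceae.info.txt"
printf '%s\n' "$GENKEY_TXT_FIXED" > "$demo_dir/default.txt"

echo "TXT value to paste into the DNS panel:"
dkim_txt_value "$demo_dir/ceae.info.txt"
dkim_check_selector "$demo_dir/KeyTable" "$demo_dir/ceae.info.txt"   # -s ceae.info: mismatch
dkim_check_selector "$demo_dir/KeyTable" "$demo_dir/default.txt"     # -s default: OK
```

Against a real installation, point the same functions at the live files, e.g. `dkim_check_selector /etc/opendkim/KeyTable /etc/opendkim/keys/ceae.info.txt`; the mismatch branch is exactly the situation this post's commands produce, and the printed KeyTable name is the one to use in DNS.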
Nice write up, however the article doesn’t explain the reasoning behind any of the steps. I find this really helps overall understanding of the explained steps and why something is happening as opposed to it should just be this.
The reason for this post is just to show the steps! Why? You have to learn, or ask in a comment!
Nice!.
I am wondering how to reject messages with no signature – per domain. For example, I am signing mails from mydomain.org so I need the DKIM validation to fail if the message claims to be from mydomain.org, but has no signature.
Does anyone know?
You have to use an SPF and/or DKIM filter on your server for any mail you receive!
Not working! Please explain in details, step by step!
How do you know it's not working? Did you look at your log in /var/log/maillog?
There is something wrong in your public key example. The selector is not default when you generated the keys; it was ceae.info.
Instead of:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA....DAQAB" ) ; ----- DKIM key ceae.info for ceae.info
It should be
ceae.info._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA....DAQAB" ) ; ----- DKIM key ceae.info for ceae.info
You should also change the dig command to
"dig ceae.info._domainkey.ceae.info TXT +short"
to be coherent with
"opendkim-genkey -D /etc/opendkim/keys/ -d ceae.info -s ceae.info"
🙂
For CentOS 7.7, we had to add the following lines to the configuration to get it to work.
------
#OpenDKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
------