Validate Email With DNS Records | LandChad.net
Email is a lot like real-life mail. You can send email to anyone, but you can also write whatever return address you'd like. That is, it's pretty easy to pretend to be someone else via mail, and that was originally the case with email as well: email is just text, and you could change your From: address to any email address you wanted.

DKIM (DomainKeys Identified Mail) helps solve this issue. OpenDKIM generates a public/private key pair for your server. The public key is published in your domain's DNS records and the private key is used to sign every email that leaves the server. A receiving server fetches the public key from DNS and checks the signature, so it can verify that the signed headers and body came from a server holding your private key and were not altered in transit.

DKIM proves that the mail came from the server it claims to have come from; it does not prove that it came from the user account it claims. That easier problem is solved by Postfix's own sender authentication and authorization settings, not by DKIM.

Installation

apt install opendkim opendkim-tools

The opendkim package provides the signing daemon and the opendkim user and group used below; opendkim-tools provides opendkim-genkey.

The Keys and Files

We have to generate the DKIM keys and create some secondary files that our configuration will require.

Generate the DKIM key

Here we create a directory for the OpenDKIM keys, generate them, and ensure they have the right file permissions. Replace example.org with your domain. The selector (-s mail) is an arbitrary label that becomes part of the DNS name under which the public key is published.

mkdir -p /etc/postfix/dkim
opendkim-genkey -b 2048 -D /etc/postfix/dkim/ -d example.org -s mail
chgrp opendkim /etc/postfix/dkim/*
chmod g+r /etc/postfix/dkim/*

This writes mail.private (the private key, which must stay readable only by root and the opendkim group) and mail.txt (the public key already formatted as a DNS record). -b 2048 asks for a 2048-bit RSA key; current practice is 2048 bits, and the tool's default is shorter.

Create the key table

Now we'll tell OpenDKIM where the newly generated keys are on the file system. Each line maps a key name to domain:selector:path-to-private-key.
echo "mail._domainkey.example.org example.org:mail:/etc/postfix/dkim/mail.private" > /etc/postfix/dkim/keytable

Create the signing table

The signing table maps sender addresses to the key name that should sign them; the wildcard covers every address at the domain.

echo "*@example.org mail._domainkey.example.org" > /etc/postfix/dkim/signingtable

Adding trusted hosts

Mail from these hosts is treated as internal and gets signed rather than verified. Put one entry per line, and replace the example addresses with your own loopback and server addresses.

echo "127.0.0.1
10.1.0.0/16
1.2.3.4/24" > /etc/postfix/dkim/trustedhosts

Configuring opendkim.conf

Now we have all the raw material, so open up /etc/opendkim.conf and we can finalize our server settings. First, add these lines, which source the files we just created:

KeyTable file:/etc/postfix/dkim/keytable
SigningTable refile:/etc/postfix/dkim/signingtable
InternalHosts refile:/etc/postfix/dkim/trustedhosts
Canonicalization relaxed/simple
Socket inet:12301@localhost

There will already be an uncommented Socket directive, so delete, comment out or replace it with the above. The Socket line makes OpenDKIM listen on TCP port 12301 on localhost only, which is where Postfix will connect. relaxed/simple canonicalization tolerates whitespace and line-folding changes that intermediate servers make to headers while requiring the body to arrive as it was signed.

Interfacing with Postfix

There are a couple of things we must add to the Postfix SMTP server settings to interface it with OpenDKIM. Specifically, we have to register the OpenDKIM server, which will be running on port 12301, as a milter (mail filter). This is easy to do with the commands below:

postconf -e "myhostname = $(cat /etc/mailname)"
postconf -e "milter_default_action = accept"
postconf -e "milter_protocol = 6"
postconf -e "smtpd_milters = inet:localhost:12301"
postconf -e "non_smtpd_milters = inet:localhost:12301"

smtpd_milters covers mail that arrives over SMTP, including submissions from your own mail clients; non_smtpd_milters covers mail injected locally through the sendmail command. Note that milter_default_action = accept means that if OpenDKIM is not running, Postfix still sends the mail, just unsigned, so a dead daemon shows up as rejected or spam-foldered mail at recipients rather than as a local error. Set it to tempfail if you would rather have mail queue until OpenDKIM is back.

Restart and reload Postfix and DKIM

Now that we have all our settings in place:

systemctl restart opendkim
systemctl enable opendkim
systemctl reload postfix

Adding the DNS record!

We are only one step away from having functioning OpenDKIM. We must add the DKIM public key to our domain's DNS settings, so go ahead and open up your registrar's site or wherever your site's DNS settings are managed. The public key is found in the file /etc/postfix/dkim/mail.txt, but it is displayed as multiple lines and multiple quoted strings, which is annoying and hard to copy-and-paste into your registrar.
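The following script is an added example and is not part of the LandChad guide. It covers two of the steps above: it checks that the key table, signing table and private key created under "The Keys and Files" agree with each other and that the key is not world-readable, and it turns the multi-line mail.txt written by opendkim-genkey into the single value needed for the TXT record (splitting it into 255-byte strings for zone files, since a 2048-bit key does not fit in one string). All file paths, the function names and the sample key are constructed for the example; only the last function needs network access and dig.

```shell
#!/bin/sh
# Added example, not from the LandChad guide. Paths, function names and the
# sample key below are constructed for illustration.

# Consistency check for the files created in "The Keys and Files":
#   - every key-table entry's private key must exist and must not be readable
#     or writable by "other" (the guide grants access to the opendkim group only)
#   - every signing-table entry must name a key that exists in the key table
# Prints each problem found; returns 0 when everything is consistent, 1 otherwise.
check_opendkim_files() {
    keytable=$1; signingtable=$2; status=0
    while read -r keyname spec; do
        [ -z "$keyname" ] && continue
        keyfile=${spec##*:}            # third field of domain:selector:path
        if [ ! -f "$keyfile" ]; then
            echo "missing private key for $keyname: $keyfile"; status=1; continue
        fi
        # Octal mode (GNU stat first, BSD stat as fallback); the last digit is "other".
        perm=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
        case $perm in
            *[1-7]) echo "$keyfile is world-accessible (mode $perm)"; status=1 ;;
        esac
    done < "$keytable"
    while read -r pattern keyname; do
        [ -z "$pattern" ] && continue
        awk -v k="$keyname" '$1 == k { f = 1 } END { exit !f }' "$keytable" ||
            { echo "signing table entry $pattern refers to unknown key $keyname"; status=1; }
    done < "$signingtable"
    return $status
}

# Turn opendkim-genkey's mail.txt (read from stdin) into one unquoted TXT value:
# join all lines, keep only the double-quoted chunks, and concatenate them.
dkim_txt_from_genkey() {
    tr -d '\n' | grep -o '"[^"]*"' | tr -d '"\n'
}

# A TXT record is stored as strings of at most 255 bytes, so a long value must be
# split into several quoted strings in a zone file (many registrar forms do this
# for you). Reads the value from stdin, prints the quoted, space-separated form.
split_txt_255() {
    fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ' | sed 's/ $//'
}

# Compare what DNS actually serves with the local value. Quotes and whitespace are
# stripped on both sides because resolvers return the record as several quoted
# strings. Needs network and dig; assumes exactly one TXT record at that name.
published_matches_local() {
    name=$1; localtxt=$2
    [ "$(dig +short TXT "$name" | tr -d '" \t\n')" = "$(printf '%s' "$localtxt" | tr -d ' \t')" ]
}

# Constructed sample of what opendkim-genkey writes to mail.txt; the key data is
# a made-up placeholder, not a real public key.
sample_genkey_output() {
    cat <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
   "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsampleKEYdata0123456789"
   "moreKEYdataABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkIDAQAB" )  ; ----- DKIM key mail for example.org
EOF
}

# Stand-alone demo: build a throwaway key table / signing table / key file in a
# temporary directory, run the consistency check, and format the sample record.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "mail._domainkey.example.org example.org:mail:$dir/mail.private" > "$dir/keytable"
    printf '%s\n' "*@example.org mail._domainkey.example.org" > "$dir/signingtable"
    printf '%s\n' "placeholder private key, not a real key" > "$dir/mail.private"
    chmod 640 "$dir/mail.private"
    check_opendkim_files "$dir/keytable" "$dir/signingtable" && echo "key files OK"
    echo "TXT value for mail._domainkey:"
    sample_genkey_output | dkim_txt_from_genkey | split_txt_255; echo
    rm -r "$dir"
}

demo
```

On a real server, feed the actual file: `dkim_txt_from_genkey < /etc/postfix/dkim/mail.txt` gives the value to paste into the registrar's TXT field under the host name mail._domainkey, and once it has propagated, `published_matches_local mail._domainkey.example.org "$(dkim_txt_from_genkey < /etc/postfix/dkim/mail.txt)"` confirms that DNS serves the same key the server signs with.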
To make things easier, run the following command to format the key in the way we need it for the DNS TXT entry:

echo -e " v=DKIM1; k=rsa; $( tr -d "

IP6=
echo "v=spf1 mx a:mail.$(cat /etc/mailname) ip4:$IP4 ip6:$IP6 -all"

Note: previous versions of this guide didn't ask you to specify the ip4 and ip6 mechanisms. If you don't include them, some email hosts (most notoriously Gmail) will not accept mail from your server. IP4 and IP6 are your server's public IPv4 and IPv6 addresses, the same ones you set PTR records for in the rDNS step. The output of cat /etc/mailname is the Host field, and the output of the second command is the TXT value. The closing -all tells receivers that no other host is authorized to send mail for your domain.

Again, you can use the same checking site to make sure your DKIM, DMARC, and SPF entries are valid. That's it!

Contribution

SPF mechanisms updated by Martin Chrzanowski.

Next: Setting up an E-mail Inbox
Previous: Setup rDNS