DKIM Setup on a Postfix Mail Server – CentOS 6/7
Date Posted: 22-02-2017
Getting mail from a new server into the inboxes of users at the popular mail providers is one of the bigger challenges of running your own mail server. One of the most effective measures is to sign outgoing mail with DKIM. There are several ways to implement DKIM signing; here we use OpenDKIM, running as a milter service, to sign the mail, and Postfix as the mail server.
Assumption:
- CentOS operating system (6 or 7).
- Postfix mail server.
A default Postfix installation is sufficient.
Implementation:
Start by enabling the EPEL repository on the server, which is where the opendkim package comes from. Some servers already have EPEL enabled.
For Centos 6:
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
For Centos 7:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install epel-release-latest-7.noarch.rpm (or)
rpm -ivh epel-release-latest-7.noarch.rpm
Install OpenDKIM using yum:
yum install opendkim
Back up /etc/opendkim.conf, then replace its entire contents with the directives below. The ones that matter most: Mode sv signs mail that arrives from a host listed in InternalHosts and verifies signatures on everything else, SigningTable and KeyTable decide which key signs which sender address, and Socket is the address Postfix will be pointed at later.
vi /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8892@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
Create a key pair for the domain. Replace domain.tld with your domain name. opendkim-genkey generates a 1024-bit RSA key unless told otherwise; pass -b 2048 to get a 2048-bit key, which is what receivers expect today and still fits in a TXT record (the sample record shown further down was produced from a 1024-bit key, so a 2048-bit one will be longer and split into more quoted strings).
mkdir /etc/opendkim/keys/domain.tld
opendkim-genkey -b 2048 -D /etc/opendkim/keys/domain.tld/ -d domain.tld -s default
chown -R opendkim: /etc/opendkim/keys/domain.tld
mv /etc/opendkim/keys/domain.tld/default.private /etc/opendkim/keys/domain.tld/default
The private key (default) must stay readable only by the opendkim user; the public half (default.txt) is what gets published in DNS.
Open the file /etc/opendkim/KeyTable and add the following line. The format is selector._domainkey.domain, then domain:selector:path-to-private-key.
vi /etc/opendkim/KeyTable
default._domainkey.domain.tld domain.tld:default:/etc/opendkim/keys/domain.tld/default
Open the file /etc/opendkim/SigningTable and add the line below. The pattern *@domain.tld matches every sender address at domain.tld and maps it to the key named in KeyTable.
vi /etc/opendkim/SigningTable
*@domain.tld default._domainkey.domain.tld
Add the trusted hosts to the file /etc/opendkim/TrustedHosts. This file doubles as InternalHosts, so only mail coming from a host listed here is signed; mail from any other host is only verified. Keep the 127.0.0.1 entry the package ships in this file so that mail injected locally is signed, and add the addresses of any other machines that relay through this server.
vi /etc/opendkim/TrustedHosts
domain.tld
Repeat the key, KeyTable, SigningTable and TrustedHosts steps for each additional domain that OpenDKIM should sign.
The final step is to publish the public key in DNS: add a TXT record named default._domainkey under domain.tld whose value is what opendkim-genkey wrote to default.txt.
cat /etc/opendkim/keys/domain.tld/default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzkmrP3nbiXJNXU4UKAJAQX9JPtKhe5+EgfWkkc4mUsFfftGyKMW3oNkM40qldg4XhazCbW1BruQKaXwH/qWSGdFBQMem9ytF+xZwLDraNKVtRto9bPBpf+VEU34t3Pwarm179/anahErnSIWENfAeP/nWrf5qIHBjwsTtF59XgwIDAQAB" )
The quoted strings form one record value; many DNS control panels want them pasted as a single string. Only the public key goes into DNS; the private key never leaves the server. DNS changes normally take up to 12 to 24 hours to propagate worldwide, depending on the zone's TTLs.
Once the record is live, verify it with either of the commands below and compare the p= value with the one in default.txt.
host -t txt default._domainkey.domain.tld
dig txt +short default._domainkey.domain.tld
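The per-domain steps above (the KeyTable, SigningTable and TrustedHosts lines, turning default.txt into the single TXT value a DNS provider wants, and checking that what DNS actually serves matches the key on disk) collected into a few shell helpers. This is an added example, not code from the original article or from the OpenDKIM project. It assumes the article's layout (/etc/opendkim/keys/<domain>/<selector>) and the BIND-style output format of opendkim-genkey; the key text in the embedded sample is constructed placeholder material, not a real key.

```bash
#!/bin/bash
# Added example (not part of the original article): helpers for the
# per-domain OpenDKIM steps. Assumes keys live under
# /etc/opendkim/keys/<domain>/<selector> and that <selector>.txt is the
# BIND-style record written by opendkim-genkey.
set -eu

# Print the three lines the article adds by hand for one domain: the
# KeyTable entry, the SigningTable entry and the TrustedHosts entry.
dkim_table_lines() {
    local domain="$1" selector="${2:-default}"
    local keyfile="/etc/opendkim/keys/${domain}/${selector}"
    printf '%s._domainkey.%s %s:%s:%s\n' "$selector" "$domain" "$domain" "$selector" "$keyfile"
    printf '*@%s %s._domainkey.%s\n' "$domain" "$selector" "$domain"
    printf '%s\n' "$domain"
}

# Turn <selector>.txt (a TXT record whose value is split into several quoted
# strings, more of them for a 2048-bit key) into the single string most DNS
# control panels expect, e.g.  v=DKIM1; k=rsa; p=MIGf...AQAB
dkim_txt_value() {
    local value
    value=$(tr -d '\n\t' < "$1" | sed \
        -e 's/^[^(]*(//' \
        -e 's/)[^)]*$//' \
        -e 's/"[[:space:]]*"//g' \
        -e 's/^[[:space:]]*"//' \
        -e 's/"[[:space:]]*$//')
    printf '%s\n' "$value"
}

# Read a DKIM TXT value on stdin (quoted or not, one string or several, as
# dig +short prints it) and print only the p= tag: the base64 public key with
# quotes and whitespace removed.
dkim_pubkey_of() {
    tr -d '" \t\n' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Compare the key in <selector>.txt ($1) with a resolver's answer ($2, e.g.
# "$(dig txt +short default._domainkey.domain.tld)"). Succeeds only when both
# carry the same non-empty p= value; an empty answer (record not yet
# published or propagated) or a different key fails.
dkim_dns_matches() {
    local want got
    want=$(dkim_txt_value "$1" | dkim_pubkey_of)
    got=$(printf '%s\n' "$2" | dkim_pubkey_of)
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        return 0
    fi
    return 1
}

# Constructed sample of what opendkim-genkey writes to default.txt. The p=
# material is placeholder text, not a usable key.
DKIM_SAMPLE_TXT='default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCONSTRUCTEDsamplePART1"
      "CONSTRUCTEDsamplePART2IDAQAB" )  ; ----- DKIM key default for example.com'

# Demonstration on the constructed sample (safe to run anywhere). On a real
# server you would instead run, after opendkim-genkey and the DNS change:
#   dkim_table_lines domain.tld default
#   dkim_txt_value /etc/opendkim/keys/domain.tld/default.txt
#   dkim_dns_matches /etc/opendkim/keys/domain.tld/default.txt \
#       "$(dig txt +short default._domainkey.domain.tld)" && echo "DNS matches local key"
_demo=$(mktemp)
printf '%s\n' "$DKIM_SAMPLE_TXT" > "$_demo"
dkim_table_lines example.com
dkim_txt_value "$_demo"
dkim_dns_matches "$_demo" "$(dkim_txt_value "$_demo")" && echo "sample record matches its own key"
rm -f "$_demo"
```

dkim_dns_matches deliberately treats an empty answer as a failure rather than "nothing to compare", because an unpublished selector is exactly the state in which mail starts going out with signatures that nobody can verify.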
Configure Postfix:
So far we have installed and configured OpenDKIM; now we connect it to Postfix as a milter.
Open /etc/postfix/main.cf and add the OpenDKIM milter settings:
vi /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8892
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
The address must match the Socket line in /etc/opendkim.conf. milter_default_action = accept means Postfix fails open: if OpenDKIM is down, mail still flows but goes out unsigned, so watch the log for milter connection errors; set it to tempfail if you would rather have mail deferred than sent unsigned. milter_protocol = 2 is the lowest common denominator; Postfix 2.6 and later default to protocol 6, which current OpenDKIM builds support, so the line is only needed on very old setups.
Start OpenDKIM, enable it at boot and restart Postfix (on CentOS 7 the service and chkconfig commands are forwarded to systemctl):
service opendkim start
chkconfig opendkim on
service postfix restart
Verification:
Now send a mail from an address at domain.tld, from any client or application that submits through this server, and check /var/log/maillog for the OpenDKIM signing entry:
Feb 20 12:12:58 server opendkim[5644]: 5FF7E161215: DKIM-Signature field added (s=default, d=domain.tld)
You can also send a message to check-auth@verifier.port25.com; the automated reply reports whether a DKIM signature was present and whether it verified against the published key.