2015-02-12 13:41:29 +01:00
# DKIM
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Please note that :
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
This is the revision 2 of this Work In Progress How-To.
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Until this is natively integrated in YunoHost core apps, it will mean to that Postfix configuration will be blocked (or each time there is a change some configuration lines will need to be added to the end of /etc/postfix/main.cf).
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
To be fully functionnal DKIM requires a modification of the DNS, which propagantion can take up to 24h.
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Source: This tutorial has been initially based on the DKMI section of: http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/ from Drew Crawford.
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Source: This tutorial has been reviewed based on https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy from Popute Sebastian Armin
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Replace DOMAIN.TLD by your own domain name.
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Changes in rev 2:
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Much easier to manage more than one DOMAIN.TLD (future proof).
Updated configuration as it seemed that the previous one was based on old software.
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
So, here is the thing:
### With a script
Fully automatic script: (single domain)
```bash
git clone https://github.com/polytan02/yunohost_auto_config_basic
sudo ./yunohost_auto_config_basic/5_opendkim.sh
```
### Manually
We start by installing the right software:
```bash
sudo aptitude install opendkim opendkim-tools
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Then we configure opendkim
```bash
2015-01-28 13:51:54 +01:00
sudo nano /etc/opendkim.conf
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Text to be placed in the text file:
```bash
2015-01-28 13:51:54 +01:00
AutoRestart Yes
AutoRestartRate 10/1h
UMask 022
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:8891@127.0.0.1
Selector mail
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Connect the milter to Postfix:
```bash
2015-01-28 13:51:54 +01:00
sudo nano /etc/default/opendkim
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Text to be placed in the text file:
```bash
2015-01-28 13:51:54 +01:00
SOCKET="inet:8891@localhost"
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Configure Postfix to use this milter:
```bash
2015-01-28 13:51:54 +01:00
sudo nano /etc/postfix/main.cf
2015-02-12 13:41:29 +01:00
```
Text to be placed **at the end** in the text file:
```bash
# OpenDKIM milter
2015-01-28 13:51:54 +01:00
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Create a directory structure that will hold the trusted hosts, key tables, signing tables and crypto keys:
```bash
2015-01-28 13:51:54 +01:00
sudo mkdir -pv /etc/opendkim/keys/DOMAIN.TLD
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Specify trusted hosts:
```bash
2015-01-28 13:51:54 +01:00
sudo nano /etc/opendkim/TrustedHosts
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Text to be placed in the text file:
```bash
2015-01-28 13:51:54 +01:00
127.0.0.1
localhost
192.168.0.1/24
*.DOMAIN.TLD
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Create a key table:
```bash
2015-01-28 13:51:54 +01:00
sudo nano /etc/opendkim/KeyTable
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Text to be placed in the text file: be very careful, it needs to be on a **single line** for each domain.
```bash
2015-01-28 13:51:54 +01:00
mail._domainkey.DOMAIN.TLD DOMAIN.TLD:mail:/etc/opendkim/keys/DOMAIN.TLD/mail.private
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Create a signing table:
```bash
2015-01-28 13:51:54 +01:00
sudo nano /etc/opendkim/SigningTable
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Text to be placed in the text file:
```bash
2015-01-28 13:51:54 +01:00
*@DOMAIN.TLD mail._domainkey.DOMAIN.TLD
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Now we generate the keys! smile
```bash
2015-01-28 13:51:54 +01:00
sudo cd /etc/opendkim/keys/DOMAIN.TLD
sudo opendkim-genkey -s mail -d DOMAIN.TLD
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Output the DKIM DNS line to the terminal. Then, we install it on our DNS server. My ZONE file looks like this. (Be very careful with the formatting, the "p=...." needs to be in a single line.)
```bash
2015-01-28 13:51:54 +01:00
cat mail.txt
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=AAAKKUHGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFrBM54eXlZPXLJ7EFphiA8qGAcgu4lWuzhzxDDcIHcnA/fdklG2gol1B4r27p87rExxz9hZehJclaiqlaD8otWt8r/UdrAUYNLKNBFGHJ875467jstoAQAB" ; ----- DKIM key mail for DOMAIN.TLD
2015-02-12 13:41:29 +01:00
```
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
And we don't forget to put the right rights otherwise opendkim will get grumpy...
```bash
2015-01-28 13:51:54 +01:00
chown -Rv opendkim:opendkim /etc/opendkim*
2015-02-12 13:41:29 +01:00
```
And finally, we restart everything:
```bash
sudo service opendkim restart
sudo service postfix restart
```
To test if it is all working well (don't forget that the DNS propagation can take a bit of take…) you can simply send an email to check-auth@verifier.port25.com and a reply will be received. If everything works correctly you should see DKIM check: pass under Summary of Results.
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
You can also go to http://www.mail-tester.com
2015-01-28 13:51:54 +01:00
2015-02-12 13:41:29 +01:00
Lastly, don't forget to add a SPF key in your DNS such as:
```bash
DOMAIN.TLD 300 TXT "v=spf1 a:DOMAIN.TLD mx ?all"
```
2015-01-28 13:51:54 +01:00