diff --git a/dkim_spf b/dkim_spf new file mode 100644 index 00000000..9caff281 --- /dev/null +++ b/dkim_spf 
@@ -0,0 +1,119 @@ + + +Hi, + +Please note that : + + This is the revision 2 of this Work In Progress How-To + Until this is natively integrated in YnH core apps, it will mean to that postfix conf will be blocked (or each time there is a change some configuration lines will need to be added to the end of /etc/postfix/main.cf) + To be fully functionnal DKIM requires a modification of the DNS, which propagantion can take up to 24h + CREDIT : This tutorial has been initially based on the DKMI section of : http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/ from Drew Crawford + CREDIT : This tutorial has been reviewed based on https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy from Popute Sebastian Armin + Replace DOMAIN.TLD by your own domain name + +Changes in rev 2 : + + Much easier to manage more than one DOMAIN.TLD (future proof) + Updated configuration as it seemed that the previous one was based on old software + +So, here is the thing : + + We start by installing the right software : + +sudo aptitude install opendkim opendkim-tools + + Then we configure opendkim + +sudo nano /etc/opendkim.conf +(Text to be placed in the text file: ) + +AutoRestart Yes +AutoRestartRate 10/1h +UMask 022 +Syslog yes +SyslogSuccess Yes +LogWhy Yes + +Canonicalization relaxed/simple + +ExternalIgnoreList refile:/etc/opendkim/TrustedHosts +InternalHosts refile:/etc/opendkim/TrustedHosts +KeyTable refile:/etc/opendkim/KeyTable +SigningTable refile:/etc/opendkim/SigningTable + +Mode sv +PidFile /var/run/opendkim/opendkim.pid +SignatureAlgorithm rsa-sha256 + +UserID opendkim:opendkim + +Socket inet:8891@127.0.0.1 + +Selector mail + + Connect the milter to Postfix: + +sudo nano /etc/default/opendkim + +(Text to be placed in the text file: ) +SOCKET="inet:8891@localhost" + + Configure postfix to use this milter: + +sudo nano /etc/postfix/main.cf + +(Text to be placed AT THE END in the text file: ) +milter_protocol = 
2 +milter_default_action = accept +smtpd_milters = inet:127.0.0.1:8891 +non_smtpd_milters = inet:127.0.0.1:8891 + + Create a directory structure that will hold the trusted hosts, key tables, signing tables and crypto keys: + +sudo mkdir -pv /etc/opendkim/keys/DOMAIN.TLD + + Specify trusted hosts: + +sudo nano /etc/opendkim/TrustedHosts + +(Text to be placed in the text file: ) +127.0.0.1 +localhost +192.168.0.1/24 +*.DOMAIN.TLD + + Create a key table: + +sudo nano /etc/opendkim/KeyTable + +(Text to be placed in the text file: Be very careful, it needs to be on a SINGLE LINE for each domain ) +mail._domainkey.DOMAIN.TLD DOMAIN.TLD:mail:/etc/opendkim/keys/DOMAIN.TLD/mail.private + + Create a signing table: + +sudo nano /etc/opendkim/SigningTable + +(Text to be placed in the text file: ) +*@DOMAIN.TLD mail._domainkey.DOMAIN.TLD + + Now we generate the keys ! smile + +sudo cd /etc/opendkim/keys/DOMAIN.TLD +sudo opendkim-genkey -s mail -d DOMAIN.TLD + + Output the DKIM DNS line to the terminal. Then, we install it on our DNS server. My ZONE file looks like this. (Be very careful with the formatting, the "p=...." needs to be in a single line. + +cat mail.txt + +mail._domainkey IN TXT "v=DKIM1; k=rsa; p=AAAKKUHGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFrBM54eXlZPXLJ7EFphiA8qGAcgu4lWuzhzxDDcIHcnA/fdklG2gol1B4r27p87rExxz9hZehJclaiqlaD8otWt8r/UdrAUYNLKNBFGHJ875467jstoAQAB" ; ----- DKIM key mail for DOMAIN.TLD + + And we don't forget to put the right rights otherwise opendkim will get grumpy... + +chown -Rv opendkim:opendkim /etc/opendkim* + + And finally, we restart everything : + sudo service opendkim restart + sudo service postfix restart + + To test if it is all working well (don't forget that the DNS propagation can take a bit of take....) you can simply send an email to check-auth@verifier.port25.com and a reply will be received. If everything works correctly you should see DKIM check: pass under Summary of Results. +
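Review bot: the key-generation step `sudo cd /etc/opendkim/keys/DOMAIN.TLD` does not change the working directory (cd is a shell builtin, so sudo runs it in a child process that exits immediately), and the following `sudo opendkim-genkey -s mail -d DOMAIN.TLD` therefore writes mail.private and mail.txt into whatever directory the reader is currently in, so the path recorded in KeyTable (`/etc/opendkim/keys/DOMAIN.TLD/mail.private`) will not exist and opendkim will fail to sign; run `cd /etc/opendkim/keys/DOMAIN.TLD` without sudo and then the sudo opendkim-genkey command. Two further points on the same hunk: the TrustedHosts file feeds both InternalHosts and ExternalIgnoreList, so the `192.168.0.1/24` entry means every host on that LAN gets its mail signed with the domain key without any authentication; the how-to should say to drop or narrow that line unless LAN relaying is really wanted, and `192.168.0.0/24` is the network the author presumably means. Finally, `chown -Rv opendkim:opendkim /etc/opendkim*` is the one command here without sudo, and the private key should also be made unreadable to other local users (for example `chmod 600 /etc/opendkim/keys/DOMAIN.TLD/mail.private`); the file is named dkim_spf but nothing in it covers SPF, so either add the SPF DNS step or rename the file.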