[CentOS] Setting Up DKIM

LawrenceLawrence Member


Introduction


DKIM (DomainKeys Identified Mail) should be instead considered a method to verify that the messages' content are trustworthy, meaning that they weren't changed from the moment the message left the initial mail server. This additional layer of trustability is achieved by an implementation of the standard public/private key signing process. Once again the owners of the domain add a DNS entry with the public DKIM key which will be used by receivers to verify that the message DKIM signature is correct, while on the sender side the server will sign the entitled mail messages with the corresponding private key.
  • when sending an outgoing message, the last server within the domain infrastructure checks against its internal settings if the domain used in the "From:" header is included in its "signing table". If not the process stops here
  • a new header, called "DKIM-Signature", is added to the mail message by using the private part of the key on the message content
  • from here on the message *main* content cannot be modified otherwise the DKIM header won't match anymore
  • upon reception the receiving server will make a TXT DNS query to retrieve the key used in the DKIM-Signature field
  • the DKIM header check result can be then used when deciding if a message is fraudulent or trustworthy

Update System

First things first. Like always, first of all, we recommend to update your server. Also make sure you’re in a screen session:
screen -U -S opendkim-screen
yum update -y

Enabling EPEL Repository

OpenDKIM is available in the EPEL repository, so we need to enable it on the system before we can install OpenDKI:
wget -P /tmp http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh /tmp/epel-release-6-8.noarch.rpm
rm -f /tmp/epel-release-6-8.noarch.rpm


Installing OpenDKIM

Install the package using yum:

yum install opendkim -y


Configuring OpenDKIM

Next thing to do is to configure OpenDKIM. Its main configuration file is located in /etc/opendkim.conf, so before making any changes create a backup:

cp /etc/opendkim.conf{,.orig}
nano /etc/opendkim.conf

and add/edit the following:

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:[email protected]
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

Setting Up Public/Private Keys

Generate set of keys for your "your_domain.com" domain name:
mkdir /etc/opendkim/keys/your_domain.com
opendkim-genkey -D /etc/opendkim/keys/your_domain.com/ -d your_domain.com -s default
chown -R opendkim: /etc/opendkim/keys/your_domain.com
mv /etc/opendkim/keys/your_domain.com/default.private /etc/opendkim/keys/your_domain.com/default
add your_domain.com to OpenDKIM’s key table:
nano /etc/opendkim/KeyTable
by adding the following record:
default._domainkey.your_domain.com your_domain.com:default:/etc/opendkim/keys/your_domain.com/default
next, edit /etc/opendkim/SigningTable:
nano /etc/opendkim/SigningTable
and add the following record to OpenDKIM’s signing table:
*@your_domain.com default._domainkey.your_domain.com
and in /etc/opendkim/TrustedHosts:
nano /etc/opendkim/TrustedHosts
add your domain and your hostname as trusted hosts:
127.0.0.1
your_domain.com
your_servers_hostname.com

Adding the Public Key to The Domain's DNS Records


Next up is the DNS record setup. How you do this is again completely dependent on how you manage DNS or how it is managed for you - everyone's tools are different. Note that some registrars do not let you create raw TXT records with specific subdomains, which will prevent you from creating DKIM TXT records. If this is the case, then you will have to transfer your domain to a real registrar that lets you play with all the toys. Or you can simple use our DNS management system!

You can find information about your public key in /etc/opendkim/keys/your_domain.com/default.txt file:

cat /etc/opendkim/keys/your_domain.com/default.txt
Here is how it looks on our DNS management system:



If Using Postfix

In order to integrate OpenDKIM with Postfix we need to add the following few lines:
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2
in /etc/postfix/main.cf:
nano /etc/postfix/main.cf
Add OpenDKIM to your system’s start-up and start opendkim and restart Postfix using the following commands:
service opendkim start
chkconfig opendkim on
service postfix restart

If Using EXIM

Set-up Exim to use OpenDKIM for signing the emails by editing /etc/exim/exim.conf:
nano /etc/exim/exim.conf
and adding the following to the remote_smtp transport:
remote_smtp:
        driver = smtp
        dkim_domain = $sender_address_domain
        dkim_selector = default
        dkim_private_key = ${if exists{/etc/opendkim/keys/$sender_address_domain/default}{/etc/opendkim/keys/$sender_address_domain/default}{0}}
        dkim_canon = relaxed
        dkim_strict = 0
restart Exim and Opendkim for the changes to take effect using:
service opendkim start
chkconfig opendkim on
service exim restart

Testing

First of all give the DNS changes a chance to propagate before using it. A decent testing service is Mail Tester.
Tagged:

Comments

  • Hello,
    While tried to install opendkim face following error:

    Error: Package: opendkim-2.11.0-0.1.el6.x86_64 (epel)
               Requires: libmilter.so.1.0()(64bit)
     You could try using --skip-broken to work around the problem
    ** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
    sendmail-cf-8.14.4-9.el6_8.1.noarch has missing requires of sendmail = ('0', '8.14.4', '9.el6_8.1')
  • RomanRoman Administrator
    Hello,

    Try this command to install OpenDKIM:

    yum install opendkim opendkim-tools --enablerepo=clearos-centos
Sign In or Register to comment.