no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.


opendkim [2018/10/30 07:18] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== opendkim ======
  
 +  * [[Mail Servers]]
 +  * [[postfix]]
 +
 +opendkim can sign outgoing email with your SMTP server to match DNS TXT DKIM records.
 +
 +The selector here, ''nx'' would match a TXT record of ''nx._domainkey.'' on ''beandog.org''. The value of the record would be the public key.
 +
 +A sample ''opendkim.conf'':
 +
 +<code>
 +Syslog                  yes
 +SyslogSuccess           yes
 +Canonicalization        relaxed/simple
 +Domain                  beandog.org
 +Selector                nx
 +KeyFile                 /etc/opendkim/beandog.org.private
 +Socket                  inet:8891@localhost
 +ReportAddress           [email protected]
 +SendReports             yes
 +PidFile /run/opendkim/opendkim.pid
 +UserID milter
 +Statistics /var/lib/opendkim/stats.dat
 +</code>
 +
 +Set the owner of the private key to ''milter'', and permissions to read-only for user (0600).
 +
 +Start the opendkim service, and configure Postfix to use it:
 +
 +<code>
 +smtpd_milters = inet:localhost:8891
 +non_smtpd_milters = inet:localhost:8891
 +</code>
 +
 +Outgoing email is then going to be signed. Setup the DNS records to use it for source verification.
 +
 +==== Multiple Domains ====
 +
 +OpenDKIM can sign for multiple domains at once. Instead of using ''Domain'', ''Selector'', and ''KeyFile'' for one domain, they are added to tables instead, one per domain.
 +
 +Create a KeyTable with this format:
 +
 +<code>
 +key-name                domain-name:domain-selector:/location/to/domain-keyfile
 +</code>
 +
 +The ''key-name'' is an identifier, and can be whatever you'd like, in this case, I'm using ''rsa-beandog''. Using the same configuration from above, here's what the entry would look like:
 +
 +<code>
 +rsa-beandog             beandog.org:nx:/etc/opendkim/beandog.org.private
 +</code>
 +
 +Save the contents to a file, and reference it in ''opendkim.conf'':
 +
 +<code>
 +KeyTable                /etc/opendkim/keytable
 +</code>
 +
 +**Note:** You can still have ''Domain'', ''Selector'' and ''KeyFile'' entries in ''opendkim.conf'' if you'd like, for whatever reason -- adding a ''KeyTable'' will simply override it.
 +
 +Next, create a signing table, that maps what domains to sign what key with. The contents are the email address or domain name (etc.) and what key you'd like to sign with.
 +
 +An example here would sign every email from beandog.org with the ''rsa-beandog'' entry from the keytable above:
 +
 +<code>
 +*@beandog.org           rsa-beandog
 +</code>
 +
 +Since the entry has regular expressions in it, we'll add ''refile'' (regular expression file) as a prefix to ''SingingTable'' and the file location of the signing contents. In ''opendkim.conf'':
 +
 +<code>
 +SigningTable             refile:/etc/opendkim/signingtable
 +</code>
 +
 +Restart opendkim, and send some emails. With logging enabled, in the temporary directory, you will see both the header added to the email, plus the contents of the message.
 +==== Logging ====
 +
 +If debugging, you can turn on lots of logging to see what is happening. Add to ''opendkim.conf'':
 +
 +<code>
 +KeepTemporaryFiles      yes
 +LogResults              yes
 +LogWhy                  yes
 +</code>
 +
 +If you want to specify a specific directory, use ''TemporaryDirectory''.

Trace:

Navigation
QR Code
QR Code opendkim (generated for current page)