opendkim
opendkim can sign outgoing email on your SMTP server; receivers verify the signature against a DKIM record published as a DNS TXT record. The selector here, nx, would match a TXT record of nx._domainkey on beandog.org (that is, nx._domainkey.beandog.org). The value of the record is the public key.
A sample opendkim.conf:
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
Domain beandog.org
Selector nx
KeyFile /etc/opendkim/beandog.org.private
Socket inet:8891@localhost
ReportAddress [email protected]
SendReports yes
PidFile /run/opendkim/opendkim.pid
UserID milter
Statistics /var/lib/opendkim/stats.dat
Set the owner of the private key to milter, and permissions to read-only for that user (0600).
Start the opendkim service, and configure Postfix to use it:
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Outgoing email will then be signed. Set up the DNS TXT record so receivers can verify the signature against it.
Multiple Domains
OpenDKIM can sign for multiple domains at once. Instead of using Domain, Selector, and KeyFile for one domain, they are added to tables instead, one entry per domain.
Create a KeyTable with this format:
key-name domain-name:domain-selector:/location/to/keyfile
The key-name is an identifier, and can be whatever you'd like; in this case, I'm using rsa-beandog. Using the same configuration from above, here's what the entry would look like:
rsa-beandog beandog.org:nx:/etc/opendkim/beandog.org.private
Save the contents to a file, and reference it in opendkim.conf:
KeyTable /etc/opendkim/keytable
Note: You can still have Domain, Selector and KeyFile entries in opendkim.conf if you'd like, for whatever reason – adding a KeyTable will simply override them.
Next, create a signing table that maps which senders are signed with which key. Each entry is an email address, domain name, or similar pattern, followed by the key-name from the KeyTable you'd like to sign with.
An example here would sign every email from beandog.org with the rsa-beandog entry from the keytable above:
*@beandog.org rsa-beandog
Since the entry contains a regular expression, we'll add refile (regular expression file) as a prefix to SigningTable, followed by the location of the signing table file. In opendkim.conf:
SigningTable refile:/etc/opendkim/signingtable
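As an added check, not part of the original page, the following Python script parses a KeyTable and a SigningTable in the formats above, reports the DNS name each public key must be published at, and shows which key a given sender address would be signed with (or that it would go out unsigned). The sample table contents are constructed to mirror the beandog.org setup; treating refile patterns as literal text with * matching any run of characters is an assumption of the script.

```python
import re

# Constructed sample tables mirroring the single-domain setup above (not read from disk).
KEYTABLE = "rsa-beandog beandog.org:nx:/etc/opendkim/beandog.org.private\n"
SIGNINGTABLE = "*@beandog.org rsa-beandog\n"


def _entries(text):
    """Yield (left, right) pairs, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            left, right = line.split(None, 1)
            yield left, right.strip()


def parse_keytable(text):
    """key-name -> domain, selector, key file and the DNS name the TXT record must live at."""
    keys = {}
    for name, spec in _entries(text):
        domain, selector, keyfile = spec.split(":", 2)
        keys[name] = {"domain": domain, "selector": selector, "keyfile": keyfile,
                      "dns_name": f"{selector}._domainkey.{domain}"}
    return keys


def parse_signingtable(text):
    """Ordered list of (pattern, compiled regex, key-name). Assumed refile semantics:
    '*' matches any run of characters, everything else is literal, case-insensitive."""
    rules = []
    for pattern, keyname in _entries(text):
        regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
        rules.append((pattern, re.compile(regex, re.IGNORECASE), keyname))
    return rules


def dangling_rules(keys, rules):
    """Patterns whose key-name has no KeyTable entry: mail matching them is not signed."""
    return [pattern for pattern, _, keyname in rules if keyname not in keys]


def signing_key_for(sender, keys, rules):
    """Return the KeyTable entry that signs mail from `sender`, or None if it goes out unsigned."""
    for _, rx, keyname in rules:
        if rx.match(sender):
            return keys.get(keyname)
    return None


if __name__ == "__main__":
    keys, rules = parse_keytable(KEYTABLE), parse_signingtable(SIGNINGTABLE)
    for entry in keys.values():
        print(f"publish public key at TXT {entry['dns_name']} (private key {entry['keyfile']})")
    for who in ("steve@beandog.org", "steve@example.com"):
        hit = signing_key_for(who, keys, rules)
        print(who, "->", hit["keyfile"] if hit else "NOT SIGNED")
    print("dangling rules:", dangling_rules(keys, rules))
```

A sender that matches no SigningTable entry is passed through unsigned, so checking every outbound domain against the tables before restarting is worthwhile.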
Restart opendkim, and send some emails. With logging enabled (see below), the temporary directory will contain both the DKIM-Signature header added to the email and the contents of the message.
Logging
If debugging, you can turn on lots of logging to see what is happening. Add to opendkim.conf:
KeepTemporaryFiles yes
LogResults yes
LogWhy yes
If you want to specify a specific directory, use TemporaryDirectory.