These instructions reference the howto article
Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM
1 Requirements
no change, skip
2 Preliminary Notes
no change, skip
3 Download and install OpenDKIM
Code:
yum install openssl-devel opendkim
Nothing else needs to be done, as the opendkim package from the rpmforge repository takes care of everything else. This repository is already configured in EFA.
The opendkim dependencies pull in only the sendmail packages that are actually needed. Installing sendmail-devel would install sendmail itself as well. Don't do that.
4 Create a new user
5 Create working directories
6 Copy the startup script to /etc/init.d/
skip these, already done
7 Generate keys for signing
Remember to replace example.com with <YOURDOMAIN>; otherwise just follow the same instructions.
I named my key 'default' as they did in the example
Code:
mkdir /etc/opendkim/keys/<YOURDOMAIN>
opendkim-genkey -D /etc/opendkim/keys/<YOURDOMAIN>/ -d <YOURDOMAIN> -s default
chown -R opendkim:opendkim /etc/opendkim/keys/<YOURDOMAIN>
mv /etc/opendkim/keys/<YOURDOMAIN>/default.private /etc/opendkim/keys/<YOURDOMAIN>/default
8 Edit configuration files
These are the settings I used. Some of them needed to be added, some uncommented and some altered from the installed default configuration file. Pay attention to the ones that start with a value of "refile".
/etc/opendkim.conf
Code:
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
Canonicalization relaxed/simple
Selector default
KeyFile /etc/opendkim/keys/default.private
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
AutoRestart yes
AutoRestartRate 10/1h
/etc/opendkim/KeyTable
Code:
default._domainkey.<YOURDOMAIN> <YOURDOMAIN>:default:/etc/opendkim/keys/<YOURDOMAIN>/default
/etc/opendkim/SigningTable
Code:
*@<YOURDOMAIN> default._domainkey.<YOURDOMAIN>
/etc/opendkim/TrustedHosts
Code:
127.0.0.1
<ip address of EFA appliance>
<ip address of internal mail server that uses efa as a smarthost>
<another internal ip address of another mail server>
<yet another internal mail server, etc, etc>
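To see how the two tables above fit together, here is an added example (not part of the original post or of OpenDKIM) that mimics the lookup OpenDKIM performs for an outgoing message: SigningTable maps the From: address to a key name using "refile:" pattern matching, and KeyTable maps that name to domain, selector and key file. The table contents are constructed copies of the ones above with <YOURDOMAIN> filled in as example.com.

```python
import re

# Constructed copies of the SigningTable and KeyTable from this howto,
# with <YOURDOMAIN> replaced by example.com.
SIGNING_TABLE = """
# refile: dataset, '*' is the only wildcard
*@example.com    default._domainkey.example.com
"""
KEY_TABLE = """
default._domainkey.example.com  example.com:default:/etc/opendkim/keys/example.com/default
"""

def parse_table(text):
    """Return (key, value) pairs from a two-column OpenDKIM table,
    skipping blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        rows.append((key, value.strip()))
    return rows

def refile_match(pattern, subject):
    """refile: semantics: '*' matches any run of characters, everything
    else is literal; addresses are compared case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, subject, re.IGNORECASE) is not None

def signing_key_for(from_addr, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """Resolve a From: address to the key OpenDKIM would sign with.
    Returns None when no SigningTable pattern matches (mail is not signed);
    raises if SigningTable names a key that KeyTable does not define."""
    key_name = next((name for pat, name in parse_table(signing_table)
                     if refile_match(pat, from_addr)), None)
    if key_name is None:
        return None
    keys = dict(parse_table(key_table))
    if key_name not in keys:
        raise ValueError(f"SigningTable names {key_name!r} but KeyTable lacks it")
    domain, selector, key_file = keys[key_name].split(":", 2)
    return {"domain": domain, "selector": selector, "key_file": key_file,
            "dns_name": f"{selector}._domainkey.{domain}"}

if __name__ == "__main__":
    print(signing_key_for("alice@example.com"))   # signed with the default key
    print(signing_key_for("bob@other.example"))   # None: not signed
```

A mismatch between the SigningTable key name and the KeyTable entry is exactly the kind of typo that makes opendkim refuse to start or sign nothing, so the check is worth running against your real files.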
9 Edit your Postfix configuration
/etc/postfix/main.cf, append at the end
Code:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
10 Start OpenDKIM and restart Postfix
No need to "rehash".
No need to check for sendmail, as we shouldn't have installed it.
Start opendkim.
If your opendkim.conf is correct, and your referenced keys are in the right place and named correctly, opendkim will start without a problem. Otherwise, the error messages were pretty self-explanatory.
Restart mailscanner/postfix.
12 Adding DNS Records
Strangely enough, this is the part that gave me the most trouble as I wasn't putting in the text records correctly.
Code:
cat /etc/opendkim/keys/<YOURDOMAIN>/default.txt
assuming a value of
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4" ; ----- DKIM default for example.com
your DNS TXT record name is
default._domainkey
your DNS record type is TXT
your DNS record value is
v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4
Don't keep the trailing comment from the generated default.txt file; only the quoted value goes into the record. DNS responses over UDP are limited in size, and if the record is too big the response is truncated and the query has to be retried over a TCP connection to get it all (slower).
While you are there, you should consider creating an SPF record as well. (you've already done that, right?)
Set the TTL to a low value (10 minutes?) until you are sure you've gotten it correct and everything tests properly. Then you can increase the TTL to something more reasonable, like a day or a week.
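Since getting the TXT record right was the troublesome step, here is an added example (not from the original post or from OpenDKIM) that parses opendkim-genkey's default.txt output into the three things a DNS panel asks for: record name, record type and the joined record value, with the trailing comment dropped. It also validates the tags and splits the value into the 255-byte character-strings a single TXT record is limited to. The sample file is constructed; its p= value is placeholder bytes, not a real key, and it uses the multi-string layout newer opendkim-genkey versions emit as well as the single-string form shown above.

```python
import base64
import re

# Constructed stand-in for /etc/opendkim/keys/<YOURDOMAIN>/default.txt.
# The p= value is placeholder bytes sized like a 2048-bit RSA SPKI (294 bytes),
# not a real key; newer opendkim-genkey splits it over several quoted strings.
FAKE_P = base64.b64encode(bytes(range(256)) + bytes(38)).decode()  # 392 chars
DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; g=*; k=rsa; "\n'
    f'\t  "p={FAKE_P[:200]}"\n'
    f'\t  "{FAKE_P[200:]}" )  ; ----- DKIM key default for example.com\n'
)

def parse_genkey_txt(text):
    """Turn opendkim-genkey's BIND-style line into DNS-panel fields.
    Returns the owner name, the joined value (comment removed), the parsed
    tags, the decoded key length and the value cut into 255-byte strings."""
    name = text.split()[0]
    # All quoted strings belong to the value; the ';' comment carries no quotes.
    value = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for field in value.split(";"):
        if field.strip():
            key, _, val = field.strip().partition("=")
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("record must start with v=DKIM1")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unexpected key type " + tags["k"])
    # validate=True rejects stray characters, the usual copy-and-paste damage.
    key = base64.b64decode(tags["p"], validate=True)
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return {"name": name, "type": "TXT", "value": value, "tags": tags,
            "key_bytes": len(key), "chunks": chunks}

if __name__ == "__main__":
    rec = parse_genkey_txt(DEFAULT_TXT)
    print(rec["name"], rec["type"], len(rec["value"]), "bytes,",
          len(rec["chunks"]), "TXT strings")
```

Run it on your own default.txt (read the file into the argument instead of DEFAULT_TXT); if the panel accepts only one string, a value longer than 255 bytes has to be entered as the listed chunks.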
13 Testing your setup
As suggested, send one email addressed to both autorespond+dkim@dk.elandsys.com and check-auth@verifier.port25.com. Both will give you detailed information about the success/failure of your DKIM and SPF setup.
Lastly
You can also see from the SpamAssassin scoring whether your DKIM is correct. Outgoing mail will show the following if it is correct:
Code:
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.10 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.10 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
resulting in a slight -0.1 modification to your spam score.
If it's incorrect, you'll see a slight increase in the score for having an invalid DKIM setup.
Code:
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.10 T_DKIM_INVALID DKIM-Signature header exists but is not valid
All in all, it's pretty straightforward. More complex signing requirements will require more careful attention paid to the opendkim configuration, but aside from that, it has minimal impact on the EFA installation: just the 4-line addition to the postfix main.cf file.
PS: I've done this from memory from a day later. Hopefully I've not forgotten anything.