How to Setup DomainKeys (DKIM) with Postfix on EFA 4

[jamerson]

DKIM (DomainKeys Identified Mail) is a method of signing electronic emails using public-private key. DKIM is used by receiving mail server for identifying email, that they are sent by authorized mail servers. It also minimizes the possibility of getting emails SPAM.

This tutorial will provide you a quick and easy way to set up DomainKeys with your POSTFIX running on EFA V 4.XX

How DKIM Works ?
When we configured DKIM on sending servers. First, we generated a public/private key pair for signing outgoing messages. The public key is configured as TXT record on a domains name server, and the private key is configured in the outbound email server. When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature of the message, which is inserted in the message as a header, and the email is sent as normal.

Step 1 – Install DKIM-milter

install opendkim

Code: Select all

yum install postfix opendkim

Step 2 – Generate Key Pair

Now create DKIM key pair using dkim-genkey command line utility provided by dkim-milter package. For this tutorial we are using domain name “example.com”, Change this name with your actual names.

Code: Select all

MYDOMAIN=example.com
mkdir -p /etc/opendkim/keys/$MYDOMAIN
cd /etc/opendkim/keys/$MYDOMAIN
opendkim-genkey -r -d $MYDOMAIN

Above command will generate two files default.private and default.txt. You can created multiple DKIM keys for different-2 domains and configure with your postfix server.

Now set the proper permissions on Keys directory.
note: this is very important otherwise your efa would error out " permission denied: to load the private key

Code: Select all

chown -R opendkim:opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys

Step 3 – Configure OpenDKIM

Edit the Opendkim configuration file and Add/Update following entries in file. i like nano

Code: Select all

nano /etc/opendkim.conf

Code: Select all

Mode     sv
Socket   inet:8891@localhost
Domain   example.com
#KeyFile        /etc/opendkim/keys/default.private  ### comment this line
KeyTable        /etc/opendkim/KeyTable
SigningTable   refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

Then edit the domain keys lists setting file /etc/opendkim/KeyTable and add following entry.

Code: Select all

nano /etc/opendkim/KeyTable

Code: Select all

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private

After that edit /etc/opendkim/SigningTable file and update following entry.

Code: Select all

nano /etc/opendkim/SigningTable

Code: Select all

*@example.com default._domainkey.example.com

And edit /etc/opendkim/TrustedHosts file and update following entry.
10.10.20.3 is the efa internal ip

Code: Select all

nano /etc/opendkim/TrustedHosts

Code: Select all

10.10.20.3
mail.example.com
example.com

Step 4 – Configure Postfix

Now edit POSTFIX configuration file /etc/postfix/main.cf and add following values at the end of file

Code: Select all

nano /etc/postfix/main.cf

Code: Select all

masquerade_domains = $mydomain
smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:127.0.0.1:33333
non_smtpd_milters = inet:localhost:8891, inet:localhost:8893
milter_default_action = accept
qmqpd_authorized_clients = 127.0.0.1 [::1]
message_size_limit = 133169152
mailbox_size_limit = 133169152
qmqpd_authorized_clients = 127.0.0.1 [::1]
enable_long_queue_ids = yes
error_notice_recipient = root
sender_canonical_maps = hash:/etc/postfix/sender_canonical
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

start opendkim and restart postfix

Code: Select all

systemctl start opendkim ; systemctl enable opendkim ; systemctl restart postfix

Step 5 – Configure DNS Entry

After configuring private key in postfix server. there will be another file

Code: Select all

cat /etc/opendkim/keys/example.com/default.txt/

generated by opendkim-genkey. Edit your DNS zone file and add this as TXT record found in default.txt. In my case this is like below.

Code: Select all

default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; s=email; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdTtEqM8FqndiFYOderzljMMMqBdEp+wJKP+VUbhc9GigmK34ZjrSqqdKjIEWr2q9DvSVp1H1bZs4t050m0HZxJqknDz2yoDJ6W4mCaSCHesRde5V44V/L65Gqm/rvBz1d6CCp8A2515eveWrIAocOD6pKJ4tnXHz3uwV2ZtgQiQIDAQAB" )  ; ----- DKIM key default for example.com

Code: Select all

Step 6 – Verify DKIM

To verify that DKIM is working properly. Let’s send a test email through command line

Code: Select all

mail -vs "Test DKIM" jamerson@gmail.com < /dev/null

In the received email in our mailbox, open the source of the email and search for "DKIM-Signature". You will find something like below

Code: Select all

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
	s=default.private; t=1402388963;
	bh=fdkeB/A0FkbVP2k4J4pNPoe23AvqBm9+b0C3OY87Cw8=;
	h=Date:From:Message-Id:To:Subject;
	b=M6g0eHe3LNqURha9d73bFWlPfOERXsXxrYtN2qrSQ6/0WXtOxwkEjfoNTHPzoEOlD
	 i6uLLwV+3/JTs7mFmrkvlA5ZR693sM5gkVgVJmuOsylXSwd3XNfEcGSqFRRIrLhHtbC
	 mAXMNxJtih9OuVNi96TrFNyUJeHMRvvbo34BzqWY=

or try mail tester which is quick.

if you have any questions let us know.

[tesme33]

Hi
i would like to know if anybody has used this information and sucessfully setup DKIM on EFA ?

Just wondering as nobody seem to have questions on this post.


Or is there a better walk through ?


Greeting

[Aryfir]

Hi,

How many email domain (mail server) go through EFA?

Based on my experience, if you have created and set DKIM, SPF and even DMARC on your Authoritative DNS server, then you don't need to set DKIM on EFA box.

Moreover, if you have various email domains that pass through the EFA, then the reputation of your email server will decrease due to differences in domain records with the source mail server.

But of course you can create DKIM more than one domain by using CNAME (its a bit complicated)

My point here is, make simple record on DNS Authoritative and quick resolving to the world

BR

[_M_P]

Hi folks,
(@tesme33) I'm implementing DKIM, but, following jamerson' tutorial:

• Step 1 should be:

  Code: Select all

  yum install postfix opendkim opendkim-tools

• Step 5 should be:

  Code: Select all

  cat /etc/opendkim/keys/example.com/default.txt

  AND the content of the TXT record, named

  Code: Select all

  default._domainkey.example.com

  IMHO should be

  Code: Select all

  v=DKIM1; k=rsa; s=email; 
  p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdTtEqM8FqndiFYOderzljMMMqBdEp+wJKP+VUbhc9GigmK34ZjrSqqdKjIEWr2q9DvSVp1H1bZs4t050m0HZxJqknDz2yoDJ6W4mCaSCHesRde5V44V/L65Gqm/rvBz1d6CCp8A2515eveWrIAocOD6pKJ4tnXHz3uwV2ZtgQiQIDAQAB; n=DKIM key default for example.com

Finally, to do some testing,
one can issue a

Code: Select all

opendkim-testkey -vvv -d example.com -s default -k /etc/opendkim/keys/example.com/default.private

Best regards...