How to Configure DKIM | Multiple Domains

[jamerson]

Dear all,
hierby i will explain how to get your EFA configured to check the DKIM signature of out /incoming emails.
lets assune your domain is efa.org
make a folder on the opendkim

Code: Select all

mkdir -p /etc/opendkim/keys/efa.org/

browse to

Code: Select all

cd /etc/opendkim/keys/efa.org/

run the below to generate the private and txt key

Code: Select all

opendkim-genkey -s efa

open the below with nano or vi

Code: Select all

 /etc/opendkim.conf

first line to check:
Mode sv
if it is just v change to sv

than look for word Socket inet= if it does exisit than its looks good
now move to

Code: Select all

SendReports     yes   

ReportAddress "efa.org Postmaster <postmaster@efa.org>"
SoftwareHeader  yes
 Canonicalization        relaxed/simple

find the

Code: Select all

KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
xternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

save the file now

next, edit /etc/opendkim/KeyTable

so open the the file /etc/opendkim/KeyTable with nano or vi

Code: Select all

 add this line to the end:
 efa._domainkey.efa.org efa.org:efa:/etc/opendkim/keys/efa.org/efa.private

save file

now edit /etc/opendkim/SigningTable

again open the file /etc/opendkim/SigningTable with nano or vi

add this at the end of the file

Code: Select all

*@efa.org efa._domainkey.efa.org

Save the file we are almost done

edit /etc/opendkim/TrustedHosts
so open the file /etc/opendkim/TrustedHosts with vi or nano
and add this to the end

Code: Select all

mail.efa.org
192.168.4.5/32

mail.efa.org is your mx record
192.168.4.5/32 is your exchange ip


edit /etc/postfix/main.cf

again open the file edit /etc/postfix/main.cf with nano or vi
go to very end of the file

Code: Select all

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

save the file

now start opendkim

Code: Select all

service opendkim start

reload post fix

Code: Select all

service postfix reload

in your public DNS important add this DMRAC
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org

the tutorial is finshied,
if you have any questions let me know.

[bvess]

At the end of your tutorial you stated to add the below to your DNS. Is this just a text record like for spf? What would the hostname be? The efa hostname or the sending domain?

in your public DNS important add this DMRAC
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org

[jamerson]

At the end of your tutorial you stated to add the below to your DNS. Is this just a text record like for spf? What would the hostname be? The efa hostname or the sending domain?

in your public DNS important add this DMRAC
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org

its just your postmaster domain you will get the daily reports.

[ZimboKraut]

While this thread is already quite old, and in general, the information is very good.
I am just missing a few details:
Maybe it's just me being a little difficult.

IT is specifically stated, that it is for multiple domains.
Could someone (just to put my mind at ease )
possibly highlight where the entries for multiple domains need to be made?
I do believe I know and understand, but just would like to be certain.
for instance in the /etc/opendkim.conf

Code: Select all

SendReports     yes   
ReportAddress "domain1.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain2.net Postmaster <postmaster@domain2.net>"
ReportAddress "domain3.net Postmaster <postmaster@domain3.net>"
SoftwareHeader  yes
 Canonicalization        relaxed/simple

Then for the file:
KeyTable /etc/opendkim/KeyTable

Code: Select all

 domain1._domainkey.domain1.net domain1.net:domain1:/etc/opendkim/keys/domain1.net/domain1.private
 domain1._domainkey.domain2.net domain2.net:domain2:/etc/opendkim/keys/domain2.net/domain2.private
 domain1._domainkey.domain3.net domain3.net:domain3:/etc/opendkim/keys/domain3.net/domain3.private
 

/etc/opendkim/SigningTable

Code: Select all

*@domain1.net domain1._domainkey.domain1.net
*@domain2.net domain2._domainkey.domain2.net
*@domain3.net domain3._domainkey.domain3.net

/etc/opendkim/TrustedHosts

Code: Select all

mx01.mydomain.net # 1st mail exchanger (MX-Record)
mx02.mydomain.net # 2nd mail exchanger (MX-Record)
192.168.4.5/32 (Mailhost/Exchange Server)

can someone confirm/correct this?

Thank you

[pdwalker]

for "ReportAddress" in /etc/opendkim.conf, only use 1 email address.

your /etc/opendkim/KeyTable is correct.

your /etc/opendkim/SigningTable is correct.

your /etc/opendkim/TrustedHosts looks correct.

My own multidomain configuration matches yours and it works for me.

Did you test your dkim from the 3 domains individually?

Hope that helps.

[ZimboKraut]

Thank you very much for confirming.
I will test it out now.
The challenge is, that I have more than 60 active domains running.
Any one have experience with running DKIM on two mail exchangers?

Should I create a separate DKIM record for each MTA (EFA instance ) or can the same keypair be used (yes, I am aware that it wouldn't be good practice )

Thank you

[pdwalker]

My first reaction would be to say "create a separate dkim record for each signing mta".

Each dns txt record would need to be unique to each mta.
e.g.
efa1: KeyTable
mta1._domainkey.example.com...

efa2: KeyTable
nta2._domainkey.example.com...

However if both machines are serving mail for all the same 60 domains, I guess it won't hurt to use the same keypairs. It does simplify configuration and management somewhat.

[ZimboKraut]

Thats great!
I agree with you, that it would be good practise to have two keys, at the same time, it is also double the work having to add the keys for each and every domain.
My main thought was, if it would cause problems have the same pub-key for two hostnames.

It does make life significanlty easier, as I could otherwise just update the second MTA by syncing the keys.
As the transport between the two MTAs is completely encrypted and within an isolated infrastructure, the risk does exist, but is exceptable.

I would for instance not even think about it, if the keys had to be transported over a non-secured connection.

Thank you for the help.
I hope that the questions (and of course answers ) will also help others.
eFa just rocks. And I have yet to come across an decent mail relay, that on one hand has reasonable security settings, while still maintaining an easy setup.
As a consultant I have recomended it to many companies.
The biggest challenge is, that specially large corporates have very complicated and convoluted process.
But, on a positive note, I know that one of the two largest banks in Germany, is currently testing it, and from what I have been told, they find it very promising .
If all goes well and they do implement it, I will aks if we can mentione their name as users.
I belive this would be great advertising.
Paraticularly because they have centralised relays for all their email globally.

[pdwalker]

a compromised dkim key are not the end of the world because it is only 1 part of the entire verification/authentication process. There is still the SPF record, the dmarc settings for verifying whether the message is legitimate or not.

Just the same, change the keys occassionally. Office365 creates two keys during setup of a custom domain so you can switch anytime. There is no reason why you cannot create several keys and several DNS records. The extra keys can be kept in secure storage and distributed when you need them.

Also, using rsync/scp to sync the keys over a private network should be secure enough.

[pdwalker]

If all goes well and they do implement it, I will aks if we can mentione their name as users.
I belive this would be great advertising.
Paraticularly because they have centralised relays for all their email globally.

Banks are touchy about exposing information. Don't worry about it too much.

On the other hand, if they use EFA and they like how it works, they could aid in the development/support by sending some money to Shawn Iverson, or even setting up a service contract.

That's a private discussion you should have with Shawn if it ever comes to pass.

[ZimboKraut]

I had several contracts with them, and while I agree with you that financial institutions can be a little tightlipped, they tend to be quite open (excuse the pun ) towards opensource.
Lots of Linux, KVW/Qemu and also Postfix.

The idea of trying to get some funds for Shawn sounds a like a great idea. I will get in touch with Shawn once things get to a stage where it is possible to see where they are going.

If eFa is viable for them instead of a (for instance) a CISCO ESA, this might truly be a great promotion for eFa.

Anyhow. We will see

All the best everyone.

Marco

[ZimboKraut]

While a lot of this has been written already, I would like to present this as a little How-To for DKIM in a multidomain environment:

There are a few bits that need to be looked out for:
for one ownership:

Make sure that all files and folders under /etc/opendkim/ have the ownership:

opendkim:opendkim

if you have (like myself) many (email) domains being used, here is a way to reasonably quickly create the keys:
First of all, create a textfile with all the domains (mine is /etc/opendkim/domains.txt):

once you have all the domains in the file, then run the following:

Code: Select all

# while IFS= read -r name; do mkdir -- "/etc/opendkim/keys/$name"; done </etc/opendkim/domains.txt

this will create a subdirectory for each domain

next create the keys:

Code: Select all

# while IFS= read -r name; do opendkim-genkey -D /etc/opendkim/keys/$name -s $name ; done </etc/opendkim/domains.txt

this will create all the keys in their respective folder:
to list the keys that have been created you can run the following:

Code: Select all

# while IFS= read -r name; do cat /etc/opendkim/keys/$name/$name.txt ; done </etc/opendkim/domains.txt

Now that you have all the keys created, you need to do the configuration:

specifically for the creation of a large number of domains, here are a few basic scripts to make life a little easier:

This is the content for the /etc/opendkim.conf file

Code: Select all

SendReports     yes   
ReportAddress "domain1.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain2.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain3.net Postmaster <postmaster@domain1.net>"
SoftwareHeader  yes
Canonicalization        relaxed/simple

Here is a little script to make it easier to fill the file and put it in the right format:

Code: Select all

#!/usr/bin/bash
filename="$1"
while read line; do
    name="$line"
    echo "ReportAddress \"$name Postmaster <postmaster@yourmaindomain.com>\""
done < "$filename"

usage:

Code: Select all

# DkimConf-create.sh /path/to/domainlist >> /etc/opendkim.conf

Then for the KeyTable
/etc/opendkim/KeyTable

Code: Select all

domain1._domainkey.domain1.net domain1.net:domain1:/etc/opendkim/keys/domain1.net/domain1.private
domain2._domainkey.domain2.net domain2.net:domain2:/etc/opendkim/keys/domain2.net/domain2.private
domain3._domainkey.domain3.net domain3.net:domain3:/etc/opendkim/keys/domain3.net/domain3.private

here is the "filling" script for large volumes of domains:

Code: Select all

#!/usr/bin/bash
filename="$1"
while read -r line; do
    name="$line"
    echo "$name._domainkey.$name $name:$name:/etc/opendkim/keys/$name/$name.private"
done < "$filename"

the usage is:

Code: Select all

# KeyTable-create.sh /path/to/domainlist >> /etc/opendkim/KeyTable

/etc/opendkim/SigningTable

in the following box, this is how it is described in several places, which I found not to be working and giving lots of errors in the logs:

*@domain1.net domain1._domainkey.domain1.net
*@domain2.net domain2._domainkey.domain2.net
*@domain3.net domain3._domainkey.domain3.net


After several trials and errors, the correct (and working) way in eFa should be ("*@" needs to be removed):

Code: Select all

domain1.net domain1._domainkey.domain1.net
domain2.net domain2._domainkey.domain2.net
domain3.net domain3._domainkey.domain3.net

Here is the script to fill the SigningTable file:

Code: Select all

#!/usr/bin/bash
filename="$1"
while read -r line; do
    name="$line"
    echo "$name $name._domainkey.$name"
done < "$filename"

to be used as follows:

Code: Select all

# SigningTable-create.sh /path/to/domainlist >> /etc/opendkim/SigningTable

/etc/opendkim/TrustedHosts

Code: Select all

mx01.mydomain.net # 1st mail exchanger (MX-Record)
mx02.mydomain.net # 2nd mail exchanger (MX-Record)
192.168.4.5/32 (Mailhost/Exchange Server)

Finally:
you need to have the DNS for all the domains:
As most registrars use webinterfaces here are a few tips:

Code: Select all

Record type: TXT
Hostname: selector._domainkey
Value: "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEl2nednX5/1zjk5R0Hotnb1PLFbfAAGAg0Jv5QSun+fXqvmk4vE/c36ocGA0qjpqZGafpp89Hd0yHjWh1URsv8BwiUv4vDBP0e2MyduOTVshJaKs9HltZjPg21QfHe88L1ObjHZx0WYxqaTO/TT00W0zC1V6Nzkg/nllFZjgySwIDAQAB"

For ease of creating the records, for each domain, I also used the domainname.tld as the selector.

so when you check your DKIM record, you need to enter your domain.tld as selector.
you can check your DKIM record for instance at:
https://mxtoolbox.com/SuperTool.aspx?action=dkim

And finally:
Once you have successfully created the DKIM record, you should also create a DMARC record as this goes hand in hand.

The DMARC record too is a TXT record:

Code: Select all

Record type: TXT
Hostname: _dmarc
Value: v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@yourmaindomain.tld

Note: These records are just sample configurations. You can take them as is (besides the public key of course ) and it is advisable to look further into it. This is just supposed to help you get going

I tried to make this as comprehensive as possible, so that als those with less experience get to master the task in a reasonable time.
Please also ensure that you enable DKIM and DMARC in eFa-configure.

Any suggestions for improvements, error corrections, etc. are always welcome.

[pdwalker]

I think it's time for me to add another domain into the dkim pool. I'll let you know if your notes are better than my half arsed, hodgepodge collection of notes and half remembered things.

[ZimboKraut]

That would be great.

As this guidline is meant for everyone, and I do not consider myself "perfect" I would greatly appreciate any feedback.

All the best