Although not a difficult task, while searching the Internet for issues people may have faced, there did not appear to be a single website that gave clear, concise and most importantly full instructions on how to go about setting up a Linux (in this case Ubuntu) server running postfix to sign outgoing emails with DKIM signatures.
So below you will find the configuration that we used and tested successfully across a number of domains. (All commands are run as root; add sudo if necessary in your environment.)
1. Make sure all software is up to date
2. Install opendkim
apt-get install opendkim opendkim-tools
3. Set up a directory for the storage of private keys. You can have as many domains as you wish. Change owner and permissions to the opendkim user.
mkdir -pv /etc/opendkim/example.com/
chown -Rv opendkim:opendkim /etc/opendkim
chmod go-rwx /etc/opendkim/*
4. Every single domain should have a key pair and appropriate security. Navigate to the appropriate folder and generate a key pair. Change the owner to the opendkim user.
cd /etc/opendkim/example.com/
opendkim-genkey -r -h sha256 -d example.com -s yourtag
chown opendkim:opendkim *
chmod u=rw,go-rwx *
5. Publish the public key using a DNS TXT record for the domain in question. (key shortened here for space)
yourtag._domainkey.example.com IN TXT "v=DKIM1;p=AySFjB......xorQAB"
Once published, check that the record is visible in DNS. From the command line of the email server:
dig yourtag._domainkey.example.com TXT
6. Set up the key table.
Open up your text editor of choice and open or create /etc/opendkim/KeyTable file with the following text
7. Set up the signing table. Again, open or create /etc/opendkim/SigningTable in your favorite text editor and enter the following text.
8. Set up the TrustedHosts file. Open or create /etc/opendkim/TrustedHosts. This will need to contain all the IP ranges that you will allow to use this MTA to sign emails with DKIM, in the following format.
9. Next, set up the ownership of files we created to the opendkim user.
chown opendkim:opendkim /etc/opendkim/KeyTable
chown opendkim:opendkim /etc/opendkim/SigningTable
chown opendkim:opendkim /etc/opendkim/TrustedHosts
10. Open /etc/opendkim.conf using your text editor. Make sure the following settings are changed/added. Some may be present already.
# Enable Logging
# User mask
# Always oversign From (sign the actual From plus a null From, so that a From header field added between the signer and the verifier breaks the signature)
# Our KeyTable and SigningTable
# Trusted Hosts
# Hashing Algorithm
# Auto restart when a failure occurs. CAUTION: This may cause a tight fork loop
# Set the user and group to opendkim user
# Specify the working socket
11. Configure the OpenDKIM filter on Postfix.
Open /etc/postfix/main.cf and add/uncomment these lines:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
12. Restart opendkim and postfix
service opendkim start
service postfix restart
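As an added example (my own code, not the post's files or anything shipped with OpenDKIM), the following sh functions produce the table entries and configuration directives that steps 6 to 10 above leave to the reader, and sanity-check the TXT record published in step 5. The directive names are OpenDKIM's own; the specific values (UMask 002, AutoRestartRate 10/1h) and the 192.0.2.0/24 range in the usage notes are this example's choices. The domain and selector are the post's example.com and yourtag.

```shell
#!/bin/sh
# Added example, not the original post's files: helpers for steps 5-10.
# ROOT is the key directory, normally /etc/opendkim.

# add_dkim_domain ROOT DOMAIN SELECTOR
# Appends one domain to KeyTable and SigningTable; call once per domain.
add_dkim_domain() {
    root="$1"; domain="$2"; selector="$3"
    mkdir -p "$root/$domain"
    # KeyTable line: <key name> <domain>:<selector>:<path to private key>
    printf '%s._domainkey.%s %s:%s:%s/%s/%s.private\n' \
        "$selector" "$domain" "$domain" "$selector" "$root" "$domain" "$selector" \
        >> "$root/KeyTable"
    # SigningTable line (refile: form): any sender at the domain uses that key
    printf '*@%s %s._domainkey.%s\n' "$domain" "$selector" "$domain" \
        >> "$root/SigningTable"
}

# write_trusted_hosts ROOT [HOST_OR_CIDR ...]
# Loopback is always trusted; anything else listed may relay through this MTA and get signed,
# so keep the list to hosts you actually control.
write_trusted_hosts() {
    root="$1"; shift
    { printf '127.0.0.1\nlocalhost\n'; for h in "$@"; do printf '%s\n' "$h"; done; } \
        > "$root/TrustedHosts"
}

# opendkim_conf ROOT: prints the settings to append to /etc/opendkim.conf
opendkim_conf() {
    root="$1"
    cat <<EOF
# Enable logging to syslog
Syslog yes
# Umask for the socket and PID file (value chosen for this example)
UMask 002
# Always oversign From so a From header added in transit breaks the signature
OversignHeaders From
# Key and signing tables (refile: enables the wildcard patterns in SigningTable)
KeyTable refile:$root/KeyTable
SigningTable refile:$root/SigningTable
# Hosts whose mail is signed rather than verified
ExternalIgnoreList refile:$root/TrustedHosts
InternalHosts refile:$root/TrustedHosts
# Signing algorithm
SignatureAlgorithm rsa-sha256
# Restart the filter if it dies, rate-limited to avoid a tight fork loop
AutoRestart yes
AutoRestartRate 10/1h
# Run as the opendkim user and listen where Postfix's smtpd_milters points
UserID opendkim:opendkim
Socket inet:8891@localhost
EOF
}

# check_dkim_txt TXTVALUE: succeeds only if the value is a DKIM1 record carrying a public key.
# Accepts dig's output form, i.e. one or more quoted strings that are concatenated.
check_dkim_txt() {
    rec=$(printf '%s' "$1" | tr -d '" \t')
    case "$rec" in
        "v=DKIM1;"*) ;;
        *) echo "not a DKIM record: v=DKIM1 tag missing or not first" >&2; return 1 ;;
    esac
    pubkey=$(printf '%s' "$rec" | tr ';' '\n' | sed -n 's/^p=//p')
    if [ -z "$pubkey" ]; then
        echo "no public key: an empty or missing p= tag means the selector is revoked" >&2
        return 1
    fi
    return 0
}

# Usage on the mail server (as root), with 192.0.2.0/24 as a constructed trusted range:
#   . ./dkim-setup.sh
#   add_dkim_domain /etc/opendkim example.com yourtag
#   write_trusted_hosts /etc/opendkim 192.0.2.0/24
#   opendkim_conf /etc/opendkim >> /etc/opendkim.conf
#   check_dkim_txt "$(dig +short yourtag._domainkey.example.com TXT)" && echo "record OK"
```

The check is deliberately strict about an empty p= tag: publishing `p=` with no key is how a selector is revoked, so a record that looks present but carries no key will still fail verification at the receiver, and it is worth catching that before mail goes out.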
And that is it. Any emails being passed through this MTA with a sending domain that matches those listed in the SigningTable will have a DKIM signature attached.
The easiest way to test that everything is working as it should is to send an email to a Gmail account and view the original version of the message. It will show whether the DKIM signature passed verification and, if not, hopefully give you some information on what went wrong.