opendkim notes
Last Edit:14.11.2020 10:37
Last Edit: 26.08.2015 22:42
What's the fuzz?
Digitally sign your outgoing email so that receiving servers can verify it was authorized by your domain and was not altered in transit. Note that DKIM authenticates the signing domain, not the human sender.
opendkim
# yum -y install opendkim
# cp /etc/opendkim.conf /etc/opendkim.conf.orig
# id opendkim
uid=367(opendkim) gid=365(opendkim) groups=365(opendkim),12(mail)
# opendkim-genkey --help
opendkim-genkey: usage: opendkim-genkey [options]
--append-domain include domain name in zone file stub
--bits=n use n bits to generate the key
--directory=path leave output in the named directory
--domain=name generate data for the named domain [example.com]
--hash-algorithms=list limit to use of the named algorithm(s)
--help print help and exit
--note=string include specified note in zone data
--restrict restrict key to email use only
--selector=name selector name [default]
--subdomains allow signing of subdomains
--testmode indicate key is in test mode
--verbose increased output
--version print version and exit
generate key (4096 bits works, but RFC 6376 only requires verifiers to handle keys up to 2048 bits, and the resulting TXT record is large enough that resolvers need EDNS or TCP fallback; 2048 bits is the usual choice)
# opendkim-genkey --bits=4096 --domain=balaskas.gr --restrict --selector=myselector --verbose --directory=/etc/opendkim/keys/
opendkim-genkey: generating private key
opendkim-genkey: private key written to myselector.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to myselector.txt
Let's Encrypt
or use your Let's Encrypt key! (Not recommended: keep the TLS key and the DKIM signing key separate. If acme.sh ever regenerates the key on renewal, every DKIM signature fails until the DNS record is updated, and a key under /root/.acme.sh is not readable by the unprivileged opendkim user anyway. Also, `-pubout` prints PEM; the DKIM p= tag takes only the base64 body, without the BEGIN/END lines or line breaks.)
openssl rsa -in /root/.acme.sh/balaskas.gr/balaskas.gr.key -pubout
openssl rsa -in /root/.acme.sh/balaskas.gr/balaskas.gr.key -pubout > /root/.acme.sh/balaskas.gr/balaskas.gr.rsa.pub
configuration
# grep -Ev '#|^$' /etc/opendkim.conf
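PidFile /var/run/opendkim/opendkim.pid
# "sv" = sign outbound and verify inbound. (The original listing had these two
# directives on one line, which opendkim would not parse as intended.)
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
# TCP listener on loopback. Any local user can connect to this port; a
# local:/path socket with group permissions would restrict that. Postfix's
# smtpd_milters/non_smtpd_milters must point at this same address.
Socket inet:8891@localhost
Umask 002
SendReports yes
# Adds a header naming the opendkim version on signed mail; leaks the software
# version to every recipient, disable if that matters.
SoftwareHeader yes
Canonicalization relaxed/relaxed
# Single-key settings; with KeyTable/SigningTable below in use the key comes
# from the KeyTable entry, so these act only as the fallback.
Selector myselector
# Smallest RSA key accepted when verifying inbound mail; 1024 is the RFC 8301
# floor, raise if you are willing to reject weaker signers.
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/myselector.private
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
# Both tables point at TrustedHosts: those hosts are exempt from verification
# (ExternalIgnoreList) and have their mail signed (InternalHosts). Keep the
# list tight, anything on it can send signed mail for the domain.
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
# Sign From: one extra time so a second From: header added after signing
# invalidates the signature (RFC 6376 section 8.15 header-addition attack).
OversignHeaders From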
trusted
# cat /etc/opendkim/TrustedHosts
# Hosts trusted to submit mail for signing and exempt from DKIM verification
# (referenced by both InternalHosts and ExternalIgnoreList in opendkim.conf).
# Anything listed here can originate mail that is signed as balaskas.gr, so only
# hosts that authenticate their own users belong on this list.
127.0.0.1
::1
# NOTE(review): a /112 covers 65536 addresses, confirm the whole range is yours.
2a01:7a0:10:158:255:214:14::/112
158.255.214.14
158.255.214.15
# cat /etc/opendkim/KeyTable
# <key name>  <domain>:<selector>:<private key path>
# The key name is what SigningTable refers to; the private key must be readable
# only by the opendkim user.
myselector._domainkey.balaskas.gr balaskas.gr:myselector:/etc/opendkim/keys/myselector.private
# cat /etc/opendkim/SigningTable
# <sender pattern>  <KeyTable entry>
# Loaded with the refile: prefix in opendkim.conf, so the * wildcard is honoured.
# Only mail from the listed domain is signed; other senders pass through unsigned.
*@balaskas.gr myselector._domainkey.balaskas.gr
# chown opendkim:opendkim /etc/opendkim/keys/myselector.private
# chmod 600 /etc/opendkim/keys/myselector.private
# /etc/init.d/opendkim restart
pdns
# cat /etc/opendkim/keys/myselector.txt >> /etc/pdns/var/balaskas.gr
(no --append-domain was used, so the record name in myselector.txt is relative to the zone origin; check it lands under the right $ORIGIN and bump the SOA serial so secondaries pick it up)
# dig -t TXT myselector._domainkey.balaskas.gr @localhost
;; ANSWER SECTION:
myselector._domainkey.balaskas.gr. 86400 IN TXT "v=DKIM1\; k=rsa\; s=email\; " "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApfHXCGIYzFzCx3zRRfg/Nl7l8816CS/5TFFLajYJLHBMuO84/87GUbQNktM2HTy2JhWcNnncShyzhK9GdH9c5hksmog14kH2qg+dv7iyoZ0Tkma6+NWzrK4DA6ogKb5lbnxn3eH+6b4TMA6qh2IFFXsiu99Tq6BeIihd0Ui647xXJFPLOaX+9YE89b0p5Ysvzyufdmw7H1vuSA" "g9Ok2QldPip/Czj7qkEleLnNywTyE90c7qGm0EMXuG3fz2yjllA54c/KJq1hzx/3MybfpLomDI3Qkapl3VVQxJpqAmPV8k17ST9iOif2eI5sk9mPZEywwLNDnsZU55xzMFGXxIpsAz2S7R456zut4oFfzmoe2JdVnwV9fe7169qDgyz5AikhRFCM6BK6+RffNdD6CogJ+PduqYUt6QDcrU3ZiQaGN3rvNm7J0lGldL0NKYdvulgKp1PM8G" "N3U9DgpGLsu99OXkVvSCw/0Zb3MRurmWUczT0vv8PAOOpYCbEggS2uyyMEPldmXKjL1vS8vAsGO+vtKcgHpg5yaCdEUVNVaQzQrEMAI+o09TZcy5He+RidOiMsdiH8uHEMg5X/u7mPDNZUy8+u+xL1f7sKF+NUGI6SR6R+J9PTjSiJ7+/t+PB1J79GrdPsw6HdILr0U+xssqHilD6MC3M7AHxLtxnUqL26sCAwEAAQ=="
## selinux ##
# cat OpenDKIM_tmp.te
module opendkim 1.0;
require {
type tmp_t;
type dkim_milter_t;
class dir { write add_name remove_name };
class file { create write open unlink };
}
#============= dkim_milter_t ==============
# Lets the opendkim milter create, write and delete files anywhere labelled
# tmp_t (i.e. all of /tmp), which is broader than one daemon needs. If the
# denial came from opendkim's scratch files, a dedicated directory with its own
# label (with opendkim's TemporaryDirectory pointed at it) would be narrower.
allow dkim_milter_t tmp_t:dir { write add_name remove_name };
allow dkim_milter_t tmp_t:file { create write open unlink };
# make -f /usr/share/selinux/devel/Makefile
# semodule -i OpenDKIM_tmp.pp
postfix
# ebal, Wed, 26 Aug 2015 22:48:10 +0300
# Run both SMTP-received mail and locally submitted mail (sendmail/pickup)
# through opendkim on the loopback port set in opendkim.conf.
non_smtpd_milters=inet:127.0.0.1:8891
smtpd_milters=inet:127.0.0.1:8891
milter_protocol = 6
# Macros handed to the milter; presumably {auth_authen}/{auth_type} let opendkim
# treat authenticated submissions as internal, verify against its docs.
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
# skip mail without checks if something goes wrong
# Fail-open: if opendkim is down or times out, inbound mail is accepted with no
# DKIM verification and outbound mail leaves unsigned. "tempfail" is the
# fail-closed alternative (mail is deferred, not lost).
milter_default_action = accept
/etc/init.d/postfix restart
test it
# opendkim-testkey -vv -d balaskas.gr -s myselector -k /etc/opendkim/keys/myselector.private
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/myselector.private
opendkim-testkey: checking key 'myselector._domainkey.balaskas.gr'
or
send a message to check-auth@verifier.port25.com, which replies with an authentication report (DKIM and SPF results among others) for the message as received.