opendkim notes


Hits: 2632


Last Edit:14.11.2020 10:37
Last Edit: 26.08.2015 22:42


What's the fuzz?


Verify that your are the sender by digital signing your outgoing emails.


opendkim


# yum -y install opendkim
 
# cp /etc/opendkim.conf /etc/opendkim.conf.orig
# id opendkim
uid=367(opendkim) gid=365(opendkim) groups=365(opendkim),12(mail)
 
# opendkim-genkey --help
opendkim-genkey: usage: opendkim-genkey [options]
	--append-domain        include domain name in zone file stub
	--bits=n               use n bits to generate the key
	--directory=path       leave output in the named directory
	--domain=name          generate data for the named domain [example.com]
	--hash-algorithms=list limit to use of the named algorithm(s)
	--help                 print help and exit
	--note=string          include specified note in zone data
	--restrict             restrict key to email use only
	--selector=name        selector name [default]
	--subdomains           allow signing of subdomains
	--testmode             indicate key is in test mode
	--verbose              increased output
	--version              print version and exit

generate key 


# opendkim-genkey --bits=4096 --domain=balaskas.gr --restrict --selector=myselector --verbose --directory=/etc/opendkim/keys/
opendkim-genkey: generating private key opendkim-genkey: private key written to myselector.private
opendkim-genkey: extracting public key opendkim-genkey: DNS TXT record written to myselector.txt

Let's Encrypt


or use your Let's Encrypt key !


openssl rsa -in /root/.acme.sh/balaskas.gr/balaskas.gr.key -pubout
 
openssl rsa -in /root/.acme.sh/balaskas.gr/balaskas.gr.key -pubout > /root/.acme.sh/balaskas.gr/balaskas.gr.rsa.pub

configuration


# grep -Ev '#|^$' /etc/opendkim.conf
 
PidFile             /var/run/opendkim/opendkim.pid
Mode                sv Syslog              yes
SyslogSuccess       yes
LogWhy              yes
UserID              opendkim:opendkim
Socket              inet:8891@localhost
Umask               002
SendReports         yes
SoftwareHeader      yes
Canonicalization    relaxed/relaxed
Selector            myselector
MinimumKeyBits      1024
KeyFile             /etc/opendkim/keys/myselector.private
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts
OversignHeaders     From

trusted


# cat /etc/opendkim/TrustedHosts
 
127.0.0.1
::1
2a01:7a0:10:158:255:214:14::/112
158.255.214.14
158.255.214.15

# cat /etc/opendkim/KeyTable
myselector._domainkey.balaskas.gr balaskas.gr:myselector:/etc/opendkim/keys/myselector.private
 
# cat /etc/opendkim/SigningTable
*@balaskas.gr myselector._domainkey.balaskas.gr
 
# chown opendkim:opendkim /etc/opendkim/keys/myselector.private 
 
 
# /etc/init.d/opendkim restart

pdns


# cat /etc/opendkim/keys/myselector.txt >> /etc/pdns/var/balaskas.gr 
 
# dig -t TXT myselector._domainkey.balaskas.gr @localhost
 
;; ANSWER SECTION:
myselector._domainkey.balaskas.gr. 86400 IN TXT	"v=DKIM1\; k=rsa\; s=email\; " "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApfHXCGIYzFzCx3zRRfg/Nl7l8816CS/5TFFLajYJLHBMuO84/87GUbQNktM2HTy2JhWcNnncShyzhK9GdH9c5hksmog14kH2qg+dv7iyoZ0Tkma6+NWzrK4DA6ogKb5lbnxn3eH+6b4TMA6qh2IFFXsiu99Tq6BeIihd0Ui647xXJFPLOaX+9YE89b0p5Ysvzyufdmw7H1vuSA" "g9Ok2QldPip/Czj7qkEleLnNywTyE90c7qGm0EMXuG3fz2yjllA54c/KJq1hzx/3MybfpLomDI3Qkapl3VVQxJpqAmPV8k17ST9iOif2eI5sk9mPZEywwLNDnsZU55xzMFGXxIpsAz2S7R456zut4oFfzmoe2JdVnwV9fe7169qDgyz5AikhRFCM6BK6+RffNdD6CogJ+PduqYUt6QDcrU3ZiQaGN3rvNm7J0lGldL0NKYdvulgKp1PM8G" "N3U9DgpGLsu99OXkVvSCw/0Zb3MRurmWUczT0vv8PAOOpYCbEggS2uyyMEPldmXKjL1vS8vAsGO+vtKcgHpg5yaCdEUVNVaQzQrEMAI+o09TZcy5He+RidOiMsdiH8uHEMg5X/u7mPDNZUy8+u+xL1f7sKF+NUGI6SR6R+J9PTjSiJ7+/t+PB1J79GrdPsw6HdILr0U+xssqHilD6MC3M7AHxLtxnUqL26sCAwEAAQ=="

## selinux ##
 
# cat OpenDKIM_tmp.te 
 
module opendkim 1.0;
 
require {
	type tmp_t;
	type dkim_milter_t;
	class dir { write add_name remove_name };
	class file { create write open unlink };
}
 
#============= dkim_milter_t ==============
 
allow dkim_milter_t tmp_t:dir  { write add_name remove_name };
allow dkim_milter_t tmp_t:file { create write open unlink };
 
 
# make -f /usr/share/selinux/devel/Makefile 
 
# semodule -i OpenDKIM_tmp.pp

postfix


# ebal, Wed, 26 Aug 2015 22:48:10 +0300
non_smtpd_milters=inet:127.0.0.1:8891
smtpd_milters=inet:127.0.0.1:8891
 
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
 
# skip mail without checks if something goes wrong
milter_default_action = accept
 
/etc/init.d/postfix restart

test it 


# opendkim-testkey -vv -d balaskas.gr -s myselector -k /etc/opendkim/keys/myselector.private
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/myselector.private
opendkim-testkey: checking key 'myselector._domainkey.balaskas.gr'

or


check-auth@verifier.port25.com