opendkim notes
Last Edit: 14.11.2020 10:37
Last Edit: 26.08.2015 22:42
What's the fuzz?
Prove that you are the sender by digitally signing your outgoing emails.
opendkim
# yum -y install opendkim
# cp /etc/opendkim.conf /etc/opendkim.conf.orig
# id opendkim
uid=367(opendkim) gid=365(opendkim) groups=365(opendkim),12(mail)
# opendkim-genkey --help
opendkim-genkey: usage: opendkim-genkey [options]
  --append-domain         include domain name in zone file stub
  --bits=n                use n bits to generate the key
  --directory=path        leave output in the named directory
  --domain=name           generate data for the named domain [example.com]
  --hash-algorithms=list  limit to use of the named algorithm(s)
  --help                  print help and exit
  --note=string           include specified note in zone data
  --restrict              restrict key to email use only
  --selector=name         selector name [default]
  --subdomains            allow signing of subdomains
  --testmode              indicate key is in test mode
  --verbose               increased output
  --version               print version and exit
generate key
# opendkim-genkey --bits=4096 --domain=balaskas.gr --restrict --selector=myselector --verbose --directory=/etc/opendkim/keys/
opendkim-genkey: generating private key
opendkim-genkey: private key written to myselector.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to myselector.txt
Let's Encrypt
Or use your Let's Encrypt key:
openssl rsa -in /root/.acme.sh/balaskas.gr/balaskas.gr.key -pubout
openssl rsa -in /root/.acme.sh/balaskas.gr/balaskas.gr.key -pubout > /root/.acme.sh/balaskas.gr/balaskas.gr.rsa.pub
configuration
# grep -Ev '#|^$' /etc/opendkim.conf
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
SendReports yes
SoftwareHeader yes
Canonicalization relaxed/relaxed
Selector myselector
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/myselector.private
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
OversignHeaders From
trusted
# cat /etc/opendkim/TrustedHosts
127.0.0.1
::1
2a01:7a0:10:158:255:214:14::/112
158.255.214.14
158.255.214.15

# cat /etc/opendkim/KeyTable
myselector._domainkey.balaskas.gr balaskas.gr:myselector:/etc/opendkim/keys/myselector.private

# cat /etc/opendkim/SigningTable
*@balaskas.gr myselector._domainkey.balaskas.gr

# chown opendkim:opendkim /etc/opendkim/keys/myselector.private
# /etc/init.d/opendkim restart
pdns
# cat /etc/opendkim/keys/myselector.txt >> /etc/pdns/var/balaskas.gr
# dig -t TXT myselector._domainkey.balaskas.gr @localhost
;; ANSWER SECTION:
myselector._domainkey.balaskas.gr. 86400 IN TXT "v=DKIM1\; k=rsa\; s=email\; " "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApfHXCGIYzFzCx3zRRfg/Nl7l8816CS/5TFFLajYJLHBMuO84/87GUbQNktM2HTy2JhWcNnncShyzhK9GdH9c5hksmog14kH2qg+dv7iyoZ0Tkma6+NWzrK4DA6ogKb5lbnxn3eH+6b4TMA6qh2IFFXsiu99Tq6BeIihd0Ui647xXJFPLOaX+9YE89b0p5Ysvzyufdmw7H1vuSA" "g9Ok2QldPip/Czj7qkEleLnNywTyE90c7qGm0EMXuG3fz2yjllA54c/KJq1hzx/3MybfpLomDI3Qkapl3VVQxJpqAmPV8k17ST9iOif2eI5sk9mPZEywwLNDnsZU55xzMFGXxIpsAz2S7R456zut4oFfzmoe2JdVnwV9fe7169qDgyz5AikhRFCM6BK6+RffNdD6CogJ+PduqYUt6QDcrU3ZiQaGN3rvNm7J0lGldL0NKYdvulgKp1PM8G" "N3U9DgpGLsu99OXkVvSCw/0Zb3MRurmWUczT0vv8PAOOpYCbEggS2uyyMEPldmXKjL1vS8vAsGO+vtKcgHpg5yaCdEUVNVaQzQrEMAI+o09TZcy5He+RidOiMsdiH8uHEMg5X/u7mPDNZUy8+u+xL1f7sKF+NUGI6SR6R+J9PTjSiJ7+/t+PB1J79GrdPsw6HdILr0U+xssqHilD6MC3M7AHxLtxnUqL26sCAwEAAQ=="
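dig returns a long DKIM record as several quoted strings with ';' escaped as '\;', so a quick sanity check has to join the strings before reading the tags. The Python below is an added example, not part of these notes: it parses such RDATA, decodes the p= key and checks the RSA modulus size against the MinimumKeyBits 1024 from opendkim.conf. The record it checks is built from a constructed modulus, not the balaskas.gr key.

```python
# Parse dig-style DKIM TXT RDATA and measure the published RSA key.
import base64
import re

def _tlv(buf, i):
    """Return (tag, value_start, value_end) of the DER element at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length

def rsa_modulus_bits(spki):
    """Bit length of the modulus in a DER SubjectPublicKeyInfo (what p= carries)."""
    _, seq, _ = _tlv(spki, 0)                # outer SEQUENCE
    _, _, alg_end = _tlv(spki, seq)          # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _tlv(spki, alg_end)       # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03, "expected BIT STRING"
    _, key, _ = _tlv(spki, bits + 1)         # skip the unused-bits octet
    tag, n0, n1 = _tlv(spki, key)            # INTEGER modulus comes first
    assert tag == 0x02, "expected INTEGER"
    return int.from_bytes(spki[n0:n1], "big").bit_length()

def check_dkim_record(rdata, min_bits=1024):
    """rdata is dig's TXT RDATA: several quoted strings with ';' escaped as backslash-';'."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    record = "".join(chunks).replace("\\;", ";")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    bits = rsa_modulus_bits(base64.b64decode("".join(tags["p"].split())))
    ok = tags.get("v") == "DKIM1" and tags.get("k", "rsa") == "rsa" and bits >= min_bits
    return {"version": tags.get("v"), "key_type": tags.get("k", "rsa"),
            "service": tags.get("s", "*"), "bits": bits, "ok": ok}

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def make_rdata(modulus, exponent=65537):
    """dig-style RDATA for a synthetic RSA key (not a real key), p= split over two strings."""
    rsa_alg = bytes.fromhex("06092a864886f70d0101010500")   # OID rsaEncryption + NULL
    num = lambda x: _der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))
    pub = _der(0x30, num(modulus) + num(exponent))
    spki = _der(0x30, _der(0x30, rsa_alg) + _der(0x03, b"\x00" + pub))
    p = base64.b64encode(spki).decode()
    return '"v=DKIM1\\; k=rsa\\; s=email\\; " "p=%s" "%s"' % (p[:200], p[200:])

SAMPLE_RDATA = make_rdata((1 << 2047) + 12345)   # constructed 2048-bit modulus
```

Paste the RDATA part of a real dig answer into check_dkim_record() to confirm the published key matches the size you generated and that s=email is set, as --restrict intends.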
selinux
# cat OpenDKIM_tmp.te
module opendkim 1.0;

require {
        type tmp_t;
        type dkim_milter_t;
        class dir { write add_name remove_name };
        class file { create write open unlink };
}

#============= dkim_milter_t ==============
allow dkim_milter_t tmp_t:dir { write add_name remove_name };
allow dkim_milter_t tmp_t:file { create write open unlink };

# make -f /usr/share/selinux/devel/Makefile
# semodule -i OpenDKIM_tmp.pp
postfix
# ebal, Wed, 26 Aug 2015 22:48:10 +0300
non_smtpd_milters=inet:127.0.0.1:8891
smtpd_milters=inet:127.0.0.1:8891
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
# skip mail without checks if something goes wrong
milter_default_action = accept

/etc/init.d/postfix restart
test it
# opendkim-testkey -vv -d balaskas.gr -s myselector -k /etc/opendkim/keys/myselector.private
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/myselector.private
opendkim-testkey: checking key 'myselector._domainkey.balaskas.gr'
or send a test message to check-auth@verifier.port25.com