http://www.ipsure.com/blog/2010/domainkeys-identified-mail-dkim-with-postfix-smtp-only/
http://www.techsneeze.com/deploy-dkim-milter-multiple-domains-centos-5-sendmail
http://www.cesafaci.ro/tutoriale/sendmail-cu-dkim-pe-centos-fedora-19.html
yum install dkim-milter
cd /etc/mail/dkim-milter/keys
dkim-genkey -r -d your-domain.com
=> 2 files: public key (default.txt) and private key (default.private)
At this point you should have a "default.private" and "default.txt" file
in your current working directory (which is /etc/mail/dkim-milter/keys).
default.txt contains the DNS TXT record you must add to your DNS entries.
cat default.txt >> /var/named/chroot/var/named/yourdomain.zone
mv default.private /etc/mail/dkim-milter/domeniultau_default.key.pem
chown dkim-milter:dkim-milter /etc/mail/dkim-milter/domeniultau_default.key.pem
/etc/mail/dkim-milter/dkim-filter.conf
Domain domeniu.ro
KeyFile /etc/mail/dkim-milter/domeniultau_default.key.pem
MTA MSA
Selector default
SignatureAlgorithm rsa-sha1
Socket local:/var/run/dkim-milter/dkim-milter.sock
Syslog Yes
X-Header Yes
/etc/mail/sendmail.mc
dnl # dkim - yahoo domainkeys implementation
INPUT_MAIL_FILTER(`dkim-filter', `S=local:/var/run/dkim-milter/dkim-milter.sock')
cd /etc/mail
make
service named reload
service dkim-milter start
service sendmail restart
chkconfig dkim-milter on
The config file (/etc/mail/dkim-milter/dkim-filter.conf) is fully self-documented and easy to understand.
I made the following changes from the default config:
AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization simple/simple
Domain techsneeze.com
ExternalIgnoreList /etc/mail/dkim-milter/trusted-hosts
InternalHosts /etc/mail/dkim-milter/InternalHosts.txt
LogWhy yes
On-Default accept
On-BadSignature accept
On-DNSError accept
On-InternalError accept
On-NoSignature accept
On-Security accept
SignatureAlgorithm rsa-sha256
Socket local:/var/run/dkim-milter/dkim-milter.sock
Syslog yes
SyslogSuccess yes
UserID dkim-milter:dkim-milter
X-Header yes
PROBLEM:
If something like the following appears in the logs (grep "no signature data" /var/log/maillog):
"no signature data"
or
"external host [192.168.101.54] attempted to send as yourdomain.com"
and this host [192.168.101.54] is on your internal network ...
SOLUTION:
# cd /etc/mail/dkim-milter/
# touch InternalHosts.txt
# chmod 444 InternalHosts.txt
# vi InternalHosts.txt
192.168.101.0/24
yourdomain.com
smtp.yourdomain.com
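The "external host [...] attempted to send as" message above means the milter saw a client address that is not in its InternalHosts list and therefore refused to sign for the domain. The script below is an added example, not part of the original notes: it parses an InternalHosts list (CIDR blocks, single addresses and hostnames, as in the file above), checks a client IP against it, and scans maillog lines for that message, separating hosts the list already covers (the running milter has not been restarted or reads a different file) from hosts it genuinely does not list. The list contents, log lines, PIDs and queue id are constructed for this example.

```python
"""
Added example, not part of the original notes: check which sending hosts an
InternalHosts list (dkim-milter; TrustedHosts in OpenDKIM) covers, and scan
maillog lines for the "external host [...] attempted to send as ..." message
described above. The list contents and log lines below are constructed.
"""
import ipaddress
import re

# Constructed InternalHosts.txt with the same shape as the list above.
INTERNAL_HOSTS = """\
# CIDR blocks, single addresses and hostnames are all accepted
192.168.101.0/24
yourdomain.com
smtp.yourdomain.com
"""

# Constructed maillog excerpt in the wording the notes quote; PID and queue id are made up.
MAILLOG = """\
Mar  3 10:01:12 mx dkim-filter[1234]: external host [192.168.101.54] attempted to send as yourdomain.com
Mar  3 10:02:40 mx dkim-filter[1234]: external host [10.0.5.7] attempted to send as yourdomain.com
Mar  3 10:03:01 mx dkim-filter[1234]: q1ABC123: no signature data
"""

EXTERNAL_RE = re.compile(r"external host \[([0-9a-fA-F.:]+)\] attempted to send as (\S+)")


def parse_internal_hosts(text):
    """Split the list into (networks, hostnames). Anything ipaddress cannot parse
    is kept as a hostname; strict=False accepts entries such as 192.168.0.1/24."""
    networks, names = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            names.append(line.lower())
    return networks, names


def is_internal(ip, networks):
    """True when the client address falls inside one of the listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_external_senders(maillog, internal_hosts_text):
    """Return (covered, uncovered): hosts the milter logged as external that the
    current list already contains versus hosts it really does not list."""
    networks, _ = parse_internal_hosts(internal_hosts_text)
    covered, uncovered = [], []
    for line in maillog.splitlines():
        m = EXTERNAL_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        (covered if is_internal(ip, networks) else uncovered).append(ip)
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = classify_external_senders(MAILLOG, INTERNAL_HOSTS)
    print("already listed (restart the milter, check InternalHosts points at this file):", covered)
    print("not listed (add only hosts you operate; a listed host signs as your domain):", uncovered)
```

Hostnames in the list are returned separately because resolving them at check time would need DNS; the milter's own matching of hostnames against the client is not reproduced here.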
We may enhance the DKIM TXT entries like:
_domainkey.yourdomain.com. IN TXT "t=y; o=~; r=postmaster@yourdomain.com"
where
t=y means "this domain is currently testing DKIM; the verifier side must not treat the messages differently from unsigned e-mails even if the signature fails to verify"
o=~ means "some e-mails from this domain are signed, some are not"
o=- means "all e-mails from this domain are signed"
r=postmaster@yourdomain.com designates the responsible e-mail address
When we implemented DomainKeys Identified Mail (DKIM) with Postfix on FreeBSD, we had used the dkim-milter plugin. However, it seems that dkim-milter has expired and recently it has been removed from the ports tree. Consequently, we'll also move to OpenDKIM, which is in fact claimed to be bug free compared to dkim-milter. (Source: http://www.ipsure.com/blog/2012/dkim-milter-is-no-longer-available-how-to-use-opendkim-instead/)
DKIM includes a cryptographic hash in the e-mail header which is calculated with the private key (on the server) and verified with the public key (in the DNS record).
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
  c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
  h=from:to:subject:date:keywords:keywords;
  bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
  b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR
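The header above carries two checks: bh= is a hash of the canonicalized body that anyone can recompute without a key, and b= is the RSA signature over the selected headers plus bh=, which needs the public key from the s._domainkey.d DNS record. The script below is an added example, not code from the page or from OpenDKIM: it parses the tag=value pairs, recomputes bh= under the simple and relaxed body canonicalizations of RFC 6376 section 3.4, and reports how much of the body an l= length tag leaves unsigned. The sample body and header are constructed (the header uses c=relaxed/relaxed so the whitespace tolerance is visible), and b= is a placeholder because this offline example does not fetch the DNS key.

```python
"""
Added example (not from the original page): parse a DKIM-Signature header into its
tag=value pairs and recompute the bh= body hash under the simple and relaxed body
canonicalizations of RFC 6376 section 3.4. The body and header below are constructed;
b= is a placeholder because checking it needs the signer's public key from DNS.
"""
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split 'v=1; a=rsa-sha256; ...' into a dict. Folding whitespace inside a
    value is dropped, which is how base64 tags such as b= and bh= must be read."""
    tags = {}
    for field in header_value.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode):
    """Body canonicalization: 'simple' (RFC 6376 3.4.3) or 'relaxed' (3.4.4)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: %r" % mode)
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Squeeze runs of SP/TAB to one SP and drop whitespace at the end of each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body hashes as a single CRLF in simple mode and as nothing in relaxed mode.
        return b"\r\n" if mode == "simple" else b""
    # Every remaining line, including the last, is terminated by CRLF.
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode, algorithm="rsa-sha256", length=None):
    """The bh= value: base64 of the hash over the canonicalized body, truncated
    to the first l= bytes when the signature carries an l= tag."""
    canon = canonicalize_body(body, mode)
    if length is not None:
        canon = canon[:length]
    hasher = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(hasher(canon).digest()).decode("ascii")


def body_canon_mode(tags):
    """The body half of c=; 'c=relaxed' alone means header relaxed, body simple."""
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    return body_mode or "simple"


def body_hash_matches(header_value, body):
    """Recompute bh= from the body and compare it with what the header claims."""
    tags = parse_dkim_signature(header_value)
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_canon_mode(tags), tags.get("a", "rsa-sha256"), length) == tags.get("bh")


def unsigned_tail(header_value, body):
    """Canonicalized body bytes that an l= tag leaves outside the signature: anything
    past l= can change without affecting bh=, so an l= shorter than the body is a
    warning sign for a verifier."""
    tags = parse_dkim_signature(header_value)
    canon = canonicalize_body(body, body_canon_mode(tags))
    if "l" not in tags:
        return 0
    return max(0, len(canon) - int(tags["l"]))


# Constructed sample: double spaces, trailing blanks and extra blank lines show
# what relaxed canonicalization discards.
SAMPLE_BODY = b"Hello,  world \r\n\r\nThis is a test.\r\n\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; d=example.com; s=default; c=relaxed/relaxed; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + "; "
    "b=PLACEHOLDER"  # the RSA signature itself; not checked by this example
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_HEADER)
    print("d=%s s=%s -> public key is published at %s._domainkey.%s"
          % (tags["d"], tags["s"], tags["s"], tags["d"]))
    print("bh matches original body:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))
    print("bh matches body with a line appended:",
          body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY + b"Added later.\r\n"))
```

Relaxed canonicalization is why a signature survives mail relays that refold or retab the body, and also why whitespace-only edits do not invalidate it; the l= tag, present in the RFC example above, goes further and excludes everything past the stated length, which is why many verifiers ignore or down-weight signatures carrying it.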
First, install opendkim.
yum install opendkim
/etc/opendkim.conf:
AutoRestart Yes
UMask 002
Syslog yes
AutoRestartRate 10/1h
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UserID opendkim:opendkim
As you can see, there are three more files to be added, TrustedHosts (whitelisted IPs that can sign e-mails), KeyTable (multiple domain configuration for public and private keys) and SigningTable (whitelisted users that can sign e-mail).
/etc/opendkim/TrustedHosts:
127.0.0.1
example.com
192.168.0.1/24
/etc/opendkim/SigningTable:
*@example.com default._domainkey.example.com
All users from @example.com can sign. You can specify usernames and domains, instead of the wildcard, for additional security.
/etc/opendkim/KeyTable:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com.pvt
Each line gives the location of the private key and the name of the DNS record for a domain. The "default" in default._domainkey.example.com and in :default: is the selector; it can be changed to something else.
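The two tables work as a chain: the From address is matched against SigningTable patterns, the matched key name is looked up in KeyTable, and that entry supplies the d= domain, the s= selector and the private key file. The script below is an added example, not code from the page or from OpenDKIM: it resolves that chain for an address from tables in the refile: layout shown above and flags SigningTable entries that name a key the KeyTable does not define (a message matching such an entry leaves unsigned). Table contents are constructed to mirror the page's example, with a second, more specific entry added; the rule that the first matching pattern in file order wins is this example's assumption about refile: tables, not something the page states.

```python
"""
Added example, not from the original notes: resolve which key OpenDKIM would sign
with for a From address from SigningTable and KeyTable files in the refile: layout
shown above, and flag SigningTable key names the KeyTable does not define. Contents
are constructed; first-match-in-file-order is an assumption about refile: tables.
"""
import fnmatch

SIGNING_TABLE = """\
# constructed: address pattern -> KeyTable key name; most specific first
ceo@example.com exec._domainkey.example.com
*@example.com   default._domainkey.example.com
"""

KEY_TABLE = """\
# constructed: key name -> signingdomain:selector:private key file
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com.pvt
exec._domainkey.example.com    example.com:exec:/etc/opendkim/keys/example.com.exec.pvt
"""


def parse_table(text):
    """Two-column table: key, whitespace, value; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1].strip()))
    return rows


def lookup_signing_key(from_addr, signing_table, key_table):
    """Return (domain, selector, keyfile) for the address, or None when no pattern
    matches or the matched key name is missing, i.e. the message goes out unsigned."""
    addr = from_addr.lower()
    keys = dict(parse_table(key_table))
    for pattern, key_name in parse_table(signing_table):
        if fnmatch.fnmatchcase(addr, pattern.lower()):
            entry = keys.get(key_name)
            if entry is None:
                return None
            domain, selector, keyfile = entry.split(":", 2)
            return domain, selector, keyfile
    return None


def dns_record_name(domain, selector):
    """Where the public key must be published for a signature with d=domain; s=selector."""
    return "%s._domainkey.%s" % (selector, domain)


def table_problems(signing_table, key_table):
    """Dangling references: SigningTable key names absent from the KeyTable."""
    keys = dict(parse_table(key_table))
    problems = []
    for _, key_name in parse_table(signing_table):
        if key_name not in keys:
            problems.append("SigningTable refers to %s, which is not in KeyTable" % key_name)
    return problems


if __name__ == "__main__":
    for addr in ("alice@example.com", "ceo@example.com", "bob@other.org"):
        hit = lookup_signing_key(addr, SIGNING_TABLE, KEY_TABLE)
        if hit is None:
            print(addr, "-> not signed")
        else:
            domain, selector, keyfile = hit
            print(addr, "-> key", keyfile, "published at", dns_record_name(domain, selector))
    print("problems:", table_problems(SIGNING_TABLE, KEY_TABLE))
```

Running the same resolution against the live tables on a host is a quick way to confirm that the selector OpenDKIM will put into s= is the one whose public key was actually added to DNS.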
Next, we need to generate the public and private key for each domain.
If some folders don't exist, just create them.
# opendkim-genkey -D /etc/opendkim/keys/example.com -d example.com -s default
Again -s flag is for the selector. If you changed it, you need to enter it here.
The command generates a private key (default) and public key (default.txt). You will probably rename them, to match the configuration.
An important note here is that the files must be owned by user opendkim, or you will get permission denied errors in /var/log/mail.err. Default permissions on those files are -rw-------.
Move the private key to where you specified it should be in the KeyTable.
Insert the public key in your DNS as a TXT record.
Next up, telling sendmail to talk to opendkim.
Edit /etc/mail/sendmail.mc and add this line at the end.
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
Rebuild the sendmail configuration and restart it, and start opendkim if it is not running yet:
service sendmail restart; service opendkim start