News

  • Installing and configuring DKIM for Postfix

    Install all the necessary components using your package manager:

    aptitude install opendkim opendkim-tools

    Now we need to generate the keys that will be used to sign messages. Here the keys are stored next to the Postfix configuration files, but you can choose another location; where they live is not important.

    mkdir /etc/postfix/dkim/

    Generate the key for the domain example.com and the selector mail:

    opendkim-genkey -D /etc/postfix/dkim/ -d example.com -s mail

    This creates the files /etc/postfix/dkim/mail.private and /etc/postfix/dkim/mail.txt, containing the private and public keys respectively. The public key should be published in a TXT record for your domain.

    The key files must be readable by the group that OpenDKIM runs as:

    chgrp opendkim /etc/postfix/dkim/*
    chmod g+r /etc/postfix/dkim/*

    In the configuration file /etc/opendkim.conf write:

    Syslog yes
    SyslogSuccess yes
    LogWhy yes
    X-Header yes

    Canonicalization relaxed/relaxed
    Mode sv
    #Mode s

    KeyTable file:/etc/postfix/dkim/keytable
    SigningTable file:/etc/postfix/dkim/signingtable
    #ExternalIgnoreList file:/etc/postfix/dkim/trusted
    # list of internal hosts whose mail must be signed
    #InternalHosts file:/etc/postfix/dkim/internal

    List the available keys in the file /etc/postfix/dkim/keytable:

    mail._domainkey.example.com example.com:mail:/etc/postfix/dkim/mail.private
    mx._domainkey.example.net example.net:mx:/etc/postfix/dkim/mx.private

    Specify which key signs which domain in the file /etc/postfix/dkim/signingtable:

    example.com mail._domainkey.example.com
    example.net mx._domainkey.example.net
    * mail._domainkey.example.com

    In the file /etc/default/opendkim, tell the DKIM daemon where to listen for connections:

    SOCKET="inet:8891@localhost"

    Add to the end of /etc/postfix/main.cf the following lines:

    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891

    Do not forget to add a TXT record and verify that it is in place:

    dig txt mail._domainkey.example.com
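
The check in this step can be scripted. The shell script below is an added example, not part of the original article: it extracts the p= value from the record that opendkim-genkey wrote to mail.txt and from the DNS answer, joins the quoted strings that long keys are split into, and compares the two. The function names and all sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example; all key material below is constructed, not a real key.

# Print the base64 p= value of a DKIM TXT record read from stdin. Accepts the
# zone fragment from mail.txt as well as `dig +short` output.
dkim_pubkey() {
    # Only text inside double quotes is record data; long keys are split into
    # several quoted strings that must be joined before comparing.
    tr -d '\n' | grep -o '"[^"]*"' | tr -d '" \t\n' |
        tr ';' '\n' | sed -n 's/^p=//p'
}

# dkim_compare GENERATED PUBLISHED
# Returns 0 if both records carry the same key, 1 if the keys differ, and 2 if
# either has no p= value (record missing, or an empty p=, i.e. a revoked key).
dkim_compare() {
    generated=$(printf '%s\n' "$1" | dkim_pubkey)
    published=$(printf '%s\n' "$2" | dkim_pubkey)
    if [ -z "$generated" ] || [ -z "$published" ]; then
        return 2
    fi
    [ "$generated" = "$published" ]
}

# Constructed sample: mail.txt in the layout opendkim-genkey writes ...
SAMPLE_ZONE='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
      "p=MIIBIjANBgkqhCONSTRUCTEDSAMPLEKEYPART1"
      "CONSTRUCTEDSAMPLEKEYPART2IDAQAB" )  ; ----- DKIM key mail for example.com'
# ... the same record as `dig +short txt` prints it, split differently ...
SAMPLE_DNS='"v=DKIM1; k=rsa; p=MIIBIjANBgkqhCONSTRUCTED" "SAMPLEKEYPART1CONSTRUCTEDSAMPLEKEYPART2IDAQAB"'
# ... and a stale record left over from an earlier key.
SAMPLE_STALE='"v=DKIM1; k=rsa; p=MIIBIjANBgkqhOLDCONSTRUCTEDKEYIDAQAB"'

# Print a verdict for one pair of records and return dkim_compare's status.
report() {
    rc=0
    dkim_compare "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: published key matches mail.txt" ;;
        1) echo "MISMATCH: DNS serves a different key than mail.txt" ;;
        *) echo "ERROR: no p= value found in one of the records" ;;
    esac
    return "$rc"
}

report "$SAMPLE_ZONE" "$SAMPLE_DNS" || true
report "$SAMPLE_ZONE" "$SAMPLE_STALE" || true
# On the mail server: report "$(cat /etc/postfix/dkim/mail.txt)" \
#     "$(dig +short txt mail._domainkey.example.com)"
```

A mismatch usually means DNS still serves the record of a previous key, in which case receivers fail verification even though signing itself works.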

    Restart postfix and opendkim, send a test message somewhere and check that the signature verifies successfully.

    If the test is successful, you should formally tell other servers not to accept unsigned mail from your domain by adding an ADSP record:

    _adsp._domainkey IN TXT "dkim=all"

    Our technical support team uses these instructions. If you could not set up Postfix and DKIM yourself, please contact our technical support. Our experts will help you.
