Implementing DKIM in Zentyal MTA with SoGO Rumi, June 14, 2023 To implement this authentication mechanism, you can use a third party software called OpenDKIM. These are the steps you have to follow to deploy DKIM. 1. Install the necessary packages: sudo apt-get install -y opendkim opendkim-tools 2. Create the folder for the DKIM keys: sudo mkdir -vp /etc/opendkim/keys 3. Generate the DKIM keys: sudo opendkim-genkey -s mail -d zentyal-domain.lan -D /etc/opendkim/keys 4. Configure the folder permissions: chown -R opendkim:opendkim /etc/opendkim/ sudo chmod 0640 /etc/opendkim/keys/*.private 5. Create the /etc/opendkim/TrustedHosts configuration file, where you indiate the trusted hosts: 127.0.0.1 localhost 192.168.6.0/24 *.zentyal-domain.lan 6. Create the /etc/opendkim/SigningTable configuration file that will contain the domain and subdomains which will be signed by DKIM: *@zentyal-domain.lan mail 7. Define the selector name and the path of the private key to sign the /etc/opendkim/KeyTable configuration file: mail zentyal-domain.lan:mail:/etc/opendkim/keys/mail.private 8. Once you have finished defining these configuration files, you have to create the main OpenDKIM configuration file located in the /etc/opendkim.conf: Mode sv PidFile /var/run/opendkim/opendkim.pid UserID opendkim:opendkim Socket inet:8891@127.0.0.1 SignatureAlgorithm rsa-sha256 AutoRestart Yes AutoRestartRate 10/1h Syslog yes SyslogSuccess yes LogWhy Yes UMask 002 OversignHeaders From Canonicalization relaxed/simple ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts KeyTable refile:/etc/opendkim/KeyTable Signingtable refile:/etc/opendkim/SigningTable 9. Next, you have to establish the address and listening port of DKIM in the /etc/default/opendkim configuration file: SOCKET="inet:8891@127.0.0.1" 10. To finish the OpenDKIM configuration, you have to start the service and enable it: sudo systemctl restart opendkim sudo systemctl enable opendkim 11. Then you will have to add the following configuration parameters to the /usr/share/zentyal/stubs/mail/main.cf.mas configuration template of the Mail module to use OpenDKIM: ## DKIM Configuration milter_protocol = 6 milter_default_action = accept smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = inet:127.0.0.1:8891 Warning You have to carefully read the Zentyal documentation on stubs to make the change persistent to module updates. 12. Restart the Mail module to apply the changes: sudo zs mail restart 13. Then you will have to add the TXT record to the DNS module with the content of the /etc/opendkim/keys/mail.txt configuration file. An example of its content: mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7H Gd2KvNadQnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5o G7+1w7KLZJUKwYhPUaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBA R057j/UZrUcwBZTONp5LrhqLWw0duC2G8UaWDdxzIyugYplzZUmtzMqzx 4jo9sjH3cRc/1kNRg7lzzvay" "Q/PxyxpEFGxsx8A6AJe0lZBbntSgXt d3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPzC9a6ah73AKNL1P+u4 yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiwwIDAQAB" ) ; ----- DKIM key mail for zentyal-domain.lan 14. And the command [22] to add this particular record: samba-tool dns add zentyal.zentyal-domain.lan zentyal-domain.lan \ mail._domainkey.zentyal-domain.lan TXT '"v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7HGd2KvNad QnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5oG7+1w7KLZJUKwYhP UaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBAR057j/UZrUcwBZTONp5LrhqL Ww0duC2G8UaWDdxzIyugYplzZUmtzMqzx4jo9sjH3cRc/1kNRg7lzzvay" "Q/Pxy xpEFGxsx8A6AJe0lZBbntSgXtd3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPz C9a6ah73AKNL1P+u4yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiw wIDAQAB"' Warning Pay attention to the content of the file before adding the TXT record. 15. Finally, to confirm that the record has been successfully added to the domain, one of the most recommended ways is to use the MXtoolbox website . When sending an email, you should see an excerpt similar to this in the header of the message: Src: https://doc.zentyal.org/en/mail.html Administrations Collected Articles Configurations (Linux) DKIMZentyal