OpenDKIM Postfix SMTP Relay Server on Debian -7 Rumi, September 11, 2016February 26, 2024 Install OpenDKIM Before starting the installation, a system update is recommended: sudo apt-get update sudo apt-get dist-upgrade Install OpenDKIM and it’s dependencies: sudo apt-get install opendkim opendkim-tools Additional packages will be listed as dependencies, type yes and press Enter to continue. Configure OpenDKIM A couple of files must be created and edited in order to configure OpenDKIM. Nano will be used as an editor because it’s installed by default on DigitalOcean droplets and it’s simple to operate: navigate with the arrow keys exit without saving changes: press CTRL + X and then N exit and save changes: press CTRL + X and then Y, and finally press Enter Important: replace every instance of example.com with your own domain in all commands and configuration files. Don’t forget to save your files after editing. Let’s start with the main configuration file: sudo nano /etc/opendkim.conf Append the following lines to the end of the conf file (each parameter is explained below). Optionally, you can choose a custom port number for the Socket. Make sure that it’s not used by a different application. AutoRestart Yes AutoRestartRate 10/1h UMask 002 Syslog yes SyslogSuccess Yes LogWhy Yes Canonicalization relaxed/simple ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts KeyTable refile:/etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable Mode sv PidFile /var/run/opendkim/opendkim.pid SignatureAlgorithm rsa-sha256 UserID opendkim:opendkim Socket inet:12301@localhost AutoRestart: auto restart the filter on failures Connect the milter to Postfix: sudo nano /etc/default/opendkim Add the following line, edit the port number only if a custom one is used: SOCKET="inet:12301@localhost" Configure postfix to use this milter: sudo nano /etc/postfix/main.cf Make sure that these two lines are present in the Postfix config file and are not commented out: milter_protocol = 6 milter_default_action = accept It is likely that a filter (SpamAssasin, Clamav etc.) is already used by Postfix; if the following parameters are present, just append the opendkim milter to them (milters are separated by a comma), the port number should be the same as in opendkim.conf: smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301 non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301 If the parameters are missing, define them as follows: smtpd_milters = inet:localhost:12301 non_smtpd_milters = inet:localhost:12301 Create a directory structure that will hold the trusted hosts, key tables, signing tables and crypto keys: sudo mkdir /etc/opendkim sudo mkdir /etc/opendkim/keys Specify trusted hosts: sudo nano /etc/opendkim/TrustedHosts Because our main configuration file declares TrustedHosts as a regular expression file (refile), we can use wildcard patters, *.example.com means that messages coming from example.com’s subdomains will be trusted too, not just the ones sent from the root domain. Since, we’re making it as an SMTP gateway server, we need to add our SOURCE mail server’s hostname + IP address to insert on this TrustedHosts section. Customize and add the following lines to the newly created file. Multiple domains can be specified, do not edit the first three lines: 127.0.0.1 localhost 192.168.0.1/24 *.example.com #*.example.net #*.example.org Create a key table: sudo nano /etc/opendkim/KeyTable A key table contains each selector/domain pair and the path to their private key. Any alphanumeric string can be used as a selector, in this example mail is used and it’s not necessary to change it. mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private #mail._domainkey.example.net example.net:mail:/etc/opendkim/keys/example.net/mail.private #mail._domainkey.example.org example.org:mail:/etc/opendkim/keys/example.org/mail.private Create a signing table: sudo nano /etc/opendkim/SigningTable This file is used for declaring the domains/email addresses and their selectors. ** Please add your domain in this table!! *@example.com mail._domainkey.example.com #*@example.net mail._domainkey.example.net #*@example.org mail._domainkey.example.org Generate the public and private keys Change to the keys directory: cd /etc/opendkim/keys Create a separate folder for the domain to hold the keys: sudo mkdir example.com cd example.com Generate the keys: sudo opendkim-genkey -s mail -d example.com -s specifies the selector and -d the domain, this command will create two files, mail.private is our private key and mail.txt contains the public key. Change the owner of the private key to opendkim: sudo chown opendkim:opendkim mail.private Add the public key to the domain’s DNS records Open mail.txt: sudo nano -$ mail.txt The public key is defined under the p parameter. Do not use the example key below, it’s only an illustration and will not work on your server. mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCIIV10Hwo4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB" ; ----- DKIM key mail for example.com Copy that key and add a TXT record to your domain’s DNS entries: Name: mail._domainkey.example.com. Text: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCIIV10Hwo4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB" Restart Postfix and OpenDKIM: sudo service postfix restart sudo service opendkim restart Congratulations! You have successfully configured DKIM for your mail server! The configuration can be tested by sending an empty email to check-auth@verifier.port25.com and a reply will be received. If everything works correctly you should see DKIM check: pass under Summary of Results. ========================================================== Summary of Results ========================================================== SPF check: pass DomainKeys check: neutral DKIM check: pass Sender-ID check: pass SpamAssassin check: ham Alternatively, you can send a message to a Gmail address that you control, view the received email’s headers in your Gmail inbox, dkim=pass should be present in the Authentication-Results header field. uthentication-Results: mx.google.com; spf=pass (google.com: domain of contact@example.com designates --- as permitted sender) smtp.mail=contact@example.com; dkim=pass header.i=@example.com; Allowing postfix to allow some ip to relay email (Since we’re creating an SMTP gateway server) To allow postfix accept email relaying from a specific ip adress, we can edit /etc/postfix/main.cf: mynetworks = 127.0.0.0/8 to mynetworks = 127.0.0.0/8, a.b.c.d/e where a.b.c.d/e is the new group of ip address, or you can simply add one ip address in it. Restart postfix and now postfix will consider a.b.c.d/e as trusted ip and allow email from this ip address relaying email using this postfix mail server. Add SPF records to DNS The value in an SPF DNS record will look something like the following examples. The full syntax is at the SPF record syntax page. Example 1 Allow mail from all hosts listed in the MX records for the domain: Example-1 v=spf1 mx -all Example 2 Allow mail from a specific host: v=spf1 a:mail.example.com -all Testing your setup The best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file. tail -f /var/log/maillog When OpenDKIM starts (or restarts), you should see lines like: opendkim[4397]: OpenDKIM Filter: mi_stop=1 opendkim[4397]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0 opendkim[27444]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf) When you send a mail that gets successfully signed, you should see: opendkim[22254]: 53D0314803B: DKIM-Signature header added The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free testing services: – Send a signed email to: autorespond+dkim@dk.elandsys.com – Send a signed email to: check-auth@verifier.port25.com Each of these services will return an email telling you if things are working properly, and give you some pointers on troubleshooting if needed. Sources: https://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8 http://www.waterworld.com.hk/en/blog/how-let-postfix-allow-some-ip-relay-email https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy A Step-by-Step Guide to Installing OpenDKIM with Postfix on Ubuntu – Unleash the Power of DKIM! Administrations Configurations (Linux) DebainOpenDKIMPostfix