OpenDKIM in Debian

Lately I’ve been playing with Postfix and ways to validate my mail, which is how I arrived at DKIM records. DKIM works with a key pair, much like SSH keys (a public and a private key), but for mail. Installation on Debian GNU/Linux is simple via apt-get as usual: we need to install opendkim and opendkim-tools.

dpkg -l | grep dkim
ii  libmail-dkim-perl              0.40-1                           all          cryptographically identify the sender of email - perl library
ii  libopendkim9                   2.9.2-2+deb8u1                   amd64        Library for signing and verifying DomainKeys Identified Mail signatures
ii  opendkim                       2.9.2-2+deb8u1                   amd64        Milter implementation of DomainKeys Identified Mail
ii  opendkim-tools                 2.9.2-2+deb8u1                   amd64        Set of command line tools for OpenDKIM

We need to open a port for opendkim (8891 in my case). To do this, we edit /etc/default/opendkim as below.

grep -v "^#" /etc/default/opendkim 
SOCKET="inet:8891@localhost" # listen on loopback on port 8891

We need to edit /etc/opendkim.conf so that it looks similar to the following.

Syslog                  yes
UMask                   002
Domain                  mydomain.com
Mode                    sv
OversignHeaders         From
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
KeyFile                 /etc/opendkim/keys/mail.private
Selector                mail
Canonicalization        relaxed/simple
AutoRestart             Yes
AutoRestartRate         10/1h

We then run this small script, which creates the directory where the keys are stored and generates the key pair.

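#!/bin/bash
set -e  # stop at the first failing command

mkdir -p /etc/opendkim/keys
cd /etc/opendkim/keys
# -s is the selector, -b the key size in bits
opendkim-genkey -s mail -b 2048 --domain mydomain.com --verbose
# the opendkim user (UserID in opendkim.conf) must be able to read the private key
chown opendkim:opendkim mail.private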

It’s important to set the key size to 2048 bits; otherwise opendkim-genkey creates a 1024-bit key by default. Once done, we will have a private key (mail.private) and a public key (mail.txt) in /etc/opendkim/keys.

ls -ltr /etc/opendkim/keys/; cat /etc/opendkim/keys/mail.txt 
total 8
-rw------- 1 opendkim opendkim 1679 Nov 25 00:14 mail.private
-rw------- 1 root     root      491 Nov 25 00:14 mail.txt
mail._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK/xee7pzmhZCXdyuDbf9QH/7cNm7d7ZIYDRC92YCI9XNb/8ANxg0UcxNsGBxA00ksjShl/EPfCfdYpKODJbgubt+/bP/ZBguogHXT"
	  "BPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting" )  ; ----- DKIM key mail for mydomain.com

We are almost done. We need to copy the public key part that’s between the quotes to our DNS servers and create the TXT record.

"v=DKIM1; k=rsa; p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK/xee7pzmhZCXdyuDbf9QH/7cNm7d7ZIYDRC92YCI9XNb/8ANxg0UcxNsGBxA00ksjShl/EPfCfdYpKODJbgubt+/bP/ZBguogHXTBPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting"

Once the record is uploaded and served by the DNS servers, we can query it. The answer should be the public key we just uploaded.

host -t TXT mail._domainkey.mydomain.com
mail._domainkey.mydomain.com descriptive text "v=DKIM1; k=rsa; p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK/xee7pzmhZCXdyuDbf9QH/7cNm7d7ZIYDRC92YCI9XNb/8ANxg0UcxNsGBxA00ksjShl/EPfCfdYpKODJbgubt+" "/bP/ZBguogHXTBPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting"
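
A check for this step, as an added example that is not part of the original post: the script joins the quoted chunks of the TXT record (both the mail.txt form and the split answer from host) and compares the p= value with the expected key. The function names and the short sample key are made up for the illustration.

```bash
#!/bin/sh
# Added example: compare the DKIM key that DNS serves with the one we generated.

# Join the quoted chunks of a TXT record and print the value of its p= tag.
# Accepts both the zone-file form in mail.txt and the `host -t TXT` answer.
dkim_p_value() {
    printf '%s\n' "$1" \
        | grep -o '"[^"]*"' \
        | tr -d '"\n' \
        | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*p=//p' \
        | tr -d '[:space:]'
}

# Derive the expected p= value from the private key (needs openssl).
private_to_p() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | base64 | tr -d '\n'
}

# Print match, mismatch, or missing-or-revoked (an empty p= revokes the key).
check_published() {   # $1 = expected p= value, $2 = TXT text as returned by DNS
    published=$(dkim_p_value "$2")
    if [ -z "$published" ]; then
        echo "missing-or-revoked"
    elif [ "$published" = "$1" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# Constructed sample data (short fake key, not a real one).
SAMPLE_ZONE='mail._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=QUJDREVG"
	  "R0hJSktM" )  ; ----- DKIM key mail for mydomain.com'
SAMPLE_HOST='mail._domainkey.mydomain.com descriptive text "v=DKIM1; k=rsa; p=QUJDREVGR0" "hJSktM"'
SAMPLE_BAD='mail._domainkey.mydomain.com descriptive text "v=DKIM1; k=rsa; p=QUJDREVG"'

expected=$(dkim_p_value "$SAMPLE_ZONE")
echo "zone file vs DNS answer: $(check_published "$expected" "$SAMPLE_HOST")"
echo "truncated record:        $(check_published "$expected" "$SAMPLE_BAD")"

# Real use on the mail server:
#   check_published "$(private_to_p /etc/opendkim/keys/mail.private)" \
#                   "$(host -t TXT mail._domainkey.mydomain.com)"
```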

DKIM is almost done, but we need to let Postfix know that we will use opendkim. We need to add the entries below to the Postfix main.cf file.

 egrep -B 1 -C 1 "(dkim|milter)" /etc/postfix/main.cf

# Added for Opendkim
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
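
The port has to agree between /etc/default/opendkim and main.cf, and with milter_default_action = accept a mismatch goes unnoticed because Postfix then delivers the mail unsigned. An added check for this, not part of the original post; the function names are made up for the illustration.

```bash
#!/bin/sh
# Added example: check that Postfix points at the port OpenDKIM listens on.

# Port from the SOCKET="inet:PORT@HOST" line of /etc/default/opendkim.
opendkim_port() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SOCKET="\{0,1\}inet:\([0-9][0-9]*\).*/\1/p' \
        | tail -n 1
}

# Port of the inet:HOST:PORT milter set for one main.cf parameter.
# Assumes a single IPv4 or hostname milter per parameter, as on this page.
postfix_milter_port() {   # $1 = main.cf text, $2 = parameter name
    printf '%s\n' "$1" \
        | sed -n "s/^${2}[[:space:]]*=.*inet:[^:,[:space:]]*:\([0-9][0-9]*\).*/\1/p" \
        | tail -n 1
}

milter_wiring() {   # $1 = /etc/default/opendkim text, $2 = main.cf text
    want=$(opendkim_port "$1")
    [ -n "$want" ] || { echo "no-inet-socket"; return 0; }
    for param in smtpd_milters non_smtpd_milters; do
        got=$(postfix_milter_port "$2" "$param")
        [ "$got" = "$want" ] || { echo "mismatch:$param"; return 0; }
    done
    # accept = Postfix passes mail on unsigned whenever the milter is unreachable.
    if printf '%s\n' "$2" | grep -Eq '^milter_default_action[[:space:]]*=[[:space:]]*accept'; then
        echo "ok-fail-open"
    else
        echo "ok"
    fi
}

# Sample input: the two settings blocks shown on this page.
SAMPLE_DEFAULT='SOCKET="inet:8891@localhost" # listen on loopback on port 8891'
SAMPLE_MAINCF='milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891'

echo "page settings: $(milter_wiring "$SAMPLE_DEFAULT" "$SAMPLE_MAINCF")"

# Real use:
#   milter_wiring "$(cat /etc/default/opendkim)" "$(postconf -n)"
```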

Once done, we can restart postfix and opendkim for the changes to take effect. If there are no errors, we will see something like the following in the mail.log file.

Oct 25 00:18:35 sd-129111 postfix/master[27345]: daemon started -- version 2.11.1, configuration /etc/postfix
Oct 25 00:18:38 sd-129111 opendkim[26170]: OpenDKIM Filter: mi_stop=1
Oct 25 00:18:38 sd-129111 opendkim[26170]: OpenDKIM Filter v2.9.1 terminating with status 0, errno = 0
Oct 25 00:18:38 sd-129111 opendkim[27361]: OpenDKIM Filter v2.9.1 starting (args: -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost)

As a final confirmation, we send an email to check-auth@verifier.port25.com. If all went well, the reply we receive will look like the one below.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham
