{"id":1643,"date":"2018-11-27T17:37:34","date_gmt":"2018-11-27T22:37:34","guid":{"rendered":"http:\/\/www.xavignu.com\/?p=1643"},"modified":"2018-11-27T17:41:17","modified_gmt":"2018-11-27T22:41:17","slug":"opendkim-in-debian","status":"publish","type":"post","link":"https:\/\/www.xavignu.com\/?p=1643","title":{"rendered":"OpenDKIM in Debian"},"content":{"rendered":"

Lately I’ve been playing with postfix<\/a> and ways to validate my mail. That’s how I reached DKIM<\/a> records. Something like ssh keys (a public and private key) but for mail. Installation in Debian GNU\/Linux is pretty simple via apt-get as usual, we need to install opendkim<\/a> and opendkim-tools.<\/p>\n

dpkg -l | grep dkim\r\nii  libmail-dkim-perl              0.40-1                           all          cryptographically identify the sender of email - perl library\r\nii  libopendkim9                   2.9.2-2+deb8u1                   amd64        Library for signing and verifying DomainKeys Identified Mail signatures\r\nii  opendkim                       2.9.2-2+deb8u1                   amd64        Milter implementation of DomainKeys Identified Mail\r\nii  opendkim-tools                 2.9.2-2+deb8u1                   amd64        Set of command line tools for OpenDKIM\r\n<\/pre>\n
We need to open a port for opendkim (8891 in my case), we need to edit \/etc\/default\/opendkim in order to do this as below.<\/p>\n
grep -v \"^#\" \/etc\/default\/opendkim \r\nSOCKET=\"inet:8891@localhost\" # listen on loopback on port 8891\r\n<\/pre>\n
<\/p>\n
We need to edit \/etc\/opendkim.conf to something similar to below.
\n[text]
\nSyslog\t\t\tyes
\nUMask\t\t\t002
\nDomain\t\t\tmydomain.com
\nMode\t\t\tsv
\nOversignHeaders\t\tFrom
\nPidFile                 \/var\/run\/opendkim\/opendkim.pid
\nSignatureAlgorithm      rsa-sha256
\nUserID                  opendkim:opendkim
\nKeyFile\t\t\t\/etc\/opendkim\/keys\/mail.private
\nSelector\t\tmail
\nAutoRestart             Yes
\nCanonicalization        relaxed\/simple
\nAutoRestart             Yes
\nAutoRestartRate         10\/1h
\n[\/text]
\nWe then execute this small script that will create a dir where we will store the keys.
\n[bash]
\n#!\/bin\/bash<\/p>\n
mkdir -p \/etc\/opendkim\/keys
\ncd \/etc\/opendkim\/keys
\nopendkim-genkey    -s mail  -b 2048  –domain mydomain.com –verbose
\n[\/bash]<\/p>\n
It’s important to set the bit rate to 2048, else it will create a key of 1024 bits by default. Once done we will have a private and a public in \/etc\/opendkim\/keys.<\/p>\n
ls -ltr \/etc\/opendkim\/keys\/; cat \/etc\/opendkim\/keys\/mail.txt \r\ntotal 8\r\n-rw------- 1 opendkim opendkim 1679 Nov 25 00:14 mail.private\r\n-rw------- 1 root     root      491 Nov 25 00:14 mail.txt\r\nmail._domainkey\tIN\tTXT\t( \"v=DKIM1; k=rsa; \"\r\n\t  \"p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK\/xee7pzmhZCXdyuDbf9QH\/7cNm7d7ZIYDRC92YCI9XNb\/8ANxg0UcxNsGBxA00ksjShl\/EPfCfdYpKODJbgubt+\/bP\/ZBguogHXT\"\r\n\t  \"BPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting\" )  ; ----- DKIM key mail for mydomain.com\r\n<\/pre>\n
We are almost done, we need to the public key part that’s between quotes to our DNS servers and create the record.
\n[text]
\n“v=DKIM1; k=rsa; p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK\/xee7pzmhZCXdyuDbf9QH\/7cNm7d7ZIYDRC92YCI9XNb\/8ANxg0UcxNsGBxA00ksjShl\/EPfCfdYpKODJbgubt+\/bP\/ZBguogHXTBPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting”
\n[\/text]
\nOnce uploaded and replied from the DNS servers, we can query the record. We should get an answer thats public key we just uploaded.<\/p>\n
host -t TXT mail._domainkey.mydomain.com\r\nmail._domainkey.mydomain.com descriptive text \"v=DKIM1; k=rsa; p=testingNBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XcAhtpsU3DtaWM0N2yiGs10Wh8wS7RpFWacv1lAk4EbxaGlHCdMpbpNQHqUWBu6Uikj+jadai2Bgyo1TvWGlUZs+JcCoQWcs6pDKkkvMK\/xee7pzmhZCXdyuDbf9QH\/7cNm7d7ZIYDRC92YCI9XNb\/8ANxg0UcxNsGBxA00ksjShl\/EPfCfdYpKODJbgubt+\" \"\/bP\/ZBguogHXTBPcEWTu6X2B41DKiRCt+LP5RJWzA0XsfukR3y8r712FuRkqSitZsasCqBRtEZmYnuID8yjP92B3JJ9jwOLnJ3MVTnIqMeRDdtJtwxbTsYgND+0S5Q59bonO2CAGoPoVOgqyeXHKtesting\"\r\n<\/pre>\n
DKIM is almost done, but we need to let Postfix that we will use opendkim. We need to add below entries to postfix main.conf file.<\/p>\n
 egrep -B 1 -C 1 \"(dkim|milter)\" \/etc\/postfix\/main.cf\r\n\r\n# Added for Opendkim\r\nmilter_protocol = 2\r\nmilter_default_action = accept\r\nsmtpd_milters = inet:127.0.0.1:8891\r\nnon_smtpd_milters = inet:127.0.0.1:8891\r\n\r\n<\/pre>\n
Once done we are good to restart postfix and opendkim for the changes to take effect. If there are no errors we will see something like below in mail.log file.<\/p>\n
\r\nOct 25 00:18:35 sd-129111 postfix\/master[27345]: daemon started -- version 2.11.1, configuration \/etc\/postfix\r\nOCt 25 00:18:38 sd-129111 opendkim[26170]: OpenDKIM Filter: mi_stop=1\r\nOct 25 00:18:38 sd-129111 opendkim[26170]: OpenDKIM Filter v2.9.1 terminating with status 0, errno = 0\r\nOct 25 00:18:38 sd-129111 opendkim[27361]: OpenDKIM Filter v2.9.1 starting (args: -x \/etc\/opendkim.conf -u opendkim -P \/var\/run\/opendkim\/opendkim.pid -p inet:8891@localhost)\r\n<\/pre>\n
Final confirmation will be sending an email to check-auth@verifier.port25.com<\/b> and we shall receive a reply email that if all went well will look like below.
\n[text]
\nThank you for using the verifier,<\/p>\n
The Port25 Solutions, Inc. team<\/p>\n
==========================================================
\nSummary of Results
\n==========================================================
\nSPF check:          pass
\n“iprev” check:      pass
\nDKIM check:         pass
\nSpamAssassin check: ham
\n[\/text]
\nReferences:<\/p>\n
  • Ubuntu<\/a><\/li>\n
  • Linode<\/a><\/li>\n
  • Linoxide<\/a><\/li>\n
  • DigitalOcean<\/a><\/li>\n","protected":false},"excerpt":{"rendered":"
    Lately I’ve been playing with postfix and ways to validate my mail. That’s how I reached DKIM records. Something like ssh keys (a public and private key) but for mail. Installation in Debian GNU\/Linux is pretty simple via apt-get as usual, we need to install opendkim and opendkim-tools. dpkg -l | grep dkim ii libmail-dkim-perl […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[92],"tags":[56,102,22,6,23,103],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_shortlink":"https:\/\/wp.me\/pTQgt-qv","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1643"}],"collection":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1643"}],"version-history":[{"count":15,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1643\/revisions"}],"predecessor-version":[{"id":1662,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1643\/revisions\/1662"}],"wp:attachment":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}