ArchWiki - User contributions [en] (MediaWiki 1.41.0, feed updated 2024-03-29T11:05:28Z)<br />
OpenDKIM, revision of 2014-01-23T12:02:23Z: https://wiki.archlinux.org/index.php?title=OpenDKIM&diff=294128
<p>Frots: /* Installation */</p>
<hr />
<div>[[Category:Mail Server]]<br />
DomainKeys Identified Mail (DKIM) is a digital email signing and verification technology that is already supported by some common mail providers (for example Yahoo, Google, etc.).<br />
<br />
== The idea ==<br />
<br />
Basically, DKIM means digitally signing all messages on the server so that the receiver can verify that a message was actually sent from the domain in question, is not spam or phishing, and has not been modified.<br />
<br />
*The sender's mail server signs outgoing email with the private key.<br />
<br />
*When the message arrives, the receiver (or their server) requests the public key from the domain's DNS and verifies the signature.<br />
<br />
This ensures the message was sent from a server whose private key matches the domain's public key.<br />
<br />
For more information, see [http://tools.ietf.org/html/rfc6376 RFC 6376].<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] the package {{Pkg|opendkim}} from the [[Official repositories]].<br />
<br />
You may add a dedicated user for opendkim or use an existing one (for example: postfix).<br />
<br />
== Basic configuration ==<br />
* Generate the key (server1 is the selector that is specified in the configuration file below):<br />
 opendkim-genkey -r -s server1 -d example.com<br />
* Create {{ic|/etc/opendkim/opendkim.conf}} (see the example in the same directory).<br />
Minimal configuration:<br />
{{hc|/etc/opendkim/opendkim.conf|<br />
Domain example.com<br />
KeyFile /path/to/keys/server1.private<br />
Selector server1<br />
Socket inet:8891@localhost<br />
UserID opendkim<br />
}}<br />
<br />
* Add a '''DNS TXT''' record with your selector and public key. The correct record is generated together with the private key and can be found in {{ic|server1.txt}}, in the same location as the private key.<br />
<br />
* Enable and start the {{ic|opendkim.service}}. Read [[Daemons]] for more information.<br />
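Once the TXT record is published, it is worth confirming that DNS serves the same public key as {{ic|server1.txt}}, since a mismatch makes every signature fail verification at the receiver. The shell functions below are an added example, not part of the original wiki page; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page. Key material below is constructed
# and is not a usable key.

# Join the quoted chunks of a TXT record into the one string DNS serves.
# Accepts the zone-file layout of server1.txt and `dig +short TXT` output.
txt_value() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# Print the p= (public key) tag of a flattened DKIM record.
# Blanks and backslashes (some dig versions print "\;") are dropped first.
dkim_pubkey() {
    tr -d ' \t\\' | tr ';' '\n' | sed -n 's/^p=//p'
}

# dkim_record_matches FILE PUBLISHED
# Returns 0 if both carry the same key, 1 if they differ,
# 2 if either side has no p= value (record missing or key revoked).
dkim_record_matches() {
    want=$(txt_value < "$1" | dkim_pubkey)
    have=$(printf '%s\n' "$2" | txt_value | dkim_pubkey)
    [ -n "$want" ] && [ -n "$have" ] || return 2
    [ "$want" = "$have" ]
}

# Constructed sample in the layout opendkim-genkey writes to server1.txt.
SAMPLE_RECORD='server1._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
      "p=MIGfCONSTRUCTED" "SAMPLEKEYwIDAQAB" )  ; ----- DKIM key server1 for example.com'

# Constructed resolver answers: the matching record and a stale one.
SAMPLE_DNS_OK='"v=DKIM1; k=rsa; s=email; p=MIGfCONSTRUCTEDSAMPLEKEYwIDAQAB"'
SAMPLE_DNS_STALE='"v=DKIM1; k=rsa; p=MIGfOLDERKEYwIDAQAB"'

# Real use, once the TXT record is published:
#   dkim_record_matches server1.txt \
#       "$(dig +short TXT server1._domainkey.example.com)"
```

A return value of 1 usually means DNS still serves a key from an earlier {{ic|opendkim-genkey}} run; 2 means no key was found on one side.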
<br />
== Postfix integration ==<br />
<br />
Just add<br />
 non_smtpd_milters=inet:127.0.0.1:8891<br />
and/or<br />
 smtpd_milters=inet:127.0.0.1:8891<br />
to {{ic|main.cf}}, or pass them as smtpd options in {{ic|master.cf}}.<br />
<br />
{{ic|master.cf}} example (continuation lines must begin with whitespace):<br />
<br />
 smtp inet n - n - - smtpd<br />
   -o smtpd_client_connection_count_limit=10<br />
   -o smtpd_milters=inet:127.0.0.1:8891<br />
<br />
 submission inet n - n - - smtpd<br />
   -o smtpd_enforce_tls=no<br />
   -o smtpd_sasl_auth_enable=yes<br />
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject<br />
   -o smtpd_sasl_path=smtpd<br />
   -o cyrus_sasl_config_path=/etc/sasl2<br />
   -o smtpd_milters=inet:127.0.0.1:8891<br />
<br />
== Notes ==<br />
While you are working to fight spam and increase people's trust in your server, you might also want to take a look at the [http://en.wikipedia.org/wiki/Sender_Policy_Framework Sender Policy Framework], which basically means adding a DNS record stating which servers are authorized to send email for your domain.</div>Frots