Difference between revisions of "OpenDKIM"

From ArchWiki
Revision as of 12:16, 15 October 2011

What is it?

It is a digital email signing/verification technology that has been included in RFCs and is already supported by many mail servers (for example Yahoo, Google, etc.).

How does it work?

The sender signs the email with a private key.

The receiver gets the signed email, requests the public key from DNS and verifies the signature.

So you can check who actually sent the email.

For more info see:

  • RFC 5672 (http://tools.ietf.org/html/rfc5672)
  • RFC 6376 (http://tools.ietf.org/html/rfc6376)

Install opendkim

You may add a user for opendkim or use an existing one (for example: postfix).

Generic configuration

  • Generate a key pair:
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
  • Create /etc/opendkim/opendkim.conf (see the example in the same directory)

Minimal config:

 Domain                  YOUR-DOMAIN1.com, YOUR-DOMAIN2.com
 KeyFile                 /path/to/private.key
 Selector                server1
 Socket                  inet:8891@localhost
 UserID                  postfix
  • Add a DNS TXT record for your selector (see Selector in the config; you may choose any name) containing the key:
server1._domainkey IN TXT "k=rsa; p=MHwwDQYJK ... OprwIDAQAB; t=y"

MHwwDQYJK ... OprwIDAQAB is your public key: the base64 body of public.key, without the BEGIN/END lines and line breaks.

  • Run it with /etc/rc.d/opendkim start or add it to DAEMONS in /etc/rc.conf
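
A way to audit the DNS record from the steps above before relying on it, as an added example that is not part of the wiki page or of OpenDKIM: it parses a key record in the `k=rsa; p=...; t=y` form, reads the RSA modulus size out of the p= value and reports a testing flag. The function names, the 2048-bit threshold (the size RFC 8301 recommends) and the sample record, built from a made-up non-functional modulus, are assumptions.

```python
import base64

def parse_tags(txt):
    """Split 'k=rsa; p=...; t=y' into a dict, dropping folding whitespace."""
    pairs = (part.partition("=") for part in txt.split(";"))
    return {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}

def read_tlv(buf, pos=0):
    """Read one DER element; return (value_bytes, offset_after_element)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_value):
    """Bit length of the RSA modulus in a base64 SubjectPublicKeyInfo."""
    spki, _ = read_tlv(base64.b64decode(p_value))  # outer SEQUENCE
    _, pos = read_tlv(spki)                        # AlgorithmIdentifier, skipped
    bitstr, _ = read_tlv(spki, pos)                # BIT STRING wrapping the key
    rsakey, _ = read_tlv(bitstr[1:])               # skip the unused-bits octet
    modulus, _ = read_tlv(rsakey)                  # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()

def audit_record(txt, min_bits=2048):
    """Return findings for one DKIM key record (min_bits is an assumption)."""
    tags = parse_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        return ["key type is not rsa; not checked here"]
    if not tags.get("p"):
        return ["p= is empty: key revoked or not published"]
    findings = []
    bits = rsa_modulus_bits(tags["p"])
    if bits < min_bits:
        findings.append(f"RSA key is {bits} bits, below {min_bits}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: record is flagged as testing")
    return findings

def sample_record(bits, flags=""):
    """Constructed sample: p= wraps a made-up, non-functional modulus."""
    def der(tag, body):  # always uses a 2-byte long-form length, enough here
        return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
    key = der(0x30, der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    p = base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + key))).decode()
    return f"k=rsa; p={p}" + (f"; t={flags}" if flags else "")

print(audit_record(sample_record(1024, "y")))
```

A record built as in the steps above (1024-bit key, t=y) produces both findings; pass the text of your own TXT record to audit_record to check it.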

Postfix integration

Just add




to main.cf, or to the smtpd options in master.cf.

master.cf example:

smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_client_connection_count_limit=10
    -o smtpd_milters=inet:

submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_path=smtpd
  -o cyrus_sasl_config_path=/etc/sasl2
  -o smtpd_milters=inet: