Difference between revisions of "OpenDKIM"

From ArchWiki
Jump to: navigation, search
(Move to mail server.)
(opendkim is now on the repos, instead of aur. Corrected a little bit the style)
Line 16: Line 16:
 
== Installation ==
 
== Installation ==
  
Install [https://aur.archlinux.org/packages.php?ID=47389 opendkim]
+
[[pacman|Install]] the package {{Pkg|opendkim}} from the [[Official repositories]].
  
You may add user for opendkim or use existing one (for example: postfix)
+
You may add an user for opendkim or use existing one (for example: postfix)
  
 
== Basic configuration ==
 
== Basic configuration ==
 
* Generate key:
 
* Generate key:
 
  opendkim-genkey -r -s server1 -d example.com
 
  opendkim-genkey -r -s server1 -d example.com
* Create /etc/opendkim/opendkim.conf (see example in the same directory)
+
* Create {{ic|/etc/opendkim/opendkim.conf}} (see example in the same directory)
 
Minimal config:
 
Minimal config:
  Domain                  example.com
+
{{hc|/etc/opendkim/opendkim.conf|
  KeyFile                /path/to/keys/server1.private
+
Domain                  example.com
  Selector                server1
+
KeyFile                /path/to/keys/server1.private
  Socket                  inet:8891@localhost
+
Selector                server1
  UserID                  opendkim
+
Socket                  inet:8891@localhost
 +
UserID                  opendkim
 +
}}
  
* Add a DNS TXT record with your selector and public key. The correct record is generated with the private key and can be found in "server1.txt" in the same location as the private key.
+
* Add a '''DNS TXT''' record with your selector and public key. The correct record is generated with the private key and can be found in {{ic|server1.txt}} in the same location as the private key.
  
* Run it with /etc/rc.d/opendkim start or add it to DAEMONS in /etc/rc.conf
+
* Enable and start the {{ic|opendkim.service}}. Read [[Daemons]] for more information.
  
 
== Postfix integration ==
 
== Postfix integration ==

Revision as of 08:48, 29 December 2012

DomainKeys Identified Mail is a digital email signing/verification technology, which is already supported by some common mail providers. (For example yahoo, google, etc).

The idea

Basically DKIM means digitally singing all messages on the server to verify the message actually was sent from the domain in question and is not spam or pishing (and has not been modified).

  • The sender's mail server signs outgoing email with the private key.
  • When the message arrives, the receiver (or his server) requests the public key from the domain's DNS and verifies the signature.

This ensures the message was sent from a server who's private key matches the domain's public key.

For more info see RFC 6376

Installation

Install the package opendkim from the Official repositories.

You may add an user for opendkim or use existing one (for example: postfix)

Basic configuration

  • Generate key:
opendkim-genkey -r -s server1 -d example.com
  • Create /etc/opendkim/opendkim.conf (see example in the same directory)

Minimal config:

/etc/opendkim/opendkim.conf
Domain                  example.com
KeyFile                 /path/to/keys/server1.private
Selector                server1
Socket                  inet:8891@localhost
UserID                  opendkim
  • Add a DNS TXT record with your selector and public key. The correct record is generated with the private key and can be found in server1.txt in the same location as the private key.
  • Enable and start the opendkim.service. Read Daemons for more information.

Postfix integration

Just add

 non_smtpd_milters=inet:127.0.0.1:8891

and/or

 smtpd_milters=inet:127.0.0.1:8891

into main.cf or smtpd options in master.cf

master.cf example:

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_client_connection_count_limit=10
  -o smtpd_milters=inet:127.0.0.1:8891

submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_path=smtpd
  -o cyrus_sasl_config_path=/etc/sasl2
  -o smtpd_milters=inet:127.0.0.1:8891

Notes

While you're about to fight spam and increase people's trust in your server, you might want to take a look at Sender Policy Framework, which basically means adding a DNS Record stating which servers are authorized to send email for your domain.