OpenDKIM + Postfix for Ubuntu

"DKIM (DomainKeys Identified Mail) "* is an E-mail authentication method designed to detect spoofing of email messages. Dkim allows the recipient to verify that the email was actually sent from a claimed domain.

Install the OpenDKIM package. It performs the header encryption operations for DKIM.

apt-get install opendkim opendkim-tools

Next, create a certificate for the domain, use opendkim-genkey and form it, create a directory to house the keys:

mkdir /etc/opendkim

Generate the keys with the command ``:

opendkim-genkey -D /etc/opendkim/ --domain testing.ru --selector dkim

• testing.ru - the domain from which the mail will be sent, dkim - selector name, it can be anything.

In the folder /etc/opendkim/ should appear two files with the extensions .private (private key) and .txt (txt record).

Set the opendkim owner group for the created keys:

chown :opendkim /etc/opendkim/*

Set permissions for the owner group:

chmod g+rw /etc/opendkim/*

useradd opendkim -m -s /sbin/nologin

Allow reading to the group owner:

chmod g+r /etc/opendkim/*

Next, configure the ``DNS''.

See the contents of the txt file:

cat /etc/opendkim/dkim.txt

Using this content, in the [DNS] control panel (https://fornex.com/help/dns/) we create a TXT record in the following format:

dkim._domainkey IN TXT ("v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDM+aKFwMV4FHLhuhQs4vEIIIigO0KzRwQojUR8QV0m/aHt6AqO2JDhXpl54d3uXJj7QWE9653McQZxPQZa6Hu34RY70ap9OZQ664fWeVuyUAZ+VeQ7gGXQBCxPF6nAlnBIsYak+KV/s1HtaUuySVMiwIDAQAB"

• dkim is the name of our selector, p=MIGfMA0GCSqG...uySVMiwIDAQAB is an abbreviated public key entry.

OpenDKIM and Postfix configuration

Open the opendkim configuration file.

nano /etc/opendkim.conf

And make it look like this:

AutoRestart Yes
AutoRestartRate 10/1h
Umask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:10021@localhost

• all parameters can be left as in the example, Socket - you can specify another port instead of 10021.

Create a file of trusted hosts. It will contain the names of the hosts, domains and IP addresses that will be accepted as trusted and signed.

nano /etc/opendkim/TrustedHosts

And enter the following:

127.0.0.1
localhost
*.testing.ru

• where testing.ru is the mail domain.

Create a table KeyTable. It contains a list of matches between selectors, domains and private key files. The format of the entries: <селектор>._domainkey.<домен> <домен>:<селектор>:<путь к закрытому ключу>

nano /etc/opendkim/KeyTable

And according to the format, we convert it to the right format:

dkim._domainkey.testing.ru testing.ru:dkim:/etc/opendkim/dkim.private

Next we create a SigningTable. In this table we keep the correspondence between the defined email addresses and the entries in the KeyTable.

nano /etc/opendkim/SigningTable

And make it look like this:

*@testing.ru dkim._domainkey.testing.ru

Start the opendkim service.

service opendkim start

Open the Postfix configuration file .

nano /etc/postfix/main.cf

Add or edit:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:10021
non_smtpd_milters = inet:localhost:10021

• If smtpd_milters and non_smtpd_milters are present in the configuration file, the values in this example should be added to the existing ones.
• 10021 is the opendkim operation port which was set in opendkim.conf.

Restarting Postfix:

service postfix restart

Send e-mail to different mail systems - mail.ru, gmail.com, yandex.ru. Open our e-mail and look at the headers (in mail.ru: More - Service headers). Find the following line, which means that the domain check based on DKIM is configured:

dkim=pass header.d=testing.ru
```</путь></селектор></домен></домен></селектор>