Implement DKIM with Postfix on CentOS
**What is DomainKeys (DKIM)?**
"DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam"[^1]
**How Does DKIM Work?**
"When we configured DKIM on sending servers. First we generated a public/private key pair for signing outgoing messages. Public key is configured as TXT record on domains name server, and the private key is configured in outbound email server. When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature of the message, which is inserted in the message as a header, and the email is sent as normal" [^2]
I will be showing you how to integrate DKIM on Postfix.
**Setup:**
```language-bash
$ yum install opendkim -y
```
**Configure OpenDKIM:**
In your configuration file, `/etc/opendkim.conf`, verify that the following values are enabled:
```language-bash
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
SendReports yes
SoftwareHeader yes
Canonicalization relaxed/relaxed
Selector default
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/default.private
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
InternalHosts refile:/etc/opendkim/TrustedHosts
```
**Configure Postfix:**
Edit your Postfix configuration (`/etc/postfix/main.cf`) and append the following values:
```language-bash
# DKIM
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept
```
**Setup and Prepare your First Domain:**
```language-bash
$ opendkim-default-keygen
Generating default DKIM keys:
Default DKIM keys for sysadmins.co.za created in /etc/opendkim/keys.
$ mkdir -p /etc/opendkim/keys/sysadmins.co.za
$ cd /etc/opendkim/keys/sysadmins.co.za
$ opendkim-genkey -r -d sysadmins.co.za -s default
# Set ownership after generating the key so the opendkim user can read default.private
$ chown -R opendkim:opendkim /etc/opendkim/keys/sysadmins.co.za
$ echo "default._domainkey.sysadmins.co.za sysadmins.co.za:default:/etc/opendkim/keys/sysadmins.co.za/default.private" >> /etc/opendkim/KeyTable
$ echo "*@sysadmins.co.za default._domainkey.sysadmins.co.za" >> /etc/opendkim/SigningTable
```
**Update your DNS:**
Add a TXT record to your domain's DNS zone. The record content can be retrieved from `default.txt`:
```language-bash
$ cat default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=MIGfMA0GCSqGS..." ) ; ----- DKIM key default for sysadmins.co.za
```
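A check to run on the contents of `default.txt` before publishing it, as an added example (not part of the original post or of OpenDKIM): it joins the quoted chunks of the zone-file record, parses the tags, and measures the RSA key size with a minimal DER reader. It assumes `k=rsa`; the function names and the sample record are constructed for illustration, and `min_bits` defaults to the `MinimumKeyBits` value from the configuration above.

```python
import base64
import re

def parse_dkim_txt(zone_text):
    """Join the quoted chunks of a zone-file TXT record into a tag dict."""
    record = "".join(re.findall(r'"([^"]*)"', zone_text))
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding spaces
    return tags

def _tlv(buf, pos):
    """Read one DER header; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a SubjectPublicKeyInfo blob."""
    _, spki, _ = _tlv(der, 0)            # outer SEQUENCE
    _, _, alg_end = _tlv(der, spki)      # AlgorithmIdentifier, skipped
    _, key, _ = _tlv(der, alg_end)       # BIT STRING holding the key
    _, rsa, _ = _tlv(der, key + 1)       # RSAPublicKey, after unused-bits byte
    _, n_start, n_end = _tlv(der, rsa)   # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_record(zone_text, min_bits=1024):  # default mirrors MinimumKeyBits
    """Return a list of problems; empty means the record looks sane."""
    tags, problems = parse_dkim_txt(zone_text), []
    if tags.get("v") != "DKIM1":
        problems.append("v= is not DKIM1")
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags.get("p", ""), validate=True))
        if bits < min_bits:
            problems.append(f"RSA key is {bits} bits, below {min_bits}")
    except (ValueError, IndexError):
        problems.append("p= is empty, truncated or not base64 DER")
    return problems

# Constructed 1024-bit key record (made-up modulus, not a usable key).
_der = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
        + b"\xc3" + bytes(126) + b"\x01" + bytes.fromhex("0203010001"))
SAMPLE = 'default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=%s" ) ; ----- DKIM key' % base64.b64encode(_der).decode()
```

Calling `check_record(SAMPLE, min_bits=2048)` reports the 1024-bit key as too short, and a record whose `p=` value has been cut off is reported as truncated.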
**Restart OpenDKIM and Postfix:**
```language-bash
$ service opendkim restart
$ service postfix restart
```
**Verify that your setup is working:**
```language-bash
$ echo "DKIM Test" | mail -r info@sysadmins.co.za -s "DKIM Testing" ruan@sysadmins.co.za && tail -f /var/log/maillog
```
You should see something more or less like:
`DKIM-Signature field added (s=default, d=sysadmins.co.za)`
Now everything should be up and running.
###### Coming Soon:
* Implementation of SPF
* PolicyD
* Greylisting
* TLS
References:
[^1]: wikipedia.org
[^2]: tecadmin.net