Setup DKIM on Postfix with dkim-milter

March 10, 2009 at 11:54 PM | categories: Postfix, Howto, DKIM, Centos, Email

Introduction

DKIM is an authentication framework that stores public keys in DNS and digitally signs email on a per-domain basis. It was created by merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specifications. It is defined in RFC 4871.

We will be using the milter implementation of DKIM, dkim-milter (http://dkim-milter.sf.net), on CentOS 5.3.

This howto has been updated to allow for the following:

  • Multiple domains using different keys
  • Same domain using different selectors
  • Selective signing of email

Older versions are provided below for reference.

Installation

I provide CentOS rpms for dkim-milter at http://www.topdog-software.com/oss/, so we will install the latest version.

Install the rpm (32-bit and 64-bit Intel are supported):

# wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
# rpm --import andrew_topdog-software.com_key.txt
# rpm -Uvh http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-2.$(uname -i).rpm

Generate the Keys

# dkim-genkey -d <domain_name> -s <selector> -t

Replace <domain_name> with the domain name you will be signing mail for, and <selector> with a selector name; it can be anything, but just one word. The command creates two files:

  • <selector>.txt - contains the public key you publish via DNS

  • <selector>.private - the private key you use for signing your email

Create a subdirectory in /etc/mail/dkim/keys to store your key; I prefer to use the domain name as the subdirectory name. Then move the private key there and make sure only the milter's user can read it:

# mkdir -p /etc/mail/dkim/keys/<domain_name>
# mv <selector>.private /etc/mail/dkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/mail/dkim/keys/<domain_name>/<selector>.pem
# chown dkim-milt.dkim-milt /etc/mail/dkim/keys/<domain_name>/<selector>.pem

DNS Setup

You need to publish your public key via DNS; receiving servers use this key to verify your signed email. The contents of <selector>.txt is the record you need to add to your zone file. A sample is below (it uses default as the selector and topdog-software.com as the domain_name):

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA
DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv
wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com

Also add this to your zone file. (This sets your signing policy (ADSP); see http://www.sendmail.org/dkim/wizard for an explanation, or refer to the RFC.)

_adsp._domainkey    IN  TXT "dkim=unknown"
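Before pointing the milter at the key it is worth checking what you actually published. The following is an added example (my code, not part of this howto or of dkim-milter) that parses a zone-file TXT line like the sample above, joins a p= value that a zone file splits into several quoted strings, and reports the RSA modulus size plus whether the key is still in t=y testing mode; it uses the page's sample record as constructed input and needs only the Python standard library.

```python
import base64
import re

SAMPLE_RDATA = (  # constructed from the sample default._domainkey record shown above
    'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA'
    'DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv'
    'wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z'
    'JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com'
)

def parse_tags(rdata):
    """Join quoted TXT strings (long keys span several), split tag=value; drop FWS."""
    record = "".join(re.findall(r'"([^"]*)"', rdata))
    tags = {}
    for item in record.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of content)."""
    n = buf[i] & 0x7F if buf[i] & 0x80 else 0          # number of long-form length octets
    return (int.from_bytes(buf[i + 1:i + 1 + n], "big") if n else buf[i]), i + 1 + n

def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus n."""
    _, i = der_len(spki, 1)                     # outer SEQUENCE (tag 0x30 at spki[0])
    alg_len, i = der_len(spki, i + 1)           # AlgorithmIdentifier SEQUENCE
    if not spki[i:i + alg_len].startswith(bytes.fromhex("06092a864886f70d010101")):
        raise ValueError("algorithm is not rsaEncryption")
    i += alg_len
    _, i = der_len(spki, i + 1)                 # BIT STRING wrapping RSAPublicKey
    _, i = der_len(spki, i + 2)                 # skip unused-bits octet and SEQUENCE tag
    n_len, i = der_len(spki, i + 1)             # INTEGER n (leading 0x00 when high bit set)
    return int.from_bytes(spki[i:i + n_len], "big").bit_length()

def check_dkim_record(rdata, min_bits=2048):
    """Return (modulus bits or None, findings) for one zone-file TXT line."""
    tags, findings = parse_tags(rdata), []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, verifiers treat failures as soft")
    if not tags.get("p"):
        findings.append("p= empty or missing: key revoked, nothing will verify")
        return None, findings
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < min_bits:
        findings.append("%d-bit key is below the %d-bit minimum" % (bits, min_bits))
    return bits, findings
```

The sample record above carries a 1024-bit key, so the check flags it against the 2048-bit minimum that RFC 8301 now recommends; lower min_bits if you only want the structural checks.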

Configuration

Edit the file /etc/mail/dkim/keylist and add your domain using the following format:

*@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>
#sign only for andrew
andrew@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>

Add your server's IP addresses to /etc/mail/dkim/trusted-hosts.

More advanced configuration options can be set in /etc/dkim-filter.conf (refer to the file and the man pages for details).

Configure Postfix

You need to add the following options to the Postfix main.cf file to enable it to use the milter:

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209

If you already have other milters configured, append the dkim-milter entry to the existing milter lists instead of replacing them.

Start dkim-milter and restart Postfix:

# service dkim-milter start
# service postfix restart

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com; you will receive a response stating whether your setup is working correctly. If you have a Gmail account you can also send an email to that account and look at the message details, similar to the picture below; you should see "signed-by: your domain" if the setup was done correctly.

(Picture: DKIM signed mail in Google)

Updates

Updated rpms are always provided at http://www.topdog-software.com/oss/dkim-milter/.
