Amazon Web Services - AWS EC2 - Ubuntu 14.04

OpenDKIM

  1. Configure OpenDKIM
  2. Configure Postfix
  3. Configure BIND
  4. Tests



1. CONFIGURE OpenDKIM

If the mail we send carries no DKIM signature, the major providers (Google, Yahoo, etc.) will most likely treat it as spam.

Example of a DKIM-Signature header as it appears in a message's source. The tags that matter: d= is the signing domain, s= the selector, a= the algorithm, h= the list of signed headers, bh= the body hash and b= the signature itself; a verifier fetches the public key from the DNS TXT record s._domainkey.d. This particular example uses a=rsa-sha1, which has since been deprecated (RFC 8301); the configuration below uses rsa-sha256.

DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=elance.com; s=sv;
    i=@elance.com; h=Content-Transfer-Encoding:Content-Disposition:
    Content-Type:Reply-To:MIME-Version:Message-ID:X-ReportingKey:
    X-PVIQ:Subject:Date:To:From; bh=JPJyV5traar3LIBzGzUjVWXgNek=;
    b=p2P569MEO8OGzrfLVJVfXU66fjJ9tsxm5Hk0YV7C6mak2TRCyE+g1+iGpwoIEm
    peayse/eOIbuDWaB7wFfmG305ctpoL9kd8Xzz2A5Qd4OMMJlYKWXz3DjySlsPp4s
    DLZHzxWW1ez5AP+Y+UmY+pFUnD8GqD6F89a43t90u5Wyk=



OpenDKIM Installation

# apt-get install opendkim opendkim-tools

The package installs only two configuration files:

/etc/opendkim.conf    - the daemon's own configuration

/etc/default/opendkim    - variables read by the init script (user, pid file and, importantly, the SOCKET it passes to the daemon)

 

OpenDKIM start, stop, restart

# service opendkim start|stop|restart

# service opendkim status

 * opendkim is running

 

Start OpenDKIM on server boot

#update-rc.d opendkim enable

 

Check opendkim user and process

IMPORTANT: Before setting ownership and permissions on the key files below, check which user the opendkim process runs as; that user must be able to read the private key and the tables:

# ps aux | grep opendkim

opendkim  1604  0.0  0.2 214816  2172 ?        Ssl  16:49   0:00 /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock

It is the opendkim user (the -u opendkim argument). Note also the -p local:/var/run/opendkim/opendkim.sock argument: the init script takes it from /etc/default/opendkim, which matters when the socket is changed in opendkim.conf later. To list all users: # cat /etc/passwd

 

OpenDKIM Generate Keys

Create dirs:

# mkdir /etc/opendkim

# mkdir /etc/opendkim/keys

# mkdir /etc/opendkim/keys/mikosofter.net

 

Create the table files in /etc/opendkim. The domain must be spelled identically in all three files, in the key directory name and later in the DNS record: if the SigningTable entry points to a name that is not in the KeyTable, OpenDKIM finds no key and the mail leaves unsigned.

# vim /etc/opendkim/TrustedHosts

127.0.0.1
localhost
mikosofter.net

 

# vim /etc/opendkim/SigningTable

*@mikosofter.net default._domainkey.mikosofter.net

 

# vim /etc/opendkim/KeyTable

default._domainkey.mikosofter.net mikosofter.net:default:/etc/opendkim/keys/mikosofter.net/default.private

 

Generate keys:

# /usr/bin/opendkim-genkey -D /etc/opendkim/keys/mikosofter.net/ -d mikosofter.net -s default

-D is the directory,

-d is the domain,

-s is the selector. The selector is a label attached to one key pair: it is written into every signature as the s= tag and names the DNS record (selector._domainkey.domain) from which verifiers fetch the public key. In most cases the word default is used as selector and as the key file name; publishing a new selector (a date, for example) is how keys are rotated later without breaking mail already in transit.

The key generated by this command is 1024-bit (the default of older opendkim-genkey versions; the MIGf prefix of the p= value below is the giveaway). For a new deployment pass -b 2048 as well.

 

# ls /etc/opendkim/keys/mikosofter.net/     - list the two key files

default.private  default.txt

 

View generated files:

# cat default.private
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

(Key body omitted. The private key must stay on this server; never paste it into DNS, tickets or notes like these.)

# cat default.txt    - the public key, already formatted as the DNS TXT record to publish in section 3 (the record name default._domainkey is relative to mikosofter.net)
default._domainkey    IN    TXT    ( "v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADdaQKBgQDTxqEB2kCl27oxmw7XSebxx4ceYQ8OmFba60x/P8orfLD4H5tnLaX+7FEW2DxHvp1sRv4b67dPNSOEEtkKlV9tn33ZcQE4dpjK8x/qpoOnKCUq0UkysjKv2VXbyJTRqoGGSkbxRJVmAFhEPxegV65TySdHx/OIyssdeXvUAYLsDQIDAQAB" )  ; ----- DKIM key default for mikosofter.net

 

Set permissions:

This is very important. If they are not set correctly, OpenDKIM cannot read the key and /var/log/syslog shows:

can't load key from /etc/opendkim/keys/mikosofter.net/default.private: Permission denied

 

All dirs and files under /etc/opendkim/ must have opendkim:opendkim ownership so run:

# chown -R opendkim:opendkim /etc/opendkim

 

Set permissions to directories and files:

# chmod -R 750 /etc/opendkim

 

Then tighten the files (the private key stays readable only by the opendkim user and group):

# chmod 640 /etc/opendkim/keys/mikosofter.net/default.private

# chmod 644 /etc/opendkim/keys/mikosofter.net/default.txt

# chmod 640 /etc/opendkim/KeyTable

# chmod 640 /etc/opendkim/SigningTable

# chmod 640 /etc/opendkim/TrustedHosts
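The steps above (directories, tables, key generation, ownership, permissions) as one script, added here as an example; it is not part of the original notes. It takes the domain and selector once and derives every file name from them, so SigningTable, KeyTable and the key path cannot disagree, and it cross-checks the result before you restart. Assumed: the /etc/opendkim layout used above and an opendkim system user; when opendkim-genkey is not on the PATH it falls back to plain openssl (which opendkim-genkey itself wraps) and writes the same PEM key and TXT fragment. The function names, the domain mikosofter.net and the temporary paths are the editor's choices.

```shell
#!/bin/sh
# Added example, not part of the original notes: create the OpenDKIM tables
# and key for one domain from a single DOMAIN/SELECTOR pair, apply the
# ownership and permissions used above, and cross-check the result before the
# daemon is restarted. Layout assumed: $BASE/{TrustedHosts,SigningTable,KeyTable}
# and $BASE/keys/$DOMAIN/$SELECTOR.private, BASE defaulting to /etc/opendkim.
set -u

# Write TrustedHosts, SigningTable and KeyTable under $1 for domain $2,
# selector $3. Every name is derived from the same two values, so the files
# cannot disagree about the domain.
dkim_write_tables() {
    base=$1 domain=$2 sel=$3
    mkdir -p "$base/keys/$domain"
    printf '127.0.0.1\nlocalhost\n%s\n' "$domain" > "$base/TrustedHosts"
    printf '*@%s %s._domainkey.%s\n' "$domain" "$sel" "$domain" > "$base/SigningTable"
    printf '%s._domainkey.%s %s:%s:%s/keys/%s/%s.private\n' \
        "$sel" "$domain" "$domain" "$sel" "$base" "$domain" "$sel" > "$base/KeyTable"
}

# Generate the key pair, 2048-bit unless told otherwise (older opendkim-genkey
# defaults to 1024). Without opendkim-genkey it falls back to plain openssl,
# which is what opendkim-genkey wraps, and writes the same PEM key and TXT line.
dkim_gen_key() {
    base=$1 domain=$2 sel=$3 bits=${4:-2048}
    dir="$base/keys/$domain"
    if command -v opendkim-genkey >/dev/null 2>&1; then
        opendkim-genkey -b "$bits" -D "$dir" -d "$domain" -s "$sel"
    else
        openssl genrsa -out "$dir/$sel.private" "$bits" 2>/dev/null
        pub=$(openssl rsa -in "$dir/$sel.private" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n')
        printf '%s._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=%s" ) ; ----- DKIM key %s for %s\n' \
            "$sel" "$pub" "$sel" "$domain" > "$dir/$sel.txt"
    fi
}

# opendkim:opendkim ownership (when that user exists), 750 on directories,
# 640 on files and 644 on the public .txt files, as in the steps above.
dkim_set_perms() {
    base=$1
    if id opendkim >/dev/null 2>&1; then
        chown -R opendkim:opendkim "$base"
    fi
    find "$base" -type d -exec chmod 750 {} +
    find "$base" -type f -exec chmod 640 {} +
    find "$base/keys" -type f -name '*.txt' -exec chmod 644 {} +
}

# Cross-check: every SigningTable target must exist as a KeyTable entry, a
# KeyTable name must belong to the domain named in its own value, and the
# private key must exist, be readable and not be world-readable.
# Returns non-zero and explains on stderr if anything is wrong.
dkim_check_config() {
    base=$1 rc=0
    while read -r _pattern target; do
        [ -n "$target" ] || continue
        awk -v t="$target" '$1 == t { found = 1 } END { exit !found }' "$base/KeyTable" ||
            { echo "SigningTable target $target has no KeyTable entry" >&2; rc=1; }
    done < "$base/SigningTable"
    while read -r name spec; do
        [ -n "$name" ] || continue
        kdomain=${spec%%:*} keyfile=${spec##*:}
        case "$name" in
            *._domainkey."$kdomain") ;;
            *) echo "KeyTable name $name does not match domain $kdomain" >&2; rc=1 ;;
        esac
        if [ ! -r "$keyfile" ]; then
            echo "key file $keyfile is missing or not readable" >&2; rc=1
        elif [ -n "$(find "$keyfile" -perm -004)" ]; then
            echo "key file $keyfile is world-readable" >&2; rc=1
        fi
    done < "$base/KeyTable"
    return "$rc"
}

dkim_setup() {
    base=${3:-/etc/opendkim}
    dkim_write_tables "$base" "$1" "$2"
    dkim_gen_key "$base" "$1" "$2"
    dkim_set_perms "$base"
    dkim_check_config "$base" && echo "OpenDKIM files for $1 are consistent; now: service opendkim restart"
}

# Usage (as root): sh dkim-setup.sh mikosofter.net default [/etc/opendkim]
if [ "$#" -ge 2 ]; then
    dkim_setup "$@"
fi
```

Run it as root with the domain and selector as arguments. dkim_check_config can also be sourced and run on its own against an existing /etc/opendkim: a non-zero exit with a message on stderr points at exactly the kind of mismatch (a domain spelled two ways, a key the daemon cannot read) that otherwise only shows up as unsigned mail or the Permission denied line in syslog.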

 

 

Configure OpenDKIM config files

Backup original conf file:

# cp /etc/opendkim.conf{,.orig}

# vim /etc/opendkim.conf

#Domain                 mikosofter.net
#KeyFile                /etc/opendkim/keys/default.private

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  Yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:8891@127.0.0.1

 

Domain and KeyFile stay commented out: they are not needed once SigningTable and KeyTable select the key. Mode sv signs mail that arrives from InternalHosts and verifies everything else. Canonicalization relaxed/simple lets intermediate servers reflow header whitespace without breaking the signature, while any change to the body still does. SignatureAlgorithm rsa-sha256 is what current verifiers expect (rsa-sha1, as in the elance.com example at the top, is deprecated). Socket is where Postfix will connect to the milter (section 2).

IMPORTANT: On Ubuntu 14.04 the init script passes the SOCKET variable from /etc/default/opendkim to the daemon as -p, and the command line wins over opendkim.conf. That is why the ps output above shows -p local:/var/run/opendkim/opendkim.sock although opendkim.conf says otherwise. Set SOCKET="inet:8891@127.0.0.1" in /etc/default/opendkim as well, then restart and repeat the ps check: the process must now show -p inet:8891@127.0.0.1, otherwise Postfix will not find the milter on port 8891.

# service opendkim restart
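After the restart, a check for the socket pitfall just described, added here as an example and not part of the original notes: it works out which socket the daemon was really started with (SOCKET from /etc/default/opendkim if set, otherwise Socket from opendkim.conf) and confirms something is listening there. It assumes the Ubuntu 14.04 packaging described above; the function names and the file paths given as defaults are the editor's choices, and ss/netstat are used only for the listen check.

```shell
#!/bin/sh
# Added example, not part of the original notes: report which milter socket
# OpenDKIM actually uses on Ubuntu 14.04, where the init script passes SOCKET
# from /etc/default/opendkim to the daemon as -p and thereby overrides the
# Socket line in opendkim.conf, then confirm the daemon is listening there.

# Print the value of directive $2 from an opendkim.conf at $1 (first match;
# commented lines such as "#Domain ..." never match). Prints nothing if absent.
conf_value() {
    [ -r "$1" ] || return 0
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Print SOCKET from an /etc/default/opendkim style shell fragment at $1,
# exactly as the init script would see it after sourcing the file; prints
# nothing when the variable is unset or the line is commented out.
default_socket() {
    [ -r "$1" ] || return 0
    ( unset SOCKET; . "$1"; printf '%s\n' "${SOCKET:-}" )
}

# The effective socket: /etc/default wins whenever it sets SOCKET, otherwise
# the Socket directive from opendkim.conf; empty if neither sets one.
effective_socket() {
    s=$(default_socket "$2")
    [ -n "$s" ] || s=$(conf_value "$1" Socket)
    printf '%s\n' "$s"
}

# Return 0 when something listens on the socket spec: a TCP port for
# inet:PORT[@HOST], an existing socket file for local:PATH or unix:PATH.
socket_listening() {
    case "$1" in
        inet:*)
            hp=${1#inet:}
            port=${hp%%@*}
            { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q ":$port " ;;
        local:*|unix:*)
            [ -S "${1#*:}" ] ;;
        *)  return 1 ;;
    esac
}

# Report for the real files; non-zero exit when the daemon is not reachable.
dkim_socket_report() {
    sock=$(effective_socket "${1:-/etc/opendkim.conf}" "${2:-/etc/default/opendkim}")
    echo "effective milter socket: ${sock:-unknown}"
    if socket_listening "$sock"; then
        echo "opendkim is listening on $sock"
    else
        echo "nothing is listening on $sock; check 'service opendkim status'" >&2
        [ -r /var/log/syslog ] && grep -i opendkim /var/log/syslog | tail -n 5 >&2
        return 1
    fi
}

# Usage: sh dkim-socket-check.sh --check [/etc/opendkim.conf] [/etc/default/opendkim]
if [ "${1:-}" = "--check" ]; then
    shift
    dkim_socket_report "$@"
fi
```

If the report names the local: socket while opendkim.conf says inet:8891@127.0.0.1, the /etc/default/opendkim override described above is still in place and Postfix, once pointed at port 8891 in section 2, will refuse or defer mail depending on its milter_default_action.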

 

 

DKIM Debugging & Logging

All OpenDKIM messages go to /var/log/syslog (enabled by the Syslog, SyslogSuccess and LogWhy directives above; LogWhy makes the daemon log the reason whenever it decides not to sign a message).