September 20, 2012

Postfix + DKIM setup

Filed under: Miscellaneous — SupportPRO Admin @ 11:25 pm

Installation

1. Get the rpmforge repo and install it.

# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

# rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

# yum install opendkim postfix

2. Stop sendmail and remove it from autostart.

# /etc/init.d/sendmail stop
# chkconfig sendmail off

3. Add postfix and opendkim to autostart.

# chkconfig postfix on
# chkconfig opendkim on

4. Configure Postfix.

# vi /etc/postfix/main.cf

Configuration options:

Change the following values, or comment out the existing lines and add these (myhostname is your server's hostname):

myhostname = server.yourdomainname.com
mydomain = yourdomainname.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/

Add the following to main.cf so Postfix hands outgoing mail to the OpenDKIM milter:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

5. Configure OpenDKIM

Configuration files of OpenDKIM:

1. /etc/opendkim.conf - OpenDKIM's main configuration file
2. /etc/opendkim/KeyTable - a list of keys available for signing
3. /etc/opendkim/SigningTable - a list of domains and accounts allowed to sign
4. /etc/init.d/opendkim - service start-up script

# vi /etc/opendkim.conf

Configuration options:

PidFile /var/run/opendkim/opendkim.pid
Mode    sv
Canonicalization        relaxed/simple
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  inet:8891@localhost
Umask   002
Selector        default
KeyTable        refile:/etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

# cd /etc/opendkim

We will create the public and private keys now.

# cd keys
# mkdir yourdomainname.com; cd yourdomainname.com
# opendkim-genkey -d yourdomainname.com -s default

Here -d is your domain and -s is the selector.

# chown -R opendkim:opendkim ../yourdomainname.com

# cd /etc/opendkim
# vi KeyTable

default._domainkey.yourdomainname.com yourdomainname.com:default:/etc/opendkim/keys/yourdomainname.com/default.private

# vi SigningTable

*@yourdomainname.com default._domainkey.yourdomainname.com

# vi TrustedHosts

127.0.0.1
localhost
server.yourdomainname.com
yourdomainname.com

Note: ensure that localhost is mentioned in TrustedHosts file.

Now we are ready to test this. Start opendkim first and then postfix.

# /etc/init.d/opendkim start
# /etc/init.d/postfix start

Check that OpenDKIM has written to the mail log. This is the only place where you can see OpenDKIM errors.

# tail -f /var/log/maillog

Sep 20 09:43:50 server opendkim[8535]: OpenDKIM Filter v2.5.2 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)

Add the DNS record to your domain. The public key record is in the following file; it is a TXT record.

# cat /etc/opendkim/keys/yourdomainname.com/default.txt

Make sure the record contains a "k" tag in front of "=rsa;". By default the file is written without the k, so after the change the record reads ";k=rsa;".

default._domainkey IN TXT "v=DKIM1;k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJmb2F+hGx+/1Y4dadbsTzg/thhJVsZHT5chFhaoZH6SMALX6J9IIIPSW3NRsap/mUQQ5GVG9IHIBfpAsIJr8CILOVcqAWQbG5XTn9Sk1p76abg3tyR01rhSTG2CljLmkNAPqOSrE5uUEXRq1T+eGhS1EVHFWmQ5lF8ZAyoyEHewIDAQAB" ; ----- DKIM default for yourdomainname.com
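A small checker for the default.txt record before it goes into DNS, added here as an example (not part of the original post or of OpenDKIM): it joins the quoted chunks that opendkim-genkey writes, parses the tag list, adds the k=rsa tag when it is missing as described above, and verifies that p= decodes to a well-formed DER SEQUENCE of the right length. The sample file content is constructed; the p= value is the one shown in the post.

```python
import base64
import re

# Constructed sample in the shape of /etc/opendkim/keys/<domain>/default.txt as
# written by opendkim-genkey (the p= value is the one shown in the post). The
# k=rsa tag is deliberately absent, which is the case the post warns about.
SAMPLE_DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJmb2F+hGx+/1Y4dadbsTzg/thhJVsZHT5chFhaoZH6SMALX6J9IIIPSW3NRsap/mUQQ5GVG9IHIBfpAsIJr8CILOVcqAWQbG5XTn9Sk1p76abg3tyR01rhSTG2CljLmkNAPqOSrE5uUEXRq1T+eGhS1EVHFWmQ5lF8ZAyoyEHewIDAQAB" )'
    '  ; ----- DKIM default for yourdomainname.com\n'
)

def record_value(default_txt):
    """Join the quoted chunks of the TXT record into one tag-list string."""
    return "".join(re.findall(r'"([^"]*)"', default_txt))

def parse_tags(value):
    """Parse 'tag=value; tag=value' (RFC 6376 tag-list syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags

def public_key_der(tags):
    """Decode p= and check the outer DER SEQUENCE header matches the decoded size."""
    der = base64.b64decode(tags.get("p", ""), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("p= does not decode to a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        header, body = 2, der[1]
    else:                                    # long-form: 0x8N then N length bytes
        n = der[1] & 0x7F
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("DER length does not match the decoded key size")
    return der

def check_dkim_record(default_txt):
    """Validate the record; return its tags and a normalized value with k=rsa."""
    tags = parse_tags(record_value(default_txt))
    if tags.get("v") != "DKIM1":
        raise ValueError("record is not v=DKIM1")
    tags.setdefault("k", "rsa")             # add the tag the post says is missing
    if tags["k"] != "rsa":
        raise ValueError("unexpected key type %r" % tags["k"])
    public_key_der(tags)
    return tags, "v=DKIM1; k=rsa; p=%s" % tags["p"]
```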

Important: don't forget to set an SPF record as well; it can improve email delivery.

Send out a test email and verify.

# echo "This is a test mail" | mail -s "OpenDKIM test mail" mygmail@gmail.com

If everything went well, you will see the message "DKIM-Signature header added" in the mail log.

# tail -f /var/log/maillog

Sep 20 09:47:33 server opendkim[8535]: 33040108639: DKIM-Signature header added (s=default, d=yourdomainname.com)
Sep 20 09:47:33 server postfix/qmgr[2390]: 33040108639: from=<user@yourdomainname.com>, size=3016, nrcpt=1 (queue active)
Sep 20 09:47:33 server sendmail[8671]: q8KDlXa9008671: to=serverhelp247@gmail.com, ctladdr=user@yourdomainname.com (503/503), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32554, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 33040108639)
Sep 20 09:47:33 server postfix/smtpd[8636]: disconnect from GF-P-server.navisite.com[127.0.0.1]
Sep 20 09:47:34 server postfix/smtp[8642]: 33040108639: to=<serverhelp247@gmail.com>, relay=mailin-04.mx.aol.com[205.188.146.194]:25, delay=1.3, delays=0.1/0/0.24/0.95, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 05217380000B9)
Sep 20 09:47:34 server postfix/qmgr[2390]: 33040108639: remove

Check the headers of the received email for confirmation: you should see dkim=pass.
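Reading the log by eye works for one test mail; for an ongoing check, the following added example (not code from the post) correlates opendkim, qmgr and smtp lines on the Postfix queue ID and reports messages from the signing domain that were delivered without a "DKIM-Signature header added" line. That is the case to watch for, because milter_default_action = accept lets mail through unsigned whenever OpenDKIM is not reachable. The log excerpt is constructed: the first four lines mirror the ones above, and the 4A1B2C3D4E message is an added, unsigned delivery.

```python
import re

# Constructed maillog excerpt: the first four lines mirror the ones in the post;
# the 4A1B2C3D4E message is added to show a delivery that was never signed.
SAMPLE_MAILLOG = """\
Sep 20 09:47:33 server opendkim[8535]: 33040108639: DKIM-Signature header added (s=default, d=yourdomainname.com)
Sep 20 09:47:33 server postfix/qmgr[2390]: 33040108639: from=<user@yourdomainname.com>, size=3016, nrcpt=1 (queue active)
Sep 20 09:47:34 server postfix/smtp[8642]: 33040108639: to=<serverhelp247@gmail.com>, relay=mailin-04.mx.aol.com[205.188.146.194]:25, delay=1.3, delays=0.1/0/0.24/0.95, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 05217380000B9)
Sep 20 09:47:34 server postfix/qmgr[2390]: 33040108639: remove
Sep 20 09:52:10 server postfix/qmgr[2390]: 4A1B2C3D4E: from=<user@yourdomainname.com>, size=1200, nrcpt=1 (queue active)
Sep 20 09:52:11 server postfix/smtp[8642]: 4A1B2C3D4E: to=<someone@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Sep 20 09:52:11 server postfix/qmgr[2390]: 4A1B2C3D4E: remove
"""

SIGNED_RE = re.compile(r"opendkim\[\d+\]: ([0-9A-Z]+): DKIM-Signature header added \(s=([^,]+), d=([^)]+)\)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Z]+): from=<([^>]*)>")
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-Z]+): to=<([^>]*)>, relay=(\S+),.*status=sent")

def correlate(log_text):
    """Build {queue_id: {...}} by joining opendkim, qmgr and smtp lines on the queue ID."""
    msgs = {}
    for line in log_text.splitlines():
        m = SIGNED_RE.search(line)
        if m:
            msgs.setdefault(m.group(1), {})["signed"] = (m.group(2), m.group(3))
            continue
        m = FROM_RE.search(line)
        if m:
            msgs.setdefault(m.group(1), {})["from"] = m.group(2)
            continue
        m = SENT_RE.search(line)
        if m:
            msgs.setdefault(m.group(1), {}).setdefault("sent", []).append((m.group(2), m.group(3)))
    return msgs

def unsigned_deliveries(log_text, signing_domain):
    """(queue_id, sender, recipient, relay) for mail from *@signing_domain that was
    delivered with no DKIM-Signature added; per the SigningTable above there should be none."""
    hits = []
    for qid, info in correlate(log_text).items():
        sender = info.get("from", "")
        if not sender.lower().endswith("@" + signing_domain.lower()):
            continue
        if "signed" in info or "sent" not in info:
            continue
        for rcpt, relay in info["sent"]:
            hits.append((qid, sender, rcpt, relay))
    return hits
```

Run it against the real /var/log/maillog by reading the file into log_text; a non-empty result is the signal to check that the opendkim service is running and listening on inet:8891@localhost.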
