Opendkim

OpenDKIM is a milter that DKIM-signs outgoing mail on a mail server. The instructions below were tested on Debian jessie and are largely based on the Debian wiki article on OpenDKIM.

Install packages

apt install opendkim opendkim-tools

In Debian jessie the installed service file did not respect the socket configuration from /etc/default/opendkim. To fix this, regenerate the unit file and restart the service:

/lib/opendkim/opendkim.service.generate
systemctl daemon-reload
service opendkim restart

Create keys

This assumes Postfix is already installed, i.e. that the /etc/postfix configuration directory exists.

DOMAIN=example.com
mkdir -p /etc/postfix/dkim/
# -s only names the generated files (smtp_$DOMAIN.private and smtp_$DOMAIN.txt).
# The selector actually used when signing is the one in the key table below
# ("smtp"), so the DNS TXT record must be published at smtp._domainkey.$DOMAIN,
# not under the label written into smtp_$DOMAIN.txt.
opendkim-genkey -D /etc/postfix/dkim/ -d $DOMAIN -s smtp_$DOMAIN
# Key table: <key name> <domain>:<selector>:<private key file>
echo "smtp._domainkey.$DOMAIN $DOMAIN:smtp:/etc/postfix/dkim/smtp_$DOMAIN.private" >> /etc/postfix/dkim/keytable
# Signing table: <sender domain> <key name from the key table>
echo "$DOMAIN smtp._domainkey.$DOMAIN" >> /etc/postfix/dkim/signingtable
# The tables must be readable by the opendkim user; the private key only by it.
chgrp opendkim /etc/postfix/dkim/*
chmod g+r /etc/postfix/dkim/*
chown opendkim:opendkim /etc/postfix/dkim/smtp_*.private
chmod 600 /etc/postfix/dkim/smtp_*.private

Configure opendkim

Tell opendkim about the key and signing tables in /etc/opendkim.conf:

# Specify the list of keys
KeyTable file:/etc/postfix/dkim/keytable
# Match keys and domains
SigningTable file:/etc/postfix/dkim/signingtable
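The key table, signing table and the .txt file written by opendkim-genkey each carry a selector, and a mismatch between them is the usual reason a freshly set up signer fails verification. The following script is an added example, not part of the original page or of the OpenDKIM project: it parses the three files as the page creates them and reports whether the selector used for signing agrees with the DNS label you are about to publish. The sample file contents are constructed to mirror the page's commands for DOMAIN=example.com; the public key value is a placeholder.

```python
"""Consistency check for OpenDKIM key table, signing table and genkey output.

Added example (not from the page or the OpenDKIM project). Usage on a
real system, assuming the page's paths:
    python3 check_dkim_tables.py example.com \
        /etc/postfix/dkim/keytable /etc/postfix/dkim/signingtable \
        /etc/postfix/dkim/smtp_example.com.txt
Without arguments it runs against the constructed samples below.
"""
import re
import sys

# Constructed sample inputs, mirroring the page's commands for example.com.
KEYTABLE = (
    "smtp._domainkey.example.com "
    "example.com:smtp:/etc/postfix/dkim/smtp_example.com.private\n"
)
SIGNINGTABLE = "example.com smtp._domainkey.example.com\n"
# What `opendkim-genkey -d example.com -s smtp_example.com` writes to
# smtp_example.com.txt (public key replaced by a placeholder).
GENKEY_TXT = (
    'smtp_example.com._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/PLACEHOLDER" )  '
    '; ----- DKIM key smtp_example.com for example.com\n'
)
# The same file as it would look had the key been generated with -s smtp.
GENKEY_TXT_FIXED = GENKEY_TXT.replace("smtp_example.com._domainkey", "smtp._domainkey")


def parse_keytable(text):
    """Map key name -> (domain, selector, keyfile) from `name domain:selector:file` lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, spec = line.split(None, 1)
        domain, selector, keyfile = spec.split(":", 2)
        table[name] = (domain, selector, keyfile)
    return table


def parse_signingtable(text):
    """Map sender domain -> key name from `domain keyname` lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, name = line.split(None, 1)
        table[domain] = name
    return table


def parse_genkey_txt(text):
    """Return (dns_label, record_value) from an opendkim-genkey .txt file.

    The record value is split over several quoted strings; DNS concatenates them.
    """
    label = text.split(None, 1)[0]
    value = "".join(re.findall(r'"([^"]*)"', text))
    return label, value


def check_selector(domain, keytable_text, signingtable_text, genkey_text):
    """Return (problems, dns_name): problems is empty when everything agrees,
    dns_name is where the TXT record must be published."""
    signing = parse_signingtable(signingtable_text)
    keys = parse_keytable(keytable_text)
    name = signing.get(domain)
    if name is None:
        return ["no signing table entry for " + domain], None
    if name not in keys:
        return ["signing table references unknown key " + name], None
    key_domain, selector, _keyfile = keys[name]
    dns_name = f"{selector}._domainkey.{key_domain}"
    problems = []
    if name != dns_name:
        problems.append(f"key name {name} does not match selector/domain {dns_name}")
    label, value = parse_genkey_txt(genkey_text)
    genkey_selector = label.split("._domainkey")[0]
    if genkey_selector != selector:
        problems.append(
            f"genkey .txt is labelled for selector {genkey_selector!r} but the key "
            f"table signs with {selector!r}; publish the TXT record at {dns_name}"
        )
    if not value.startswith("v=DKIM1"):
        problems.append("TXT record value does not start with v=DKIM1")
    return problems, dns_name


if __name__ == "__main__":
    if len(sys.argv) == 5:
        dom, kt, st, gk = sys.argv[1], *(open(p).read() for p in sys.argv[2:5])
    else:
        dom, kt, st, gk = "example.com", KEYTABLE, SIGNINGTABLE, GENKEY_TXT
    problems, dns_name = check_selector(dom, kt, st, gk)
    print("publish at:", dns_name)
    for p in problems or ["ok"]:
        print(p)
```

Run against the page's own commands the check reports one problem: the .txt file is labelled smtp_example.com._domainkey while signing uses selector smtp, so the record belongs at smtp._domainkey.example.com; with the label corrected (or the key generated with -s smtp) it reports nothing.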

Configure postfix

In /etc/default/opendkim, set the socket the daemon listens on:

SOCKET="inet:8891@localhost"

Then add the following lines to the Postfix main configuration, /etc/postfix/main.cf:

milter_default_action = accept
milter_protocol = 2
# Unlike the Debian wiki instructions, do NOT add the following line: it would
# attach the milter to every smtpd instance, including the port-25 listener.
#smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Add the following line to the submission service in /etc/postfix/master.cf. It must be indented like the other -o options of that service, since Postfix treats indented lines as continuations of the service entry above them:

  -o smtpd_milters=inet:localhost:8891

The consequence of this deviation from the instructions in other howtos is that only mail submitted by authenticated clients on the submission service (plus locally generated mail, via non_smtpd_milters) is signed, rather than everything accepted by any smtpd instance, which would include mail delivered on port 25 by other mail servers trying to impersonate you.
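Whether the milter is attached globally or only to submission is easy to get wrong when copying between howtos, so here is an added example (not from the page or from Postfix) that parses main.cf and master.cf text and reports which smtpd services would pass mail through the OpenDKIM milter. The sample configurations are constructed: one follows the page, the other uncomments the global smtpd_milters line the page tells you to leave out.

```python
"""Report which Postfix smtpd services hand mail to the OpenDKIM milter.

Added example, not part of the original page or of Postfix. The parsers
cover the common main.cf `key = value` and master.cf `-o key=value`
continuation-line forms; the sample configurations below are constructed.
"""
import re

MILTER = "inet:localhost:8891"

# Constructed main.cf fragment exactly as the page recommends.
MAIN_CF = """\
milter_default_action = accept
milter_protocol = 2
#smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
"""
# The same fragment with the global milter line enabled (the variant the page warns against).
MAIN_CF_GLOBAL = MAIN_CF.replace("#smtpd_milters", "smtpd_milters")

# Constructed master.cf fragment with the page's submission override.
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=inet:localhost:8891
pickup    unix  n       -       -       60      1       pickup
"""


def parse_main_cf(text):
    """Map parameter -> value, skipping blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Map service name -> {"command": ..., "options": {...}}.

    A line starting in column 1 begins a service; indented `-o key=value`
    lines override main.cf parameters for that service only.
    """
    services = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if current is not None and m:
                services[current]["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        current = fields[0]
        services[current] = {"command": fields[7] if len(fields) > 7 else "", "options": {}}
    return services


def milter_scope(main_cf_text, master_cf_text, milter=MILTER):
    """Return (set of smtpd services using the milter, whether local mail uses it)."""
    main_cf = parse_main_cf(main_cf_text)
    global_milters = main_cf.get("smtpd_milters", "")
    signed = set()
    for name, svc in parse_master_cf(master_cf_text).items():
        if svc["command"] != "smtpd":
            continue  # pickup, cleanup etc. are governed by non_smtpd_milters
        if milter in svc["options"].get("smtpd_milters", global_milters):
            signed.add(name)
    local = milter in main_cf.get("non_smtpd_milters", "")
    return signed, local


def findings(main_cf_text, master_cf_text):
    """Problems relative to the page's layout; an empty list means it matches."""
    signed, local = milter_scope(main_cf_text, master_cf_text)
    problems = []
    if "smtp" in signed:
        problems.append("port-25 service 'smtp' signs mail: drop smtpd_milters from main.cf")
    if "submission" not in signed:
        problems.append("submission service lacks the milter: authenticated mail stays unsigned")
    if not local:
        problems.append("non_smtpd_milters unset: locally generated mail stays unsigned")
    return problems


if __name__ == "__main__":
    for label, main_cf in (("page layout", MAIN_CF), ("global milter", MAIN_CF_GLOBAL)):
        print(label, milter_scope(main_cf, MASTER_CF), findings(main_cf, MASTER_CF))
```

With the page's layout only the submission service (and local mail) reaches the milter; enabling the global smtpd_milters line pulls the port-25 `smtp` service in as well, which is exactly the case the page's note is about.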

DNS

Refer to the Debian wiki article cited above for instructions on publishing the DNS record and testing the setup.

Testing the setup

I used (and really liked) dkimvalidator.com to test the setup.