Postfix DKIM signing

Signing outgoing mail with DKIM has become important. A DKIM signature lets the receiving server check that the signed headers and the body were not altered in transit, and that the message went out through a server holding the private key of the signing domain (the d= tag), whose public half is published in DNS.

Adding DKIM signing of outgoing mail to Postfix is quite easy: Postfix hands each message to the OpenDKIM milter, which adds the DKIM-Signature header. First install the OpenDKIM packages. On Ubuntu run

apt-get install opendkim-tools opendkim

On CentOS

yum install opendkim

We now generate the DKIM key pair for our domain. Depending on the version, opendkim-genkey defaults to a 1024-bit key; add -b 2048 to get a 2048-bit key, which is what receivers expect today.

opendkim-genkey --domain=mydomain-a.com --selector=dkim01

The selector can be any name (a date, the source server name, etc.); it lets you publish several keys for one domain and rotate them later.
The command creates two files in the current directory: dkim01.txt, containing the DNS TXT record, and dkim01.private, containing the private key used for signing.

Add the DKIM TXT record from the .txt file to your domain's DNS zone (the p= value, shortened here, is the base64-encoded public key)

dkim01._domainkey	IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEb....................GnOXN0Pqp4SOo6pQIDAQAB"
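The record in the .txt file is exactly what goes into DNS, but for 2048-bit keys opendkim-genkey writes it as several quoted strings inside parentheses with a trailing comment, and most DNS consoles want one flat string. The script below is an added example, not part of this post or of OpenDKIM: it joins the strings the way a resolver does, checks the v=, k= and p= tags, estimates the key size from the length of the p= blob (assuming the usual e=65537 exponent), and compares what dig +short TXT returns with what you meant to publish. The sample records are constructed; their p= values are placeholder base64, not real keys.

```python
"""Flatten and sanity-check the DKIM TXT record written by opendkim-genkey (added example)."""
from __future__ import annotations

import base64
import re

# DER length of the SubjectPublicKeyInfo carried in p= for an RSA key with e=65537
# (the exponent openssl genrsa, and so opendkim-genkey, uses) -> modulus size in bits.
SPKI_LEN_TO_BITS = {162: 1024, 294: 2048, 550: 4096}


def join_txt_strings(text: str) -> str:
    """Concatenate every double-quoted string in text, in order.

    A multi-string TXT RDATA is defined as the concatenation of its strings, so
    this works both for the .txt file and for the output of 'dig +short TXT'.
    """
    strings = re.findall(r'"([^"]*)"', text)
    if not strings:
        raise ValueError("no quoted TXT strings found")
    return "".join(strings)


def flatten_genkey_record(text: str) -> tuple[str, str]:
    """Return (owner name, flat record value) from an opendkim-genkey .txt file."""
    owner = text.lstrip().split(None, 1)[0]          # e.g. dkim01._domainkey
    return owner, join_txt_strings(text)


def parse_tags(value: str) -> dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376); whitespace inside values is ignored."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags


def check_dkim_record(value: str) -> dict:
    """Check the v=, k= and p= tags of a record value and estimate the key size."""
    tags, problems = parse_tags(value), []
    if tags.get("v", "DKIM1") != "DKIM1":            # v= is optional but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for a key made by opendkim-genkey")
    if not tags.get("p"):
        problems.append("p= is missing or empty (an empty p= means the key is revoked)")
        return {"ok": False, "bits": None, "problems": problems}
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        problems.append("p= is not valid base64: a line was probably lost or pasted twice")
        return {"ok": False, "bits": None, "problems": problems}
    bits = SPKI_LEN_TO_BITS.get(len(der))
    if bits is None:
        problems.append(f"unexpected public key length: {len(der)} DER bytes")
    elif bits < 2048:
        problems.append("1024-bit key: regenerate with opendkim-genkey -b 2048")
    return {"ok": not problems, "bits": bits, "problems": problems}


def records_match(dig_output: str, expected_value: str) -> bool:
    """True if the record DNS serves carries the same tags as the one we meant to publish."""
    return parse_tags(join_txt_strings(dig_output)) == parse_tags(expected_value)


# Constructed samples. The p= values are placeholder base64 ("A" repeated), sized like
# real keys: 392 characters decode to 294 bytes (2048-bit SPKI), 216 to 162 (1024-bit).
FAKE_P_2048 = "A" * 392
GENKEY_2048_TXT = (                                  # multi-string layout used for 2048-bit keys
    'dkim01._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    f'\t  "p={FAKE_P_2048[:196]}"\n'
    f'\t  "{FAKE_P_2048[196:]}" )  ; ----- DKIM key dkim01 for mydomain-a.com\n'
)
GENKEY_1024_TXT = 'dkim01._domainkey\tIN\tTXT\t"v=DKIM1; k=rsa; p=' + "A" * 216 + '"\n'

if __name__ == "__main__":
    for txt in (GENKEY_2048_TXT, GENKEY_1024_TXT):
        owner, value = flatten_genkey_record(txt)
        print(owner, "TXT", value[:40] + "...", check_dkim_record(value))
```

Paste the flat value into the DNS console as the record content for the owner name, then feed the output of dig +short TXT dkim01._domainkey.mydomain-a.com to records_match before relying on the key.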

Copy the private key to /etc/dkimkeys/dkim01.key, owned by the opendkim user and readable by nobody else (chown opendkim:opendkim, chmod 600). With the default RequireSafeKeys setting OpenDKIM refuses to load a key that other users can read.

Add the lines below to /etc/opendkim.conf

KeyTable            /etc/opendkim/keytable
SigningTable        /etc/opendkim/signingtable
Socket              inet:8891@localhost
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts

KeyTable gives the location of a file mapping key names to signing keys.
SigningTable defines a table used to select one or more signatures to apply to a message, based on the address found in the From: header field.
Socket specifies the socket on which the filter listens for connections from the mail server (Postfix here).
ExternalIgnoreList identifies a set of “external” hosts that may send mail through the server as one of the signing domains without credentials as such.
InternalHosts identifies a set of internal hosts whose mail should be signed rather than verified.

The format of the SigningTable is as below. The first column is matched against the domain of the From: address and the second is a key name from the KeyTable, so several domains can share one key or each get their own

mydomain-a.com	key01
mydomain-b.com	key02
mydomain-c.com	key03

The KeyTable maps each key name to domain:selector:path of the private key. The domain and selector become the d= and s= tags of the signature, so the selector must be the one the DNS record was published under

key01	mydomain-a.com:dkim01:/etc/dkimkeys/dkim01.key
key02	mydomain-b.com:dkim02:/etc/dkimkeys/dkim02.key
key03	mydomain-c.com:dkim03:/etc/dkimkeys/dkim03.key

We have used a single file for both InternalHosts and ExternalIgnoreList because we want all mail from the listed IPs and hosts to be signed. The file is a plain list of IP addresses and host names, one per line (the addresses below are placeholders)

localhost
11.22.33.44
22.33.44.55
33.44.55.66
mx.mydomain-a.com
mail.mydomain-b.com

Finally, add the lines below to /etc/postfix/main.cf so that Postfix passes mail to OpenDKIM for signing. smtpd_milters applies to mail received over SMTP (including the submission port) and non_smtpd_milters to mail injected locally through sendmail(1) or pickup, so both are needed for everything to be signed.

milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

milter_protocol = 6 needs Postfix 2.6 or later. milter_default_action = accept means that when OpenDKIM is down Postfix still delivers the mail, just unsigned; use tempfail instead if you would rather have mail refused or queued until the signer is back.

On Ubuntu we also have to update /etc/default/opendkim as below (recent releases read the socket from /etc/opendkim.conf and keep this file only for compatibility; either way the two must agree)

SOCKET=inet:8891@localhost

Restart Postfix and OpenDKIM (systemctl restart opendkim postfix). Before sending anything, opendkim-testkey -d mydomain-a.com -s dkim01 -k /etc/dkimkeys/dkim01.key -vvv checks that the record published in DNS matches the private key and that the key file permissions are acceptable. To test that signing works, send a mail to a Gmail address and view the original message: OpenDKIM should have added a DKIM-Signature: header with d=mydomain-a.com and s=dkim01, and Google's side should show headers like

ARC-Authentication-Results: i=1; mx.google.com;
        dkim=pass header.i=@mydomain-a.com header.s=dkim01 header.b=bA0mP48b;
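Beyond reading Google's verdict, you can check the signature OpenDKIM added yourself, without the public key. The script below is an added example, not part of this post or of OpenDKIM: given the delivered message as bytes (for example saved from Gmail's "Show original"), it checks that a DKIM-Signature header is present, that d= and s= match the KeyTable entry, that From: is among the signed headers, and that the bh= body hash still matches the body, which is the part of a DKIM signature that can be verified offline; it also extracts the dkim= verdict from an (ARC-)Authentication-Results value like the one above. The sample message and the Authentication-Results line are constructed; the b= tag in the sample is a placeholder, not an RSA signature, and is not verified.

```python
"""Check a message signed by OpenDKIM without the public key (added example)."""
from __future__ import annotations

import base64
import hashlib
import re
import sys


def parse_tags(value: str) -> dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376); folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags


def split_message(raw: bytes) -> tuple[list[tuple[str, str]], bytes]:
    """Split a CRLF-terminated RFC 5322 message into unfolded (name, value) headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: list[tuple[str, str]] = []
    for line in head.decode("utf-8", "replace").split("\r\n"):
        if line[:1] in (" ", "\t") and headers:          # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def canonical_body(body: bytes, mode: str = "simple") -> bytes:
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    if mode == "relaxed":                                 # collapse WSP runs, strip trailing WSP
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n\r\n"):                     # ignore empty lines at the end
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return b"" if mode == "relaxed" and body == b"\r\n" else body   # relaxed: empty body -> ""


def check_signed_message(raw: bytes, domain: str, selector: str) -> dict:
    """Check the DKIM-Signature tags and the bh= body hash; the b= RSA signature is not checked."""
    headers, body = split_message(raw)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return {"ok": False, "problems": ["no DKIM-Signature header: OpenDKIM did not sign"], "tags": {}}
    t, problems = parse_tags(sig), []
    for tag, want in (("d", domain), ("s", selector)):   # must match the KeyTable entry
        if t.get(tag, "").lower() != want.lower():
            problems.append(f"{tag}={t.get(tag)} but expected {want}: check SigningTable/KeyTable")
    if "from" not in t.get("h", "").lower().split(":"):
        problems.append("From: is not in h=; RFC 6376 requires it to be signed")
    c = t.get("c", "simple/simple").split("/")             # c=relaxed alone means relaxed/simple
    body_mode = c[1] if len(c) > 1 else "simple"
    digest = hashlib.sha1 if t.get("a", "").endswith("sha1") else hashlib.sha256
    canon = canonical_body(body, body_mode)
    if "l" in t:                                           # l= limits how much of the body was hashed
        canon = canon[: int(t["l"])]
    if base64.b64encode(digest(canon).digest()).decode() != t.get("bh"):
        problems.append("bh= mismatch: the body changed after signing (or wrong c= handling)")
    return {"ok": not problems, "problems": problems, "tags": t}


def dkim_verdict(auth_results: str) -> dict | None:
    """Extract the dkim= clause and its header.* properties from an (ARC-)Authentication-Results value."""
    m = re.search(r"dkim=(\w+)((?:\s+header\.\w+=\S+)*)", auth_results)
    if not m:
        return None
    verdict = {"result": m.group(1)}
    for key, val in re.findall(r"header\.(\w+)=(\S+)", m.group(2)):
        verdict[key] = val.rstrip(";")
    return verdict


# Constructed sample: a message signed with the KeyTable entry mydomain-a.com:dkim01.
# bh= is computed here so the sample verifies; b= is a placeholder, not a real signature.
SAMPLE_BODY = b"Hello from Postfix with OpenDKIM.\r\n"
SAMPLE_BH = base64.b64encode(hashlib.sha256(canonical_body(SAMPLE_BODY, "relaxed")).digest())
SAMPLE_MESSAGE = (
    b"From: noreply@mydomain-a.com\r\n"
    b"To: someone@example.net\r\n"
    b"Subject: DKIM test\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain-a.com;\r\n"
    b"\ts=dkim01; h=from:to:subject; bh=" + SAMPLE_BH + b";\r\n"
    b"\tb=cGxhY2Vob2xkZXI=\r\n"
    b"\r\n" + SAMPLE_BODY
)
SAMPLE_AUTH_RESULTS = ("i=1; mx.google.com;\r\n"
                       "        dkim=pass header.i=@mydomain-a.com header.s=dkim01 header.b=bA0mP48b;")

if __name__ == "__main__":
    raw = SAMPLE_MESSAGE
    if len(sys.argv) > 1:                                  # a message file saved with LF or CRLF endings
        with open(sys.argv[1], "rb") as f:
            raw = f.read().replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    print(check_signed_message(raw, "mydomain-a.com", "dkim01"))
    print(dkim_verdict(SAMPLE_AUTH_RESULTS))
```

Run it without arguments to check the constructed sample, or with the path of a saved message to check real output. A bh= mismatch on a message that left your server fine usually means something in between rewrote the body (a footer-adding gateway or a mailing list), not that OpenDKIM misbehaved; a missing DKIM-Signature header means the sending host was not in InternalHosts or the From: domain had no SigningTable entry.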
