
03/03/2012

Dkim-milter is No Longer Available, How to Use OpenDKIM Instead

Filed under: *NIX — Sezgin Bayrak @ 13:23

When we implemented DomainKeys Identified Mail (DKIM) with Postfix on FreeBSD, we used the dkim-milter plugin. However, dkim-milter has since been abandoned and was recently removed from the ports tree. Consequently, we’ll move to OpenDKIM, which is in fact claimed to be bug free compared to dkim-milter. The installation and configuration approach isn’t fundamentally different from dkim-milter, but we wanted to give the whole process step by step here. Let’s get to work by first updating our ports tree if it’s stale.


# portsnap fetch
# portsnap update

We’ll use OpenDKIM port so we have to edit make.conf to compile it to use Postfix port;

# vi /etc/make.conf

Add the following line into the bottom of the file;

WITH_POSTFIX=yes

Navigate to “opendkim” port directory and install the port with its default configuration options;

# cd /usr/ports/mail/opendkim/
# make install clean

Copy the sample configuration file as opendkim.conf before starting to edit it;

# cp /usr/local/etc/mail/opendkim.conf.sample /usr/local/etc/mail/opendkim.conf
# vi /usr/local/etc/mail/opendkim.conf

Uncomment the corresponding lines and edit their parameters as shown below. Notice that we changed the mode of operation to “s”, which means “sign only”, as we don’t want this system to verify incoming mail.

Domain                  yourdomain.com
KeyFile                 /var/db/dkim/dkim.key.pem
ReportAddress           "DKIM Error Postmaster" <postmaster@yourdomain.com>
Mode                    s
Selector                dkim
Socket                  inet:10026@localhost
UserID                  mailnull

Our next step is to create a directory in order to store our new key pair inside.

# mkdir -p /var/db/dkim
# cd /var/db/dkim/

Remember that dkim-milter had an integrated script to generate the public/private key pairs. Here we’ll do the same by using openssl command. Subsequently we’ll rename our private key to “dkim.key.pem” as we want “dkim” to be our selector name.

# openssl genrsa -out rsa.private 1024
# openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

Now we shall rename the default output after the selector, i.e. the subdomain label under which the public key will be published. For example, if we want to publish the public key under dkim._domainkey.yourdomain.com then we’ll name the private key dkim.key.pem.

_domainkey is the standard and integral part of the whole domain name, as the recipient side will query the public key in exactly that manner. But the SELECTOR part is completely up to you and may be whatever you like. The recipient side will find this selector value in the s= tag of your email’s DKIM-Signature: header field.

So we pick “dkim” as a selector for this implementation and rename the private key appropriately.

# mv rsa.private dkim.key.pem
# chmod 600 dkim.key.pem

Previously, within dkim-milter, there was a pre-generated DNS TXT record inside dkim.txt, produced by the integrated dkim-genkey tool. Here, we’ll assemble our own DNS TXT record from the rsa.public file. The base64 encoded part, that is everything between the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines, must be joined into a single line and used as the key string after p= in our TXT record. Watch out for line wraps and missing quotation marks. The result will look like this;

dkim._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQ......ndSUOxbGQhnVbYOD6X49Z9jEtmBJPn1IowIDAQAB"
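As an added example (not part of the original post), here is a small Python script that assembles the TXT record from rsa.public the way described above: it unwraps the base64 body, checks that it still decodes to DER, and splits values longer than 255 characters into several quoted strings, which a 2048-bit key needs. The PEM inputs it uses are constructed, not real keys.

```python
import base64


def pem_public_key_body(pem: str) -> str:
    """Extract the base64 between the BEGIN/END lines of a PEM public key
    and unwrap it onto one line, as required for the p= tag."""
    chunks, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside and line:
            chunks.append(line)
    if not chunks:
        raise ValueError("no PEM public key block found")
    b64 = "".join(chunks)
    # Round-trip check: a mangled wrap or stray character fails here, and
    # a DER SubjectPublicKeyInfo always starts with a SEQUENCE tag (0x30).
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER public key")
    return b64


def dkim_txt_record(pem: str, selector: str, max_string: int = 255) -> str:
    """Build the zone-file line for the selector. One TXT character string
    holds at most 255 bytes, so long keys (2048-bit) are split into several
    quoted strings, which the receiver concatenates back together."""
    value = "v=DKIM1; g=*; k=rsa; p=" + pem_public_key_body(pem)
    parts = [value[i:i + max_string] for i in range(0, len(value), max_string)]
    return f"{selector}._domainkey IN TXT " + " ".join(f'"{p}"' for p in parts)


def constructed_pem(der: bytes) -> str:
    """Constructed sample input shaped like 'openssl rsa -pubout' output
    (64-column base64 wrapping); the bytes are NOT a real key."""
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{wrapped}\n-----END PUBLIC KEY-----\n"


# 162 and 294 bytes: the DER sizes of 1024-bit and 2048-bit RSA public keys.
KEY_1024_LIKE = constructed_pem(b"\x30\x81\x9f" + bytes(range(159)))
KEY_2048_LIKE = constructed_pem(b"\x30\x82\x01\x22" + bytes(i % 256 for i in range(290)))

if __name__ == "__main__":
    print(dkim_txt_record(KEY_1024_LIKE, "dkim"))
    print(dkim_txt_record(KEY_2048_LIKE, "dkim"))
```

Run it against your real rsa.public by passing the file contents to dkim_txt_record instead of the constructed keys.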

After inserting your new TXT record into your DNS zone file and reloading the DNS server, you have to enable the SMTP-only milter in the Postfix configuration file so that the milter handles the emails that pass through the Postfix server;

# vi /usr/local/etc/postfix/main.cf
smtpd_milters = inet:localhost:10026

Add the daemon directive to your /etc/rc.conf file in order to set OpenDKIM start at system boot time;

# echo 'milteropendkim_enable="YES"' >> /etc/rc.conf

Start opendkim and reload Postfix;

# /usr/local/etc/rc.d/milter-opendkim start
# postfix reload

Check out your processes to see if opendkim was initiated correctly;

# ps aux | grep opendkim
mailnull 74995   0.0  0.0  25096   4216  ??  Is    6:01PM      0:00.00 /usr/local/sbin/opendkim -l -u mailnull -P /var/run/milterop

Any other issues can be tracked by tailing your /var/log/maillog.

Now that you’ve finished configuring it you can send a test e-mail to your favorite accounts. If there’s no problem with your setup, you’ll notice an additional “signed-by yourdomain.com” field (click show details) upon receiving the e-mail in your Gmail account. Also a successful DKIM implementation must reveal itself in the message sources;

Authentication-Results: mx.google.com; spf=pass (google.com: domain of test@ipsure.com designates 212.x.x.x as permitted sender) smtp.mail=test@ipsure.com; dkim=pass header.i=@ipsure.com

Authentication-Results: mta175.mail.ac4.yahoo.com from=ipsure.com; domainkeys=neutral (no sig); from=ipsure.com; dkim=pass (ok)

But if you face any faulty results in message sources such as;

@Yahoo:
domainkeys=neutral (no sig); from=ipsure.com; dkim=permerror (no key)
@Gmail:
dkim=neutral (bad format) header.i=@ipsure.com

then I can only suggest that you revise your DNS records and check them with an online tool such as http://dkimcore.org/tools/dkimrecordcheck.html in order to be sure that you’re not breaking something in DNS.

Basically, the DNS query below should return a healthy response like the following;

# nslookup -q=txt dkim._domainkey.ipsure.com

Non-authoritative answer:
dkim._domainkey.ipsure.com      text = "v=DKIM1\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQ......ndSUOxbGQhnVbYOD6X49Z9jEtmBJPn1IowIDAQAB"