When we set up DomainKeys Identified Mail (DKIM) with Postfix on FreeBSD, we used the dkim-milter plugin. However, dkim-milter is no longer maintained and has recently been removed from the ports tree. Consequently, we are moving to OpenDKIM, which is presented as the bug-fixed successor to dkim-milter. The installation and configuration are not very different from dkim-milter at bottom, but we wanted to give the whole process step by step here. Let's get to work by first updating our ports tree if it's stale.
# portsnap fetch
# portsnap update
We'll use the OpenDKIM port, so we have to edit make.conf so that it is built against the Postfix port rather than Sendmail;
# vi /etc/make.conf
Add the following line to the bottom of the file;
Change to the "opendkim" port directory and install the port with its default configuration options;
# cd /usr/ports/mail/opendkim/
# make install clean
Copy the sample configuration file to opendkim.conf before editing it;
# cp /usr/local/etc/mail/opendkim.conf.sample /usr/local/etc/mail/opendkim.conf
# vi /usr/local/etc/mail/opendkim.conf
Uncomment the corresponding lines and edit their parameters as shown below. Notice that we set the mode of operation to "s", which means "sign only": the milter will sign outgoing mail but will not verify signatures on incoming mail (use "sv" if you want both).
Domain yourdomain.com
KeyFile /var/db/dkim/dkim.key.pem
ReportAddress "DKIM Error Postmaster" <firstname.lastname@example.org>
Mode s
Selector dkim
Socket inet:10026@localhost
UserID mailnull
Our next step is to create a directory in which to store our new key pair.
# mkdir -p /var/db/dkim
# cd /var/db/dkim/
Remember that dkim-milter had an integrated script to generate the public/private key pair. OpenDKIM ships an equivalent tool, opendkim-genkey, but here we'll do the same by hand with the openssl command. Afterwards we'll rename the private key to "dkim.key.pem", because we want "dkim" to be our selector name.
# openssl genrsa -out rsa.private 1024
# openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
Note that 1024 bits is the smallest key size DKIM verifiers are required to accept; 2048 bits is the recommended size today, and you can simply pass 2048 to genrsa instead.
Now we rename the output to match the selector under which the public key will be published. For example, if we want to publish the public key at dkim._domainkey.yourdomain.com, we name the private key dkim.key.pem.
_domainkey is a fixed, standard part of the DNS name, because the recipient side always queries for the public key at <selector>._domainkey.<your domain>. The SELECTOR part is completely up to you and may be whatever you like; the recipient side reads this selector value from the s= tag of your email's DKIM-Signature: header field.
So we pick "dkim" as the selector for this implementation and rename the private key accordingly.
# mv rsa.private dkim.key.pem
# chmod 600 dkim.key.pem
The private key is the secret that lets anyone sign as your domain, so keep it unreadable to other users. If opendkim later logs that it cannot read the key, the file has to be owned by (or otherwise readable to) the mailnull account it runs as.
Previously, with dkim-milter, the integrated dkim-genkey tool produced a ready-made DNS TXT record in dkim.txt. Here we'll assemble our own DNS TXT record from the rsa.public file. The base64 part, that is everything between the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines, must be used as the key string after p= in our TXT record, with the line breaks removed. Watch out for text wrapping and missing quotation marks. The result will look like this;
dkim._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQ......ndSUOxbGQhnVbYOD6X49Z9jEtmBJPn1IowIDAQAB"
(The g= tag comes from the original DKIM specification, RFC 4871; it was dropped in RFC 6376 and is ignored by current verifiers, so it is harmless but no longer needed.)
After inserting your new TXT record into your DNS zone file and reloading the DNS server, you have to enable the milter for the SMTP server in the Postfix configuration file, so that mail arriving over SMTP is passed to OpenDKIM. Note that smtpd_milters only covers SMTP sessions; mail submitted locally through the sendmail(1) command is handled by the separate non_smtpd_milters parameter, so set that one as well if such mail should be signed;
# vi /usr/local/etc/postfix/main.cf
smtpd_milters = inet:localhost:10026
Add the enable knob to your /etc/rc.conf file so that OpenDKIM starts at system boot time;
# echo 'milteropendkim_enable="YES"' >> /etc/rc.conf
Start opendkim and reload Postfix;
# /usr/local/etc/rc.d/milter-opendkim start
# postfix reload
Check your process list to see whether opendkim started correctly;
# ps aux | grep opendkim
mailnull 74995 0.0 0.0 25096 4216 ?? Is 6:01PM 0:00.00 /usr/local/sbin/opendkim -l -u mailnull -P /var/run/milterop
Any other problems can be tracked down by tailing /var/log/maillog.
Now that you've finished configuring it, send a test e-mail to your favourite accounts. If there's no problem with your setup, you'll notice an additional "signed-by yourdomain.com" field (click "show details") when the e-mail arrives in your Gmail account. A successful DKIM implementation must also show up in the message source;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of email@example.com designates 212.x.x.x as permitted sender) firstname.lastname@example.org; dkim=pass email@example.com
Authentication-Results: mta175.mail.ac4.yahoo.com from=ipsure.com; domainkeys=neutral (no sig); from=ipsure.com; dkim=pass (ok)
But if you see faulty results in the message source, such as;
domainkeys=neutral (no sig); from=ipsure.com; dkim=permerror (no key)
dkim=neutral (bad format) firstname.lastname@example.org
then revise your DNS record and check it with an online tool such as http://dkimcore.org/tools/dkimrecordcheck.html to make sure the published record is not broken.
Basically, the DNS query below should return a healthy answer like the following;
# nslookup -q=txt dkim._domainkey.ipsure.com
Non-authoritative answer:
dkim._domainkey.ipsure.com text = "v=DKIM1\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQ......ndSUOxbGQhnVbYOD6X49Z9jEtmBJPn1IowIDAQAB"
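Putting the key-generation and TXT-record assembly steps above together with this final DNS check, here is an added example written for this page; it is not from the original post and not part of OpenDKIM. It is a POSIX shell script that derives the p= string from a PEM public key such as rsa.public, splits the record into quoted strings of at most 255 characters (a single TXT character-string cannot hold more, which matters once you move to 2048-bit keys), and compares what a resolver returns for dkim._domainkey with the local key. The selector "dkim", the file names and the sample PEM body are assumptions; the sample key body is constructed filler, not a real key.

```shell
#!/bin/sh
# Added example (not part of the original post or of OpenDKIM): build and
# check the DKIM TXT record for a selector from an OpenSSL public key.
# Assumptions: selector "dkim" and a PEM public key produced by
# "openssl rsa -pubout" as shown on the page.

# Generate the key pair the way the page does, but default to 2048 bits
# (1024 is only the minimum size verifiers must accept). Needs openssl.
generate_key() {
  bits="${2:-2048}"
  openssl genrsa -out "$1.key.pem" "$bits" 2>/dev/null &&
  openssl rsa -in "$1.key.pem" -pubout -outform PEM -out "$1.pub.pem" 2>/dev/null &&
  chmod 600 "$1.key.pem"
}

# Strip the PEM armour and join the base64 body into one line.
pem_to_b64() {
  sed -e '/^-----BEGIN PUBLIC KEY-----$/d' \
      -e '/^-----END PUBLIC KEY-----$/d' "$1" | tr -d '\r\n '
}

# Split a string into quoted chunks of at most 255 characters. One
# character-string in a TXT RR holds at most 255 octets; resolvers and
# DKIM verifiers concatenate the chunks in order.
quote_chunks() {
  rest="$1"; out=""
  while [ -n "$rest" ]; do
    chunk=$(printf '%s' "$rest" | cut -c1-255)
    rest=$(printf '%s' "$rest" | cut -c256-)
    out="$out \"$chunk\""
  done
  printf '%s' "${out# }"
}

# Print the zone-file line for SELECTOR._domainkey from a PEM public key.
build_dkim_txt() {
  record="v=DKIM1; k=rsa; p=$(pem_to_b64 "$2")"
  printf '%s._domainkey IN TXT %s\n' "$1" "$(quote_chunks "$record")"
}

# Extract the p= value from what a resolver prints for the record (one
# or more quoted strings) so it can be compared with the local key.
published_p() {
  printf '%s' "$1" | tr -d '" ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1
}

# Return 0 when the published p= string equals the local public key.
published_matches() {
  [ "$(published_p "$2")" = "$(pem_to_b64 "$1")" ]
}

# Constructed sample public key for offline use: the armour lines are the
# real PEM format, the base64 body is filler and not a usable key.
write_sample_pem() {
  printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
    'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ' 'AAAA' \
    '-----END PUBLIC KEY-----' > "$1"
}
```

Run `build_dkim_txt dkim rsa.public` to print the zone-file line for the record, and after the zone has been reloaded pass the resolver's answer (for example the output of `dig +short TXT dkim._domainkey.yourdomain.com`, or the text part of the nslookup answer above) to `published_matches rsa.public "..."`; a non-zero exit means the key that is published is not the one opendkim signs with, which is exactly the situation behind a "no key" or "bad format" result.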