2015-03-26 // Setting up DKIM signing with Postfix on Debian Wheezy

This is a log of my setup for OpenDKIM on Debian Wheezy. Some steps (like setting the proper access rights) might be omitted.

1. Install OpenDKIM 

aptitude install opendkim opendkim-tools

On some distros, content of openkim-tools is included in the first package.

2. Generate domain key 

cd /etc/postfix
opendkim-genkey -s mail -d mplicka.cz
mv mail.private opendkim_mail.private
mv mail.txt opendkim_mail.txt

Publish the TXT record. Use the information in /etc/postfix/opendkim_mail.txt For selector “mail”, the DNS record path will be: 

mail._domainkey.mplicka.cz.

Complete DNS record (in the mail.txt file) will look like: 

mail._domainkey IN TXT "v=DKIM1; k=rsa; p=There_will_be_your_public_key_base64_encoded"

3. Set up the opendkim daemon.

I used a unix socket for communication. On Debian, Postfix is chrooted, so create the socket inside the chroot.

Create the directory for the socket and allow postfix to access it: 

mkdir /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim
adduser postfix opendkim #add postfix user to opendkim group (to gain access to the socket)

Modify /etc/default/opendkim: 

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Modify /etc/opendkim.conf: 

Syslog                  yes      # Log to syslog
UMask                   002      # Allow opendkim group members to access the socket
Domain                  mplicka.cz
KeyFile                 /etc/postfix/opendkim_mail.private      
Selector                mail
AutoRestart             Yes
AutoRestartRate         10/1h
Canonicalization        relaxed/relaxed  #canonize headers before signing
Mode                    s                #sign mode only
SubDomains              yes              #allow to sign emails from sub-domains

Restart the opendkim daemon and check the log

4. Set the postfix - /etc/postfix/main.cf 

milter_default_action = accept
milter_protocol = 2
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = unix:opendkim/opendkim.sock

If two last lines already exist (e.g for Amavis), just append the new milter settings to the existing ones

Restart postfix and enjoy.

Published on 2015-03-26 at 21:34 | Tags:

Leave a comment…



B L T J W
  • E-Mail address will not be published.
  • Formatting:
    //italic//  __underlined__
    **bold**  ''preformatted''
  • Links:
    [[http://example.com]]
    [[http://example.com|Link Text]]
  • Quotation:
    > This is a quote. Don't forget the space in front of the text: "> "
  • Code:
    <code>This is unspecific source code</code>
    <code [lang]>This is specifc [lang] code</code>
    <code php><?php echo 'example'; ?></code>
    Available: html, css, javascript, bash, cpp, …
  • Lists:
    Indent your text by two spaces and use a * for
    each unordered list item or a - for ordered ones.
About me
SW developer, amateur tennis player, rock'n'roll & heavy metal fan.