2015-03-26 // Setting up DKIM signing with Postfix on Debian Wheezy
This is a log of my setup for OpenDKIM on Debian Wheezy. Some steps (like setting the proper access rights) might be omitted.
1. Install OpenDKIM
aptitude install opendkim opendkim-tools
On some distros, the contents of opendkim-tools are included in the first package.
2. Generate domain key
cd /etc/postfix
opendkim-genkey -s mail -d mplicka.cz
mv mail.private opendkim_mail.private
mv mail.txt opendkim_mail.txt
Publish the TXT record using the information in /etc/postfix/opendkim_mail.txt. For selector “mail”, the DNS record name will be:
mail._domainkey.mplicka.cz.
The complete DNS record (in the mail.txt file, renamed above to opendkim_mail.txt) will look like:
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=There_will_be_your_public_key_base64_encoded"
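Once the record is published, it is worth confirming that DNS serves the same public key that opendkim-genkey wrote to the file, since a copy error in the zone makes receivers fail verification on every signed message. The shell functions below are an added example, not part of the original setup log; the helper names and the sample key are constructed, and the real lookup in the comment assumes dig is installed.

```shell
#!/bin/sh
# Added example: helper names and the sample key below are constructed.

# Join the quoted strings of a TXT record (zone-file layout written by
# opendkim-genkey, or `dig +short TXT` output) into one value.
dkim_txt_value() {
    awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i } END { print "" }' |
        tr -d '\\'    # some tools escape the separators as "\;"
}

# Print the value of tag $1 (v, k, p, ...) from a joined record value $2.
dkim_tag() {
    printf '%s\n' "$2" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$1=//p" | tr -d '[:space:]'
}

# $1 = file from opendkim-genkey, $2 = TXT data as served by DNS.
# Prints "ok" and returns 0 only if both carry the same public key.
dkim_compare() {
    gen=$(dkim_txt_value < "$1")
    pub=$(printf '%s\n' "$2" | dkim_txt_value)
    [ "$(dkim_tag v "$pub")" = "DKIM1" ] ||
        { echo "published record lacks v=DKIM1"; return 1; }
    [ -n "$(dkim_tag p "$pub")" ] ||
        { echo "published record has empty p="; return 1; }
    [ "$(dkim_tag p "$gen")" = "$(dkim_tag p "$pub")" ] ||
        { echo "public key mismatch"; return 1; }
    echo "ok"
}

# Constructed sample in the multi-string layout opendkim-genkey produces.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
      "p=PLACEHOLDERKEYPART1" "PLACEHOLDERKEYPART2==" )  ; ----- DKIM key mail for mplicka.cz
EOF

# Real use: dkim_compare /etc/postfix/opendkim_mail.txt \
#               "$(dig +short TXT mail._domainkey.mplicka.cz)"
dkim_compare "$sample" '"v=DKIM1; k=rsa; " "p=PLACEHOLDERKEYPART1PLACEHOLDERKEYPART2=="'
```

The comparison ignores how the key is split into quoted strings, so a long key that DNS returns in several chunks still matches the generated file.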
3. Set up the opendkim daemon.
I used a unix socket for communication. On Debian, Postfix is chrooted, so create the socket inside the chroot.
Create the directory for the socket and allow postfix to access it:
mkdir /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim
adduser postfix opendkim # add postfix user to opendkim group (to gain access to the socket)
Modify /etc/default/opendkim:
SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
Modify /etc/opendkim.conf:
Syslog yes # Log to syslog
UMask 002 # Allow opendkim group members to access the socket
Domain mplicka.cz
KeyFile /etc/postfix/opendkim_mail.private
Selector mail
AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization relaxed/relaxed # canonicalize headers/body before signing
Mode s # sign mode only
SubDomains yes # allow signing emails from sub-domains
Restart the opendkim daemon and check the log.
4. Configure Postfix in /etc/postfix/main.cf
milter_default_action = accept
milter_protocol = 2
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = unix:opendkim/opendkim.sock
If the last two lines already exist (e.g. for Amavis), just append the new milter settings to the existing ones.
Restart postfix and enjoy.