I spent a while trying to set up DKIM with Postfix on CentOS 5.2. I read the HOWTOs on HOWToForge written by Andrew Colin Kissa (aka TopDog) who subsequently helped me towards getting this setup working.
My setup is that I have a mail spooler and multiple mail senders. This is to say that the emails are created on spooler.domain.com and sent via sender1.domain.com and sender2.domain.com. I will walk through how to setup DKIM on the sender machines so that all mail spooled from the spooler still gets signed.
First start out by installing DKIM. At the time the HOWTO was published, I downloaded the RPM from Topdog.
1 2 3 4 5 6 | [root@sender1 dkim]# wget http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-0.$(uname -i).rpm ... [root@sender1 dkim]# rpm -Uvh dkim-milter-2.8.2-0.x86_64.rpm warning: dkim-milter-2.8.2-0.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 990dd808 Preparing... ########################################### [100%] 1:dkim-milter ########################################### [100%] |
Once you have installed DKIM you have to create the public and private keys. Do this using the dkim-genkey.sh shell script.
1 | [root@sender1 dkim]# sh /usr/share/doc/dkim-milter-2.8.2/dkim-genkey.sh -r -d yourdomain.com |
By running this script, 2 files will be generated; default.txt: the public key which gets published via DNS; default.private: private key used for signing the emails.
Move the private key to the dkim directory and secure it.
1 2 3 | [root@sender1 dkim]# mv default.private /etc/mail/dkim/default.key.pem [root@sender1 dkim]# chmod 600 /etc/mail/dkim/default.key.pem [root@sender1 dkim]# chown dkim-milt.dkim-milt /etc/mail/dkim/default.key.pem |
Now create the DNS entries. The p= section is the public key created using the dkim-genkey.sh script. Don’t forget to increment the SOA and reload DNS.
1 2 | _ssp._domainkey.yourdomain.com TXT t=y; o=- default._domainkey.yourdomain.com TXT v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GWETBNiQKBgQC5KT1eN2lqCRQGDX+20I4liM2mktrtjWkV6mW9WX7q46cZAYgNrus53vgfl2z1Y/95mBv6Bx9WOS56OAVBQw62+ksXPT5cRUAUN9GkENPdOoPdpvrU1KdAMW5c3zmGOvEOa4jAlB4/wYTV5RkLq/1XLxXfTKNy58v+CKETLQS/eQIDAQAB |
The reason for this peer_list file is so that the senders know that its ok for them to sign emails relayed via the spooler.
1 2 3 4 5 6 7 8 9 | [root@sender1 dkim]# cat /etc/mail/dkim/peer_list mail.yourdomain.com spooler.yourdomain.com sender2.yourdomain.com 1.2.4.7 1.2.4.5 localhost localhost.localdomain 127.0.0.1 |
Onto the configuring of the system. It should look something like the following. I chose to have the port be a local port, but it could be done via a network connection as well. Ensure you change the SIGNING_DOMAIN variable and be sure to note the EXTRA_ARGS variable and where PEER_LIST is used.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | [root@sender1 dkim]# cat /etc/sysconfig/dkim-milter # Default values USER="dkim-milt" PORT="local:/var/run/dkim-milter/dkim.sock" SIGNING_DOMAIN="yourdomain.com" SELECTOR_NAME="default" KEYFILE="/etc/mail/dkim/default.key.pem" SIGNER=yes VERIFIER=yes CANON=simple SIGALG=rsa-sha1 REJECTION="bad=r,dns=t,int=t,no=a" PEER_LIST="/etc/mail/dkim/peer_list" EXTRA_ARGS="-h -l -D -i ${PEER_LIST} -I ${PEER_LIST}" |
Let’s start up dkim. Since it is a daemon running separately from Postfix, running it and restarting it won’t affect mail (yet).
1 | [root@sender1 dkim]# /etc/init.d/dkim-filter start |
And it’s finally time for Postfix. You need to add 2 simple lines to your Postfix main.cf. These 2 lines should match the PORT variable in the dkim-milter.conf sysconfig file.
1 2 | smtpd_milters = local:/var/run/dkim-milter/dkim.sock non_smtpd_milters = local:/var/run/dkim-milter/dkim.sock |
Now you’re asking yourself, how do I test this? The easy answer is to use a Gmail account. When you receive an email, click on the show details link on the right hand side of the screen (to the left of the time). If you have performed this sequence correctly, you will see a line that says:
1 | signed-by yourdomain.com |
Another way to test the success of this is to view the source of the email. You should have some lines that look similar to this:
1 2 3 4 5 6 7 8 9 | X-DKIM: Sendmail DKIM Filter v2.8.2 sender1.yourdomain.com 75866730012 DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=yourdomain.com; s=default; t=1239981026; bh=+NNkD6jOlYKtY2AIGNRToH2tkm0=; h=Date:List-Help:List-Subscribe:List-Unsubscribe:List-Owner: List-Post:From:Reply-To:To:Subject:MIME-Version:Content-Type: Message-Id; b=MrjXBShjNexWy62fC4Uu7xS3Hxav+cHtqIBzwMlcufadsffLtW9KmF5sO58+yHjyy I3SiX0TNyEbvXtSHvRKm9z630zDiN0dxVXGqhgEfdklaj4jlkfhR6GrsRgzW2YOW6/9 sKFnz214AkhAPrFBD30hNmZfRfY75v5q94FnGDUo= |
Congratulations, you have a working DKIM installation.
