Set Up Postfix DKIM With dkim-milter

Do you like HowtoForge? Please consider to support us by becoming a subscriber.
Submitted by topdog (Contact Author) (Forums) on Wed, 2008-01-30 17:18. :: Anti-Spam/Virus | CentOS | Postfix

Set Up Postfix DKIM With dkim-milter

This howto has been superseded by http://www.topdog.za.net/postfix_dkim_milter

Introduction

DKIM is an authentication framework which stores public-keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's domainkeys and Cisco's Identified Internet mail specification. It is defined in RFC 4871.

We will be using the milter implementation of dkim http://dkim-milter.sf.net on CentOS 5.1

 

Installation

Install the rpm, ignore dependencies as csh is a dependency but it does not affect dkim-milter; it's only required for some sample scripts that are shipped with the rpm.

rpm -Uvh http://www.c-corp.net/linux/centos/5/general/RPMS/i386/dkim-milter-2.2.1-1.i386.rpm --nodeps
mkdir /etc/dkim-milter
chown dkim-milt.dkim-milt /etc/dkim-milter
chmod 700 /etc/dkim-milter
chgrp postfix /var/run/dkim-milter
chmod 770 /var/run/dkim-milter

 

Generate The Keys

Download this script that you can use to easily generate the keys for signing the mail:

./dkim-genkey.sh -d <domainname>

Replace <domainname> with the domain name you will be signing mail for. This will create two files default.txt and default.private, default.txt is the line you need to add to your zone file - a sample is below: 

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB"
; ----- DKIM default for topdog-software.com

default.private contains your private key. Move this file into /etc/dkim-milter and rename it <domainname>_default.key.pem:

mv default.private /etc/dkim-milter/<domainname>_default.key.pem

Edit the file /etc/sysconfig/dkim-milter and set the variables:

USER="dkim-milt"
PORT=local:/var/run/dkim-milter/dkim.sock
SIGNING_DOMAIN="<domainname>"
SELECTOR_NAME="default"
KEYFILE="/etc/dkim-milter/${SIGNING_DOMAIN}_${SELECTOR_NAME}.key.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
SIGALG=rsa-sha1
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"

 

Init Script Fix

Install my modified init script as the one that is supplied with the rpm has a bug.

wget http://www.topdog-software.com/files/dkim-milter -O /etc/init.d/dkim-milter
chkconfig --level 345 dkim-milter on
service dkim-milter start

 

Configure Postfix

Add this to the postfix configuration file /etc/postfix/main.cf: 

smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
non_smtpd_milters = unix:/var/run/dkim-milter/dkim.sock

Append to the existing milters if you have other milters already configured.

Start dkim-milter and restart Postfix:

 service dkim-milter start

service postfix restart

 

Testing

Send a message to autorespond+dkim@dk.elandsys.com; the system will return a response to let you know if DKIM is working. Examine the headers of mails from domains like gmail to see if your system is checking the DKIM signatures of inbound mail.

DKIM mail in Gmail


Copyright © 2008 Andrew Colin Kissa
All Rights Reserved.
add comment | view as pdf view as pdf | Display a printer-friendly version of this page. print |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Good Intro to DKIM
Submitted by bazza (registered user) on Sun, 2009-06-07 21:25.
Thanks for this. It's a good intro to getting DKIM up and running but it lacks some functionality, particularly multiple domains / keys (keylist). For production use you'd be better of building from source (you'll need dev packages for sendmail and openssl) or just grab the Fedora 10 dkim-milter rpm and hack that its worth the effort.
reply | view as pdf view as pdf
Re: Good Intro to DKIM
Submitted by topdog (registered user) on Mon, 2009-06-08 11:42.
This howto is dated, if you want flexibility with multiple domains just grab my newer rpm's at http://www.topdog-software.com/oss/dkim-milter/
reply | view as pdf view as pdf
init script with mutiple domains
Submitted by Tanczos Andras (not registered) on Mon, 2008-12-29 23:17.

I've made some minor changes to your init script to work with multiple domains:

39a40
> PORTS=()
69a71
>   PORTS[${NUM}]="$LPORT"
97,98c99,100
<               if [[ ! -z $(echo $PORT |grep "local") && $RETVAL -eq 0  ]]; then
<                         TPORT=$(echo $PORT | sed -e "s/local://")
---
>               if [[ ! -z $(echo ${PORTS[$i]} |grep "local") && $RETVAL -eq 0  ]]; then
>                         TPORT=$(echo ${PORTS[$i]} | sed -e "s/local://")
reply | view as pdf view as pdf
Re: init script with mutiple domains
Submitted by rs87 (not registered) on Fri, 2009-01-16 14:57.

Hi Andras

I tried to setup this. But it seems that doesn´t work. What must I write in my /etc/sysconfig/dkim-milter to use it with multiple domains

SIGNING_DOMAIN="domain1.com, domain2.com "

Like this?

 

reply | view as pdf view as pdf
Re: Re: init script with mutiple domains
Submitted by topdog (registered user) on Tue, 2009-01-27 12:00.
Yes thats what you do for multiple domains, they need to use the same key though.
reply | view as pdf view as pdf
Missing Options on RPM line
Submitted by Acorp (not registered) on Sat, 2008-12-06 00:41.

Everybody probably already knows this, but the options are missing on the RPM line above in the "installation" section. It should be (at least for my CentOS 5.2 installation):

rpm -Uvh http://www.c-corp.net/linux/centos/5/general/RPMS/i386/dkim-milter-2.2.1-1.i386.rpm --nodeps

 instead of:

rpm http://www.c-corp.net/linux/centos/5/general/RPMS/i386/dkim-milter-2.2.1-1.i386.rpm --nodeps

- Paul Rupp, Acorp Computers [Brookings, South Dakota]

reply | view as pdf view as pdf
Re: Missing Options on RPM line
Submitted by Victor (not registered) on Fri, 2009-03-13 04:55.

Hi all,

I already followed the guidelines, everything seemed fine. However, when I sent an email to a yahoo email address, we could not pass the domain authorization check and find the signature as well.

In addition, we also found that there was no any domain signature header to be appended in an email when we sent it to yahoo.

Do any linux expert know the reason? this problem really annoys us and we are very frustrated now. Please help !!!

reply | view as pdf view as pdf