Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM - Page 2

Submitted by mafe72 on Wed, 2012-11-14 19:06.

9 Edit your Postfix configuration

Add the following lines at the end of your Postfix main.cf file, which will make Postfix aware of OpenDKIM and allow it to sign and verify mail:

vi /etc/postfix/main.cf

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

 

10 Start OpenDKIM and restart Postfix

Assuming you're using bash, do:

hash -r

to rehash your shell so you can find the init script.

Now let's stop sendmail from starting on CentOS:

chkconfig --del sendmail

Start OpenDKIM:

service opendkim start

You should get a message that says:

Starting OpenDKIM Milter: [ OK ]

However, if you get an error message such as:

Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 5: unrecognized parameter

You probably just mistyped something in one of the config files. Go to the line number of the file listed, and check your work against the example(s) in this HowTo. Then try starting up OpenDKIM again.

Once it starts, restart Postfix with:

/etc/init.d/postfix restart

If everything looks good, let's run chkconfig on OpenDKIM to make sure it starts when you boot your server:

chkconfig --level 2345 opendkim on

If you get some errors, try some of these startup troubleshooting tips before moving on.

 

11 Startup troubleshooting tips

Tip 1: The best place to start troubleshooting any mail issues (including OpenDKIM) is to check your maillog file:

tail -f /var/log/maillog

while you're starting, stopping, and/or restarting OpenDKIM and Postfix. This allows you to see more details about any errors in your configuration.

Tip 2: To get the most verbose information from OpenDKIM, make sure the LogWhy option in your /etc/opendkim.conf file is uncommented and set to Yes. If your outgoing mail isn't getting signed and you want to know why, this should tell you.

 

12 Adding DNS Records

Now that your mail server is signing outgoing mail and verifying incoming mail, you'll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed.

cat /etc/opendkim/keys/example.com/default.txt

The output should look something like this:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=7k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp4" ; ----- DKIM default for example.com

Now create a DNS record for your domain: paste the entire contents of the /etc/opendkim/keys/example.com/default.txt file at the bottom of your domain's zone file. Where your DNS provider gives you a form instead, the TXT Name would be default._domainkey and the TXT Value would be everything inside the quotes (starting with v=). You can ignore the semicolon and the comment at the end.

Make sure you follow the instructions of your DNS provider for adding a new TXT Record to your domain.
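As an added example (not part of the original guide), the Python script below checks a default.txt line like the one above before you publish it: it joins the quoted TXT strings, splits the tag=value list, verifies that v=DKIM1 and a non-empty, base64-decodable p= are present, and returns the Name and Value to enter at your DNS provider; it also accepts the multi-string ( "..." "..." ) form that newer opendkim-genkey versions emit for long keys. The sample record and its p= value are constructed placeholders, not a real key.

```python
import base64
import re

# Constructed sample in the shape of opendkim-genkey's default.txt. The p=
# value is a tiny placeholder DER SEQUENCE ("MAYCAQMCAQU="), not a real RSA key.
SAMPLE_DEFAULT_TXT = (
    'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MAYCAQMCAQU=" ; '
    '----- DKIM default for example.com'
)

def txt_strings(zone_line):
    """Join every quoted string of a zone-file TXT record into one value.
    Handles the single-string form above and the ( "..." "..." ) multi-string
    form newer opendkim-genkey versions emit; the ; comment outside is dropped."""
    parts = re.findall(r'"([^"]*)"', zone_line)
    if not parts:
        raise ValueError("no quoted TXT data found")
    return "".join(parts)

def parse_tags(record):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for item in record.split(";"):
        if not item.strip():
            continue                       # tolerate a trailing ';'
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item.strip())
        name, value = (s.strip() for s in item.split("=", 1))
        if name in tags:
            raise ValueError("duplicate tag: " + name)
        tags[name] = value
    return tags

def check_dkim_record(zone_line):
    """Validate the record; return the Name/Value pair a DNS form asks for."""
    try:
        record = txt_strings(zone_line)
        tags = parse_tags(record)
        if tags.get("v") != "DKIM1":
            raise ValueError("v= must be DKIM1")
        if "p" not in tags:
            raise ValueError("missing p= tag")
        if tags["p"] == "":                # RFC 6376: an empty p= revokes the key
            raise ValueError("p= is empty: this record revokes the key")
        der = base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
        if not der or der[0] != 0x30:      # SubjectPublicKeyInfo is a DER SEQUENCE
            raise ValueError("p= does not decode to a DER SEQUENCE")
    except ValueError as exc:              # binascii.Error is a ValueError subclass
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "name": zone_line.split()[0], "value": record}
```

Run it against your own default.txt content instead of the sample; a result with "ok": False tells you what to fix before the record goes into DNS.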

Now might be a good time to ensure that you already have a valid SPF Record in place. Having both DKIM and SPF in place will increase your chances of having your outgoing mail successfully delivered.

 

13 Testing your setup

The best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file.

tail -f /var/log/maillog

When OpenDKIM starts (or restarts), you should see lines like:

opendkim[4397]: OpenDKIM Filter: mi_stop=1
opendkim[4397]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0
opendkim[27444]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf)

When you send a mail that gets successfully signed, you should see:

opendkim[22254]: 53D0314803B: DKIM-Signature header added

The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free testing services:

- Send a signed email to: autorespond+dkim@dk.elandsys.com
- Send a signed email to: check-auth@verifier.port25.com

Each of these services will return an email telling you if things are working properly, and give you some pointers on troubleshooting if needed.

 

14 Upgrading OpenDKIM

If you would like to upgrade to a newer version of OpenDKIM, simply download the updated version and follow the guide to compile and install OpenDKIM with these steps:

tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install

This will upgrade your OpenDKIM and keep your existing configuration intact. Remember to restart OpenDKIM after your upgrade with:

/etc/init.d/opendkim restart

Then verify that the newer version started up with no problems:

tail -f /var/log/maillog

 

15 Links

DKIM.org -- The official site for DomainKeys Identified Mail.
OpenDKIM.org -- OpenDKIM Project Site.
OpenSPF.org -- A very good spam-fighting technique that you should be using if you're sending email.


Submitted by Anonymous (not registered) on Wed, 2014-02-12 08:46.
127.0.0.1
hostname1.example1.com
example1.com
hostname1.example2.com
example2.com

That should point as below to be clear about the example:

127.0.0.1
hostname.example.com
example.com

Submitted by Mohsen (not registered) on Sat, 2013-05-04 03:55.

Add these lines to your tutorial:

mkdir -p /var/run/opendkim
chown -R opendkim:opendkim /var/run/opendkim

Submitted by MostHostLA (registered user) on Wed, 2014-01-15 22:06.
Really wish he had. Would have saved me reading over the log and figuring out what was amiss, along with 2 server restarts....
Submitted by Anonymous (not registered) on Sat, 2014-01-04 11:05.
Another fine tuning is to turn LogWhy to No in the /etc/opendkim.conf to avoid triggering syslog ratelimit in production servers... (see http://www.opendkim.org/opendkim.conf.5.html)