Set Up DKIM For Multiple Domains On Postfix With dkim-milter 2.8.x (CentOS 5.3)

Want to support HowtoForge? Become a subscriber!

Submitted by poustchi (Contact Author) (Forums) on Fri, 2009-09-04 17:34. :: CentOS | Postfix

Set Up DKIM For Multiple Domains On Postfix With dkim-milter 2.8.x (CentOS 5.3)

Introduction

The DomainKeys Identified Mail (DKIM) Internet standard enables email senders to digitally sign their messages so that receivers can verify that those messages have not been forged. The DKIM sender authentication scheme allows the recipient of a message to confirm a message originated with the sender's domain and that the message content has not been altered. A cryptography-based solution, DKIM provides businesses an industry-standard method for mitigating email fraud and protecting an organization's brand and reputation at a relatively low implementation cost. The DKIM base specification is being spearheaded by Sendmail, Inc. in conjunction with Cisco and Yahoo!.

This tutorial is based on Set Up DKIM On Postfix With dkim-milter (CentOS 5.2) tutorial and my personal experience.I do not issue any guarantee that this will work for you!

Installation

Topdog software provides Centos rpms for Dkim-milter at http://www.topdog-software.com/oss/dkim-milter so we will install the latest version. At the time of writing this tutorial the latest version is dkim-milter-2.8.3-1

Install the dkim-milter rpm, (32bit and 64bit intel supported)

wget http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.3-1.i386.rpm
rpm -ivh dkim-milter-2.8.3-1.i386.rpm

Generate the Keys

/usr/bin/dkim-genkey -r -d mydomain1.com

Replace mydomain1.com with the domain name you will be signing the mail for. The command will create two files.

default.txt - contains the public key you publish via DNS
default.private - the private key you use for signing your email

Rename and move the private key to the dkim-milter keys directory and secure it.

mv default.private default
mkdir /etc/mail/dkim/keys/mydomain1.com
mv default /etc/mail/dkim/keys/mydomain1.com
chmod 600 /etc/mail/dkim/keys/mydomain1.com/default
chown dkim-milt.dkim-milt /etc/mail/dkim/keys/mydomain1.com/default

Important Note: repeat these steps for other domains and for each domain use seperate folder as you can see above otherwise you will receive "dkim: FAILED, invalid (public key: not available)" error message

DNS Setup

You need to publish your public key via DNS, client servers use this key to verify your signed email. The contents of default.txt is the line you need to add to your zone file a sample, is below

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB"
; ----- DKIM default for mydomain1.com

Also add this to your zone file.

_ssp._domainkey IN TXT "t=y; dkim=unknown"

Configuration

You need to check /etc/dkim-filter.conf file.

vi /etc/dkim-filter.conf

It must look like this:

ADSPDiscard             yes
ADSPNoSuchDomain        yes
AllowSHA1Only           no
AlwaysAddARHeader       no
AutoRestart             yes
AutoRestartRate         10/1h
BaseDirectory           /var/run/dkim-milter
Canonicalization        simple/simple
Domain                  mydomain1.com	#add all your domains here and seperate them with comma
ExternalIgnoreList      /etc/mail/dkim/trusted-hosts
InternalHosts           /etc/mail/dkim/trusted-hosts
KeyList                 /etc/mail/dkim/keylist
LocalADSP               /etc/mail/dkim/local-adsp-rules
Mode                    sv
MTA                     MSA
On-Default              reject
On-BadSignature         reject
On-DNSError             tempfail
On-InternalError        accept
On-NoSignature          accept
On-Security             discard
PidFile                 /var/run/dkim-milter/dkim-milter.pid
QueryCache              yes
RemoveOldSignatures     yes
Selector                default
SignatureAlgorithm      rsa-sha1
Socket                  inet:20209@localhost
Syslog                  yes
SyslogSuccess           yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  dkim-milt:dkim-milt
X-Header                yes

Check /etc/mail/dkim/keylist file.

vi /etc/mail/dkim/keylist

It must look like this:

*@mydomain1.com:mydomain1.com:/etc/mail/dkim/keys/mydomain1.com/default

Note: if you have other domains you must add them in this file.Each line for one domain

Configure Postfix

You need to add the following options to the postfix main.cf file to enable it to use the milter.

vi /etc/postfix/main.cf

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_protocol = 2
milter_default_action = accept

Append the dkim-milter options to the existing milters if you have other milters already configured.
Start dkim-milter and restart postfix:

service dkim-milter start
service postfix restart

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com, you will receive a response stating if your setup is working correctly.

Updates

Updated rpms are always provided at http://www.topdog-software.com/oss/dkim-milter

add comment |

view as pdf |

Related Tutorials

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.

Great guide

Submitted by Leif Hetlesaether (not registered) on Tue, 2010-11-16 12:12.

Everything works as a charm. I used rpm from the EPEL repository. Only had to modify the init script to use a port instead of a socket and tweak dkim-filter.conf a little bit.

Also added _adsp._domainkey IN TXT "dkim=all" to my zonefile. Take a look at <url>http://en.wikipedia.org/wiki/Author_Domain_Signing_Practices</url> for an explanation.

Thanks for a great guide.

reply |

view as pdf

DKIM-Milter witn Zimbra 6 on CentOS 5.3

Submitted by Pankaj Garg (not registered) on Thu, 2010-02-18 08:46.

Hi,

I used this document to install and use dkim-milter with zimbra 6 collaboration suite on CentOS 5.3. After implementing DKIM I am unable to receive incoming mails whereas outgoing mails are going without any problem. Could anyone please tell me what may be the reason.

Regards,

Pankaj Garg

reply |

view as pdf

Re: DKIM-Milter witn Zimbra 6 on CentOS 5.3

Submitted by Alipour (not registered) on Thu, 2010-07-08 23:07.

I have same problem, do anyone solve this problem. i have used Centos 5.5X86_64 and zimbra 6.0.7. when i remove milter_protocol = 2 DKIM does not work. but also if i put them to the file No mail will be recieved.

reply |

view as pdf

Hi there,It's really a very

Submitted by Sajjad Haider Abbasi (not registered) on Wed, 2009-11-18 11:42.

Hi there,

It's really a very good tutorial. Steps were very easy to follow. I have couple questions for you. When I send email I get the following error in my maillog:

nov 17 21:27:37 mail2 dkim-filter[11742]: 9CA3CDAC64: no signature data

And when I send email to autorespond+dkim@dk.elandsys.com and I get the following result:

DKIM Signature validation: not available
DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.connect2b.net

Please can you help in this regard.

SHA

reply |

view as pdf

hello to every one i check

Submitted by Anonymous (not registered) on Mon, 2009-09-14 08:20.

hello to every one i check this tutorial it is very good and use full , these days i m working with php and j scripting , there fore i just its technicians ,

reply |

view as pdf

Hi, Is possible to

Submitted by Anonymous (not registered) on Tue, 2009-09-08 07:44.

Hi,

Is possible to configure DKIM if I´m using SPF? My domain is hosted I created a txt record for SPF.

How can I combine them?

Best regards

reply |

view as pdf

Re: Hi, Is possible to

Submitted by Anonymous (not registered) on Wed, 2009-09-09 04:36.