Set Up DKIM For Multiple Domains On Postfix With dkim-milter 2.8.x (CentOS 5.3)

Submitted by poustchi on Fri, 2009-09-04 17:34. :: CentOS | Postfix


Introduction

The DomainKeys Identified Mail (DKIM) Internet standard enables email senders to digitally sign their messages so that receivers can verify that those messages have not been forged. The DKIM sender authentication scheme allows the recipient of a message to confirm a message originated with the sender's domain and that the message content has not been altered. A cryptography-based solution, DKIM provides businesses an industry-standard method for mitigating email fraud and protecting an organization's brand and reputation at a relatively low implementation cost. The DKIM base specification is being spearheaded by Sendmail, Inc. in conjunction with Cisco and Yahoo!.

This tutorial is based on the Set Up DKIM On Postfix With dkim-milter (CentOS 5.2) tutorial and on my personal experience. I do not issue any guarantee that this will work for you!

 

Installation

Topdog Software provides CentOS rpms for dkim-milter at http://www.topdog-software.com/oss/dkim-milter, so we will install the latest version from there. At the time of writing this tutorial the latest version is dkim-milter-2.8.3-1.

Install the dkim-milter rpm (32-bit and 64-bit Intel builds are provided):

wget http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.3-1.i386.rpm
rpm -ivh dkim-milter-2.8.3-1.i386.rpm

 

Generate the Keys

/usr/bin/dkim-genkey -r -d mydomain1.com

Replace mydomain1.com with the domain name you will be signing mail for. The command creates two files:

default.txt - contains the public key you publish via DNS
default.private - the private key you use for signing your email

Rename the private key, move it into a per-domain directory under the dkim-milter keys directory, and restrict its permissions:

mv default.private default
mkdir /etc/mail/dkim/keys/mydomain1.com
mv default /etc/mail/dkim/keys/mydomain1.com
chmod 600 /etc/mail/dkim/keys/mydomain1.com/default
chown dkim-milt.dkim-milt /etc/mail/dkim/keys/mydomain1.com/default

Important Note: repeat these steps for every other domain, and give each domain its own separate folder as shown above. Otherwise you will receive the error message "dkim: FAILED, invalid (public key: not available)".

 

DNS Setup

You need to publish your public key via DNS; receiving mail servers use this key to verify your signed email. The content of default.txt is the line you need to add to your zone file. A sample is shown below:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB"
; ----- DKIM default for mydomain1.com

Also add this to your zone file.

_ssp._domainkey IN TXT "t=y; dkim=unknown"

 

Configuration

You need to check the /etc/dkim-filter.conf file.

vi /etc/dkim-filter.conf

It must look like this:

ADSPDiscard             yes
ADSPNoSuchDomain        yes
AllowSHA1Only           no
AlwaysAddARHeader       no
AutoRestart             yes
AutoRestartRate         10/1h
BaseDirectory           /var/run/dkim-milter
Canonicalization        simple/simple
Domain                  mydomain1.com	#add all your domains here, separated by commas
ExternalIgnoreList      /etc/mail/dkim/trusted-hosts
InternalHosts           /etc/mail/dkim/trusted-hosts
KeyList                 /etc/mail/dkim/keylist
LocalADSP               /etc/mail/dkim/local-adsp-rules
Mode                    sv
MTA                     MSA
On-Default              reject
On-BadSignature         reject
On-DNSError             tempfail
On-InternalError        accept
On-NoSignature          accept
On-Security             discard
PidFile                 /var/run/dkim-milter/dkim-milter.pid
QueryCache              yes
RemoveOldSignatures     yes
Selector                default
SignatureAlgorithm      rsa-sha1
Socket                  inet:20209@localhost
Syslog                  yes
SyslogSuccess           yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  dkim-milt:dkim-milt
X-Header                yes

Check the /etc/mail/dkim/keylist file.

vi /etc/mail/dkim/keylist

It must look like this:

*@mydomain1.com:mydomain1.com:/etc/mail/dkim/keys/mydomain1.com/default

Note: if you have other domains you must add them to this file as well, one line per domain.
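The script below is an added consistency check and is not part of the original tutorial: it cross-checks the Domain directive of dkim-filter.conf against the keylist, flags the shared-key-file mistake the Important Note in "Generate the Keys" warns about, and validates a default.txt TXT value before it goes into the zone. The config text, keylist and on-disk key paths are constructed samples.

```python
import base64

# Constructed samples (not the page's files): mydomain2.com is in Domain but has
# no keylist entry; mydomain3.com reuses mydomain1.com's key file (see Important Note).
CONF = """Domain   mydomain1.com,mydomain2.com,mydomain3.com	#comma separated
"""
KEYLIST = """*@mydomain1.com:mydomain1.com:/etc/mail/dkim/keys/mydomain1.com/default
*@mydomain3.com:mydomain3.com:/etc/mail/dkim/keys/mydomain1.com/default
"""
PRESENT = {"/etc/mail/dkim/keys/mydomain1.com/default"}  # key files assumed on disk

def conf_value(conf, key):
    """Value of a dkim-filter.conf directive, with any trailing # comment stripped."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            return parts[1].strip()
    return None

def parse_keylist(text):
    """keylist lines are sender-pattern:domain:keyfile; blank and # lines are skipped."""
    rows = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [tuple(r.split(":", 2)) for r in rows]

def check_keylist(conf, keylist, present):
    """List the mismatches that leave a domain without a usable signing key."""
    entries = parse_keylist(keylist)
    problems = [f"{d}: key file {k} does not exist" for _, d, k in entries if k not in present]
    for d in (x.strip() for x in conf_value(conf, "Domain").split(",")):
        if not any(e[1] == d for e in entries):
            problems.append(f"{d}: listed in Domain but has no keylist entry")
    by_file = {}
    for _, domain, keyfile in entries:
        by_file.setdefault(keyfile, []).append(domain)
    for keyfile, owners in by_file.items():
        if len(owners) > 1:
            problems.append(f"{keyfile}: shared by {', '.join(owners)}; use one key per domain")
    return problems

def check_txt_record(record):
    """True if a default.txt-style value has v=DKIM1, k=rsa and a base64 p= that decodes to DER."""
    tags = dict(item.split("=", 1) for item in record.strip().strip('"').split(";") if "=" in item)
    tags = {k.strip(): v.strip() for k, v in tags.items()}
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False
    try:  # a SubjectPublicKeyInfo in DER starts with the SEQUENCE tag 0x30
        return base64.b64decode(tags["p"], validate=True)[:1] == b"\x30"
    except (KeyError, ValueError):
        return False
```

Run check_keylist against your real /etc/dkim-filter.conf and /etc/mail/dkim/keylist (replacing PRESENT with an os.path.exists test) after each domain you add.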

 

Configure Postfix

Add the following options to the Postfix main.cf file so that Postfix uses the milter.

vi /etc/postfix/main.cf

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_protocol = 2
milter_default_action = accept

If you already have other milters configured, append the dkim-milter socket to the existing milter lists instead of replacing them.
Start dkim-milter and restart Postfix:

service dkim-milter start
service postfix restart

 

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com; you will receive a response stating whether your setup is working correctly.

 

Updates

Updated rpms are always provided at http://www.topdog-software.com/oss/dkim-milter.


Submitted by Leif Hetlesaether (not registered) on Tue, 2010-11-16 12:12.

Everything works as a charm. I used rpm from the EPEL repository. Only had to modify the init script to use a port instead of a socket and tweak dkim-filter.conf a little bit.
 

Also added _adsp._domainkey     IN    TXT    "dkim=all" to my zonefile. Take a look at http://en.wikipedia.org/wiki/Author_Domain_Signing_Practices for an explanation.

Thanks for a great guide.

Submitted by Anonymous (not registered) on Sat, 2013-10-05 14:16.
You shouldn't modify the init script.  Instead put custom changes in the /etc/sysconfig/dkim-milter file so they will persist even after an rpm update.
Submitted by Pankaj Garg (not registered) on Thu, 2010-02-18 08:46.

Hi,

I used this document to install and use dkim-milter with Zimbra 6 Collaboration Suite on CentOS 5.3. After implementing DKIM I am unable to receive incoming mails, whereas outgoing mails are going without any problem. Could anyone please tell me what may be the reason?

Regards,

Pankaj Garg

Submitted by Alipour (not registered) on Thu, 2010-07-08 23:07.
I have the same problem; has anyone solved it? I have used CentOS 5.5 x86_64 and Zimbra 6.0.7. When I remove milter_protocol = 2, DKIM does not work, but if I put it in the file no mail will be received.
Submitted by Sajjad Haider Abbasi (not registered) on Wed, 2009-11-18 11:42.

Hi there,

It's really a very good tutorial. The steps were very easy to follow. I have a couple of questions for you. When I send email I get the following error in my maillog:

nov 17 21:27:37 mail2 dkim-filter[11742]: 9CA3CDAC64: no signature data

And when I send email to autorespond+dkim@dk.elandsys.com I get the following result:

DKIM Signature validation: not available
DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.connect2b.net

Can you please help in this regard?

 

SHA

Submitted by Anonymous (not registered) on Mon, 2009-09-14 08:20.

Hello to everyone, I checked this tutorial, it is very good and useful. These days I'm working with PHP and JavaScript, therefore I just its technicians,

Submitted by Anonymous (not registered) on Tue, 2009-09-08 07:44.

Hi,

Is it possible to configure DKIM if I'm using SPF? My domain is hosted; I created a TXT record for SPF.

How can I combine them?

 

Best regards

Submitted by Anonymous (not registered) on Wed, 2009-09-09 04:36.
You can configure DKIM regardless of whether you're using SPF. They don't affect one another at all.
Submitted by Anonymous (not registered) on Thu, 2010-12-02 22:55.

I did it exactly the way I was asked to.

But I could not make it work. I am using Zimbra on Debian 5.

Does it work for that kind of OS? Please let me know.

I don't get any error, but I don't get a DomainKey or DKIM verified result.

I used this source to test my email. Is there any specific port the email should go from?

 

http://www.brandonchecketts.com/emailtest.php?email=FHwI9M7l2o%40www.brandonchecketts.com