Set Up DKIM For Multiple Domains On Postfix With dkim-milter 2.8.x (CentOS 5.3)
The DomainKeys Identified Mail (DKIM) Internet standard enables email senders to digitally sign their messages so that receivers can verify that those messages have not been forged. The DKIM sender authentication scheme allows the recipient of a message to confirm a message originated with the sender's domain and that the message content has not been altered. A cryptography-based solution, DKIM provides businesses an industry-standard method for mitigating email fraud and protecting an organization's brand and reputation at a relatively low implementation cost. The DKIM base specification is being spearheaded by Sendmail, Inc. in conjunction with Cisco and Yahoo!.
This tutorial is based on Set Up DKIM On Postfix With dkim-milter (CentOS 5.2) tutorial and my personal experience.I do not issue any guarantee that this will work for you!
Topdog software provides Centos rpms for Dkim-milter at http://www.topdog-software.com/oss/dkim-milter so we will install the latest version. At the time of writing this tutorial the latest version is dkim-milter-2.8.3-1
Install the dkim-milter rpm, (32bit and 64bit intel supported)
rpm -ivh dkim-milter-2.8.3-1.i386.rpm
Generate the Keys
/usr/bin/dkim-genkey -r -d mydomain1.com
Replace mydomain1.com with the domain name you will be signing the mail for. The command will create two files.
default.txt - contains the public key you publish via DNS
default.private - the private key you use for signing your email
Rename and move the private key to the dkim-milter keys directory and secure it.
mv default.private default
mv default /etc/mail/dkim/keys/mydomain1.com
chmod 600 /etc/mail/dkim/keys/mydomain1.com/default
chown dkim-milt.dkim-milt /etc/mail/dkim/keys/mydomain1.com/default
Important Note: repeat these steps for other domains and for each domain use seperate folder as you can see above otherwise you will receive "dkim: FAILED, invalid (public key: not available)" error message
You need to publish your public key via DNS, client servers use this key to verify your signed email. The contents of default.txt is the line you need to add to your zone file a sample, is below
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for mydomain1.com
Also add this to your zone file.
_ssp._domainkey IN TXT "t=y; dkim=unknown"
You need to check /etc/dkim-filter.conf file.
It must look like this:
ADSPDiscard yes ADSPNoSuchDomain yes AllowSHA1Only no AlwaysAddARHeader no AutoRestart yes AutoRestartRate 10/1h BaseDirectory /var/run/dkim-milter Canonicalization simple/simple Domain mydomain1.com #add all your domains here and seperate them with comma ExternalIgnoreList /etc/mail/dkim/trusted-hosts InternalHosts /etc/mail/dkim/trusted-hosts KeyList /etc/mail/dkim/keylist LocalADSP /etc/mail/dkim/local-adsp-rules Mode sv MTA MSA On-Default reject On-BadSignature reject On-DNSError tempfail On-InternalError accept On-NoSignature accept On-Security discard PidFile /var/run/dkim-milter/dkim-milter.pid QueryCache yes RemoveOldSignatures yes Selector default SignatureAlgorithm rsa-sha1 Socket inet:[email protected] Syslog yes SyslogSuccess yes TemporaryDirectory /var/tmp UMask 022 UserID dkim-milt:dkim-milt X-Header yes
Check /etc/mail/dkim/keylist file.
It must look like this:
Note: if you have other domains you must add them in this file.Each line for one domain
You need to add the following options to the postfix main.cf file to enable it to use the milter.
smtpd_milters = inet:localhost:20209 non_smtpd_milters = inet:localhost:20209 milter_protocol = 2 milter_default_action = accept
Append the dkim-milter options to the existing milters if you have other milters already configured.
Start dkim-milter and restart postfix:
service dkim-milter start
service postfix restart
Send an email to [email protected] or [email protected], you will receive a response stating if your setup is working correctly.
Updated rpms are always provided at http://www.topdog-software.com/oss/dkim-milter