Set Up DKIM On Postfix With dkim-milter (CentOS 5.2)
Author: Andrew Colin Kissa <andrew [at] topdog [dot] za [dot] net>
Last edited 01/04/2009
This howto has been superseded by http://www.topdog.za.net/postfix_dkim_milter
DKIM is an authentication framework which stores public keys in DNS and digitally signs emails on a domain basis. It was created by merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specifications. It is defined in RFC 4871.
We will be using the milter implementation of dkim http://dkim-milter.sf.net on CentOS 5.2.
I provide CentOS rpms for dkim-milter at http://www.topdog-software.com/oss/ so we will install the latest version.
- Install the rpm (32-bit and 64-bit Intel supported)
# wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
# rpm --import andrew_topdog-software.com_key.txt
# rpm -Uvh http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-0.$(uname -i).rpm
Generate the Keys
# sh /usr/share/doc/dkim-milter-2.8.2/dkim-genkey.sh -r -d <domain_name>
Replace <domain_name> with the domain name you will be signing the mail for. The command will create two files.
- default.txt - contains the public key you publish via DNS
- default.private - the private key you use for signing your email
Move the private key to the dkim-milter directory and secure it.
# mv default.private /etc/mail/dkim/default.key.pem
# chmod 600 /etc/mail/dkim/default.key.pem
# chown dkim-milt.dkim-milt /etc/mail/dkim/default.key.pem
You need to publish your public key via DNS; receiving servers use this key to verify your signed email. The contents of default.txt are the line you need to add to your zone file; a sample is below.
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com
Also add this to your zone file.
_ssp._domainkey IN TXT "t=y; dkim=unknown"
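Before the record goes into the zone (or after it, on what a resolver hands back) it is worth checking that the TXT value is a well-formed DKIM key record and that p= really decodes to an RSA public key of adequate size. The following is an added example written for this howto, not code from dkim-milter; it uses only the Python standard library and the sample zone line above as constructed input. Names such as validate_dkim_record and rsa_key_params are this example's own.

```python
import base64
import re

# Added example, not part of the original howto: sanity checks for the DKIM key
# record (RFC 6376 section 3.6.1) before it goes into the zone, or on what a
# resolver returns after publication.

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def txt_from_zone_line(line):
    """Join the quoted strings of a zone-file TXT line into one record.
    Values over 255 bytes (any 2048-bit key) must be split into several quoted
    strings; resolvers concatenate them, so this does the same. A trailing
    ';' comment outside the quotes is dropped."""
    parts = re.findall(r'"([^"]*)"', line)
    if not parts:
        raise ValueError("no quoted TXT string found")
    return "".join(parts)

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is dropped."""
    tags = {}
    for item in record.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item.strip())
        tags[name.strip()] = "".join(value.split())
    return tags

def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def rsa_key_params(spki):
    """(modulus bits, public exponent) from the DER SubjectPublicKeyInfo that p= carries."""
    tag, body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    _, algid, nxt = _der_tlv(body, 0)
    oid_tag, oid, _ = _der_tlv(algid, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("public key algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_tlv(body, nxt)
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("unexpected BIT STRING")
    _, rsapub, _ = _der_tlv(bitstr, 1)     # skip the unused-bits byte
    _, modulus, nxt = _der_tlv(rsapub, 0)
    _, exponent, _ = _der_tlv(rsapub, nxt)
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")

def validate_dkim_record(record):
    """Check one DKIM key record; returns {'ok', 'errors', 'warnings', 'bits'}."""
    errors, warnings, bits = [], [], None
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return {"ok": False, "errors": [str(exc)], "warnings": [], "bits": None}
    if "v" in tags:
        if tags["v"] != "DKIM1":
            errors.append("v= must be DKIM1")
        if not record.lstrip().startswith("v="):
            errors.append("v=, when present, must be the first tag")
    if tags.get("k", "rsa") != "rsa":
        errors.append("only k=rsa is handled here")
    if "p" not in tags:
        errors.append("p= tag missing")
    elif tags["p"] == "":
        errors.append("p= is empty, which publishes a revoked key")
    if not errors:
        try:
            bits, e = rsa_key_params(base64.b64decode(tags["p"], validate=True))
            if bits < 1024:
                errors.append("modulus is %d bits; RFC 8301 requires at least 1024" % bits)
            elif bits < 2048:
                warnings.append("modulus is %d bits; RFC 8301 recommends 2048" % bits)
            if e != 65537:
                warnings.append("unusual public exponent %d" % e)
        except (ValueError, IndexError) as exc:
            errors.append("p= does not decode to an RSA public key: %s" % exc)
    if "g" in tags:
        warnings.append("g= was removed in RFC 6376; current verifiers ignore it")
    return {"ok": not errors, "errors": errors, "warnings": warnings, "bits": bits}

# Constructed input: the sample zone line from this howto, verbatim.
SAMPLE_ZONE_LINE = (
    'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; '
    'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/'
    'zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZB'
    'etxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB" '
    '; ----- DKIM default for topdog-software.com'
)

if __name__ == "__main__":
    print(validate_dkim_record(txt_from_zone_line(SAMPLE_ZONE_LINE)))
```

Run it on the line in default.txt, or on the output of dig +short TXT default._domainkey.<domain_name> after publishing (dig prints the value as quoted strings, which txt_from_zone_line joins). On the sample above it reports a valid record and warns that the 1024-bit key is below the 2048 bits RFC 8301 recommends and that g= is no longer meaningful.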
- Create the file /etc/sysconfig/dkim-milter with the contents below, overwriting the existing sample file that was installed by the rpm. Make sure you set the SIGNING_DOMAIN variable to the domain or domains you will be signing mail for.
USER="dkim-milt"
PORT="inet:20209@localhost"
SIGNING_DOMAIN="<domain_name>"
SELECTOR_NAME="default"
KEYFILE="/etc/mail/dkim/default.key.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
SIGALG=rsa-sha1
REJECTION="bad=r,dns=t,int=t,no=a"
EXTRA_ARGS="-h -l -D"
You need to add the following options to the postfix main.cf file to enable it to use the milter.
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
Append the dkim-milter options to the existing milters if you have other milters already configured.
Start dkim-milter and restart postfix
# service dkim-milter start
# service postfix restart
Send an email to [email protected] or [email protected]; you will receive a response stating whether your setup is working correctly. If you have a Gmail account, you can send an email to that account and look at the message details (similar to the picture below); you should see signed-by "your domain" if your setup was done correctly.
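What a receiving verifier such as Gmail does first can be reproduced locally on a message captured from the outgoing queue: parse the DKIM-Signature header the milter added, derive the selector._domainkey.domain name it will query, and recompute the body hash (bh=) under the CANON=simple setting configured above. The following is an added example written for this howto, not dkim-milter code; the message, example.com and the b= value are constructed placeholders, and the bh= in it is the RFC 6376 value for an empty body under simple canonicalization. It deliberately does not verify the b= signature itself, since that needs the public key from DNS.

```python
import base64
import hashlib

# Added example, not part of the original howto: the first steps a receiving
# verifier takes on a message signed by the setup above. It parses the
# DKIM-Signature header, derives the TXT name to query, and recomputes the
# body hash (bh=) for CANON=simple with either SIGALG value. It does NOT check
# the b= signature, which needs the public key from DNS.

def get_header(head, name):
    """Return the unfolded value of the first header called `name` (case-insensitive)."""
    lines = head.split("\n")
    for i, line in enumerate(lines):
        if line.lower().startswith(name.lower() + ":"):
            value = line.partition(":")[2].strip()
            for cont in lines[i + 1:]:           # folded continuation lines start with WSP
                if cont[:1] not in (" ", "\t"):
                    break
                value += " " + cont.strip()
            return value
    raise ValueError("header %s not found" % name)

def parse_dkim_signature(value):
    """Split the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = "".join(val.split())   # folding whitespace inside values is ignored
    for required in ("v", "a", "b", "bh", "d", "s", "h"):
        if required not in tags:
            raise ValueError("DKIM-Signature lacks required tag %s=" % required)
    return tags

def key_record_name(tags):
    """<selector>._domainkey.<domain>: the TXT record a verifier fetches."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def canonicalize_body_simple(body):
    """RFC 6376 3.4.3 'simple' body canonicalization: CRLF line endings,
    trailing empty lines removed, and exactly one CRLF at the end."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body

def body_hash(body, algorithm):
    """Base64 bh= value for a=rsa-sha1 or a=rsa-sha256 over the simple-canonicalized body."""
    hash_name = {"rsa-sha1": "sha1", "rsa-sha256": "sha256"}[algorithm]
    digest = hashlib.new(hash_name, canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_outgoing(message):
    """Return the DNS name to look up and whether bh= matches the body actually sent."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    tags = parse_dkim_signature(get_header(head, "DKIM-Signature"))
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/")[1] if "/" in c else "simple"   # body part defaults to simple
    if body_canon != "simple":
        raise ValueError("only simple body canonicalization is implemented here")
    return {
        "lookup": key_record_name(tags),
        "algorithm": tags["a"],
        "bh_matches": body_hash(body, tags["a"]) == tags["bh"],
    }

# Constructed sample: an empty-body message as the milter above would sign it.
# example.com and the b= value are placeholders; bh= is the RFC 6376 value for
# an empty body under simple canonicalization.
SAMPLE_MESSAGE = (
    "From: postmaster@example.com\r\n"
    "To: someone@example.net\r\n"
    "Subject: dkim test\r\n"
    "DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=example.com; s=default;\r\n"
    "\th=from:to:subject; bh=uoq1oCgLlTqpdDX/iUbLy7J1Wic=;\r\n"
    "\tb=PLACEHOLDER_NOT_A_REAL_SIGNATURE\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(check_outgoing(SAMPLE_MESSAGE))
    print(check_outgoing(SAMPLE_MESSAGE + "body altered in transit\r\n"))
```

A bh= mismatch on a message you captured after signing usually means something between the milter and the wire rewrote the body (a second milter, a content filter, or a relay adding a footer), which is the most common reason a verifier reports a failure even though the DNS record is correct. The body_hash helper also handles rsa-sha256, which is what RFC 6376 recommends and what RFC 8301 now requires in place of the SIGALG=rsa-sha1 value used in this howto.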
Updated rpms are always provided at http://www.topdog-software.com/oss/dkim-milter/