OpenDKIM+Postfix on Debian

Original link:
Article By Chris Pentago

Goal of this how-to: a step-by-step guide to setting up OpenDKIM with Postfix on Debian GNU/Linux so that your VPS sends signed email.

There are several techniques you can use to sign email messages. Two well-known examples are DomainKeys and DKIM, which is an abbreviation for DomainKeys Identified Mail.

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Its reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

These two techniques do not use symmetric encryption but rather employ asymmetric cryptography. (More info: in both methods the common algorithm used is RSA, which is also the default for these methods of email message signing.)

For those wondering what asymmetric means, here is a short explanation. The technique uses a key to sign the email message, whereas other methods require no key. There are two kinds of keys: a private key, which signs the message, and a public key, which is used to verify the signature. The two signing methods highlighted above are implemented as filters (milters) for the SMTP server. DomainKeys used the dk-filter, but that filter has been discontinued, and OpenDKIM has become the preferred replacement.

A mail server must support such a filter to be set up properly. Postfix can be used because it has this support built in. Another requirement is the freedom to add or change the DNS records for your domain as needed. With the above in mind, the following is a step-by-step guide on how to set up a Postfix email server with DomainKeys Identified Mail on Debian.

1. The first thing is to update your software and, if you do not have Postfix installed already, install it. Consult the Postfix manual for the exact installation steps. Once you have it running, move on to the next step.

On Debian, issue these commands:

aptitude update
aptitude safe-upgrade

2. At this point, it is important to install the DKIM filter. As hinted above, the most common and available filter is OpenDKIM. Installing this filter is not complicated at all and should not take much time.

aptitude install opendkim opendkim-tools

3. The next step is to set up a directory for storing the private keys. You can have as many domains as you wish, but make sure that the permission settings are in order, because they are the most critical part.

mkdir -pv /etc/opendkim/
chown -Rv opendkim:opendkim /etc/opendkim
chmod go-rwx /etc/opendkim/

4. Here, security is pivotal, and you should create a separate key pair for each domain you have. In other words, every single domain gets its own key pair. In the commands below, example.com is a placeholder for your own domain.

cd /etc/opendkim/
# example.com is a placeholder: substitute your own domain
opendkim-genkey -r -h sha256 -d example.com -s mail
mv -v mail.private mail
chown opendkim:opendkim mail
chmod u=rw,go-rwx mail

5. The next step is to publish the public key in DNS. You will need to add a new TXT record containing the key generated in the previous step. opendkim-genkey writes the record to mail.txt in BIND (DNS server) zone-file format, but it is easy to paste the necessary parts into your domain's DNS provider: the record is named mail._domainkey and its value looks like "v=DKIM1; h=sha256; k=rsa; p=AySFjB......xorQAB"

Example of how it looks in CloudFlare's DNS manager (screenshot not reproduced here):


6. At this juncture, it is vital to set up the key table. Each line of that file uses the following format:

KeyID Domain:Selector:PathToPrivateKey

So fire up your text editor of choice and open/create the /etc/opendkim/KeyTable file, adding one entry in that format for each domain you generated a key for.

7. The next step is to set up the signing table. The filter reads this table to find the key matching the sender's domain. Again, open/create /etc/opendkim/SigningTable in your favorite text editor and add an entry for each domain.

8. You will then have to create a /etc/opendkim/TrustedHosts file. It lists the hosts you trust, as you desire. Again, the format can be as given earlier when creating the signing table and the key table. (This is the DNS server name you get from your provider.)
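As an added example (not from the original article), the Python below does the bookkeeping of steps 5 to 8 in code: it parses the BIND-format mail.txt that opendkim-genkey writes into the single TXT value a web DNS manager wants, checks the record's tags (in particular that h= only lists real hash names, since a value such as rsa-sha256 there makes verifiers reject the key), and generates the matching KeyTable, SigningTable and TrustedHosts lines. The domain example.com, selector mail and key path /etc/opendkim/mail are placeholders, and the key material in the sample is constructed filler, not a real key.

```python
import re

# Constructed sample of the mail.txt that opendkim-genkey writes for selector
# "mail" of the placeholder domain example.com. The p= value is fake filler,
# not real key material.
SAMPLE_MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; s=email; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakeKeyMaterialForIllustration"\n'
    '\t  "xorQAB" )  ; ----- DKIM key mail for example.com\n'
)

# Hash algorithm names a DKIM h= tag may list (RFC 6376). "rsa-sha256" is a
# signature algorithm name, not a hash name, and does not belong here.
VALID_HASHES = {"sha1", "sha256"}


def record_name(bind_text):
    """Owner name of the record, e.g. mail._domainkey (relative to the zone)."""
    return bind_text.split(None, 1)[0]


def flatten_bind_txt(bind_text):
    """Join the quoted fragments of a BIND TXT record into the single string
    a web DNS manager expects in its 'value' field."""
    fragments = re.findall(r'"([^"]*)"', bind_text)
    if not fragments:
        raise ValueError("no quoted TXT fragments found")
    return "".join(fragments)


def parse_dkim_tags(txt_value):
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in txt_value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def validate_dkim_record(tags):
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an opendkim-genkey key")
    if not tags.get("p"):
        problems.append("p= is empty: that publishes a revoked key")
    if "h" in tags:
        bad = [h for h in tags["h"].split(":") if h not in VALID_HASHES]
        if bad:
            problems.append(f"h= lists unknown hash names {bad}; use sha256")
    return problems


def opendkim_tables(domain, selector, key_path, extra_hosts=()):
    """Build KeyTable, SigningTable and TrustedHosts contents for one domain,
    in the refile: formats the article's opendkim.conf uses."""
    key_id = f"{selector}._domainkey.{domain}"
    return {
        "KeyTable": f"{key_id} {domain}:{selector}:{key_path}\n",
        "SigningTable": f"*@{domain} {key_id}\n",
        "TrustedHosts": "\n".join(["127.0.0.1", "localhost", domain, *extra_hosts]) + "\n",
    }


if __name__ == "__main__":
    value = flatten_bind_txt(SAMPLE_MAIL_TXT)
    print(record_name(SAMPLE_MAIL_TXT), "TXT", value)
    print("problems:", validate_dkim_record(parse_dkim_tags(value)))
    for name, body in opendkim_tables("example.com", "mail", "/etc/opendkim/mail").items():
        print(f"--- /etc/opendkim/{name}\n{body}", end="")
```

Run it against your real mail.txt by reading the file into flatten_bind_txt; the printed TXT value is what goes into the DNS provider's form, and a non-empty problems list means the record should not be published as-is.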

9. Next, set the ownership of the files we just created:

chown opendkim:opendkim /etc/opendkim/KeyTable
chown opendkim:opendkim /etc/opendkim/SigningTable
chown opendkim:opendkim /etc/opendkim/TrustedHosts

10. This step is critical because it configures the OpenDKIM filter to read the files you created above. Open /etc/opendkim.conf in your chosen editor. It is simplest to delete the default Debian configuration and replace it with the following:

# Enable Logging
Syslog yes
SyslogSuccess yes
LogWhy yes

# User mask
UMask 002

# Always oversign From (sign using the actual From and a null From, to prevent malicious insertion of header fields (From and/or others) between the signer and the verifier)

OversignHeaders From

# Our KeyTable and SigningTable
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable

# Trusted Hosts
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts

# Hashing Algorithm
SignatureAlgorithm rsa-sha256

# Auto restart when a failure occurs. CAUTION: this may cause a tight fork loop
AutoRestart Yes

# Set the user and group to opendkim user
UserID opendkim:opendkim

# Specify the working socket
Socket inet:8891@localhost

11. It is now time to hook the OpenDKIM filter into Postfix. This is done by altering a few parameters, and it is important to do it carefully so that you avoid errors later. Open /etc/postfix/ and add/uncomment these lines:

# OpenDKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
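A classic mistake at steps 10 and 11 is that OpenDKIM writes its socket as inet:PORT@HOST while Postfix writes the same endpoint as inet:HOST:PORT, so the two files silently disagree and Postfix either cannot reach the milter or, with milter_default_action = accept, quietly sends unsigned mail. The Python below is an added example, not part of the original article: it parses both configuration fragments, normalises the two socket spellings, and reports any mismatch. The embedded configuration samples are constructed from the values shown in this guide.

```python
import re

# Constructed samples of the two configuration files the article edits.
OPENDKIM_CONF = """# constructed sample of /etc/opendkim.conf (only the relevant lines)
Syslog yes
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
"""

POSTFIX_MAIN_CF = """# constructed sample of the milter section of Postfix main.cf
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
"""


def opendkim_setting(conf_text, name):
    """Value of an opendkim.conf keyword (case-insensitive), or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == name.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def postfix_params(main_cf_text):
    """Parse 'name = value' lines and expand one level of $name references,
    enough to resolve non_smtpd_milters = $smtpd_milters."""
    raw = {}
    for line in main_cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        raw[name.strip()] = value.strip()
    return {
        name: re.sub(r"\$\{?(\w+)\}?", lambda m: raw.get(m.group(1), ""), value)
        for name, value in raw.items()
    }


def normalize_opendkim_socket(spec):
    """OpenDKIM writes inet:PORT@HOST or local:/PATH; return a comparable tuple.
    An empty host means OpenDKIM listens on every interface."""
    kind, _, rest = spec.partition(":")
    if kind == "inet":
        port, _, host = rest.partition("@")
        return ("inet", host, int(port))
    if kind in ("local", "unix"):
        return ("unix", rest)
    raise ValueError(f"unrecognised OpenDKIM socket {spec!r}")


def normalize_postfix_milter(spec):
    """Postfix writes inet:HOST:PORT or unix:/PATH, the opposite order."""
    kind, _, rest = spec.partition(":")
    if kind == "inet":
        host, _, port = rest.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"milter {spec!r} is not inet:HOST:PORT")
        return ("inet", host, int(port))
    if kind in ("unix", "local"):
        return ("unix", rest)
    raise ValueError(f"unrecognised Postfix milter {spec!r}")


def check_milter_wiring(opendkim_conf, main_cf):
    """Return a list of problems; an empty list means Postfix will reach OpenDKIM."""
    problems = []
    socket_spec = opendkim_setting(opendkim_conf, "Socket")
    if socket_spec is None:
        return ["opendkim.conf has no Socket line"]
    dkim_side = normalize_opendkim_socket(socket_spec)
    if dkim_side[0] == "inet" and not dkim_side[1]:
        problems.append("OpenDKIM Socket has no host, so it listens on all interfaces")
    params = postfix_params(main_cf)
    for param in ("smtpd_milters", "non_smtpd_milters"):
        spec = params.get(param, "")
        if not spec:
            problems.append(f"{param} is unset: mail on that path is never signed")
            continue
        for item in re.split(r"[\s,]+", spec.strip()):
            try:
                if normalize_postfix_milter(item) != dkim_side:
                    problems.append(f"{param} entry {item} does not match Socket {socket_spec}")
            except ValueError as exc:
                problems.append(str(exc))
    return problems


if __name__ == "__main__":
    print("problems:", check_milter_wiring(OPENDKIM_CONF, POSTFIX_MAIN_CF))
```

To check a live system, read /etc/opendkim.conf and the Postfix main.cf into the two arguments of check_milter_wiring; the check also flags a Socket line without a host, since that makes OpenDKIM accept connections from any interface rather than only from the local Postfix.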

12. When you reach this step, you are almost there. You will, however, need to restart the OpenDKIM service as well as Postfix. After doing this, make sure that everything is fine before moving on to the final step.

service opendkim restart
service postfix restart

13. The final step is to check whether the changes you made have taken effect. Confirm that the OpenDKIM service is running and listening on the port we defined above.

ps aux | grep dkim
netstat -tanp | grep dkim

This method works like a charm and is a sure way to get email message signing. It is really not a complicated process, but you will need to follow the method to the letter. Beyond the technical jargon, anyone willing to follow this guide diligently can achieve success. Keep in mind that the top benefits of DKIM are curbing abuse and reducing the spam that reaches recipients.

It is a method of verifying how genuine an organization or a domain is. There are many other elements that help your business or domain establish a credible name, and this process is one of them.

This is especially important if you plan to send email from your server to GMail or Hotmail, whose spam filters are strict; without it your mail may end up in the SPAM folder or even be rejected.

If you followed the procedure but are still unable to send mail to GMail, for instance, ask your web host to set up reverse DNS for your server so that receiving mail servers can match the IP address in the message headers with your domain.

If your VPS or dedicated server is located in a highly available and secure government data centre such as Macquarie's or TheBunker's, these identifying features may already be set by default for new customers.

