OpenDKIM (2.6)

From Hexwiki

Latest revision as of 12:30, 6 May 2014
The default expectation here is to use the DKIM software only for signing outbound mail. SpamAssassin has its own DKIM verifier, and it is much less headache-inducing to let it take care of verification than to run OpenDKIM in verify mode as well.

Generate DKIM key

mkdir /etc/dkim_keys
chgrp opendkim /etc/dkim_keys/
chmod 750 /etc/dkim_keys/
cd /etc/dkim_keys/
opendkim-genkey -b 1152 -s whateverselectorname

Choose the selector as desired; a year or date is a common convention, and the selector is what lets you publish a new key later without breaking mail signed with the old one. The generated whateverselectorname.private file must be readable by the user the opendkim daemon runs as (on Debian, the opendkim user), so check its owner and mode after generation. 1152 bits is about as much as fits inside a single DNS character-string, which is limited to 255 octets: the base64 public key of a 1152-bit RSA key is 240 characters, so with the compact prefix below the record is 250 characters. A larger key (RFC 8301, which now governs DKIM key sizes, requires at least 1024 bits and recommends 2048) still works, but its p= value then has to be split across several quoted strings in one TXT record, which resolvers and verifiers concatenate.

Remove the spaces and k=rsa from the generated whateverselectorname.txt file (k=rsa is the default anyway, and the prefix opendkim-genkey writes pushes a 1152-bit record just over 255 characters), so the record body looks like:

v=DKIM1;p=giantstring==

Publish it as a TXT record at whateverselectorname._domainkey.<domain> for every domain that OpenDKIM will sign for. There is room for additional tags (for example t=s, which forbids use of the key for subdomains), but they are largely unnecessary.
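As an added example (not from the original page or from the OpenDKIM project), the POSIX shell functions below do the record work by hand: they derive the p= value from a private key with openssl instead of reading selectorname.txt, emit a zone-file line that splits the record into 255-character strings when the key is too big for one, and check a record as dig +short returns it against the private key on disk. The function names, the use of openssl in place of opendkim-genkey, and the sample key paths are this example's own assumptions; it assumes openssl is installed and that the key is a PEM RSA key like the one opendkim-genkey produces.

```shell
#!/bin/sh
# Added example for building and checking a DKIM key record. It is not part of
# OpenDKIM; the function names are this example's own. Assumes openssl is
# installed and that KEYFILE is a PEM RSA private key such as
# /etc/dkim_keys/whateverselectorname.private from opendkim-genkey.
set -u

# Print the base64 SubjectPublicKeyInfo of an RSA private key. This is exactly
# the value DKIM carries in the p= tag (RFC 6376 section 3.6.1), and it is what
# opendkim-genkey writes into selectorname.txt.
dkim_pubkey_b64() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Print the compact record body used on this page: v=DKIM1;p=<key>
dkim_record() {
    printf 'v=DKIM1;p=%s\n' "$(dkim_pubkey_b64 "$1")"
}

# Print a zone-file TXT RR for SELECTOR, splitting the record body into quoted
# strings of at most 255 characters. A single DNS character-string cannot exceed
# 255 octets; verifiers concatenate the strings (RFC 6376 section 3.6.2.2), so
# this is how keys larger than about 1152 bits get published.
dkim_zone_line() {
    sel=$1
    rest=$(dkim_record "$2")
    printf '%s._domainkey IN TXT (' "$sel"
    while [ -n "$rest" ]; do
        chunk=$(printf '%s' "$rest" | cut -c1-255)
        rest=$(printf '%s' "$rest" | cut -c256-)
        printf ' "%s"' "$chunk"
    done
    printf ' )\n'
}

# Extract the p= value from a record as dig +short returns it: possibly several
# quoted fragments, with whitespace and other tags such as k=rsa around it.
dkim_record_p() {
    printf '%s' "$1" | tr -d '" \t' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Succeed only when RECORD publishes the public half of KEYFILE. Once the
# record is live this is the comparison opendkim-testkey makes against DNS:
#   dkim_check_record /etc/dkim_keys/sel.private \
#       "$(dig +short TXT sel._domainkey.example.com)"
dkim_check_record() {
    expected=$(dkim_pubkey_b64 "$1")
    actual=$(dkim_record_p "$2")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
```

Running dkim_check_record before the first restart catches the two usual failures at once: a record pasted into the wrong zone or under the wrong selector (nothing, or a different key, comes back), and a key rotated on disk without the record being updated.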

/etc/opendkim.conf

# Log to syslog
Syslog                  yes
# If you run even a modest mailserver, the mailing logs get -immense-.
# I like to split them up accordingly.
SyslogFacility          LOCAL1
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
# With 007, we add postfix to opendkim's group so it can access the socket
UMask                   007
# Domain is a dataset, which if just a string is a comma-separated list.
# opendkim is unfortunately not compiled with MySQL support by default in
# Debian, else I'd use that.
Domain                  example.com,example.net
# There is little reason to have more than one key/selector per connected
# mail network, it just creates a hassle in my opinion.
# It is possible if you actually need to, however. The selector here must be
# the one given to opendkim-genkey above and published in DNS.
KeyFile                 /etc/dkim_keys/whateverselectorname.private
Selector                whateverselectorname
# Using years seems a common convention for selectors.
# Relaxed header canonicalization tolerates whitespace and case changes in
# header fields, relaxed body canonicalization tolerates whitespace changes in
# the body. Lots of things play with whitespace in transit, especially in the
# header, so relaxed/relaxed or relaxed/simple is best. Give both halves
# explicitly so the body side is not left to the default, which is simple.
Canonicalization        relaxed/relaxed
# Sign only. Verification is spamassassin's job.
Mode                    s
SignatureAlgorithm      rsa-sha256
# Don't turn on autorestart without specifying a rate or limit.
AutoRestart             yes
AutoRestartRate         2/1m
# Always oversign From (sign the actual From plus one nonexistent From, so that
# a second From header field added between the signer and the verifier breaks
# the signature). From is oversigned by default in the Debian package because
# it is often the identity used by reputation systems and thus security
# sensitive.
OversignHeaders         From

Final Steps

Don't forget to restart.

/etc/init.d/opendkim restart

Before pointing the MTA at it, confirm that the socket opendkim listens on (set in /etc/default/opendkim on Debian) is the one the MTA will be told to use; if Postfix's smtpd runs chrooted, as it does by default on Debian, a local socket has to live under /var/spool/postfix to be reachable. Also confirm that the published DNS record matches the private key: opendkim-testkey (with -d, -s and -k) does that check against live DNS.

The remaining configuration is done in the MTA.