Difference between revisions of "OpenDKIM (2.6)"
Latest revision as of 12:30, 6 May 2014
The default expectation here is to use DKIM software only for signing. Spamassassin has its own DKIM verifier, and it is much less headache-inducing to simply let it take care of it.
Generate DKIM key
mkdir /etc/dkim_keys
chgrp opendkim /etc/dkim_keys/
chmod 750 /etc/dkim_keys/
cd /etc/dkim_keys/
opendkim-genkey -b 1152 -s whateverselectorname
Choose the selector as desired. 1152 bits is about as much as fits inside a single 255-byte TXT character-string: the base64-encoded public key of a 1152-bit RSA key is 240 characters, and with v=DKIM1;p= in front the record is 250 bytes. That limit is per string, not per record. RFC 6376 requires verifiers to concatenate all strings of the TXT record, so a 2048-bit key (the size recommended today) works wherever the DNS provider lets you enter the record as several strings. opendkim-genkey creates the private key with restrictive permissions and Debian runs the daemon as the opendkim user, so make sure whateverselectorname.private is readable by that user (group opendkim, mode 0640) and by nobody else, or the daemon will fail to load the key.
The whateverselectorname.txt file contains the public key in BIND zone-file syntax: quoted strings, a k=rsa tag and a trailing comment. Remove the quoting, the spaces and the k=rsa tag (rsa is the default key type, so it is redundant) to get the value of the TXT record for whateverselectorname._domainkey.example.com, which then looks like:
v=DKIM1;p=giantstring==
There is room for additional tags, but they are largely unnecessary.
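As an added example (not part of the original page or of the OpenDKIM project), the following Python script does the cleanup described above mechanically and adds the two checks a practitioner wants before publishing: it joins the quoted strings of the selector.txt file the way RFC 6376 3.6.2.2 requires verifiers to, drops the redundant k=rsa tag, reads the modulus size out of the DER-encoded public key, and reports whether the result fits in one 255-byte TXT string or has to be split into several. The sample input is constructed: make_genkey_txt() mimics the layout opendkim-genkey writes, but the key inside is a synthetic modulus (not a real key) wrapped in a correctly structured SubjectPublicKeyInfo, which is all the parsing needs. It runs offline with the standard library only.

```python
import base64
import re

# --- constructed sample input: a stand-in for opendkim-genkey's <selector>.txt ---
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def der_encode(tag, content):
    """Minimal DER TLV encoder with short- and long-form lengths."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:               # keep the INTEGER positive
        b = b"\x00" + b
    return der_encode(0x02, b)

def fake_spki(bits):
    """SubjectPublicKeyInfo around a synthetic (NOT secure, NOT a real key) modulus of `bits` bits."""
    n = (1 << (bits - 1)) | 1
    rsa_public_key = der_encode(0x30, der_int(n) + der_int(65537))
    algorithm = der_encode(0x30, RSA_OID + b"\x05\x00")
    return der_encode(0x30, algorithm + der_encode(0x03, b"\x00" + rsa_public_key))

def make_genkey_txt(selector, bits, domain="example.com"):
    """Mimic the BIND-style layout opendkim-genkey writes to <selector>.txt (constructed sample)."""
    p = base64.b64encode(fake_spki(bits)).decode()
    return (f'{selector}._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
            f'\t  "p={p}" )  ; ----- DKIM key {selector} for {domain}\n')

# --- the useful part: from <selector>.txt to a record you can paste into DNS ---
def parse_genkey_txt(text):
    """Join the quoted strings (RFC 6376 3.6.2.2: concatenated, no whitespace) and split the tag list."""
    joined = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for item in joined.split(";"):
        if item.strip():
            k, _, v = item.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def compact_record(tags):
    """v=DKIM1 first (it must lead), other tags, then p=; k=rsa is dropped because rsa is the default."""
    parts = ["v=DKIM1"]
    parts += [f"{k}={v}" for k, v in tags.items()
              if k not in ("v", "p") and not (k == "k" and v == "rsa")]
    parts.append(f"p={tags['p']}")
    return ";".join(parts)

def der_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_b64):
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus and return the modulus bit length."""
    tag, spki, _ = der_tlv(base64.b64decode(p_b64))
    assert tag == 0x30
    _, _, pos = der_tlv(spki)                  # skip AlgorithmIdentifier
    tag, bitstr, _ = der_tlv(spki, pos)
    assert tag == 0x03 and bitstr[0] == 0     # BIT STRING with no unused bits
    _, rsa_pub, _ = der_tlv(bitstr, 1)
    tag, modulus, _ = der_tlv(rsa_pub)
    assert tag == 0x02
    return int.from_bytes(modulus, "big").bit_length()

def fits_single_string(record):
    """A TXT character-string holds at most 255 bytes (RFC 1035)."""
    return len(record.encode()) <= 255

def zone_strings(record):
    """Split a long record into <=255-byte strings for a zone file; verifiers rejoin them."""
    data = record.encode()
    return [data[i:i + 255].decode() for i in range(0, len(data), 255)]

SAMPLE_TXT = make_genkey_txt("whateverselectorname", 1152)
SAMPLE_RECORD = compact_record(parse_genkey_txt(SAMPLE_TXT))

if __name__ == "__main__":
    print(SAMPLE_RECORD)
    print(len(SAMPLE_RECORD), "bytes, single string:", fits_single_string(SAMPLE_RECORD))
    big = compact_record(parse_genkey_txt(make_genkey_txt("s2048", 2048)))
    print(len(big), "bytes, single string:", fits_single_string(big),
          "split into", [len(s) for s in zone_strings(big)])
```

With a 1152-bit key the record is 250 bytes and fits one string, which is the page's point; with a 2048-bit key it is 402 bytes and zone_strings() gives the two strings to publish, which every RFC 6376 verifier rejoins before parsing.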
/etc/opendkim.conf
# Log to syslog
Syslog yes
# If you run even a modest mailserver, the mailing logs get -immense-.
# I like to split them up accordingly.
SyslogFacility LOCAL1
# Required to use a local socket with MTAs that access the socket as a
# non-privileged user (e.g. Postfix).
# With 007 the socket is group-accessible; add postfix to opendkim's group
# so it can connect to the socket.
UMask 007

# Domain is a dataset; if it is just a string, it is a comma-separated list.
# opendkim is unfortunately not compiled with MySQL support by default in
# Debian, else I'd use that.
Domain example.com,example.net
# There is little reason to have more than one key/selector per connected
# mail network; it just creates a hassle in my opinion.
# It is possible if you actually need to, however.
# KeyFile and Selector must match the key generated above and the
# selector._domainkey TXT record published in DNS.
KeyFile /etc/dkim_keys/whateverselectorname.private
Selector whateverselectorname
# Using years seems a common convention for selectors; it keeps key
# rotation simple.

# Relaxed basically ignores whitespace. Lots of things like to play with
# whitespace, especially in the header, so relaxed/relaxed or relaxed/simple
# is best. A single value here applies to the header; give the pair
# explicitly (e.g. relaxed/simple) if you also want to pin the body
# canonicalization rather than rely on its default.
Canonicalization relaxed
# Sign only. Verification is spamassassin's job.
Mode s
SignatureAlgorithm rsa-sha256
# Don't turn on AutoRestart without specifying a rate or limit, or a
# crashing daemon is restarted in a tight loop.
AutoRestart yes
AutoRestartRate 2/1m

# Always oversign From: the signature's h= list names From one more time
# than it occurs in the message (h=from:from), so the extra slot is signed
# as absent and a From header added between the signer and the verifier
# breaks the signature. From is oversigned by default in the Debian package
# because it is often the identity that reputation systems key on and is
# therefore security sensitive.
OversignHeaders From
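The two security-relevant settings in that file, Canonicalization and OversignHeaders, are easiest to understand by running the header-side rules of RFC 6376 over a message. The Python below is an added example, not code from the page or from OpenDKIM: it implements the simple and relaxed header canonicalization (RFC 6376 3.4.1 and 3.4.2) and the bottom-up header selection of 5.4.2, then compares what a signer and a verifier would hash for three constructed messages. The messages, names and addresses are invented for the demonstration; the actual hashing, body canonicalization and RSA step are left out, since only the header bytes being covered matter here.

```python
import re

def canon_header_simple(name, value):
    """RFC 6376 3.4.1: the field is hashed exactly as it appears, folding and case included."""
    return f"{name}:{value}\r\n"

def canon_header_relaxed(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP runs, strip WSP around the colon and at the end."""
    v = re.sub(r"\r\n([ \t])", r"\1", value)   # unfold: drop a CRLF that precedes WSP
    v = re.sub(r"[ \t]+", " ", v)              # any run of WSP -> single SP
    v = v.strip(" \t")
    return f"{name.lower()}:{v}\r\n"

def select_fields(headers, h_list):
    """RFC 6376 5.4.2: each name in h= takes the bottom-most instance not already used; none left -> None."""
    used, picked = set(), []
    for name in h_list:
        idx = next((i for i in range(len(headers) - 1, -1, -1)
                    if i not in used and headers[i][0].lower() == name.lower()), None)
        if idx is not None:
            used.add(idx)
        picked.append(None if idx is None else headers[idx])
    return picked

def covered_header_bytes(headers, h_list, canon):
    """The header bytes the signature hash covers; an absent (null) field contributes nothing."""
    fields = [f for f in select_fields(headers, h_list) if f is not None]
    return "".join(canon(n, v) for n, v in fields)

def signature_survives(signed, received, h_list, canon):
    """True if the verifier hashes the same header bytes the signer did (key and body left aside)."""
    return covered_header_bytes(signed, h_list, canon) == covered_header_bytes(received, h_list, canon)

# Constructed messages: header lists top-to-bottom, (name, raw value after the colon).
SIGNED = [
    ("From", " Alice <alice@example.com>"),
    ("To", " bob@example.net"),
    ("Subject", " Invoice for\r\n May"),
]
# A relay refolded Subject and padded To: harmless, but the raw bytes changed.
REFOLDED = [
    ("From", " Alice <alice@example.com>"),
    ("To", "   bob@example.net"),
    ("Subject", " Invoice for May"),
]
# Someone between signer and verifier prepended a second From, the one most MUAs display.
SPOOFED = [("From", " Mallory <mallory@example.org>")] + SIGNED

if __name__ == "__main__":
    h = ["from", "to", "subject"]
    print("refolded, simple :", signature_survives(SIGNED, REFOLDED, h, canon_header_simple))
    print("refolded, relaxed:", signature_survives(SIGNED, REFOLDED, h, canon_header_relaxed))
    print("extra From, h=from      :", signature_survives(SIGNED, SPOOFED, ["from"], canon_header_relaxed))
    print("extra From, h=from:from :", signature_survives(SIGNED, SPOOFED, ["from", "from"], canon_header_relaxed))
```

The refolded message verifies under relaxed and fails under simple, which is why the page prefers relaxed for the header. The spoofed message still verifies with h=from, because the verifier selects From from the bottom and never looks at the prepended one; with h=from:from the second slot was signed as absent, the verifier now finds a field for it, and the header hash changes, which is exactly what OversignHeaders From buys.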
Final Steps
Don't forget to restart:
/etc/init.d/opendkim restart
Then check syslog (facility LOCAL1 with the configuration above) for complaints about the key file or the socket. The remaining configuration, pointing the MTA at the opendkim socket, is done in the MTA; with Postfix that also means adding the postfix user to the opendkim group, which the UMask 007 setting above assumes.