OpenDKIM (2.11)

From Hexwiki

The expectation here is to use OpenDKIM only for signing outbound mail. SpamAssassin has its own DKIM verifier, and it is much less headache-inducing to let it handle verification of inbound mail.

Generate DKIM key

cd /etc/dkimkeys/
opendkim-genkey -b 2560 -s whateverselectorname -S

Choose the selector name as desired. 2560 bits can be squeezed into

Remove the whitespace and the redundant k=rsa tag (rsa is the default key type) from whateverselectorname.txt and join its quoted strings, so the record value looks like:

"v=DKIM1;h=sha256;t=s;p=giantstring=="

t=s (added by the -S option above) tells verifiers that the key is valid only for this exact domain and not for its subdomains. h=sha256, which opendkim-genkey adds when given -h sha256, tells verifiers that only SHA-256 is used with this key. There is room for additional tags, but they are largely unnecessary. Note that one DNS character-string holds at most 255 octets, so a long p= value is published as several quoted strings that the resolver concatenates; if your DNS interface does not split the single value for you, split it yourself.
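As an added example (not part of the original page or of OpenDKIM), the following POSIX shell script performs the reformatting step above and the checks worth running before publishing: it flattens a constructed stand-in for the whateverselectorname.txt file into the single record value, splits that value back into 255-octet zone-file strings, sanity-checks the result, and (with openssl) derives the p= value a private key implies so it can be compared with what is actually published. The sample file content, the function names and any key path passed to them are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or the OpenDKIM project.
# Turns the <selector>.txt file that opendkim-genkey writes into the single
# TXT value described above, and back into zone-file strings of at most 255
# octets (the size limit of one DNS character-string, RFC 1035).

# Constructed stand-in for what opendkim-genkey writes; a real p= is far longer.
SAMPLE_TXT='whateverselectorname._domainkey IN TXT ( "v=DKIM1; h=sha256; t=s; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAabcdefghijklmnop"
          "qrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ==" )  ; ----- DKIM key whateverselectorname for example.com'

# dkim_flatten: concatenate the quoted pieces, strip whitespace and drop k=rsa
# (rsa is the DKIM default, so the tag is redundant). Prints one value.
dkim_flatten() {
    printf '%s\n' "$1" | awk '
        BEGIN { RS = "\"" }                 # every even-numbered record is inside quotes
        NR % 2 == 0 { out = out $0 }
        END {
            gsub(/[ \t\n]/, "", out)
            sub(/k=rsa;/, "", out)
            print out
        }'
}

# dkim_zone_strings: split a flattened value into quoted pieces of at most
# 255 octets, the form a zone file needs once the value no longer fits one string.
dkim_zone_strings() {
    printf '%s\n' "$1" | fold -w 255 | sed 's/.*/"&"/' | paste -s -d ' ' -
}

# dkim_record_check: sanity checks before publishing; nonzero exit on a problem.
dkim_record_check() {
    case "$1" in
        "v=DKIM1;"*"p="*) ;;
        *) echo "record must start with v=DKIM1; and carry a p= tag" >&2; return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*) echo "record still contains whitespace" >&2; return 1 ;;
    esac
    case "$1" in
        *"p="|*"p=;"*) echo "p= tag is empty (an empty p= revokes the key)" >&2; return 1 ;;
    esac
    return 0
}

# dkim_record_p: the p= value of a flattened record (base64 has no ';').
dkim_record_p() {
    printf '%s\n' "$1" | sed -n 's/.*;p=\([^;]*\).*/\1/p'
}

# dkim_pubkey_from_private: the p= value a private key implies (base64 DER
# SubjectPublicKeyInfo). Compare with dkim_record_p of the record you actually
# resolve from DNS; a mismatch means every signature will fail verification.
# $1 is the .private file path (an assumption, e.g. the KeyFile from opendkim.conf).
dkim_pubkey_from_private() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Stand-alone run: flatten the constructed sample and show the zone-file form.
value=$(dkim_flatten "$SAMPLE_TXT")
dkim_record_check "$value"
printf '%s\n' "$value"
dkim_zone_strings "$value"
```

dkim_pubkey_from_private needs the real private key and openssl, so it is not exercised by the constructed sample; run it against the KeyFile and compare the output with the p= value you get back from a resolver, not with the local .txt file, since the published copy is the one verifiers see.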

/etc/opendkim.conf

# Log to syslog
Syslog                  yes
# If you run even a modest mailserver, the mailing logs get -immense-.
# I like to split them up accordingly.
SyslogFacility          LOCAL1
# Required to use a local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix). With 007 the socket is group-writable, so
# add the postfix user to opendkim's group to let it connect. The socket path
# itself is set with the Socket directive, and the same path goes into the
# MTA's milter configuration.
UMask                   007
# Domain is a dataset; given as a plain string it is a comma-separated list
# of the domains this filter signs for.
# opendkim is unfortunately not compiled with MySQL support by default in
# Debian, else I'd use that.
Domain                  example.com,example.net
# There is little reason to have more than one key/selector per connected
# mail network; it just creates a hassle in my opinion. It is possible if you
# actually need it, however. The key file is the .private file written by
# opendkim-genkey above; keep it readable only by the opendkim user.
# Using years seems a common convention for selector names.
KeyFile                 /etc/dkimkeys/whateverselectorname.private
Selector                whateverselectorname
# Relaxed canonicalization tolerates the whitespace and header-name case
# changes that MTAs commonly make in transit; simple requires the message to
# arrive byte for byte as it was signed. A single value applies to both header
# and body; a pair such as relaxed/simple applies the first to the header and
# the second to the body. relaxed/relaxed or relaxed/simple is the safe choice.
Canonicalization        relaxed
# Sign only. Verification is spamassassin's job.
Mode                    s
SignatureAlgorithm      rsa-sha256
# AutoRestart restarts the filter if it dies. Don't turn it on without a rate
# limit, or a crashing filter turns into a restart loop; 2/1m allows at most
# two restarts per minute.
AutoRestart             yes
AutoRestartRate         2/1m
# Oversign From: list From one extra time in the signature's h= tag, so that
# a From header field added between the signer and the verifier (which many
# mail clients would display in place of the signed one) is covered by the
# signature and breaks it. From is oversigned by default in the Debian package
# because it is the identity reputation systems and DMARC key on, and thus
# security sensitive.
OversignHeaders         From
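To make the Canonicalization and OversignHeaders comments concrete, here is an added example (not from this page or from OpenDKIM) that models what a verifier feeds into the header hash: relaxed canonicalization of each header field (RFC 6376 section 3.4.2) and the bottom-up selection of header instances for the h= list (section 5.4.2). The header blocks, names and addresses are constructed. With h=from:to:subject, a From header prepended after signing is never hashed, so the signature still verifies while the client shows the prepended From; with From listed twice, the prepended header fills the second slot, the hash input changes and the signature breaks.

```shell
#!/bin/sh
# Added example, not from the original page or the OpenDKIM project.
# Models which header instances a DKIM verifier hashes for a given h= list,
# in relaxed canonical form (RFC 6376 sections 3.4.2 and 5.4.2).

# dkim_signed_headers: $1 is the h= tag value (colon-separated field names);
# the header block comes on stdin. For each h= entry the bottom-most header
# instance of that name not already used is emitted in relaxed form. An entry
# with no instance left contributes nothing, which is what oversigning relies
# on: a header added later fills that empty slot and changes the hash input.
dkim_signed_headers() {
    tr -d '\r' | awk -v hlist="$1" '
        function relaxed(f,    i, nm, v) {
            gsub(/\n[ \t]+/, " ", f)                  # unfold continuation lines
            i = index(f, ":")
            nm = tolower(substr(f, 1, i - 1))         # lowercase the field name
            v = substr(f, i + 1)
            gsub(/[ \t]+/, " ", v)                    # collapse WSP runs to one SP
            sub(/^ /, "", v); sub(/ $/, "", v)        # no WSP after the colon or at the end
            gsub(/[ \t]/, "", nm)                     # no WSP before the colon
            return nm ":" v
        }
        /^[ \t]/ { fields[n] = fields[n] "\n" $0; next }   # folded continuation line
        { fields[++n] = $0 }
        END {
            m = split(hlist, want, ":")
            for (k = 1; k <= m; k++) {
                name = tolower(want[k]); gsub(/[ \t]/, "", name)
                for (j = n; j >= 1; j--) {              # search from the bottom up
                    if (used[j]) continue
                    fn = tolower(substr(fields[j], 1, index(fields[j], ":") - 1))
                    gsub(/[ \t]/, "", fn)
                    if (fn != name) continue
                    used[j] = 1
                    print relaxed(fields[j])
                    break
                }
            }
        }'
}

# dkim_relaxed_header: relaxed form of a single header field (may be folded).
dkim_relaxed_header() {
    printf '%s\n' "$1" | dkim_signed_headers "${1%%:*}"
}

# Constructed header block of a message as it left the signer (body omitted).
ORIG_HEADERS='From: Alice <alice@example.com>
To: bob@example.net
Subject: Invoice
  attached'

# The same message after someone in the path prepended a second From header.
SPOOFED_HEADERS='From: "Alice" <alice@attacker.example>
From: Alice <alice@example.com>
To: bob@example.net
Subject: Invoice
  attached'

# Stand-alone run: the hashed header input with and without oversigning From.
for h in from:to:subject from:from:to:subject; do
    printf '\nh=%s, spoofed message, hashed header input:\n' "$h"
    printf '%s\n' "$SPOOFED_HEADERS" | dkim_signed_headers "$h"
done
```

The first loop iteration prints the same three lines for the original and the spoofed message, which is why a signature over h=from:to:subject survives the added From; the second prints four lines for the spoofed message, the extra one being the attacker's From in the slot the oversigned entry left empty.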

Final Steps

Check that the configuration parses, then restart:

opendkim -n -x /etc/opendkim.conf
systemctl restart opendkim

Once the TXT record is published, opendkim-testkey -d example.com -s whateverselectorname -k /etc/dkimkeys/whateverselectorname.private -vvv confirms that the record found in DNS matches the private key the filter signs with.

The remaining configuration, pointing the MTA's milter setting at OpenDKIM's socket, is done in the MTA.