OpenDKIM (2.11)
From Hexwiki
The default expectation here is to use DKIM software only for signing. Spamassassin has its own DKIM verifier, and it is much less headache-inducing to simply let it take care of it.
Generate DKIM key
cd /etc/dkimkeys/ opendkim-genkey -b 2560 -s whateverselectorname -S
Choose selector as desired. 2560 bits can be squeezed into
Remove spaces and k=rsa from the selectorname.txt file, so it looks like:
- "v=DKIM1;h=sha256;t=s;p=giantstring==
There is room for additional options, but it's largely unnecessary
/etc/opendkim.conf
# Log to syslog Syslog yes # If you run even a modest mailserver, the mailing logs get -immense-. # I like to split them up accordingly. SyslogFacility LOCAL1 # Required to use local socket with MTAs that access the socket as a non- # privileged user (e.g. Postfix) # With 007, we add postfix to opendkim's group so it can access the socket UMask 007
# Domain is a dataset, which if just a string is a comma-separated list. # opendkim is unfortunately not compiled with MySQL support by default in # Debian, else I'd use that. Domain example.com,example.net # There is little reason to have more than one key/selector per connected # mail network, it just creates a hassle in my opinion. # It is possible if you actually need to, however. KeyFile /etc/dkim_keys/whateveridentifier.private Selector whateveridentifier # Using years seems a common convention for selectors.
# Relaxed basically ignores whitespace. Seems lots of things like to play # with said whitespace especially in the header, so relaxed/relaxed or # relaxed/simple is best. Canonicalization relaxed # Sign only. Verification is spamassassin's job. Mode s SignatureAlgorithm rsa-sha256 # Don't turn on autorestart without specifying a rate or limit. AutoRestart yes AutoRestartRate 2/1m
# Always oversign From (sign using actual From and a null From to prevent # malicious signatures header fields (From and/or others) between the signer # and the verifier. From is oversigned by default in the Debian package # because it is often the identity key used by reputation systems and thus # somewhat security sensitive. OversignHeaders From
Final Steps
Don't forget to restart.
systemctl restart opendkim
The remaining configuration is done in the MTA.