OpenDKIM (2.11)

From Hexwiki

The default expectation here is to use the DKIM software only for signing. SpamAssassin has its own DKIM verifier, and it is much less headache-inducing to simply let it take care of verification.

Generate DKIM key

cd /etc/dkimkeys/
opendkim-genkey -b 2560 -s whateverselectorname -S

Choose the selector name as desired. 2560 bits can be squeezed into

Remove the spaces and the k=rsa tag (rsa is the default key type, so the tag is redundant) from the selectorname.txt file, so the record looks like:

  • "v=DKIM1;h=sha256;t=s;p=giantstring=="

There is room for additional tags, but they are largely unnecessary.
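The flattening step above, as an added example that is not part of the wiki page: opendkim-genkey writes the public key as several quoted strings in selectorname.txt, and this script joins them, strips whitespace and k=rsa, and reports whether the result still fits in one TXT character-string. The sample .txt content is constructed with a made-up placeholder instead of real key material; the 255-octet limit per character-string comes from RFC 1035 and applies to each quoted string, not to the record as a whole.

```shell
#!/bin/sh
# Added example (not from the wiki page): flatten an opendkim-genkey .txt
# file into the single-string record form shown above.

# write_sample: writes a constructed opendkim-genkey-style .txt file
# (the p= value is a made-up placeholder, not a real key) and prints its path.
write_sample() {
    f=$(mktemp)
    printf '%s\n' \
        'whateverselectorname._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; t=s; "' \
        '      "p=AAAAB3NzaC1yc2EAAAADAQABAAABAQC"' \
        '      "xyz123==" )  ; ----- DKIM key whateverselectorname for example.com' \
        > "$f"
    echo "$f"
}

# flatten_dkim_txt FILE: concatenate the quoted pieces, drop all whitespace
# and the redundant k=rsa tag (rsa is the default key type).
flatten_dkim_txt() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n \t' | sed 's/k=rsa;//'
}

# txt_string_status RECORD: a single TXT character-string holds at most 255
# octets (RFC 1035); a longer record must be published as several quoted
# strings, which verifiers concatenate when they look the key up.
txt_string_status() {
    if [ "${#1}" -gt 255 ]; then
        echo "split-needed"
    else
        echo "ok"
    fi
}

# demo: run the flattening on the constructed sample and print the result
demo() {
    f=$(write_sample)
    rec=$(flatten_dkim_txt "$f")
    echo "$rec"
    echo "length ${#rec}: $(txt_string_status "$rec")"
    rm -f "$f"
}

demo
```

A real 2560-bit key produces a p= value of roughly 440 base64 characters, so txt_string_status reports split-needed for it: paste the flattened string into a provider UI that splits it for you, or keep the quoted pieces in a zone file. Once the record is published, `opendkim-testkey -d example.com -s whateverselectorname -vvv` fetches it, and adding `-k /etc/dkimkeys/whateverselectorname.private` checks that the published key matches the private key OpenDKIM will sign with.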

/etc/opendkim.conf

# Log to syslog
Syslog                  yes
# If you run even a modest mailserver, the mailing logs get -immense-.
# I like to split them up accordingly.
SyslogFacility          LOCAL1
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
# With 007, we add postfix to opendkim's group so it can access the socket
UMask                   007
# Domain is a dataset, which if just a string is a comma-separated list.
# opendkim is unfortunately not compiled with MySQL support by default in
# Debian, else I'd use that.
Domain                  example.com,example.net
# There is little reason to have more than one key/selector per connected
# mail network; it just creates a hassle in my opinion.
# It is possible if you actually need to, however.
# The key file is the <selector>.private file that opendkim-genkey wrote into
# /etc/dkimkeys/ above, so KeyFile and Selector must agree with each other.
KeyFile                 /etc/dkimkeys/whateveridentifier.private
Selector                whateveridentifier
# Using years seems a common convention for selectors.
# Relaxed canonicalization tolerates whitespace changes. Lots of things like
# to play with whitespace, especially in the header, so relaxed/relaxed or
# relaxed/simple is best.
Canonicalization        relaxed
# Sign only. Verification is spamassassin's job.
Mode                    s
SignatureAlgorithm      rsa-sha256
# Don't turn on autorestart without specifying a rate or limit.
AutoRestart             yes
AutoRestartRate         2/1m
# Always oversign From (sign using the actual From and a null From) to prevent
# malicious addition of header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From
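The points the comments above rely on (a private key only opendkim can read, a Selector that matches the KeyFile name, the MTA user in opendkim's group because of UMask 007, and a config that parses) can be checked before the restart. The script below is an added example, not the wiki's or the OpenDKIM project's code; it assumes the Debian layout, an MTA user named postfix, and the page's placeholder selector, and the sample config and key it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-flight checks for the
# sign-only OpenDKIM setup described above.

# check_key_perms KEYFILE: the private key must not be readable or writable
# by group or others; only the opendkim user needs it.
check_key_perms() {
    key="$1"
    [ -f "$key" ] || { echo "FAIL: $key missing"; return 1; }
    # columns 5-10 of ls -l output are the group and other permission bits
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is group/world accessible; run: chmod 600 $key"
        return 1
    fi
    echo "OK: $key is private"
}

# check_selector CONF: Selector must equal the KeyFile basename minus
# ".private", which is how opendkim-genkey names the key it writes.
check_selector() {
    conf="$1"
    selector=$(awk '$1 == "Selector" { print $2 }' "$conf")
    keyfile=$(awk '$1 == "KeyFile" { print $2 }' "$conf")
    if [ -z "$selector" ] || [ "$selector" != "$(basename "$keyfile" .private)" ]; then
        echo "FAIL: Selector '$selector' does not match KeyFile '$keyfile'"
        return 1
    fi
    echo "OK: Selector $selector matches $keyfile"
}

# check_mta_group: with UMask 007 the socket is group-accessible only, so the
# MTA user (postfix here, an assumption) must be in opendkim's group.
check_mta_group() {
    id -u postfix >/dev/null 2>&1 || { echo "SKIP: no postfix user here"; return 0; }
    if id -nG postfix | tr ' ' '\n' | grep -qx opendkim; then
        echo "OK: postfix is in group opendkim"
    else
        echo "FAIL: run: usermod -aG opendkim postfix (then restart postfix)"
        return 1
    fi
}

# check_config_parses CONF: opendkim -n parses the config, reports errors
# and exits without starting the filter.
check_config_parses() {
    command -v opendkim >/dev/null 2>&1 || { echo "SKIP: opendkim not installed"; return 0; }
    opendkim -n -x "$1" && echo "OK: $1 parses"
}

# make_sample_env: constructed scratch directory holding a minimal config and
# a dummy key file that is deliberately world-readable; prints its path.
make_sample_env() {
    d=$(mktemp -d)
    printf 'not-a-real-key\n' > "$d/whateveridentifier.private"
    chmod 644 "$d/whateveridentifier.private"
    printf 'KeyFile   %s/whateveridentifier.private\nSelector  whateveridentifier\nMode  s\n' \
        "$d" > "$d/opendkim.conf"
    echo "$d"
}

# run_all CONF KEYFILE: run every check; non-zero if any of them failed
run_all() {
    rc=0
    check_key_perms "$2" || rc=1
    check_selector "$1" || rc=1
    check_mta_group || rc=1
    check_config_parses "$1" || rc=1
    return $rc
}
```

On a real host run it as `run_all /etc/opendkim.conf /etc/dkimkeys/whateveridentifier.private`; the constructed sample environment exists only so the checks can be exercised without touching the live configuration.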

Final Steps

Don't forget to restart.

systemctl restart opendkim

The remaining configuration is done in the MTA.