OpenDKIM (2.6)

From Hexwiki
Jump to: navigation, search

The default expectation here is to use DKIM software only for signing. Spamassassin has its own DKIM verifier, and it is much less headache-inducing to simply let it take care of it.

Generate DKIM key

mkdir /etc/dkim_keys
chgrp opendkim /etc/dkim_keys/
chmod 750 /etc/dkim_keys/
cd /etc/dkim_keys/
opendkim-genkey -b 1152 -s whateverselectorname

Choose selector as desired. 1152 bits is about as much as can meaningfully fit inside a single TXT field.

Remove spaces and k=rsa from the selectorname.txt file, so it looks like:

  • v=DKIM1;p=giantstring==

There is room for additional options, but it's largely unnecessary

/etc/opendkim.conf

# Log to syslog
Syslog                  yes
# If you run even a modest mailserver, the mailing logs get -immense-.
# I like to split them up accordingly.
SyslogFacility          LOCAL1
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
# With 007, we add postfix to opendkim's group so it can access the socket
UMask                   007
# Domain is a dataset, which if just a string is a comma-separated list.
# opendkim is unfortunately not compiled with MySQL support by default in
# Debian, else I'd use that.
Domain                  example.com,example.net
# There is little reason to have more than one key/selector per connected
# mail network, it just creates a hassle in my opinion.
# It is possible if you actually need to, however.
KeyFile                 /etc/dkim_keys/whateveridentifier.private
Selector                whateveridentifier
# Using years seems a common convention for selectors.
# Relaxed basically ignores whitespace. Seems lots of things like to play
# with said whitespace especially in the header, so relaxed/relaxed or 
# relaxed/simple is best.
Canonicalization        relaxed
# Sign only. Verification is spamassassin's job.
Mode                    s
SignatureAlgorithm      rsa-sha256
# Don't turn on autorestart without specifying a rate or limit.
AutoRestart             yes
AutoRestartRate         2/1m
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

Final Steps

Don't forget to restart.

/etc/init.d/opendkim restart

The remaining configuration is done in the MTA.