opendkim

Last updated: 2018-12-18

Introduction

OpenDKIM is a milter (mail filter): it runs outside the MTA and inspects SMTP events as they happen. All of this takes place before the mail is queued.

 


DNS Setting

 

Install

apt-get install opendkim-tools

DNS record

SELECTOR._domainkey IN TXT ...

Create

# creates mail.private (opendkim loads it) and mail.txt (publish it on the DNS server)

opendkim-genkey -s mail -d example.com

chown opendkim. mail.private

chmod 640 mail.private

Checking

opendkim-testkey -d example.com -s mail

# Fail:

opendkim-testkey: 'mail._domainkey.example.com' record not found

# Success: the exit status is 0

echo $?

# tested by sending an empty email to check-auth@verifier.port25.com
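An added example, not part of the original notes and not OpenDKIM's own code: a small POSIX shell checker that flattens the `mail.txt` file written by opendkim-genkey into the single TXT string you actually publish, and sanity-checks the record tags before relying on it. The sample record is constructed for this example (the public key is truncated to a valid base64 prefix), and uses spaces where opendkim-genkey writes tabs; `base64 -d` and `od` from coreutils are assumed.

```shell
#!/bin/sh
# Added example: flatten an opendkim-genkey mail.txt into one TXT value and check its DKIM tags.
# Not from the original page or from OpenDKIM; the sample below is constructed (key truncated).

SAMPLE_MAIL_TXT='mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
   "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA" )  ; ----- DKIM key mail for example.com'

# Join the quoted fragments of a multi-string TXT record into one string.
# Resolvers concatenate the quoted parts; everything outside quotes is zone-file syntax or comment.
dkim_txt_flatten() {
    printf '%s\n' "$1" | awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i } END { print "" }'
}

# Print the value of one tag ("v", "k", "p", ...) from a flattened record; prints nothing if absent.
dkim_tag_get() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# Validate the tags a verifier depends on. Returns 0 when the record looks usable.
dkim_record_check() {
    rec=$1
    v=$(dkim_tag_get "$rec" v)
    k=$(dkim_tag_get "$rec" k)
    p=$(dkim_tag_get "$rec" p)
    [ "$v" = "DKIM1" ] || { echo "bad or missing v= tag: '$v'" >&2; return 1; }
    # k= is optional and defaults to rsa; anything else is not what opendkim-genkey produced
    [ -z "$k" ] || [ "$k" = "rsa" ] || { echo "unexpected key type: $k" >&2; return 1; }
    # an empty p= is how a selector is revoked; every signature under it would then fail
    [ -n "$p" ] || { echo "empty p= tag: key revoked or missing" >&2; return 1; }
    # p= is base64 DER SubjectPublicKeyInfo, whose first byte is the SEQUENCE tag 0x30
    first=$(printf '%s' "$p" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    [ "$first" = "30" ] || { echo "p= does not decode to a DER public key" >&2; return 1; }
    return 0
}

# Usage: flatten the file, then check it.
rec=$(dkim_txt_flatten "$SAMPLE_MAIL_TXT")
printf 'TXT: %s\n' "$rec"
dkim_record_check "$rec" && echo "record OK"
```

Run it against the real file with `dkim_txt_flatten "$(cat mail.txt)"`; the flattened string is also what `dig +short TXT mail._domainkey.example.com` should return once the record is published, so comparing the two catches a zone that was pasted with a missing fragment.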

 


Setup Server

 

Install

apt-get install opendkim

/etc/default/opendkim

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock" # path inside the Postfix chroot; the directory must exist, be writable by opendkim, and match the path Postfix connects to (the Postfix section below uses var/run/opendkim)

/etc/opendkim.conf

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogFacility          mail
SyslogSuccess           Yes
LogWhy                  Yes
X-Header                Yes

# Map domains in From addresses to keys used to sign messages
KeyTable               /etc/opendkim/key.table
SigningTable           refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

/etc/opendkim/TrustedHosts

127.0.0.1
localhost
# mx1, mx2

Checking

/etc/init.d/opendkim restart

[1] inet socket (Postfix section, option [1]):

netstat -tnlp | grep 12345

OR

[2] unix socket (Postfix section, option [2]):

/var/log/mail.log

Dec 18 16:23:36 debian opendkim[5358]: OpenDKIM Filter: mi_stop=1
Dec 18 16:23:36 debian opendkim[5358]: OpenDKIM Filter v2.0.1 terminating with status 0, errno = 0
Dec 18 16:23:36 debian opendkim[5380]: OpenDKIM Filter v2.0.1 starting (args: ... )

 


opendkim configuration notes

 

refile = regular expression file

Canonicalization

Selects the canonicalizations to use when signing.

Valid values for each (header and body) are "simple" and "relaxed":

simple: allows almost no modification of the message in transit
relaxed: tolerates minor changes such as whitespace replacement

relaxed/simple: the message header is processed with the relaxed algorithm and the body with the simple one

AutoRestart

auto restart the filter on failures

AutoRestartRate

specifies the filter's maximum restart rate; if restarts begin to happen faster than this rate, the filter terminates. 10/1h: at most 10 restarts per hour are allowed.

UMask

002 gives full access to the owner and to the group defined by UserID, and lets other users read and execute (but not write) the files opendkim creates;

in this case it allows the PID file and the socket to be created and modified by the group.

SigningTable

lists the signatures to apply to a message based on the address found in the From: header field

# From: address pattern     KeyTable name
*@example.com               example

KeyTable

maps key names to signing keys

e.g. (DOMAIN_NAME and SELECTOR are placeholders; for this page they are example.com and mail)

example     DOMAIN_NAME:SELECTOR:/etc/opendkim/keys/example.com/mail.private
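An added example, not from the original page or from OpenDKIM, that follows a From: address through the two tables to the key opendkim would sign with. The tables are constructed here from the page's example values; the matching is an approximation of opendkim's refile handling (assumed: `*` is the wildcard and the domain comparison is case-insensitive), implemented with shell globbing.

```shell
#!/bin/sh
# Added example: resolve a From: address via SigningTable -> KeyTable -> key file.
# Not from the original page or from OpenDKIM; tables are constructed from the page's values,
# and glob matching stands in for opendkim's refile regular expressions (an approximation).

SIGNING_TABLE='# From: address pattern     KeyTable name
*@example.com               example
*@lists.example.com         example'
KEY_TABLE='example   example.com:mail:/etc/opendkim/keys/example.com/mail.private'

# Print the KeyTable name whose pattern matches the address; fail if none does.
# The address is lowercased because domain names are case-insensitive.
signing_table_lookup() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s\n' "$SIGNING_TABLE" | while read -r pattern key; do
        case $pattern in ''|'#'*) continue ;; esac      # skip blank and comment lines
        case $addr in $pattern) printf '%s\n' "$key"; break ;; esac
    done)
    [ -n "$name" ] && printf '%s\n' "$name"
}

# Print "domain selector keyfile" for a KeyTable name; fail if the name is unknown.
key_table_lookup() {
    spec=$(printf '%s\n' "$KEY_TABLE" | while read -r key rest; do
        [ "$key" = "$1" ] && { printf '%s\n' "$rest"; break; }
    done)
    [ -n "$spec" ] && printf '%s\n' "$spec" | tr ':' ' '
}

# Chain both lookups. A failure here means the message would leave the server unsigned.
dkim_signing_key_for() {
    name=$(signing_table_lookup "$1") || return 1
    key_table_lookup "$name"
}

# Usage: one address that signs, one that would go out unsigned.
dkim_signing_key_for "alice@example.com"
dkim_signing_key_for "mallory@other.org" || echo "no SigningTable match: message would be sent unsigned"
```

The output field order (domain, selector, key file) is the order of the KeyTable entry itself, so `d=` and `s=` in the resulting DKIM-Signature header come straight from that line; a selector typo there is only caught when the verifier fails to find the DNS record.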

Mode

declares operating modes; in this case the milter acts as a signer (s) and a verifier (v)

X-Header

Add an X- header to messages passing through this filter to identify messages it has processed.

 

 



Postfix configuration

 

[1] inet (TCP) socket on loopback

/etc/default/opendkim

SOCKET="inet:12345@localhost" # listen on loopback on port 12345

/etc/postfix/main.cf

# opendkim setup
smtpd_milters           = inet:localhost:12345
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 6

[2] unix socket inside the Postfix chroot

mkdir /var/spool/postfix/var/run/opendkim

chown opendkim.postfix /var/spool/postfix/var/run/opendkim

chmod 770 /var/spool/postfix/var/run/opendkim

/etc/default/opendkim

SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock" # chrooted postfix path

/etc/postfix/main.cf

# opendkim setup
smtpd_milters = unix:var/run/opendkim/opendkim.sock
...

Send a test mail

log

Dec 18 17:32:22 debian opendkim[6402]: 4E5358599B "DKIM-Signature" header added

Explanation

smtpd_milters (default: empty)

There are two kinds:

  • SMTP mail filters, for mail that arrives via the Postfix smtpd server ( smtpd_milters=... )
  • non-SMTP mail filters, for mail submitted via the Postfix sendmail command and passed to cleanup ( non_smtpd_milters=... )

milter_default_action (default: tempfail)

The action taken when a milter application is unavailable or misconfigured; the default is to respond with a temporary error status.

Specify "accept" if you want to receive mail as if the filter does not exist. With "accept", an opendkim outage means mail is delivered unsigned and unverified without any error, so watch the mail log for milter connection failures.

milter_protocol (default: 6)

2    Use Sendmail 8 mail filter protocol version 2
      (default with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).

6    Use Sendmail 8 mail filter protocol version 6
      (default with Sendmail version 8.14 and Postfix version 2.6).
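An added example, not from the original page or from the OpenDKIM or Postfix projects: a shell check that the socket opendkim listens on (SOCKET in /etc/default/opendkim) and the endpoint Postfix connects to (smtpd_milters in main.cf) name the same thing, taking the Postfix chroot into account, and that an inet socket is not bound beyond loopback. The socket values are the two layouts from this page; `/var/spool/postfix` as the chroot is an assumption matching the page's paths.

```shell
#!/bin/sh
# Added example: verify opendkim's SOCKET and Postfix's smtpd_milters agree, and that an inet
# socket is not exposed beyond loopback. Not from the original page, OpenDKIM or Postfix.

POSTFIX_QUEUE=/var/spool/postfix   # Postfix chroot (assumed): a relative unix: path in main.cf lives here

# Canonicalise an opendkim SOCKET value: "local:/path" or "inet:PORT[@HOST]".
opendkim_socket_canon() {
    case $1 in
        local:*) printf 'unix:%s\n' "${1#local:}" ;;
        inet:*)
            spec=${1#inet:}
            case $spec in
                *@*) printf 'inet:%s:%s\n' "${spec#*@}" "${spec%%@*}" ;;
                *)   printf 'inet:*:%s\n' "$spec" ;;   # no host given: opendkim binds every interface
            esac ;;
        *) printf 'unknown:%s\n' "$1" ;;
    esac
}

# Canonicalise a Postfix smtpd_milters entry: "unix:path" (relative paths are inside the chroot)
# or "inet:HOST:PORT".
postfix_milter_canon() {
    case $1 in
        unix:/*) printf 'unix:%s\n' "${1#unix:}" ;;
        unix:*)  printf 'unix:%s/%s\n' "$POSTFIX_QUEUE" "${1#unix:}" ;;
        inet:*)  printf 'inet:%s\n' "${1#inet:}" ;;
        *)       printf 'unknown:%s\n' "$1" ;;
    esac
}

# 0 when both sides name the same endpoint. A mismatch combined with milter_default_action=accept
# means Postfix keeps delivering mail that was never signed or verified.
milter_socket_match() {
    [ "$(opendkim_socket_canon "$1")" = "$(postfix_milter_canon "$2")" ]
}

# 0 when an inet SOCKET is reachable from other hosts (bound to anything but loopback).
# Anyone who can reach the milter port can feed it messages to sign.
opendkim_socket_exposed() {
    case $(opendkim_socket_canon "$1") in
        inet:localhost:*|inet:127.0.0.1:*|inet:::1:*) return 1 ;;
        inet:*) return 0 ;;
        *) return 1 ;;   # unix sockets are protected by file permissions, not by the network
    esac
}

# Usage with the two layouts from the Postfix section.
for pair in "inet:12345@localhost inet:localhost:12345" \
            "local:/var/spool/postfix/var/run/opendkim/opendkim.sock unix:var/run/opendkim/opendkim.sock"; do
    set -- $pair
    if milter_socket_match "$1" "$2"; then echo "match:    $1 <-> $2"; else echo "MISMATCH: $1 <-> $2"; fi
    opendkim_socket_exposed "$1" && echo "WARNING: $1 is reachable from the network"
done
```

To run it against a live host, read the two values with `. /etc/default/opendkim` and `postconf -h smtpd_milters`; the second check is the reason the page's inet example binds to localhost rather than to a bare port.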

 


DOC

 

before-queue Milter: http://www.postfix.org/MILTER_README.html

man opendkim.conf

zcat /usr/share/doc/opendkim/examples/opendkim.conf.sample.gz