DKIM and SPF
Install required packages
Shell
apt install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre |
Add postfix user into opendkim group
Shell
adduser postfix opendkim |
Add 2 records into DNS table (TXT and SPD) containing v=spf1 mx -all
Correct /etc/postfix-policyd-spf-python/policyd-spf.conf for Spamassassin
Code
#HELO_reject = Fail | |
HELO_reject = False | |
#Mail_From_reject = Fail | |
Mail_From_reject = False |
Add this line into /etc/postfix/master.cf
Code
policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf |
Add this line into /etc/postfix/main.cf
Code
policyd-spf_time_limit = 3600 | |
... | |
smtpd_recipient_restrictions = | |
... | |
reject_unauth_destination, | |
check_policy_service unix:private/policyd-spf, | |
... |
Configure OpenDKIM /etc/opendkim.conf
Code
# This is a basic configuration that can easily be adapted to suit a standard | |
# installation. For more advanced options, see opendkim.conf(5) and/or | |
# /usr/share/doc/opendkim/examples/opendkim.conf.sample. | |
| |
# Log to syslog | |
Syslog yes | |
# Required to use local socket with MTAs that access the socket as a non- | |
# privileged user (e.g. Postfix) | |
UMask 002 | |
# OpenDKIM user | |
# Remember to add user postfix to group opendkim | |
UserID opendkim | |
| |
# Map domains in From addresses to keys used to sign messages | |
KeyTable /etc/opendkim/key.table | |
SigningTable refile:/etc/opendkim/signing.table | |
| |
# Hosts to ignore when verifying signatures | |
ExternalIgnoreList /etc/opendkim/trusted.hosts | |
InternalHosts /etc/opendkim/trusted.hosts | |
| |
# Commonly-used options; the commented-out versions show the defaults. | |
Canonicalization relaxed/simple | |
Mode sv | |
SubDomains no | |
#ADSPAction continue | |
AutoRestart yes | |
AutoRestartRate 10/1M | |
Background yes | |
DNSTimeout 5 | |
SignatureAlgorithm rsa-sha256 | |
| |
# Always oversign From (sign using actual From and a null From to prevent | |
# malicious signatures header fields (From and/or others) between the signer | |
# and the verifier. From is oversigned by default in the Debian package | |
# because it is often the identity key used by reputation systems and thus | |
# somewhat security sensitive. | |
OversignHeaders From | |
| |
# Socket smtp://localhost | |
Socket local:/var/spool/postfix/opendkim/opendkim.sock |
Correct file rights
Shell
chmod u=rw,go=r /etc/opendkim.conf | |
mkdir /etc/opendkim | |
mkdir /etc/opendkim/keys | |
chown -R opendkim:opendkim /etc/opendkim | |
chmod go-rwx /etc/opendkim/keys | |
| |
echo '*@example.com example' > /etc/opendkim/signing.table | |
| |
echo 'example example.com:YYYYMM:/etc/opendkim/keys/example.private' > /etc/opendkim/key.table | |
| |
cat > /etc/opendkim/trusted.hosts < EOF | |
127.0.0.1 | |
::1 | |
localhost | |
myhostname | |
myhostname.example.com | |
example.com | |
EOF | |
| |
opendkim-genkey -b 2048 -h rsa-sha256 -r -s YYYYMM -d example.com -v | |
mv YYYYMM.private example.private | |
mv YYYYMM.txt example.txt | |
| |
chown -R opendkim:opendkim /etc/opendkim | |
chmod -R go-rw /etc/opendkim/keys |
From example.txt, add a DNS entry 201510._domainkey IN TXT with a text value containting v=DKIM1.... without double quote and replacing h=rsa-sha256 by h=sha256
Test your configuration with:
Shell
opendkim-testkey -d example.com -s YYYYMM -vvv |
Last message should be "key OK", ignore “key not secure” message.
Hook OpenDKIM into Postfix
Shell
mkdir /var/spool/postfix/opendkim | |
chown opendkim:postfix /var/spool/postfix/opendkim |
Change socket into /etc/default/opendkin
Code
SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock" |
Edit /etc/postfix/main.cf
Code
echo >>/etc/postfix/main.cf < EOF | |
# Milter configuration | |
# OpenDKIM | |
milter_default_action = accept | |
# Postfix >= 2.6 milter_protocol = 6, Postfix <= 2.5 milter_protocol = 2 | |
milter_protocol = 6 | |
smtpd_milters = local:opendkim/opendkim.sock | |
non_smtpd_milters = local:opendkim/opendkim.sock | |
EOF |
Thanks to
https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
