Install required packages
Shell
apt install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre
Add the postfix user to the opendkim group
Shell
adduser postfix opendkim
Add two records to the DNS zone (a TXT record and an SPF record) containing v=spf1 mx -all
Adjust /etc/postfix-policyd-spf-python/policyd-spf.conf so that SPF failures are not rejected outright (leave the scoring to SpamAssassin)
Code
#HELO_reject = Fail
HELO_reject = False
#Mail_From_reject = Fail
Mail_From_reject = False
Add this line to /etc/postfix/master.cf
Code
policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf
Add these lines to /etc/postfix/main.cf
Code
policyd-spf_time_limit = 3600
...
smtpd_recipient_restrictions =
    ...
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    ...
Configure OpenDKIM /etc/opendkim.conf
Code
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002
# OpenDKIM user
# Remember to add user postfix to group opendkim
UserID opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization relaxed/simple
Mode sv
SubDomains no
#ADSPAction continue
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256

# Always oversign From (sign using actual From and a null From to prevent
# malicious insertion of header fields (From and/or others) between the signer
# and the verifier). From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From

# Socket smtp://localhost
Socket local:/var/spool/postfix/opendkim/opendkim.sock
Set file permissions and create the signing and key tables
Shell
chmod u=rw,go=r /etc/opendkim.conf
mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod go-rwx /etc/opendkim/keys

# Sign every sender at example.com with the key named "example"
echo '*@example.com example' > /etc/opendkim/signing.table

# key name, then domain:selector:private key path (selector YYYYMM, e.g. 201510)
echo 'example example.com:YYYYMM:/etc/opendkim/keys/example.private' > /etc/opendkim/key.table

# Hosts whose outgoing mail is signed instead of verified
cat > /etc/opendkim/trusted.hosts << EOF
127.0.0.1
::1
localhost
myhostname
myhostname.example.com
example.com
EOF

# -h takes hash names (sha256), not the signature algorithm name rsa-sha256
opendkim-genkey -b 2048 -h sha256 -r -s YYYYMM -d example.com -v
# key.table points at /etc/opendkim/keys/example.private, so move the key there
mv YYYYMM.private /etc/opendkim/keys/example.private
mv YYYYMM.txt example.txt

chown -R opendkim:opendkim /etc/opendkim
chmod -R go-rw /etc/opendkim/keys
From example.txt, add a DNS entry YYYYMM._domainkey IN TXT (e.g. 201510._domainkey, the same selector as in key.table)
whose text value is the v=DKIM1... string joined into one line without the double quotes; the h= tag must read
h=sha256 (if the file shows h=rsa-sha256, replace it with h=sha256).
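As an added example (not part of the original notes), this Python script turns the BIND-style YYYYMM.txt written by opendkim-genkey into the flat value to paste into DNS, applies the h= fix described above, and checks the tags and selector before you publish. The sample file content is constructed, and its p= value is a placeholder prefix, not a real key.

```python
import base64
import re

# Constructed sample of the <selector>.txt file written by opendkim-genkey
# (as run with -h rsa-sha256); the p= value is a placeholder prefix.
SAMPLE_TXT = (
    'YYYYMM._domainkey\tIN\tTXT\t( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"\n'
    '\t  "AAAA" )  ; ----- DKIM key YYYYMM for example.com\n'
)
VALID_HASHES = {"sha1", "sha256"}  # the only hash names DKIM defines for h=


def flatten_record(bind_text):
    """Return (owner, value): join the quoted strings into one unquoted TXT value."""
    owner = bind_text.split()[0]
    value = "".join(re.findall(r'"([^"]*)"', bind_text))
    return owner, value


def fix_hash_tag(value):
    """rsa-sha256 is a signature algorithm, not a hash name; the h= tag
    must say sha256 or verifiers will reject the key."""
    return re.sub(r"\bh=rsa-sha256\b", "h=sha256", value)


def parse_tags(value):
    """Split 'k=v; k=v' into a dict (tag names and values are stripped)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def check_record(owner, value, selector):
    """Return the list of problems; an empty list means the record is publishable."""
    tags, problems = parse_tags(value), []
    if owner != selector + "._domainkey":
        problems.append("owner does not match key.table selector")
    if tags.get("v") != "DKIM1":
        problems.append("v tag must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k tag must be rsa")
    bad = set(tags.get("h", "sha256").split(":")) - VALID_HASHES
    if bad:
        problems.append("invalid hash name in h tag: " + ",".join(sorted(bad)))
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True).startswith(b"\x30"):
            problems.append("p tag does not decode to a DER public key")
    except ValueError:
        problems.append("p tag is not valid base64")
    return problems
```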
Test your configuration with:
Shell
opendkim-testkey -d example.com -s YYYYMM -vvv
The last message should be "key OK"; a "key not secure" message (the DNS answer was not DNSSEC-validated) can be ignored.
Hook OpenDKIM into Postfix
Shell
mkdir /var/spool/postfix/opendkim
chown opendkim:postfix /var/spool/postfix/opendkim
Change the socket in /etc/default/opendkim
Code
SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
Edit /etc/postfix/main.cf
Shell
cat >> /etc/postfix/main.cf << EOF
# Milter configuration
# OpenDKIM
milter_default_action = accept
# Postfix >= 2.6 milter_protocol = 6, Postfix <= 2.5 milter_protocol = 2
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock
EOF
Thanks to
https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/