How To Set Up DKIM (DomainKeys Identified Mail) With Postfix On CentOS Using OpenDKIM

Notes

I’m running all the steps in this tutorial with root privileges. I’m currently running CentOS 7 with OpenDKIM version 2.4.2, and I will be using example.com as the primary domain throughout this tutorial.

Download & Install OpenDKIM

First install the OpenSSL and Sendmail development packages: they provide the libraries and headers that OpenDKIM is compiled against.

yum install sendmail-devel openssl-devel

  • Download OpenDKIM to the /usr/local/src directory:

cd /usr/local/src
wget http://sourceforge.net/projects/opendkim/files/opendkim-2.4.2.tar.gz

  • Extract, configure, compile, and install OpenDKIM with:

tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install

Create a New User

Add a dedicated system user named opendkim (no home directory, no login shell) for the filter to run as:

useradd -r -U -s /sbin/nologin opendkim

Create Directories

Create the configuration directories for OpenDKIM and set their ownership and permissions so that only the opendkim user can read the keys:

mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-wrx /etc/opendkim/keys

Copy the startup script to /etc/init.d/

OpenDKIM’s source package includes a contrib directory that contains a custom init script to be used with all RedHat-compatible systems, including Fedora and CentOS. You can copy it to your /etc/init.d/ directory to make starting, stopping, restarting, and reloading OpenDKIM easy:

cp /usr/local/src/opendkim-2.4.2/contrib/init/redhat/opendkim /etc/init.d/

Now set the correct permissions for the init script:

chmod 755 /etc/init.d/opendkim

Generate Keys

You need to generate a private and a public key for each of the domains for which you wish to sign mail. The private key is stored away on your server, while the public key gets published in your domain’s DNS records so that receiving mail servers can verify your DKIM-signed mail.

mkdir /etc/opendkim/keys/example.com
/usr/local/bin/opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
chown -R opendkim:opendkim /etc/opendkim/keys/example.com
mv /etc/opendkim/keys/example.com/default.private /etc/opendkim/keys/example.com/default

Edit configuration files

You need to create or edit four files:

  • /etc/opendkim.conf – OpenDKIM’s main configuration file
  • /etc/opendkim/KeyTable – a list of keys available for signing
  • /etc/opendkim/SigningTable – a list of domains and accounts allowed to sign
  • /etc/opendkim/TrustedHosts – a list of servers to “trust” when signing or verifying

  • Create the file /etc/opendkim.conf:

vi /etc/opendkim.conf

Make sure the file looks something like:

## opendkim.conf -- configuration file for OpenDKIM filter
AutoRestart             Yes
AutoRestartRate         10/1h
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  Yes
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost
Syslog                  Yes
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  opendkim:opendkim

  • Create the file /etc/opendkim/KeyTable:

vi /etc/opendkim/KeyTable

Make sure the file looks something like:

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default

The KeyTable file tells OpenDKIM where to find your keys. Each key gets exactly one line: the key name on the left, then the signing domain, the selector, and the path to the private key separated by colons (all of the text in the example above belongs on a single line in your file). If you’re going to use multiple keys (to sign mail for virtual domains with different keys), you’ll need to create a separate line in the KeyTable file for each domain.

  • Create the file /etc/opendkim/SigningTable:

vi /etc/opendkim/SigningTable

Make sure the file looks something like:

*@example.com default._domainkey.example.com

The SigningTable file tells OpenDKIM how to use your keys, that is, which senders should use which selectors for their signatures. In the above example, I’m saying that everyone (*) sending mail from the domain “example.com” should use the selector named “default.” It’s important to note that the * wildcard symbol will only work if the SigningTable option uses the refile: prefix before the filename.
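To make the two-step lookup concrete (SigningTable pattern matches the sender, KeyTable entry names the domain, selector and private key), here is an added example that is not part of the original tutorial or of OpenDKIM itself. The tables are constructed inline: the example.com lines mirror the tutorial, and a second domain, example.org, is an assumption added so there is more than one candidate. The wildcard handling is an approximation of OpenDKIM’s refile: semantics (only * is treated as a wildcard, and the first matching pattern wins).

```python
"""Resolve which DKIM key OpenDKIM would use for a sender, from table files."""
import re

# Constructed sample tables. The example.com entries mirror the tutorial;
# the example.org entries are an assumption added for a second candidate.
SIGNING_TABLE = """\
# sender pattern            key name (left-hand column of KeyTable)
*@example.com               default._domainkey.example.com
*@mail.example.org          mail._domainkey.example.org
"""

KEY_TABLE = """\
# key name                      signing domain:selector:private key path
default._domainkey.example.com  example.com:default:/etc/opendkim/keys/example.com/default
mail._domainkey.example.org     example.org:mail:/etc/opendkim/keys/example.org/mail
"""


def parse_table(text):
    """Parse a two-column OpenDKIM table into an ordered list of (key, value).

    Blank lines and '#' comments are skipped. Order is preserved because
    this example, like OpenDKIM by default, uses the first matching pattern.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        entries.append((fields[0], fields[1].strip()))
    return entries


def refile_pattern(key):
    """Compile a 'refile:' key. Assumption made here: '*' is the only wildcard
    and matches any run of characters; everything else is literal. Matching
    is case-insensitive because mail domains are compared that way."""
    parts = [re.escape(p) for p in key.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def lookup_signing_key(sender, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """Return (domain, selector, private_key_path) for a sender address,
    or None if no SigningTable pattern matches (the mail goes out unsigned)."""
    keys = dict(parse_table(key_table))
    for pattern, key_name in parse_table(signing_table):
        if refile_pattern(pattern).match(sender):
            if key_name not in keys:
                # A SigningTable entry pointing at a key name that is not in
                # the KeyTable is a misconfiguration; make it visible.
                raise KeyError(f"SigningTable refers to unknown key {key_name}")
            domain, selector, path = keys[key_name].split(":", 2)
            return domain, selector, path
    return None


def dns_record_name(domain, selector):
    """Name of the TXT record a verifier queries for this domain/selector."""
    return f"{selector}._domainkey.{domain}"


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@mail.example.org", "eve@example.net"):
        print(addr, "->", lookup_signing_key(addr))
```

Running it shows that alice@example.com is signed with the default selector and the key in /etc/opendkim/keys/example.com/default, while eve@example.net matches nothing and would leave the server unsigned; that second case is the one to look for when a domain’s mail unexpectedly arrives without a DKIM-Signature header.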

  • Create the file /etc/opendkim/TrustedHosts:

vi /etc/opendkim/TrustedHosts

Make sure your file looks like this:

127.0.0.1
hostname1.example1.com
example1.com
hostname1.example2.com
example2.com

IMPORTANT: Make sure you list the IP address for localhost (127.0.0.1) in the TrustedHosts file or OpenDKIM won’t sign mail sent from this server. If you have multiple servers on the same network that relay mail through this server and you want to sign their mail as well, they must be listed in the TrustedHosts file. Put each entry on its own line.

Edit your Postfix configuration

Add the following lines at the end of your Postfix main.cf file, which will make Postfix aware of OpenDKIM and allow it to sign and verify mail:

vi /etc/postfix/main.cf

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

Start OpenDKIM and restart Postfix

Run the following commands to remove Sendmail from the boot sequence, start OpenDKIM and restart Postfix:

chkconfig --del sendmail
service opendkim start
service postfix restart

If everything looks good, let’s run chkconfig on OpenDKIM to make sure it starts when you boot your server:

chkconfig --level 2345 opendkim on

Changing DNS Records

Now that your mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed.

Print the contents of default.txt and paste the record at the end of your DNS zone file:

cat /etc/opendkim/keys/example.com/default.txt
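The record in default.txt is easy to paste incorrectly (a long p= value split across several quoted strings, or the trailing comment copied into the zone), so here is an added example, not part of the original tutorial or of OpenDKIM, that parses the file the way a verifier reassembles the TXT record, sanity-checks the tags, and re-renders the record with the value split into strings of at most 255 bytes, the limit for a single TXT string. The sample default.txt is constructed inline with placeholder key material rather than a real key; it accepts both the single-string layout and the parenthesised multi-string layout that opendkim-genkey writes.

```python
"""Turn the default.txt written by opendkim-genkey into a publishable TXT record."""
import re

# Constructed sample in the layout opendkim-genkey writes; the key material
# is a placeholder, not a real key. Older releases write one quoted string,
# newer ones wrap several quoted strings in parentheses; both parse the same.
DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPLACEHOLDERKEYMATERIAL00000000000"\n'
    '\t  "1111111111111111111111111111111111111111111111111111111111111111QIDAQAB" )'
    '  ; ----- DKIM key default for example.com\n'
)


def parse_genkey_record(text):
    """Return (owner_name, tags). All quoted strings are concatenated, which
    is exactly how a DKIM verifier reassembles a multi-string TXT record;
    the unquoted ';' comment at the end is ignored."""
    owner = text.split(None, 1)[0]
    value = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return owner, tags


def check_record(tags):
    """Sanity checks before publishing. Returns a list of problems (empty = OK)."""
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag missing or not DKIM1")
    if tags.get("k", "rsa") != "rsa":          # k= defaults to rsa (RFC 6376)
        problems.append("unexpected key type " + tags["k"])
    pub = tags.get("p", "")
    if not pub:
        problems.append("empty p= tag (publishing this would revoke the key)")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+=*", pub):
        problems.append("p= tag is not valid base64")
    return problems


def zone_record(owner, tags, ttl=3600):
    """Render a zone-file line. A single TXT string holds at most 255 bytes,
    so the value is split into several quoted strings when it is longer
    (a 2048-bit key always needs this). The value is ASCII, so character
    count equals byte count."""
    value = "; ".join(f"{k}={v}" for k, v in tags.items())
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{owner} {ttl} IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"


def txt_strings(record):
    """Extract the quoted strings of a rendered record (used by the checks)."""
    return re.findall(r'"([^"]*)"', record)


if __name__ == "__main__":
    owner, tags = parse_genkey_record(DEFAULT_TXT)
    print("problems:", check_record(tags) or "none")
    print(zone_record(owner, tags))
```

The script only works on the file; it does not query DNS. Once the record has propagated, opendkim-testkey, which ships with OpenDKIM, performs the live lookup: opendkim-testkey -d example.com -s default -vvv.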

Make sure your SPF record exists as well. To check your DKIM configuration, please visit MAIL-TESTER.

Important: If you face any errors, please comment below.