OpenDKIM Setup

From KG7QIN's Wiki
Revision as of 06:57, 7 October 2022 by Kg7qin (talk | contribs) (Created initial page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Setup SPF Record

Step 1: Create An SPF Record In DNS Of Your Sender Domain

If you are using [example.com](http://example.com) as the From/Sender domain in all your emails going through Postfix, then this is the domain for which you have to actually set up the SPF record. And, SPF record can be easily set up by login into your DNS provider, e.g. Godaddy, Namecheap.

Once you are logged in, just create a new TXT record like the one below: 

  TXT  @  v=spf1 mx ~all

Note, there might be a few DNS providers, who will require you to enclose the SPF record with quotes, like the one below:

TXT @ "v=spf1 mx ~all"

Once you have added the SPF records, it might take up to 24-48 hrs to propagate globally over the internet. You can use the dig command to see the current SPF record which is updated globally:

dig example.com TXT

Or you can also use online SPF validators like [mxtoolbox.com](http://mxtoolbox.com), [Kitterman.com](http://Kitterman.com) or [spf.myisp.ch](http://spf.myisp.ch)

Out of the above online SPF validators, [spf.myisp.ch](http://spf.myisp.ch) is quite useful because it gives a very detailed view of what all servers/IP addresses are allowed to send emails for your domain.

Step 2: Configuring SPF Policy Agent On Server

By setting up the SPF record for your domain, you have completed a very important step to improve the delivery of outgoing emails to recipient's inbox. Like the way you did the SPF configuration for outgoing emails, the very same way you should also do the SPF validation for the incoming emails. This will help you to detect the forged incoming emails coming in your network.

First, install the required package for SPF policy agent 

  sudo apt install postfix-policyd-spf-python

The next step is to edit the postfix's master file [master.cf](http://master.cf). You can use any of your favourite editor vim or nano to edit the file: 

  sudo nano /etc/postfix/master.cf

Append the following lines at the EOF. This will tell the postfix to start the SPF policy daemon whenever postfix starts itself. 

  policyd-spf  unix  -       n       n       -       0       spawn
      user=policyd-spf argv=/usr/bin/policyd-spf

Save and close the file. Next step is to edit the postfix's main configuration file [main.cf](http://main.cf). 

  sudo nano /etc/postfix/main.cf

Add the following lines at the end of the file [main.cf](http://main.cf). Adding these lines means, you are giving the instructions to postfix to check SPF on incoming emails and reject the emails which are unauthorized. 

  policyd-spf_time_limit = 3600
  smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination,
     check_policy_service unix:private/policyd-spf

Save and close the file. You are now done with the SPF setup, just restart the postfix to reflect the changes. 

  sudo service postfix restart

or 

  sudo systemctl restart postfix

Setting up DKIM

DKIM can be set up by installing OpenDKIM- an open-source package for setting up DKIM. 

  sudo apt install opendkim opendkim-tools

Once the installation is successful, you need to add postfix user to opendkim group. By doing this, you are actually linking DKIM with your Postfix installation: 

  sudo gpasswd -a postfix opendkim

Next step is to edit the main configuration file of the OpenDKIM: 

  sudo nano /etc/opendkim.conf

Change the below-highlighted content in the main configuration: 

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog          yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask           002

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain         example.com
#KeyFile        /etc/mail/dkim.key
#Selector       2007

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization  relaxed/simple
Mode            sv
SubDomains      no
#ADSPAction             continue
AutoRestart       yes
AutoRestartRate         10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm      rsa-sha256

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders     From

# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)

#ATPSDomains        example.com

#OpenDKIM user
# Remember to add user postfix to group opendkim
UserID                 opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable            refile:/etc/opendkim/key.table
SigningTable        refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts

Once changes are done, save and close the file.

Create Signing Table

In order to create the signing table, you need to first create a directory structure for OpenDKIM. Execute the following commands to configure the same: 

  sudo mkdir /etc/opendkim
  sudo mkdir /etc/opendkim/keys

Change the permission and role: 

  sudo chown -R opendkim:opendkim /etc/opendkim
  sudo chmod go-rw /etc/opendkim/keys

Execute the following command to create the signing table: 

  sudo nano /etc/opendkim/signing.table


then add the following lines in the above file: 

  *@your-domain.com    default._domainkey.your-domain.com

Save and close the file.

Create Key Table

Execute the following command to create the key table: 

  sudo nano /etc/opendkim/key.table

Once created, add the following lines in the file: 

  default._domainkey.your-domain.com your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private

Save and close the file.

Create The Trusted Hosts File

Execute the following command to create the trusted table: 

  sudo nano /etc/opendkim/trusted.hosts

Once created, add the following lines in the file: 

127.0.0.1
localhost

*.your-domain.com

Adding the above line means that emails coming from the mentioned IP addresses and domains will be trusted and signed

Generation of the Private and Public Key for DKIM

DKIM is going to be used for signing outgoing emails. So, you need to generate both private and the public key for DKIM. The private key will be used to signing and the public key which will be published in the DNS will be used for remote verification.

Create a folder for your domain for which DKIM to be signed 

  sudo mkdir /etc/opendkim/keys/your-domain.com

You can use the opendkim-genkey tool to generate the keys 

  sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v

Once you will execute the above command, two files will get generated:

1. This file will contain your private key. 

  /etc/opendkim/keys/your-domain.com/default.private

2. This file will contain your public key which you need to add in the DNS record of your domain. 

  /etc/opendkim/keys/your-domain.com/default.txt

Change the ownership of the private key file: 

  sudo chown opendkim:opendkim /etc/opendkim/keys/your-domain.com/default.private

Configure Public Key in DNS Record of Domain

Get the public key by doing cat: 

  sudo cat /etc/opendkim/keys/your-domain.com/default.txt

Testing Your DKIM Configuration

Execute the following command on your Ubuntu machine to test your keys: 

  sudo opendkim-testkey -d your-domain.com -s default -vvv

If the setup is correct, you will get the following message: 

  key OK

Integrate Postfix to OpenDKIM

Postfix can connect with OpenDKIM via Unix socket i.e. /var/run/opendkim/opendkim.sock. But, we need to change the file path because the SMTP daemon which comes with Ubuntu resolves all filenames relative to the Postfix queue directory (/var/spool/postfix).

Create a new directory to keep the OpenDKIM socket file 

  sudo mkdir /var/spool/postfix/opendkim
  sudo chown opendkim:postfix /var/spool/postfix/opendkim

The next step is to edit the socket conf file. 

  sudo nano /etc/default/opendkim

Setup SPF Record

Step 1: Create An SPF Record In DNS Of Your Sender Domain

If you are using example.com as the From/Sender domain in all your emails going through Postfix, then this is the domain for which you have to actually set up the SPF record. And, SPF record can be easily set up by login into your DNS provider, e.g. Godaddy, Namecheap.

Once you are logged in, just create a new TXT record like the one below: 

  TXT  @  v=spf1 mx ~all

Note, there might be a few DNS providers, who will require you to enclose the SPF record with quotes, like the one below: 

  TXT  @  "v=spf1 mx ~all"

Once you have added the SPF records, it might take up to 24-48 hrs to propagate globally over the internet. You can use the dig command to see the current SPF record which is updated globally: 

  dig example.com TXT

Or you can also use online SPF validators like http://mxtoolbox.com. http://Kitterman.com or http://spf.myisp.ch

Out of the above online SPF validators, http://spf.myisp.ch is quite useful because it gives a very detailed view of what all servers/IP addresses are allowed to send emails for your domain.

Step 2: Configuring SPF Policy Agent On Server

By setting up the SPF record for your domain, you have completed a very important step to improve the delivery of outgoing emails to recipient's inbox. Like the way you did the SPF configuration for outgoing emails, the very same way you should also do the SPF validation for the incoming emails. This will help you to detect the forged incoming emails coming in your network.

First, install the required package for SPF policy agent 

  sudo apt install postfix-policyd-spf-python

The next step is to edit the postfix's master.cf). You can use any of your favourite editor vim or nano to edit the file: 

  sudo nano /etc/postfix/master.cf

Append the following lines at the EOF. This will tell the postfix to start the SPF policy daemon whenever postfix starts itself. 

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Save and close the file. Next step is to edit the postfix's main configuration file (main.cf). 

  sudo nano /etc/postfix/main.cf

Add the following lines at the end of main.cf. Adding these lines means, you are giving the instructions to postfix to check SPF on incoming emails and reject the emails which are unauthorized. 

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf

Save and close the file. You are now done with the SPF setup, just restart the postfix to reflect the changes. 

  sudo service postfix restart

or 

  sudo systemctl restart postfix

Setting up DKIM

DKIM can be set up by installing OpenDKIM- an open-source package for setting up DKIM. 

  sudo apt install opendkim opendkim-tools

Once the installation is successful, you need to add postfix user to opendkim group. By doing this, you are actually linking DKIM with your Postfix installation: 

  sudo gpasswd -a postfix opendkim

Next step is to edit the main configuration file of the OpenDKIM: 

  sudo nano /etc/opendkim.conf

Change the below-highlighted content in the main configuration: 

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog          yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask           002

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain         example.com
#KeyFile        /etc/mail/dkim.key
#Selector       2007

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization  relaxed/simple
Mode            sv
SubDomains      no
#ADSPAction             continue
AutoRestart       yes
AutoRestartRate         10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm      rsa-sha256

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders     From

# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)

#ATPSDomains        example.com

#OpenDKIM user
# Remember to add user postfix to group opendkim
UserID                 opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable            refile:/etc/opendkim/key.table
SigningTable        refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts

Once changes are done, save and close the file.

Create Signing Table

In order to create the signing table, you need to first create a directory structure for OpenDKIM. Execute the following commands to configure the same: 

  sudo mkdir /etc/opendkim
  sudo mkdir /etc/opendkim/keys

Change the permission and role: 

  sudo chown -R opendkim:opendkim /etc/opendkim
  sudo chmod go-rw /etc/opendkim/keys

Execute the following command to create the signing table: 

  sudo nano /etc/opendkim/signing.table

then add the following lines in the above file: 

 *@your-domain.com    default._domainkey.your-domain.com

Save and close the file.

Create Key Table

Execute the following command to create the key table: 

  sudo nano /etc/opendkim/key.table

Once created, add the following lines in the file: 

  default._domainkey.your-domain.com your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private

Save and close the file.

Create The Trusted Hosts File

Execute the following command to create the trusted table: 

  sudo nano /etc/opendkim/trusted.hosts

Once created, add the following lines in the file: 

127.0.0.1
localhost

*.your-domain.com

Adding the above line means that emails coming from the mentioned IP addresses and domains will be trusted and signed

Generation of the Private and Public Key for DKIM

DKIM is going to be used for signing outgoing emails. So, you need to generate both private and the public key for DKIM. The private key will be used to signing and the public key which will be published in the DNS will be used for remote verification.

Create a folder for your domain for which DKIM to be signed 

  sudo mkdir /etc/opendkim/keys/your-domain.com

You can use the opendkim-genkey tool to generate the keys 

  sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v

Once you will execute the above command, two files will get generated:

1. This file will contain your private key. 

  /etc/opendkim/keys/your-domain.com/default.private

2. This file will contain your public key which you need to add in the DNS record of your domain. 

  /etc/opendkim/keys/your-domain.com/default.txt

Change the ownership of the private key file: 

  sudo chown opendkim:opendkim /etc/opendkim/keys/your-domain.com/default.private

Configure Public Key in DNS Record of Domain

Get the public key by doing cat: 

  sudo cat /etc/opendkim/keys/your-domain.com/default.txt

Testing Your DKIM Configuration

Execute the following command on your Ubuntu machine to test your keys: 

  sudo opendkim-testkey -d your-domain.com -s default -vvv

If the setup is correct, you will get the following message: 

  key OK

Integrate Postfix to OpenDKIM

Postfix can connect with OpenDKIM via Unix socket i.e. /var/run/opendkim/opendkim.sock. But, we need to change the file path because the SMTP daemon which comes with Ubuntu resolves all filenames relative to the Postfix queue directory (/var/spool/postfix).

Create a new directory to keep the OpenDKIM socket file 

  sudo mkdir /var/spool/postfix/opendkim
  sudo chown opendkim:postfix /var/spool/postfix/opendkim

The next step is to edit the socket conf file. 

  sudo nano /etc/default/opendkim

Search for the following line: 

  SOCKET="local:/var/run/opendkim/opendkim.sock"

And, replace it with the following: 

  SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Save and close the file.

Note: You need to do similar changes in the opendkim.conf file too: 

  sudo nano /etc/opendkim.conf

Search for the following line: 

  Socket                  local:/var/run/opendkim/opendkim.sock

And, replace it with the following: 

  Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

Next step is to edit the Postfix main configuration file: 

  sudo nano /etc/postfix/main.cf

Append the following lines after smtpd\_recipient\_restriction section in the main.cf file. 

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Save and close the file.

You are now all done. Just restart opendkim and postfix service to reflect all the changes. 

  sudo service opendkim restart
  sudo service postfix restart

Now, your Postfix setup is ready with the SPF and DKIM. You can also visit the official Ubuntu community page for additional detailed documentation on SPF and DKIM set up: https://help.ubuntu.com/community/Postfix/DKIM[1]

Search for the following line: 

  SOCKET="local:/var/run/opendkim/opendkim.sock"

And, replace it with the following:

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Save and close the file.

Note: You need to do similar changes in the opendkim.conf file too: 

  sudo nano /etc/opendkim.conf

Search for the following line: 

  Socket                  local:/var/run/opendkim/opendkim.sock

And, replace it with the following: 

  Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

Next step is to edit the Postfix main configuration file: 

  sudo nano /etc/postfix/main.cf

Append the following lines after smtpd\_recipient\_restriction section in the main.cf file. 

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Save and close the file.

You are now all done. Just restart opendkim and postfix service to reflect all the changes. 

  sudo service opendkim restart
  sudo service postfix restart

Now, your Postfix setup is ready with the SPF and DKIM. You can also visit the official Ubuntu community page for additional detailed documentation on SPF and DKIM set up: https://help.ubuntu.com/community/Postfix/DKIM.

References

  1. Ubuntu Postfix DKIM
Retrieved from "https://wiki.kg7qin.org/index.php?title=OpenDKIM_Setup&oldid=19"