How to install and integrate DKIM with OpenDKIM and Postfix on a CentOS 6 VPS

Leave reply

how-to-install-and-integrate-opendkim-with-postfix-on-a-centos-6-vpsThis tutorial is part 5 of the mailserver set-up with virtual users and domains using Postfix and Dovecot series. It goes through the steps of installing and integrating OpenDKIM in Postfix on a CentOS 6 Linux VPS.

After completing this tutorial you will end-up having OpenDKIM adding digital signatures to your emails, thus making the mailserver set-up even more robust and professional.

Also, learn how to do this on a Debian Squeeze Linux VPS: Install and Configure openDKIM on Debian Squeeze.

What is OpenDKIM?
It is a digital email signing/verification technology, which is already supported by some common mail providers. In general, DKIM means digitally signing all messages on the mail-server to verify the message was actually sent from the domain in question and was not spam

UPDATE THE SYSTEM

Before going any further, make sure you’re in a screen session and your system is fully up-to-date by running:

## screen -U -S opendkim-screen
## yum update

ENABLE EPEL REPOSITORY

OpenDKIM is available in the EPEL repository, so we need to enable it on the system before we can install OpenDKIM

## wget -P /tmp http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
## rpm -Uvh /tmp/epel-release-6-8.noarch.rpm
## rm -f /tmp/epel-release-6-8.noarch.rpm

INSTALL OPENDKIM

Install the package using yum:

## yum install opendkim

CONFIGURE OPENDKIM

Next thing to do is to configure OpenDKIM. Its main configuration file is located in /etc/opendkim.conf, so before making any changes create a backup and add/edit the following:

## cp /etc/opendkim.conf{,.orig}
## vim /etc/opendkim.conf
AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

SET-UP PUBLIC/PRIVATE KEYS

Generate set of keys for your mydomain.com domain name:

## mkdir /etc/opendkim/keys/mydomain.com
## opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
## chown -R opendkim: /etc/opendkim/keys/mydomain.com
## mv /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default

add mydomain.com to OpenDKIM’s key table by adding the following record in /etc/opendkim/KeyTable

default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default

next, edit /etc/opendkim/SigningTable and add the following record to OpenDKIM’s signing table:

*@mydomain.com default._domainkey.mydomain.com

and add your domain and your hostname as trusted hosts in /etc/opendkim/TrustedHosts:

127.0.0.1
mydomain.com
host.mydomain.com

assuming the domain in question is ‘mydomain.com’ and server’s hostname is set to ‘host.mydomain.com’

finally, edit your mydomain.com DNS zone and add the TXT record from /etc/opendkim/keys/mydomain.com/default.txt

default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" )  ; ----- DKIM key default for mydomain.com

it is also a good idea to add an SPF record if you haven’t already

mydomain.com. 14400 IN TXT "v=spf1 a mx ~all"

you can verify your dkim TXT record is valid using dig for example:

## dig +short default._domainkey.mydomain.com TXT

"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"

CONFIGURE POSTFIX

In order to integrate OpenDKIM with Postfix we need to add the following few lines in /etc/postfix/main.cf:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

(RE)START SERVICES

Add OpenDKIM to your system’s start-up and start opendkim and restart postfix using the following commands:

## service opendkim start
## chkconfig opendkim on
## service postfix restart

TEST THE SET-UP

To test the set-up simply send an email to check-auth@verifier.port25.com and you should receive back an email containing something like this:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
DKIM check:         pass

Implementing OpenDKIM to the mailserver set-up with virtual users and domains using Postfix and Dovecot adds another nice feature which makes your emails digitally signed.

But still, there are other features missing like using dovecot sieve rules to filter emails on server-side, scanning emails for viruses etc.. In the next few related articles, we will be adding additional features to the set-up so stay tuned.

Update: Part 6 – How to set-up server-side email filtering with Dovecot Sieve and Roundcube on a CentOS 6 VPS


Of course, if you are one of our Linux VPS Hosting customers, you don’t have to do any of this, simply ask our admins, sit back and relax. Our admins will set this up for you immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.


50% OFF Coupon

EXCLUSIVE EMAIL UPDATES AND “MEMBERS-ONLY” CONTENT


22 Responses to “How to install and integrate DKIM with OpenDKIM and Postfix on a CentOS 6 VPS”

  1. Install and set-up Roundcube webmail interface | RoseHosting.com Linux VPS Hosting Blog

    […] Update: Part 5 – How to install and integrate OpenDKIM with Postfix on a CentOS 6 VPS […]

    Reply
  2. Set-up SSL encrypted connection in Postfix, Dovecot and Apache | RoseHosting.com Linux VPS Hosting Blog

    […] Update: Part 5 – How to install and integrate OpenDKIM with Postfix on a CentOS 6 VPS […]

    Reply
  3. Pablo B

    Great tutorial!

    But.. just a question about the test. How can be possible that dkim appears as passed, but DomainKeys check appears as neutral?

    Reply
  4. admin

    DomainKeys are not the same as DKIM, although very similar.

    Reply
  5. Steve B.

    One of the most thorough installation walkthroughs I have ever seen; nothing was left to chance with your instructions. Thanks! You guys should set up a wiki with this and other stuff…

    Reply
  6. Lucas

    First of all, thank you for your walkthrough

    I use Godaddy to change my DNS ZoneFile, and even though I followed your walkthrough I still got a failed result for DKIM saying that the signature could not be verified. Any ideas how I could possibly fix that?

    Reply
  7. Hendra S.

    Great tutorial, thanks!

    Reply
  8. Fxbalacon

    Great tutorial, thanks!

    But I want to ask you is how to configure DomainKeys check: pass

    Reply
    • admin

      Hi Fxbalacon,

      may we ask why you need DomainKeys if you have DKIM working?

      DomainKeys Identified Mail (DKIM) is the successor to Yahoo’s DomainKeys. They are quite similar in functionality, except that DKIM has additionally adopted aspects from additional Mail Standards, it is more flexible and secure, it supports multiple signature algorithms (as opposed to just one available with DomainKeys), it has the ability to support signature timeouts in DNS and a few more useful options…

      So, you don’t really need DomainKeys if you have DKIM set-up on your mail server.

      thanks

      Reply
  9. Kaloyan

    finally, edit your mydomain.com DNS zone and add the TXT record from /etc/opendkim/keys/mydomain.com/default.txt

    WHERE TO DO THIS? IN WHAT FILE? I DONT GET IT

    Reply
    • admin

      Each domain have authoritative DNS servers that publish information about that domain. You may use the ‘host -t ns mydomain.com’ command to identify the DNS servers responsible (authoritative) for your domain’s zone file.

      If you didn’t change the authoritative name servers for your domain at your domain registrar at the time of registration or later any time, most likely you use your domain registrar’s name servers so you can create a new TXT domain record for your domain via your domain registrar. Log in to your domain registrar, find the ‘DNS Zone Editor’ (or the section where you can create a DNS record) and create a new TXT DNS record.

      If you use custom name servers for your domain, you need to edit the DNS zone file hosted at your name servers.

      Reply
  10. henho

    hello.
    I installed a new mail server according to your instructions. but SquirrelMail does not receive mail. Can you show me how to solve this problem?
    thank you very much!

    Reply
  11. Rahul

    i did all the things as said but when see email header which received from server it does not show DKIM value
    Will Be Glad if Any one Can Help

    Reply
    • admin

      Did you follow the instructions closely?

      Please check your mail server log files for error messages related to DKIM or so.

      Reply
  12. Adrian

    SPF check: pass
    DomainKeys check: neutral
    DKIM check: neutral
    Sender-ID check: pass
    SpamAssassin check: ham

    please how can i enable everything is pass

    Reply
  13. UGUR

    ———————————————————-
    DKIM check details:
    ———————————————————-
    Result: fail (signature doesn’t verify)
    ID(s) verified:
    Canonicalized Headers:
    date:Tue,’20’17’20’Nov’20’2015’20’09:59:01’20’+0200’0D”0A’
    from:ugur@multihome.com’0D”0A’
    to:check-auth@verifier.port25.com’0D”0A’
    subject:=?UTF-8?Q?=28Konu_Belirtilmemi=C5=9F=29?=’0D”0A’
    dkim-signature:v=1;’20’a=rsa-sha256;’20’c=relaxed/simple;’20’d=multihome.com;’20’s=default;’20’t=1447747141;’20’bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;’20’h=Date:From:To:Subject;’20’b=

    Canonicalized Body:
    ‘0D”0A’

    DNS record(s):
    default._domainkey.multihome.com. 86024 IN TXT “p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl+bUxiRBLFqU6yyfkCLQJNlaJxhknhceeXTIxXO1lsTMZHrpddrGSqITgqjY0LzYjUAMvV66vAolgrRTckn8z98+PJI4xXsrMOoi6tjCBem4O+FnVCvGNWRpy7JThxTe2gkUEvTuQ+r0IglaGSfpvmci2IQNaj642bmg5JKgmmQIDAQAB;”

    Public key used for verification: default._domainkey.multihome.com(1024 bits)

    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions. If you are using Port25’s PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.

    Reply
    • admin

      There is no DNS record found for default._domainkey.multihome.com. Please follow the instructions closely to install and integrate DKIM.

      Reply
  14. Eugen

    Hi,

    They are all working: SPF, DKIM, DMARC, DomainKeys and passes all the post25 tests but emails are delivered in SPAM folder only in Gmail.
    Here are the headers:
    Delivered-To: testpds2@gmail.com
    Received: by 10.194.163.39 with SMTP id yf7csp377905wjb;
    Thu, 10 Dec 2015 01:15:52 -0800 (PST)
    X-Received: by 10.28.4.212 with SMTP id 203mr41790134wme.89.1449738952207;
    Thu, 10 Dec 2015 01:15:52 -0800 (PST)
    Return-Path:
    Received: from s17772156.onlinehome-server.info (s17772156.onlinehome-server.info. [217.160.108.200])
    by mx.google.com with ESMTPS id v10si17523219wjx.223.2015.12.10.01.15.51
    for
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 10 Dec 2015 01:15:52 -0800 (PST)
    Received-SPF: pass (google.com: domain of info@pixeldraw.net designates 217.160.108.200 as permitted sender) client-ip=217.160.108.200;
    Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of info@pixeldraw.net designates 217.160.108.200 as permitted sender) smtp.mailfrom=info@pixeldraw.net;
    dkim=pass header.i=@pixeldraw.net;
    dmarc=pass (p=QUARANTINE dis=NONE) header.from=pixeldraw.net
    Received: from webmail.pixeldraw.net (s17772156.onlinehome-server.info [127.0.0.1])
    by s17772156.onlinehome-server.info (Postfix) with ESMTPA id 933451FED
    for ; Thu, 10 Dec 2015 10:15:51 +0100 (CET)
    DKIM-Filter: OpenDKIM Filter v2.10.3 s17772156.onlinehome-server.info 933451FED
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=pixeldraw.net;
    s=mail; t=1449738951;
    bh=WkU5qDAu4noB4+ddfOTFnqQoF0uglLhffSImzgEOX4Y=;
    h=Date:From:To:Subject;
    b=WTQrbxctluSHhg89lCIXmcNXxAtsbqN0qdOV8SyaDFtHSYV+a0LVz4yGpLohSyCHT
    KQ2pfAqy8bIPMycFshCv6dEcG54b6lp/GoNfGNL989JfvoN9ffzFho06OQfMD8+H3l
    F/dpQAeU2tXVN/JxiKMctrWA4NqmlLDw/JWtxMK8=
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8;
    format=flowed
    Content-Transfer-Encoding: 8bit

    I think the problem is: “Received: from webmail.pixeldraw.net (s17772156.onlinehome-server.info [127.0.0.1])
    by s17772156.onlinehome-server.info (Postfix) with ESMTPA id 933451FED”
    127.0.0.1???

    Thanks in advance

    Reply

Leave a Reply