Difference between revisions of "Postfix: DKIM"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
Line 2: | Line 2: | ||
− | DKIM | + | Jika web-server / webapp anda punya masalah delivery, DKIM (DomainKeys Identified Mail) kemungkinan akan bisa menolong. |
− | + | Sangat di sarankan untuk menggunakan DKIM untuk outgong email meskipun server kita tidak menjalankan mail hosting sama sekali. | |
− | |||
− | |||
==Install DKIM== | ==Install DKIM== | ||
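Review bot: the added introduction has two typos, "outgong" (should be "outgoing") and "di sarankan" (should be "disarankan"). Fix both before this text replaces the old intro.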
Line 15: | Line 13: | ||
==DKIM config== | ==DKIM config== | ||
− | + | Edit | |
+ | |||
+ | vi /etc/opendkim.conf | ||
+ | |||
+ | Tambahkan (mis. untuk domain example.com domain/subdomain) | ||
− | + | Domain example.com | |
+ | KeyFile /etc/postfix/dkim.key | ||
+ | Selector mail | ||
+ | # SOCKET inet:8891@localhost | ||
− | + | Edit | |
− | |||
− | |||
− | |||
− | + | vi /etc/default/opendkim | |
− | + | SOCKET="inet:8891@localhost" | |
− | + | ==Postfix konfigurasi== | |
− | + | Edit | |
− | + | vi /etc/postfix/main.cf | |
− | + | Tambahkan | |
− | # DKIM | + | # DKIM |
− | milter_default_action = accept | + | milter_default_action = accept |
− | milter_protocol = 2 | + | milter_protocol = 2 |
− | smtpd_milters = inet:localhost:8891 | + | smtpd_milters = inet:localhost:8891 |
− | non_smtpd_milters = inet:localhost:8891 | + | non_smtpd_milters = inet:localhost:8891 |
− | DKIM Key Generation | + | ==DKIM Key Generation== |
− | + | Jalankan perintah berikut dengan mail dan example.com matching dengan yang digunakan /etc/opendkim.conf | |
− | opendkim-genkey -t -s mail -d example.com | + | opendkim-genkey -t -s mail -d example.com |
− | + | Akan keluar 2 file mail.private dan mail.txt. | |
+ | mail.private adalah private key yang digunakanakan untuk sign outgoing email. Pindahkan ke lokasi yang di set di /etc/opendkim.conf | ||
− | cp mail.private /etc/postfix/dkim.key | + | cp mail.private /etc/postfix/dkim.key |
− | DNS Record Setup | + | ==DNS Record Setup== |
− | + | Buat TXT record di DNS. Isinya ada di mail.txt, coba lihat menggunakan | |
− | cat mail.txt | + | cat mail.txt |
− | + | Isinya kira-kira, | |
− | mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" ; ----- DKIM key mail for example.com | + | mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" ; ----- DKIM key mail for example.com |
− | TXT | + | TXT ini membutuhkan NAME & VALUE. |
− | + | Gunakan mail._domainkey untuk NAME dan long string yang dimulai dari v=DKIM1 as VALUE. | |
Below is a sample screenshot for a TXT record. User-interface on your end might differ. | Below is a sample screenshot for a TXT record. User-interface on your end might differ. | ||
− | + | ==Start Signing== | |
− | |||
− | |||
− | Start Signing | ||
− | + | Start DKIM dan Postfix | |
− | service opendkim start | + | service opendkim start |
− | service postfix restart | + | service postfix restart |
− | Testing DKIM setup for correctness | + | ==Testing DKIM setup for correctness== |
Anything we do, specially for first time, must end with successful testing! | Anything we do, specially for first time, must end with successful testing! | ||
There are many tools for testing. I will mention few of them below. | There are many tools for testing. I will mention few of them below. | ||
− | Verify DNS Records for DKIM Setup | + | |
+ | ==Verify DNS Records for DKIM Setup== | ||
This will ONLY verify if your TXT record is created successfully. | This will ONLY verify if your TXT record is created successfully. | ||
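Review bot: the key-generation step copies mail.private to /etc/postfix/dkim.key, but nothing in this hunk sets an owner or mode on that file; add a step that restricts the private key to the account opendkim runs as. Separately, `opendkim-genkey -t` and the resulting `t=y` in the sample TXT record mark the key as test mode, and the page never says to drop that flag once signing has been verified.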
Line 90: | Line 91: | ||
Classic and easy. You must be having this already. Running… | Classic and easy. You must be having this already. Running… | ||
− | dig mail._domainkey.example.com TXT | + | dig mail._domainkey.example.com TXT |
should return a response like… | should return a response like… | ||
− | ;; ANSWER SECTION: | + | ;; ANSWER SECTION: |
− | mail._domainkey.exmaple.com. 86400 IN TXT "v=DKIM1\;" "k=rsa\;" "t=y\;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" | + | mail._domainkey.exmaple.com. 86400 IN TXT "v=DKIM1\;" "k=rsa\;" "t=y\;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" |
− | Web-based Record Check | + | ==Web-based Record Check== |
You can use http://www.protodave.com/tools/dkim-key-checker/ | You can use http://www.protodave.com/tools/dkim-key-checker/ | ||
Use selector mail and domain example.com there. | Use selector mail and domain example.com there. | ||
− | Verify DKIM Signing | + | |
− | Test #1 – Email-based | + | ==Verify DKIM Signing== |
+ | |||
+ | ==Test #1 – Email-based== | ||
If you have setup keys correctly then you should pass this test. | If you have setup keys correctly then you should pass this test. | ||
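Review bot: the sample dig answer names `mail._domainkey.exmaple.com.` while the command above it queries `mail._domainkey.example.com`; correct the spelling so the shown output matches the query.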
Line 111: | Line 114: | ||
It’s better to use swaks tools for mail-testing (apt-get install swaks). | It’s better to use swaks tools for mail-testing (apt-get install swaks). | ||
− | swaks -t check-auth2@verifier.port25.com -f me@example.com | + | swaks -t check-auth2@verifier.port25.com -f me@example.com |
Replace me@example.com with your mail id where you would like to receive test results. | Replace me@example.com with your mail id where you would like to receive test results. | ||
− | Test #2 – Web-based | + | |
+ | ==Test #2 – Web-based== | ||
Better choice will be to use a service like http://www.mail-tester.com/ which gives you a temporary email ID and web-interface to see what happens to the email on receiving end! | Better choice will be to use a service like http://www.mail-tester.com/ which gives you a temporary email ID and web-interface to see what happens to the email on receiving end! |
Revision as of 09:27, 4 October 2019
Source: https://easyengine.io/tutorials/mail/dkim-postfix-ubuntu/
If your web server / web app has email delivery problems, DKIM (DomainKeys Identified Mail) will probably help.
Using DKIM for outgoing email is strongly recommended even if the server does no mail hosting at all.
Install DKIM
apt-get install opendkim opendkim-tools
DKIM config
Edit
vi /etc/opendkim.conf
Add (e.g. for the domain/subdomain example.com)
Domain example.com
KeyFile /etc/postfix/dkim.key
Selector mail
# SOCKET inet:8891@localhost
Edit
vi /etc/default/opendkim
SOCKET="inet:8891@localhost"
Postfix configuration
Edit
vi /etc/postfix/main.cf
Add
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
DKIM Key Generation
Run the following command, with mail and example.com matching the values used in /etc/opendkim.conf
opendkim-genkey -t -s mail -d example.com
This produces two files, mail.private and mail.txt. mail.private is the private key used to sign outgoing email. Move it to the location set in /etc/opendkim.conf
cp mail.private /etc/postfix/dkim.key
DNS Record Setup
Create a TXT record in DNS. Its content is in mail.txt; view it with
cat mail.txt
It looks roughly like this:
mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" ; ----- DKIM key mail for example.com
This TXT record needs a NAME and a VALUE.
Use mail._domainkey as the NAME and the long string starting with v=DKIM1 as the VALUE.
Below is a sample screenshot for a TXT record. The user interface on your end might differ.
Start Signing
Start DKIM and Postfix
service opendkim start
service postfix restart
Testing DKIM setup for correctness
Anything we do, especially for the first time, must end with successful testing!
There are many tools for testing. I will mention a few of them below.
Verify DNS Records for DKIM Setup
This will ONLY verify that your TXT record was created successfully.
dig command
Classic and easy. You probably have this already. Running…
dig mail._domainkey.example.com TXT
should return a response like…
;; ANSWER SECTION:
mail._domainkey.example.com. 86400 IN TXT "v=DKIM1\;" "k=rsa\;" "t=y\;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB"
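An added example, not part of the original tutorial: a Python check of the TXT record that dig returns, with the page's sample answer embedded as constructed input. It reassembles the quoted chunks, then flags the `t=y` test flag and an RSA key shorter than the 2048 bits RFC 8301 recommends; the function names and finding labels are this example's own.

```python
import base64
import re

# Constructed sample (the page's dig answer); all names below are this example's own.
KEY_B64 = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9X"
           "pfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiT"
           "lb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB")
DIG_ANSWER = ('mail._domainkey.example.com. 86400 IN TXT '
              '"v=DKIM1\\;" "k=rsa\\;" "t=y\\;" "p=' + KEY_B64 + '"')

def parse_dkim_txt(line):
    """Join the quoted TXT chunks, undo dig's backslash escapes, split into tags."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    record = re.sub(r"\\(.)", r"\1", "".join(chunks))
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def _tlv(der, pos):
    """Read one DER tag-length-value header; return (value_start, value_end)."""
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus inside the p= SubjectPublicKeyInfo."""
    der = base64.b64decode(p_b64, validate=True)
    spki, _ = _tlv(der, 0)                  # outer SEQUENCE
    _, alg_end = _tlv(der, spki)            # AlgorithmIdentifier, skipped
    bits, _ = _tlv(der, alg_end)            # BIT STRING; first byte = unused bits
    key, _ = _tlv(der, bits + 1)            # RSAPublicKey SEQUENCE
    start, end = _tlv(der, key)             # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def audit(tags):
    findings = []
    if "y" in tags.get("t", "").split(":"):
        findings.append("test-mode")        # t=y: verifiers treat mail as unsigned
    if not tags.get("p"):
        findings.append("no-key")           # missing or empty p= (empty = revoked)
    elif tags.get("k", "rsa") == "rsa" and rsa_modulus_bits(tags["p"]) < 2048:
        findings.append("rsa-under-2048")
    return findings

print(audit(parse_dkim_txt(DIG_ANSWER)))
```

Both findings on the page's record trace back to the key-generation command: `-t` sets the test flag, and `-b 2048` would request a larger key.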
Web-based Record Check
You can use http://www.protodave.com/tools/dkim-key-checker/
Use selector mail and domain example.com there.
Verify DKIM Signing
Test #1 – Email-based
If you have set up the keys correctly then you should pass this test.
You can test by simply sending an email to autorespond+dkim@dk.elandsys.com or check-auth2@verifier.port25.com
It is better to use the swaks tool for mail testing (apt-get install swaks).
swaks -t check-auth2@verifier.port25.com -f me@example.com
Replace me@example.com with the email address where you would like to receive the test results.
Test #2 – Web-based
A better choice is to use a service like http://www.mail-tester.com/, which gives you a temporary email address and a web interface to see what happens to the email on the receiving end!