Difference between revisions of "BIND: Setup DMKI"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
(One intermediate revision by the same user not shown) | |||
Line 3: | Line 3: | ||
First, your create a key pair with openssl: | First, your create a key pair with openssl: | ||
− | openssl genrsa -out private.key 1024 | + | openssl genrsa -out private.key 1024 |
− | openssl rsa -in private.key -pubout -out public.key | + | openssl rsa -in private.key -pubout -out public.key |
Your public key looks now like: | Your public key looks now like: | ||
-----BEGIN PUBLIC KEY----- | -----BEGIN PUBLIC KEY----- | ||
− | + | MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpM | |
− | + | PJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n | |
− | + | 3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb | |
− | + | 5MIBp3vDiipAJNTO1wIDAQAB | |
-----END PUBLIC KEY----- | -----END PUBLIC KEY----- | ||
+ | |||
+ | |||
Now you convert this output to one single line: | Now you convert this output to one single line: | ||
− | + | ||
+ | MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpMPJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb5MIBp3vDiipAJNTO1wIDAQAB | ||
+ | |||
This line you will use as public key in your DNS record. | This line you will use as public key in your DNS record. | ||
Line 23: | Line 27: | ||
Next, add two txt records like | Next, add two txt records like | ||
− | _domainkey.domain.com IN TXT o= | + | _domainkey.domain.com IN TXT o=~;r=postmaster@domain.com |
selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key> | selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key> | ||
Latest revision as of 18:09, 28 April 2019
Adding a DKIM record to your DNS is quite simple.
First, your create a key pair with openssl:
openssl genrsa -out private.key 1024 openssl rsa -in private.key -pubout -out public.key
Your public key looks now like:
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpM PJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n 3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb 5MIBp3vDiipAJNTO1wIDAQAB -----END PUBLIC KEY-----
Now you convert this output to one single line:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpMPJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb5MIBp3vDiipAJNTO1wIDAQAB
This line you will use as public key in your DNS record.
Next, add two txt records like
_domainkey.domain.com IN TXT o=~;r=postmaster@domain.com selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>
Which means:
o=~ the server signs some mail o=- all mail is signed, but unsigned mail should be accepted o=! all mail is signed, do not accept unsigned mail t=y I’m still testing v=DKIM1 we use DKIM version 1 k=rsa it is a RSA key r=<x@xx> report problems to this email address p=<public key> this is the generated public key
Do not use keys with length other than 1024. 512 is too short and 2048 will give you problems with most DNS servers.