Postfix: Setup DNS dkim

From OnnoWiki
Latest revision as of 18:06, 29 April 2019

DomainKeys Identified Mail (DKIM) is a method for e-mail authentication that allows someone who receives an email to verify that the message really originates from the domain it claims to come from. The need for this kind of authentication arises because spam very often carries forged headers.

DKIM uses public-key cryptography so that the sender can electronically sign legitimate email in a way the recipient can verify.

DKIM also guards against tampering with mail, offering end-to-end integrity from the signing to the verifying Mail Transfer Agent (MTA).

dkim-milter is a milter-based application (dkim-filter) that plugs into Postfix to provide the DomainKeys Identified Mail service for your mail server. dkim-milter is no longer being developed; its original author forked the source and is now developing opendkim. For Lucid and later releases, opendkim is preferred over dkim-filter. The instructions on this page should be the same (only with the package names adjusted as needed).

Installation

Postfix is assumed to be installed already. Install opendkim with the following commands:

sudo apt -y install opendkim opendkim-tools
sudo gpasswd -a postfix opendkim
sudo mkdir -p /etc/opendkim/keys/lms.onnocenter.or.id/
sudo chown -R opendkim: /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys


Key generation and DNS setup

Generate the key pair with the following commands:

mkdir -p /etc/opendkim/keys/lms.onnocenter.or.id/
cd /etc/opendkim/keys/lms.onnocenter.or.id/
opendkim-genkey -b 2048 -d lms.onnocenter.or.id -D /etc/opendkim/keys/lms.onnocenter.or.id -s lms -v
chown -R opendkim: /etc/opendkim/keys/lms.onnocenter.or.id/
chmod -R 700 /etc/opendkim/keys/lms.onnocenter.or.id/

This produces two (2) files:

  • lms.private - contains the private key.
  • lms.txt - contains the DNS entry (the public key).

Arguments

-s supplies the selector to use
-d supplies the domain to use
-t marks DKIM as running in test mode.


Add the record to DNS according to lms.txt; it looks roughly as follows (the record is one TXT entry, shown here on a single line):

lms._domainkey.lms.onnocenter.or.id IN TXT "v=DKIM1; g=*; k=rsa; p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"

Check the DNS configuration with

sudo named-checkconf
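named-checkconf only checks the syntax of named.conf; it says nothing about whether the DKIM TXT record itself is usable. The following is an added example (not part of the original page) that does the check a verifier will do: it joins the quoted strings of a zone-file TXT record, parses the tag=value list, confirms v=, k= and p=, decodes the public key and walks the DER SubjectPublicKeyInfo structure far enough to read the RSA modulus size, and flags the deprecated g= tag and t=y test mode. The sample key bytes are constructed (a 2048-bit SPKI header followed by filler, not a real key), and the page's own record is included as a second sample: its p= value is far shorter than a real 2048-bit key, so the check rejects it.

```python
import base64
import re

# Constructed sample in the shape of the lms.txt written by opendkim-genkey -b 2048.
# NOT a real key: the standard 2048-bit RSA SubjectPublicKeyInfo header followed by
# zero filler, which is enough to exercise the DER walk below.
_SPKI_2048_PREFIX = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
SAMPLE_P = _SPKI_2048_PREFIX + "A" * 348
SAMPLE_ZONE_LINE = (
    'lms._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " '
    '"p=' + SAMPLE_P[:200] + '" "' + SAMPLE_P[200:] + '" )'
)
# The record as printed on this page; its p= is much shorter than a real 2048-bit key.
PAGE_RECORD = ("v=DKIM1; g=*; k=rsa; "
               "p=PpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB")


def join_txt_strings(raw):
    """A TXT record longer than 255 octets is written as several quoted strings in a
    zone file; verifiers concatenate them. Return the joined record text."""
    parts = re.findall(r'"([^"]*)"', raw)
    return "".join(parts) if parts else raw.strip()


def parse_tags(record):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict.
    Folding whitespace inside a value is dropped, as verifiers do."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed tag %r" % item)
        name, value = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag %r" % name)
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def _der_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, index of content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _expect(buf, i, tag, what):
    """Require DER tag `tag` at buf[i]; return (content length, content index)."""
    if i >= len(buf) or buf[i] != tag:
        raise ValueError("expected %s" % what)
    return _der_len(buf, i + 1)


def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> INTEGER n and
    return the modulus size in bits."""
    _, i = _expect(spki, 0, 0x30, "SEQUENCE (SubjectPublicKeyInfo)")
    alg_len, i = _expect(spki, i, 0x30, "SEQUENCE (AlgorithmIdentifier)")
    i += alg_len                      # skip the rsaEncryption OID and NULL parameters
    _, i = _expect(spki, i, 0x03, "BIT STRING")
    i += 1                            # unused-bits octet of the BIT STRING
    _, i = _expect(spki, i, 0x30, "SEQUENCE (RSAPublicKey)")
    n_len, i = _expect(spki, i, 0x02, "INTEGER (modulus)")
    if i + n_len > len(spki):
        raise ValueError("truncated modulus")
    if spki[i] == 0x00:               # DER sign byte present because the high bit is set
        n_len -= 1
    return n_len * 8


def check_dkim_record(raw, min_bits=1024):
    """Return (ok, notes). ok is False for anything a verifier would reject;
    advisory notes (deprecated g=, test mode, key size) are appended either way."""
    notes = []
    try:
        tags = parse_tags(join_txt_strings(raw))
    except ValueError as exc:
        return False, [str(exc)]
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, notes + ["v= must be DKIM1 when present"]
    if tags.get("k", "rsa") != "rsa":
        return False, notes + ["unsupported key type k=%s" % tags["k"]]
    if "g" in tags:
        notes.append("g= tag was dropped in RFC 6376; remove it")
    if "y" in tags.get("t", ""):
        notes.append("t=y test mode: verifiers must not treat failures differently from unsigned mail")
    p = tags.get("p")
    if p is None:
        return False, notes + ["missing p= tag"]
    if p == "":
        return False, notes + ["p= is empty, which means the key is revoked"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:   # binascii.Error is a ValueError
        return False, notes + ["p= is not a base64 RSA SubjectPublicKeyInfo: %s" % exc]
    notes.append("rsa modulus %d bits" % bits)
    if bits < min_bits:
        return False, notes + ["below %d bits; RFC 8301 verifiers reject such keys" % min_bits]
    return True, notes


if __name__ == "__main__":
    for label, rec in (("constructed", SAMPLE_ZONE_LINE), ("page", PAGE_RECORD)):
        print(label, check_dkim_record(rec))
```

Feed it the output of `dig +short TXT lms._domainkey.lms.onnocenter.or.id` once the zone is live; the quoted-string joining handles dig's split output as well as the parenthesised form in lms.txt. The 1024-bit floor follows RFC 8301, which requires verifiers to treat shorter RSA keys as invalid.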

Configuration

There are two (2) important files:

/etc/opendkim.conf
/etc/default/opendkim

Edit /etc/opendkim.conf, for example:

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain                  lms.onnocenter.or.id
KeyFile                 /etc/opendkim/dkim.key
Selector                lms
Socket                  inet:8891@localhost

# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart             yes
Background              yes
Canonicalization        relaxed/relaxed
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              no
#UseASPDiscard          no
#Version                rfc4871
X-Header                no

OversignHeaders         From
TrustAnchorFile         /usr/share/dns/root.key
Nameservers             127.0.0.1,8.8.8.8,8.8.4.4,103.112.162.222

# Map domains in From addresses to keys used to sign messages
KeyTable                refile:/etc/opendkim/key.table
SigningTable            refile:/etc/opendkim/signing.table
# Hosts to ignore when verifying signatures
ExternalIgnoreList      /etc/opendkim/trusted.hosts
# A set of internal hosts whose mail should be signed
InternalHosts           /etc/opendkim/trusted.hosts


The file /etc/opendkim.conf is the most important one. It gives the milter the required information about the selector (used for DNS requests and email verification) and the signing key in use (the key used to sign outgoing email).

Edit /etc/default/opendkim, which is used to connect the milter to the MTA:


# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
# SOCKET="local:/var/run/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
#SOCKET="inet:54321"
# listen on loopback on port 8891:
SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891
# listen on 192.0.2.1 on port 12345:
#SOCKET="inet:12345@192.0.2.1"

Edit /etc/postfix/main.cf and add the following settings:

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Tables

Edit

sudo vi /etc/opendkim/dkim.key
*@lms.onnocenter.or.id:lms.onnocenter.or.id:/etc/opendkim/keys/lms.onnocenter.or.id/lms.private


Edit

sudo vi /etc/opendkim/signing.table
*@lms.onnocenter.or.id lms._domainkey.lms.onnocenter.or.id


Edit

sudo vi /etc/opendkim/key.table
lms._domainkey.lms.onnocenter.or.id  lms.onnocenter.or.id:lms:/etc/opendkim/keys/lms.onnocenter.or.id/lms.private


Edit

sudo vi /etc/opendkim/trusted.hosts
127.0.0.1
localhost
onnocenter.or.id
*.onnocenter.or.id
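The signing table, the key table and the private key files have to agree with each other exactly: a key name that signing.table maps to but key.table does not define, a mistyped key path (one letter wrong in a domain name is enough), or a private key left group- or world-readable each leaves mail unsigned or the key exposed, and opendkim only reports it in the log after a message has been processed. The following added example (not part of the original page) cross-checks the two tables and the files they point at before the daemon is started. It builds a constructed /etc/opendkim layout in a temporary directory with three deliberate mistakes of exactly those kinds; the PEM files contain a placeholder, not key material. With `refile:` the left column of each table is a pattern, so this check verifies reference integrity and file state only, not pattern matching.

```python
import os
import stat
import tempfile


def parse_signing_table(text):
    """signing.table lines: '<sender pattern> <key name>'. Returns [(pattern, keyname)]."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("signing.table: expected 2 fields: %r" % line)
        rows.append((fields[0], fields[1]))
    return rows


def parse_key_table(text):
    """key.table lines: '<key name> <domain>:<selector>:<private key path>'.
    Returns {keyname: (domain, selector, path)}."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2 or fields[1].count(":") != 2:
            raise ValueError("key.table: expected '<name> <domain>:<selector>:<path>': %r" % line)
        domain, selector, path = fields[1].split(":")
        keys[fields[0]] = (domain, selector, path)
    return keys


def audit_tables(signing_text, key_text):
    """Cross-check the two tables and the key files they reference.
    Returns a list of findings; an empty list means everything is consistent."""
    findings = []
    signing = parse_signing_table(signing_text)
    keys = parse_key_table(key_text)
    for pattern, keyname in signing:
        if keyname not in keys:
            findings.append("signing.table: %s maps to unknown key %r" % (pattern, keyname))
    for keyname, (domain, selector, path) in keys.items():
        if not domain or not selector:
            findings.append("key.table: %r has an empty domain or selector" % keyname)
        if not os.path.isfile(path):
            findings.append("key.table: %r points at missing file %s" % (keyname, path))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s is mode %o; private keys should be 0600" % (path, mode))
        with open(path) as fh:
            if "PRIVATE KEY" not in fh.readline():
                findings.append("%s does not start with a PEM private-key header" % path)
    return findings


def demo():
    """Constructed layout with three deliberate mistakes; returns the audit findings."""
    root = tempfile.mkdtemp()
    keydir = os.path.join(root, "keys", "lms.onnocenter.or.id")
    os.makedirs(keydir)
    good = os.path.join(keydir, "lms.private")
    loose = os.path.join(keydir, "old.private")
    for path in (good, loose):
        with open(path, "w") as fh:   # placeholder PEM, no real key material
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(good, 0o600)
    os.chmod(loose, 0o644)            # mistake 1: readable by group and others
    signing = (
        "*@lms.onnocenter.or.id lms._domainkey.lms.onnocenter.or.id\n"
        "*@mail.onnocenter.or.id mail._domainkey.onnocenter.or.id\n"   # mistake 2: undefined key
    )
    typo_path = os.path.join(root, "keys", "lms.onocenter.or.id", "typo.private")  # mistake 3
    keys = (
        "lms._domainkey.lms.onnocenter.or.id lms.onnocenter.or.id:lms:%s\n" % good
        + "old._domainkey.lms.onnocenter.or.id lms.onnocenter.or.id:old:%s\n" % loose
        + "typo._domainkey.lms.onnocenter.or.id lms.onocenter.or.id:typo:%s\n" % typo_path
    )
    return audit_tables(signing, keys)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, read /etc/opendkim/signing.table and /etc/opendkim/key.table and pass their contents to audit_tables(); run it as root or as the opendkim user so the key files are readable. The mode check matches the chmod done in the key generation section above; ownership by opendkim is not checked here because the sandbox has no such user.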

Startup

Start opendkim

sudo service opendkim start

If it does not start, check the log:

grep -i dkim /var/log/mail.log

Or run it directly with the command

/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -p 8891

Restart the Postfix MTA:

sudo service postfix restart

Test

Test the key with:

opendkim-testkey -d lms.onnocenter.or.id -k /etc/opendkim/keys/lms.onnocenter.or.id/lms.private  -s lms -vvv

For testing, try tools such as:

http://www.sendmail.org/dkim/tools

Or send an email to

check-auth@verifier.port25.com
autorespond+dkim@dk.elandsys.com

Common errors and fixes

Missing signature

If something is not functioning properly (emails are not being signed) look for errors in the log:

grep -i dkim /var/log/mail.log

The following error indicates the filter ran properly however could not match the outgoing email domain with a filter (and thus no signature was generated):

Nov 21 06:59:56 appname dkim-filter[2911]: 81AA7E688: no signature data

Consider changing the domain to a wildcard in /etc/opendkim.conf:

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain                  *
KeyFile                 /etc/mail/dkim.key
Selector                mail

Using a domain of * will require putting the dkim key into EACH domain's DNS zone file for those domains that send email using this server. The dkim signing will work for your server, but without updating each DNS zone file, the public key will not be found by the recipient mail server.
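Grepping for "dkim" shows every line, but what matters operationally is the signing and verification outcome per message. The following added example (not from the original page) classifies opendkim lines from mail.log by outcome, lists the queue ids that left unsigned, and counts which selector/domain pair signed each message. The log lines are constructed in the syslog format the page shows (the first one is the page's own "no signature data" line); the message texts other than that one follow opendkim's wording as far as I know it, and the set of recognised messages is an assumption that should be extended from your own log.

```python
import re
from collections import Counter

# Constructed sample of /var/log/mail.log lines; the first is the line from this page.
SAMPLE_LOG = """\
Nov 21 06:59:56 appname dkim-filter[2911]: 81AA7E688: no signature data
Nov 21 07:01:12 appname opendkim[2911]: 9C2F1E690: DKIM-Signature field added (s=lms, d=lms.onnocenter.or.id)
Nov 21 07:03:40 appname opendkim[2911]: A11B2E6A0: DKIM verification successful
Nov 21 07:04:02 appname postfix/smtpd[3120]: connect from localhost[127.0.0.1]
Nov 21 07:05:19 appname opendkim[2911]: B7D43E6B2: key retrieval failed (s=lms, d=lms.onnocenter.or.id)
Nov 21 07:06:44 appname opendkim[2911]: C0E91E6C8: bad signature data
Nov 21 07:08:01 appname opendkim[2911]: D4F00E6D1: DKIM-Signature field added (s=lms, d=lms.onnocenter.or.id)
"""

# Syslog prefix, daemon name (old dkim-filter or opendkim), Postfix queue id, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:opendkim|dkim-filter)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<msg>.*)$"
)
SIGNED_RE = re.compile(r"\(s=([^,]+), d=([^)]+)\)")

# Ordered (substring, category) rules; the first match wins. Assumed message texts.
RULES = (
    ("DKIM-Signature field added", "signed"),
    ("no signature data", "unsigned"),          # from the page: no key matched the sender domain
    ("key retrieval failed", "key_lookup_failed"),
    ("DKIM verification successful", "verified"),
    ("bad signature data", "verify_failed"),
)


def classify(msg):
    """Map a message text to an outcome category, or 'other' if no rule matches."""
    for needle, category in RULES:
        if needle in msg:
            return category
    return "other"


def summarize(log_text):
    """Return (counts by category, queue ids that left unsigned, Counter of (selector, domain))."""
    counts = Counter()
    unsigned = []
    signed_by = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a DKIM milter line
        category = classify(m.group("msg"))
        counts[category] += 1
        if category == "unsigned":
            unsigned.append(m.group("qid"))
        elif category == "signed":
            sig = SIGNED_RE.search(m.group("msg"))
            if sig:
                signed_by[(sig.group(1), sig.group(2))] += 1
    return counts, unsigned, signed_by


def signing_rate(counts):
    """Fraction of outbound messages that received a signature; 1.0 is the target."""
    total = counts["signed"] + counts["unsigned"]
    return counts["signed"] / total if total else 0.0


if __name__ == "__main__":
    counts, unsigned, signed_by = summarize(SAMPLE_LOG)
    print(dict(counts), unsigned, dict(signed_by), signing_rate(counts))
```

Run it over `grep -i dkim /var/log/mail.log` output; a signing rate below 1.0 points at the domain/selector mismatch described above, while key_lookup_failed on the verification side means the receiving host could not fetch a DNS record for the sender's selector.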

Multiple signatures

If amavis-new is installed and DKIM signs emails multiple times with the same domain and selector, the configuration error is most likely in how messages are fed back to Postfix from amavis.

Head to /etc/postfix/master.cf look for the section starting with:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd

Find the option -o receive_override_options= and add ,no_milters to the end of that line. A corrected config could look something like this:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
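A filtered message passes through smtpd twice (once on port 25, once on the 127.0.0.1:10025 re-injection service), so unless the second smtpd disables milters the same message is signed twice. The following added example (not from the original page) parses master.cf into services with their -o overrides and reports every inet smtpd service that re-injects filtered mail but lacks no_milters in receive_override_options. The two fragments are constructed from the before/after configuration shown above, trimmed to the lines that matter; identifying a re-injection service by its empty `content_filter=` override is a heuristic of this example, not something Postfix itself defines.

```python
import re

# Constructed master.cf fragments: the re-injection service before and after the fix.
BEFORE = """\
smtp      inet  n       -       y       -       -       smtpd
127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""
AFTER = BEFORE.replace("no_unknown_recipient_checks",
                       "no_unknown_recipient_checks,no_milters")


def parse_master_cf(text):
    """Group master.cf into services. A line starting in column 1 opens a service;
    indented '-o key=value' lines belong to the most recent service.
    Returns [(name, type, command, {key: value})]."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not services:
                raise ValueError("override line before any service line")
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", line)
            if m:
                services[-1][3][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("short service line: %r" % line)
        services.append((fields[0], fields[1], fields[7], {}))
    return services


def reinjection_without_no_milters(text):
    """Names of inet smtpd services that re-inject filtered mail (content_filter
    overridden to empty) without switching the milters off, i.e. the services that
    will hand every message to opendkim a second time."""
    bad = []
    for name, stype, command, opts in parse_master_cf(text):
        if stype != "inet" or command != "smtpd":
            continue
        if opts.get("content_filter") != "":
            continue                    # not a re-injection path
        overrides = [o.strip() for o in opts.get("receive_override_options", "").split(",")]
        if "no_milters" not in overrides:
            bad.append(name)
    return bad


if __name__ == "__main__":
    print("before:", reinjection_without_no_milters(BEFORE))
    print("after: ", reinjection_without_no_milters(AFTER))
```

Point it at /etc/postfix/master.cf to check a live host; an empty list means every re-injection service already bypasses the milters.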
