Postfix: DKIM

From OnnoWiki

Source: https://easyengine.io/tutorials/mail/dkim-postfix-ubuntu/


If your web server or web app has mail delivery problems, DKIM (DomainKeys Identified Mail) may well help.

Using DKIM for outgoing email is strongly recommended, even if the server does not run mail hosting at all.

Install DKIM

apt-get install opendkim opendkim-tools


DKIM config

Edit

vi /etc/opendkim.conf

Add (e.g. for the domain/subdomain example.com)

Domain                  example.com
KeyFile                 /etc/postfix/dkim.key
Selector                mail
# SOCKET                  inet:8891@localhost

Edit

vi /etc/default/opendkim

Add

SOCKET="inet:8891@localhost"

Postfix configuration

Edit

vi /etc/postfix/main.cf

Add

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

DKIM Key Generation

Run the following command, with mail and example.com matching the selector and domain used in /etc/opendkim.conf

opendkim-genkey -t -s mail -d example.com

This produces two files, mail.private and mail.txt. mail.private is the private key that will be used to sign outgoing email. Put it at the location set in /etc/opendkim.conf

cp mail.private /etc/postfix/dkim.key

DNS Record Setup

Create a TXT record in DNS. Its contents are in mail.txt; view it with

cat mail.txt

The contents look roughly like this,

mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y;  p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" ; ----- DKIM key mail for example.com

This TXT record needs a NAME and a VALUE.

Use mail._domainkey as the NAME and the long string starting with v=DKIM1 as the VALUE.

Start Signing

Start DKIM and Postfix

service opendkim start
service postfix restart

Testing DKIM setup for correctness

Anything we do, especially for the first time, must end with successful testing!

There are many tools for testing. I will mention a few of them below.

Verify DNS Records for DKIM Setup

This will ONLY verify that your TXT record was created successfully.

dig command

Classic and easy. You probably have it already. Running…

dig mail._domainkey.example.com TXT

should return a response like…

;; ANSWER SECTION:
mail._domainkey.example.com. 86400 IN	TXT	"v=DKIM1\;" "k=rsa\;" "t=y\;"  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB"
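Reading the dig answer by eye is error-prone because DNS may split the key into several quoted strings and escapes the semicolons. The script below is an added example, not part of the original tutorial: it compares the p= value in mail.txt with the one in the dig answer and reports whether the t=y testing flag (set by the -t option of opendkim-genkey above) is still published. The function names are hypothetical and the key strings are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: compare the key in mail.txt with what DNS actually serves.
# Function names and the key strings below are constructed for illustration.

# Print the p= value from a DKIM TXT record given on stdin. Quotes, backslashes,
# parentheses and whitespace are dropped first, so a key that the zone file or
# the resolver split into several "..." strings is joined back together.
extract_p() {
  tr -d '\n"\\() \t' | sed -n 's|.*;p=\([A-Za-z0-9+/=]*\).*|\1|p'
}

# Succeeds when the record carries the y flag in its t= tag (testing mode).
has_test_flag() {
  tr -d '\n"\\() \t' | grep -Eq ';t=[a-z:]*y'
}

# $1 = contents of mail.txt, $2 = TXT answer as printed by dig.
# Returns 0 on match, 1 on mismatch, 2 if mail.txt has no p= tag.
dkim_dns_check() {
  dkc_want=$(printf '%s' "$1" | extract_p)
  dkc_got=$(printf '%s' "$2" | extract_p)
  [ -n "$dkc_want" ] || { echo "no p= tag found in key file"; return 2; }
  if [ "$dkc_want" != "$dkc_got" ]; then
    echo "MISMATCH: DNS does not publish the generated key"
    return 1
  fi
  if printf '%s' "$2" | has_test_flag; then
    echo "OK, but t=y (testing mode) is still published"
  else
    echo "OK"
  fi
}

# Constructed samples (not real keys): zone-file form and dig answer form.
KEYFILE_TXT='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
  "p=CONSTRUCTEDsampleKEY0123+/abcd" "EFGHsecondCHUNK==" ) ; ----- DKIM key mail for example.com'
DIG_TXT='mail._domainkey.example.com. 86400 IN TXT "v=DKIM1\; k=rsa\; t=y\; " "p=CONSTRUCTEDsampleKEY0123+/abcd" "EFGHsecondCHUNK=="'

dkim_dns_check "$KEYFILE_TXT" "$DIG_TXT"
# Live use: dkim_dns_check "$(cat mail.txt)" "$(dig +short mail._domainkey.example.com TXT)"
```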

Web-based Record Check

You can use http://www.protodave.com/tools/dkim-key-checker/

Use selector mail and domain example.com there.

Verify DKIM Signing

Test #1 – Email-based

If you have set up the keys correctly, you should pass this test.

You can test by simply sending an email to autorespond+dkim@dk.elandsys.com or check-auth2@verifier.port25.com

It’s better to use the swaks tool for mail testing (apt-get install swaks).

swaks -t check-auth2@verifier.port25.com -f me@example.com

Replace me@example.com with your mail id where you would like to receive test results.

Test #2 – Web-based

A better choice is to use a service like http://www.mail-tester.com/, which gives you a temporary email ID and a web interface to see what happens to the email on the receiving end!


