Difference between revisions of "Postfix: DKIM"

From OnnoWiki
 
(3 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
  
DKIM with Postfix
+
Jika web-server / webapp anda punya masalah delivery, DKIM (DomainKeys Identified Mail) kemungkinan akan bisa menolong.
  
If mails from your web-server/webapp is having delivery issues, DKIM (DomainKeys Identified Mail) can help you big time.
+
Sangat di sarankan untuk menggunakan DKIM untuk outgong email meskipun server kita tidak menjalankan mail hosting sama sekali.
  
Its highly recommended to use DKIM for outgoing emails even if your server is not running any kind of mail-hosting.
+
==Install DKIM==
  
Install DKIM
+
apt-get install opendkim opendkim-tools
  
apt-get install opendkim opendkim-tools
 
  
Edit Config files
+
==DKIM config==
DKIM config
 
  
Open dkim config file vim /etc/opendkim.conf
+
Edit
  
Add following lines towards end. Make sure you replace example.com with your domain/subdomain.
+
vi /etc/opendkim.conf
  
Domain                  example.com
+
Tambahkan (mis. untuk domain example.com domain/subdomain)
KeyFile                /etc/postfix/dkim.key
 
Selector                mail
 
SOCKET                  inet:8891@localhost
 
  
Next open dkim defaults file vim /etc/default/opendkim
+
Domain                  example.com
 +
KeyFile                /etc/postfix/dkim.key
 +
Selector                mail
 +
# SOCKET                  inet:8891@localhost
  
Change default socket path by adding a line like below:
+
Edit
  
SOCKET="inet:8891@localhost"
+
vi /etc/default/opendkim
  
Postfix file
+
SOCKET="inet:8891@localhost"
  
Open postfix main config file vim /etc/postfix/main.cf
+
==Postfix konfigurasi==
  
Add following lines towards end.
+
Edit
  
# DKIM
+
vi /etc/postfix/main.cf
milter_default_action = accept
 
milter_protocol = 2
 
smtpd_milters = inet:localhost:8891
 
non_smtpd_milters = inet:localhost:8891
 
  
DKIM Key Generation
+
Tambahkan
  
Run following commands with mail and example.com matching values used in /etc/opendkim.conf file in earlier step.
+
# DKIM
 +
milter_default_action = accept
 +
milter_protocol = 2
 +
smtpd_milters = inet:localhost:8891
 +
non_smtpd_milters = inet:localhost:8891
  
opendkim-genkey -t -s mail -d example.com
+
==DKIM Key Generation==
  
This command will generate mail.private and mail.txt file. mail.private is private key that will be used to sign outgoing emails. Move it to the location we specified earlier in /etc/opendkim.conf
+
Jalankan perintah berikut dengan mail dan example.com matching dengan yang digunakan /etc/opendkim.conf  
  
cp mail.private /etc/postfix/dkim.key
+
opendkim-genkey -t -s mail -d example.com
  
DNS Record Setup
+
Akan keluar 2 file mail.private dan mail.txt.
 +
mail.private adalah private key yang digunakanakan untuk sign outgoing email. Pindahkan ke lokasi yang di set di /etc/opendkim.conf
  
Next, you need to create a TXT record on DNS end. Just check content of mail.txt file created by opendkim-genkey command we ran above.
+
cp mail.private /etc/postfix/dkim.key
  
cat mail.txt
+
==DNS Record Setup==
  
You will see something like below:
+
Buat TXT record di DNS. Isinya ada di mail.txt, coba lihat menggunakan
  
mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" ; ----- DKIM key mail for example.com
+
cat mail.txt
  
TXT record will require NAMS & VALUE.
+
Isinya kira-kira,
  
Use mail._domainkey for NAME and long string in quotes starting from v=DKIM1 as VALUE.
+
mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y;  p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" ; ----- DKIM key mail for example.com
  
Below is a sample screenshot for a TXT record. User-interface on your end might differ.
+
TXT ini membutuhkan NAME & VALUE.
  
TXT-DKIM record-1
+
Gunakan mail._domainkey untuk NAME dan long string yang dimulai dari v=DKIM1 as VALUE.
  
If you are editing a previous DNS record, it might take sometime for changes to propogate.
+
==Start Signing==
Start Signing
 
  
Once al config & setup done, you need to start DKIM service and restart postfix.
+
Start DKIM dan Postfix
  
service opendkim start
+
service opendkim start
service postfix restart
+
service postfix restart
  
Testing DKIM setup for correctness
+
==Testing DKIM setup for correctness==
  
 
Anything we do, specially for first time, must end with successful testing!
 
Anything we do, specially for first time, must end with successful testing!
  
 
There are many tools for testing. I will mention few of them below.
 
There are many tools for testing. I will mention few of them below.
Verify DNS Records for DKIM Setup
+
 
 +
==Verify DNS Records for DKIM Setup==
  
 
This will ONLY verify if your TXT record is created successfully.
 
This will ONLY verify if your TXT record is created successfully.
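Review bot: in the opendkim.conf block the new revision changes the active "SOCKET inet:8891@localhost" line to "# SOCKET inet:8891@localhost" without saying why. Since smtpd_milters and non_smtpd_milters still point at inet:localhost:8891, the page should state that the listener now comes only from SOCKET="inet:8891@localhost" in /etc/default/opendkim, or keep the line active. The "cp mail.private /etc/postfix/dkim.key" step also says nothing about the owner or mode of the copied private key; a follow-up step restricting read access to the signing service would be worth adding.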
Line 90: Line 89:
 
Classic and easy. You must be having this already. Running…
 
Classic and easy. You must be having this already. Running…
  
dig mail._domainkey.example.com TXT
+
dig mail._domainkey.example.com TXT
  
 
should return a response like…
 
should return a response like…
  
;; ANSWER SECTION:
+
;; ANSWER SECTION:
mail._domainkey.exmaple.com. 86400 IN TXT "v=DKIM1\;" "k=rsa\;" "t=y\;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB"
+
mail._domainkey.exmaple.com. 86400 IN TXT "v=DKIM1\;" "k=rsa\;" "t=y\;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB"
 +
 
 +
==Web-based Record Check==
 +
 
 +
Bisa menggunakan
 +
 
 +
http://www.protodave.com/tools/dkim-key-checker/
 +
 
 +
Gunakan
  
Web-based Record Check
+
* selector mail
 +
* domain example.com
  
You can use http://www.protodave.com/tools/dkim-key-checker/
+
==Verify DKIM Signing==
  
Use selector  mail and domain example.com there.
+
==Test #1 – Email-based==
Verify DKIM Signing
 
Test #1 – Email-based
 
  
 
If you have setup keys correctly then you should pass this test.
 
If you have setup keys correctly then you should pass this test.
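Review bot: the sample answer line in the new revision still reads "mail._domainkey.exmaple.com." although the dig command above it queries mail._domainkey.example.com. Correct the owner name so the sample output matches the command.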
Line 111: Line 117:
 
It’s better to use swaks tools for mail-testing (apt-get install swaks).
 
It’s better to use swaks tools for mail-testing (apt-get install swaks).
  
swaks -t check-auth2@verifier.port25.com -f me@example.com
+
swaks -t check-auth2@verifier.port25.com -f me@example.com
  
 
Replace me@example.com with your mail id where you would like to receive test results.
 
Replace me@example.com with your mail id where you would like to receive test results.
Test #2 – Web-based
+
 
 +
==Test #2 – Web-based==
  
 
Better choice will be to use a service like http://www.mail-tester.com/  which gives you a temporary email ID and web-interface to see what happens to the email on receiving end!
 
Better choice will be to use a service like http://www.mail-tester.com/  which gives you a temporary email ID and web-interface to see what happens to the email on receiving end!
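Review bot: "==Test #2 – Web-based==" is marked up at the same level as "==Verify DKIM Signing==" (and so is "==Test #1 – Email-based=="), so the two tests no longer nest under the section they belong to. Use a third-level heading for both tests.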

Latest revision as of 09:44, 4 October 2019

Source: https://easyengine.io/tutorials/mail/dkim-postfix-ubuntu/


If your web server / web app has delivery problems, DKIM (DomainKeys Identified Mail) will likely help.

It is strongly recommended to use DKIM for outgoing email even if our server does not run mail hosting at all.

Install DKIM

apt-get install opendkim opendkim-tools


DKIM config

Edit

vi /etc/opendkim.conf

Add (e.g. for the domain/subdomain example.com)

Domain                  example.com
KeyFile                 /etc/postfix/dkim.key
Selector                mail
# SOCKET                  inet:8891@localhost

Edit

vi /etc/default/opendkim

SOCKET="inet:8891@localhost"

Postfix configuration

Edit

vi /etc/postfix/main.cf

Add

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

DKIM Key Generation

Run the following command, with mail and example.com matching the values used in /etc/opendkim.conf

opendkim-genkey -t -s mail -d example.com

Two files will be produced, mail.private and mail.txt. mail.private is the private key that will be used to sign outgoing email. Move it to the location set in /etc/opendkim.conf

cp mail.private /etc/postfix/dkim.key

DNS Record Setup

Create a TXT record in DNS. Its content is in mail.txt; view it with

cat mail.txt

The content looks roughly like this:

mail._domainkey IN TXT "v=DKIM1; k=rsa; t=y;  p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB" ; ----- DKIM key mail for example.com

This TXT record needs a NAME & VALUE.

Use mail._domainkey as the NAME and the long string starting from v=DKIM1 as the VALUE.

Start Signing

Start DKIM and Postfix

service opendkim start
service postfix restart

Testing DKIM setup for correctness

Anything we do, especially for the first time, must end with successful testing!

There are many tools for testing. I will mention a few of them below.

Verify DNS Records for DKIM Setup

This will ONLY verify that your TXT record was created successfully.

dig command

Classic and easy. You probably have this already. Running…

dig mail._domainkey.example.com TXT

should return a response like…

;; ANSWER SECTION:
mail._domainkey.example.com. 86400 IN	TXT	"v=DKIM1\;" "k=rsa\;" "t=y\;"  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9XpfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiTlb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB"
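
An added example, not part of the original tutorial: a Python check of the answer line that dig returns above. It joins the quoted TXT strings, undoes the \; escaping, and reports the t=y testing flag that opendkim-genkey -t sets together with the RSA key size. The function names are this example's own; SAMPLE is the record shown on this page.

```python
import base64
import re

# Answer line from the dig output on this page, owner name spelled example.com.
SAMPLE = (r'mail._domainkey.example.com. 86400 IN TXT "v=DKIM1\;" "k=rsa\;" "t=y\;" '
          r'"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYv84GSl0Xp2CrPdFqMZ9ShBDi9Pal9X'
          r'pfIf7asEENxLRdIka3TONpqtrcCKksROJBNh2G3OVGuoGJ1watQGT46B+zQtjcCI67+WiT'
          r'lb2D98s1UV3KO7oi/0QH/lH8DzUmrGJUIy3ZBQ9mIu1t6YDyi8y3hlhTILHW7G4HV/VtwQIDAQAB"')

def txt_value(answer_line):
    """Join the quoted TXT strings of a dig answer line and undo its backslash escapes."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', answer_line)
    return re.sub(r"\\(.)", r"\1", "".join(parts))

def parse_tags(value):
    """Split 'tag=value; tag=value' into a dict, dropping whitespace (base64 may be folded)."""
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    _, spki, _ = _tlv(base64.b64decode(p_b64))
    _, _, after_alg = _tlv(spki)             # skip the AlgorithmIdentifier
    _, bit_string, _ = _tlv(spki, after_alg)
    _, rsa_key, _ = _tlv(bit_string[1:])     # drop the unused-bits byte
    _, modulus, _ = _tlv(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()

def audit(answer_line):
    """Return (tags, RSA key bits, findings) for one dig answer line."""
    tags, findings = parse_tags(txt_value(answer_line)), []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: key is published in testing mode (opendkim-genkey -t)")
    if not tags.get("p"):
        return tags, 0, findings + ["empty p=: key is revoked"]
    bits = rsa_bits(tags["p"]) if tags.get("k", "rsa") == "rsa" else 0
    if 0 < bits < 2048:
        findings.append(f"{bits}-bit RSA key: RFC 8301 recommends at least 2048 bits")
    return tags, bits, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A record generated without -t carries no t=y tag, and opendkim-genkey accepts -b 2048 to produce a longer key.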

Web-based Record Check

You can use

http://www.protodave.com/tools/dkim-key-checker/

Use

  • selector mail
  • domain example.com

Verify DKIM Signing

Test #1 – Email-based

If you have set up the keys correctly then you should pass this test.

You can test by simply sending an email to autorespond+dkim@dk.elandsys.com or check-auth2@verifier.port25.com

It’s better to use the swaks tool for mail testing (apt-get install swaks).

swaks -t check-auth2@verifier.port25.com -f me@example.com

Replace me@example.com with the mail address where you would like to receive the test results.

Test #2 – Web-based

A better choice is to use a service like http://www.mail-tester.com/ which gives you a temporary email address and a web interface to see what happens to the email on the receiving end!



References

Interesting Links