DKIM, Postfix, and Fedora 17
DKIM, or DomainKeys Identified Mail, is a way to sign emails you send such that other mail servers can verify they came from your domain. This is accomplished by signing the email on the server with an RSA private key and having the receiving server verify the signature using a public key you publish via DNS TXT records. This can be very useful if you’re sending large volumes of mail and want sites like gmail, yahoo, and hotmail to not treat you as spam. So, let’s set it up for Fedora 17!
This guide is geared towards people who need to set up postfix to automatically sign outbound email for a specific domain. Extending it to sign mail for every domain on your server with a single key (or multiple different keys) is outside the scope, but is a trivial extension of the configuration described below.
Install & Configure
yum install dkim-milter cd /etc/mail/dkim-milter/keys dkim-genkey -r -d whatever-your-domain-is.com
At this point you should have a “default.private” and “default.txt” file in your current working directory (which is /etc/mail/dkim-milter/keys). default.txt contains the DNS TXT record you must add to your DNS entries. Here’s what it will look like:
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+rSlv01jhqLorJDSHe3hfbqFKMyRUdDKwh3BunLt8gBIsNvgoNfr1ykhjSA8jzgGc1n7zIXkI3RuoLHaXbGwb1kpuaWp+A4pfJz1plriem9qFRuCOYYkASy25UYK+MULYBwc73FoUQwGv7BvefCHNT6cQpOkSHaoJR4tcSL1OjwIDAQAB" ; ----- DKIM default for test
You’ll also need to set up one more TXT record:
_domainkey IN TXT "t=y; o=~;"
The t=y line lets consumers know you are in test mode, and o=~ denotes that some (but not all) of your emails will be signed. When you’re done testing be sure to remove t=y (and set o=- if you so desire).
Next let’s rename and chown the private key so dkim-milter can use it.
mv default.private default chown dkim-milter:dkim-milter default
Now we’ll need to edit /etc/mail/dkim-milter/keys/keylist to add a line like this (substituting your domain):
Finally, add the postfix group to the dkim-milter user in /etc/group and make sure /var/run/dkim-milter is set to 770 permissions.
We’re all set configuring dkim-milter. Let’s start it up and configure it to turn on at boot.
systemctl start dkim-milter.service systemctl enable dkim-milter.service
Now that we’ve got dkim-milter set up we need to tell postfix to use it. Add the following lines to the end of your /etc/postfix/main.cf
milter_default_action = accept milter_protocol = 6 smtpd_milters = local:/var/run/dkim-milter/dkim-milter.sock non_smtpd_milters = local:/var/run/dkim-milter/dkim-milter.sock
Now restart postfix and we’re ready to test
systemctl restart postfix.service
To test, simply send an email from your server (using the domain you configured) to a gmail address. A valid signature will look like this valid signature from a google.com address: If you don’t see a signed-by that means you’ve made a mistake in your configuration (or possibly your DNS hasn’t had time to propagate properly). You can see what the error is by looking at the raw email headers. Good luck!