This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Postfix/DKIM
This guide will show you how to configure Postfix to use DKIM functionality provided by the mail-filter/opendkim package. For more information on DKIM, see its Wikipedia page.
DomainKeys, a previous proposal by Yahoo, has been obsoleted by DKIM.
OpenDKIM
First install mail-filter/opendkim:
root #emerge --ask opendkimand then configure the package, to generate the domain keys.
root #emerge --ask --config opendkimThe default opendkim configuration file has some defaults setup for us, but needs some modification as shown below.
Depending whether tcp or unix sockets are required, the Socket line has to be modified. By default opendkim configures itself using an ipv4 socket, but if opendkim is run on the same server as postfix, a unix socket may be preferable. In the following example configuration file, the mail server is under the domain mail.example.com and had as a hostname also mail which the configuration of the package picked up.
If this host handles more (virtual) domains and the same single key is to be used for all the virtual hosts, Domain can point to a file, for example /etc/opendkim/domains with one domain per line. More complex configurations, like separate key per domain, are possible, but are beyond the scope of this example.
/etc/opendkim/opendkim.confDomain example.com Selector mail KeyFile /etc/opendkim/mail.private Socket local:/var/run/opendkim/opendkim.sock UMask 002 ReportAddress postmaster@example.com PidFile /var/run/opendkim/opendkim.pid UserID milter
Also prepare the socket/pidfile location.
root #mkdir /var/run/opendkimroot #chown milter:milter /var/run/opendkimWith this, opendkim can be started (by default) and should be functional.
root #/etc/init.d/opendkim startroot #rc-update add opendkim defaultDNS
Mail and spam filters will verify the signed e-mails by using the key in the DNS system and thus, access to the DNS records is required. A TXT entry needs to be added for domain that is being used to send signed e-mail.
And example how to add this information to bind is shown here, the public key for the domain is printed in the package configuration step, but can also be found in the example dns record in /etc/opendkim/mail.txt for our mail host.
/var/bind/domain.tld.hostsmail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGaslkjD08u98adfaSDSDaasda898932asd...afDaDSD898sDSLSKDJLSDJSLDKJLDSKJ;"
The private key is written to /etc/opendkim/mail.private and should not be shared with anyone.
A restart or reload may be required to synchronize this new record to the secondary servers and propagated through the DNS system. Once the record is visible in the DNS system, the key can be used. Keep this in mind if testing fails, check the domains TXT record.
Postfix
Finally, postfix needs to be informed of the change, depending on whether the inet or unix socket is being used, this has to be added to the postfix configuration file. In the following example both approaches are shown, where the socket variant is preferred. Double check that the socket or port used here, match the one from the opendkim configuration file.
/etc/postfix/main.cf# OpenDKIM mail verification smtpd_milters = unix:/var/run/opendkim/opendkim.sock non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock #smtpd_milters = inet:localhost:8891 #non_smtpd_milters = inet:localhost:8891
Opendkim runs under the milter user. This is good, but postfix can't access this. Adding postfix to the milter group solves this easily however.
root #usermod -a -G milter postfixInforming postfix of the change makes immediate use of DKIM, a restart is required due to the change of permissions.
root #/etc/init.d/postfix restartTesting
To test the DKIM setup a blank email can be sent to check-auth@verifier.port25.com. An e-mail will be sent within 30 seconds with a test report.
Anything related to DomainKeys can be ignored: it is an obsolete standard.