- Log in as the root account
- Generate private and public keys for DKIM
cd /etc/postfix/
mkdir dkim
cd dkim
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
- Create DNS records with the public key. Create TXT records for all domains that the server will send emails from. The public key is the same for all records, so the records will be almost identical except for the domain name.
Name field will look like: mail._domainkey.mydomain01.com
Data (TXT) field will look like: "v=DKIM1; g=*; k=rsa; p=%Public_Key%"
%Public_Key% should be replaced with the content of the /etc/postfix/dkim/public.key file without line breaks ("k=rsa; t=y; p=MIGf.....AQAB")
- Install core dependencies for Perl libraries. Accept all defaults.
apt-get update
apt-get install libssl-dev
perl -MCPAN -e 'install Crypt::OpenSSL::RSA'
perl -MCPAN -e 'install Digest::SHA'
perl -MCPAN -e 'install Mail::Address'
perl -MCPAN -e 'install MIME::Base64'
perl -MCPAN -e 'install Net::DNS'
perl -MCPAN -e 'install Net::Server'
perl -MCPAN -e 'install Mail::DKIM'
perl -MCPAN -e 'install Error'
- Download and install DKIMProxy
cd /usr/src
wget http://garr.dl.sourceforge.net/project/dkimproxy/dkimproxy/1.2/dkimproxy-1.2.tar.gz
tar xfh dkimproxy-1.2.tar.gz
cd dkimproxy-1.2
./configure --prefix=/usr/local/dkimproxy
make install
- DKIMProxy configuration. Postfix can listen on port 25 or 587 to sign outgoing emails.
6.1:
Open master.cf, located in the postfix instance folder:
vi /etc/postfix/master.cf
For the port 25 listener, after
smtp inet n - - - - smtpd
insert these lines:
    -o smtpd_etrn_restrictions=reject
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
For the port 587 listener, after
smtp inet n - - - - smtpd
insert these lines:
submission inet n - y - - smtpd
    -o smtpd_etrn_restrictions=reject
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
6.2:
At the end of the file (master.cf) insert these lines:
dksign unix - - n - 10 smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls
* Repeat steps 6.1 and 6.2 for additional postfix instances.
The service that accepts messages back from the DKIM signing proxy should be configured in one master.cf only.
Open the master.cf file of the last instance (vi /etc/postfix09/master.cf) and insert these lines at the end of the file:
127.0.0.1:10028 inet n - n - 10 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
Create user and group for DKIMProxy
groupadd dkim
useradd -s /bin/false -d /dev/null -g dkim dkim
Create domain.key (vi /etc/postfix/dkim/domain.key) that will include all your domain names. This file will look like:
mydomain01.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha256,c=relaxed)
mydomain02.com domainkeys(a=rsa-sha1,c=nofws), dkim(a=rsa-sha256,c=relaxed)
Set up init script
vi /etc/init.d/dkimproxy
Copy code from http://www.pastie.org/579385 into this file
Set executable permission for the file
chmod +x /etc/init.d/dkimproxy
Start DKIMProxy
/etc/init.d/dkimproxy start (if you receive error: “hostname: Unknown host” change line 25 from HOSTNAME=`hostname -f` to HOSTNAME=`hostname`)
postfix -c /etc/postfix reload
postfix -c /etc/postfix02 reload (restart additional postfix instances)
- Run at startup
Add /etc/init.d/dkimproxy start to /etc/rc.local before exit 0
How to stop DKIMProxy
- To stop DKIM signing for a specific interface, edit its master.cf (vi /etc/postfix02/master.cf)
- Comment out these lines:
#   -o smtpd_etrn_restrictions=reject
#   -o content_filter=dksign:[127.0.0.1]:10027
#   -o receive_override_options=no_address_mappings
#   -o smtpd_recipient_restrictions=permit_mynetworks,reject
- Reload the postfix instance, for example the postfix02 instance
postfix -c /etc/postfix02 reload
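
The DNS step above puts the contents of public.key, without line breaks, into the p= field of one TXT record per domain. As an added example (not part of the original guide), the shell functions below strip the PEM armor and line breaks, print the record name and TXT data for each domain, and refuse input that is a private key. The function names and the sample key are this example's own, and the sample is constructed, not real key material.

```sh
#!/bin/sh
# Added example: print one DKIM TXT record per domain from a PEM public key.
SELECTOR="mail"   # selector used in this guide (mail._domainkey.<domain>)

# pem_to_p: PEM on stdin -> bare base64 body on stdout
# (BEGIN/END armor lines dropped, spaces and line breaks removed).
pem_to_p() {
    grep -v '^-----' | tr -d ' \t\r\n'
}

# dkim_txt_record DOMAIN P: print "name<TAB>data" in the guide's record format.
dkim_txt_record() {
    printf '%s._domainkey.%s\t"v=DKIM1; g=*; k=rsa; p=%s"\n' "$SELECTOR" "$1" "$2"
}

# dkim_records DOMAIN...: read the PEM public key on stdin and emit one
# record per domain; the key is the same for every domain.
dkim_records() {
    pem=$(cat)
    case $pem in
        *"PRIVATE KEY"*)   # guard against publishing private.key by mistake
            echo "refusing: input is a private key" >&2; return 1 ;;
    esac
    p=$(printf '%s\n' "$pem" | pem_to_p)
    case $p in
        ''|*[!A-Za-z0-9+/=]*)
            echo "input is not a PEM public key" >&2; return 1 ;;
    esac
    for domain in "$@"; do
        dkim_txt_record "$domain" "$p"
    done
}

# Constructed sample input (not a real key). On the server, run instead:
#   dkim_records mydomain01.com mydomain02.com < /etc/postfix/dkim/public.key
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
MIGfCONSTRUCTEDSAMPLEONLY
NOTAREALKEYAQAB
-----END PUBLIC KEY-----'
printf '%s\n' "$SAMPLE_PEM" | dkim_records mydomain01.com mydomain02.com
```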