Install and configure DKIM with Postfix on RHEL7

Signed Email

Introduction

DKIM (Domain Keys Identified Mail) is a measure against email spoofing, Phishing and SPAM mails. Its easy to implement as you will learn in this article.

DKIM signs emails on the outgoing SMTP server, the receiving SMTP can verify the signature by looking up the mail._domainkey TXT DNS record of the respective domain to check if the email originates from that domain or if it is forged.

This howto can be used to implement DKIM on a SMTP server responsible for both, in- and out-going mails.

It has been standardized in 2007 as the successor of DomainKeys introduced by Yahoo in 2004. The latest standard revision is defined in defined in RFC 6376.

Requirements

  • A running Postfix SMTP server
  • Access to the RHEL 7 Optional Software Channel/Repo (rhel-x86_64-server-optional-7)
  • EPEL repository available

Installing the Software

The dependencies will be installed automatically

mail:~# yum -y install opendkim

Enable DKIM on system startup

mail:~# systemctl enable opendkim.service

Configure OpenDKIM

Add/Uncomment the following lines in /etc/opendkim.conf

Socket inet:12341@localhost # Choose any free services number
Mode    sv
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
InternalHosts   refile:/etc/opendkim/TrustedHosts
SignatureAlgorithm      rsa-sha256

/etc/opendkim/TrustedHosts

In this file you configure a whitelist which domains and/or IP addresses are considered as trusted. This is usually just localhost.

127.0.0.1
::1

/etc/opendkim/KeyTable

Here the definition of your private key is set up

mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

/etc/opendkim/SigningTable

Here comes the definitions of email address patterns

*@example.com mail._domainkey.example.com

Create the keypair

mail:~# mkdir /etc/opendkim/keys/example.com
mail:~# cd /etc/opendkim/keys/example.com
mail:~# opendkim-genkey -s mail -d example.com
mail:~# chown opendkim:opendkim mail.private

The file /etc/opendkim/keys/example.com/mail.txt contains the public key which must be added to a DNS server authoritative for the domain. It looks as following:

mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9grq0kphBEtp9biB09/X0rS42s87yHbxq4DsR0SYBNGTdendDzsFaGZeQMu0bGkY488Jm2OjmT4vXBy7FvTdqFIUKvKWXl0uKbH6nn0NcJe/Q71YnmNsGI1/EFa+YXIHqdbUjCVoQOzXQ1UiB+jZiw/G0Hhs45FW9sR8LFwaj6QIDAQAB" )  ; ----- DKIM key mail for example.com

If you are running (Free)IPA or Redhat Identity Management responsible as a DNS server, do the following:

[root@ipa1 ~]# ipa dnsrecord-add --txt-rec="p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9grq0kphBEtp9biB09/X0rS42s87yHbxq4DsR0SYBNGTdendDzsFaGZeQMu0bGkY488Jm2OjmT4vXBy7FvTdqFIUKvKWXl0uKbH6nn0NcJe/Q71YnmNsGI1/EFa+YXIHqdbUjCVoQOzXQ1UiB+jZiw/G0Hhs45FW9sR8LFwaj6QIDAQAB" example.com mail._domainkey

Configure Postfix

Thanks to Postfix Milter Implementation its a nobrainer to configure postfix:

mail:~# postconf milter_protocol=2
mail:~# postconf milter_default_action=accept
mail:~# postconf smtpd_milters=inet:localhost:12341
mail:~# postconf non_smtpd_milters=inet:localhost:12341

Restart the Services

mail:~# systemctl restart opendkim.service
mail:~# systemctl restart postfix.service

Testing

Write an email to check-auth@verifier.port25.com to test your set up. A few seconds later you will get an automated response which shows the results.

Do not get confused by DomainKeys check: neutral in the test results, they are for the legacy Yahoo DomainKeys. The important stuff is DKIM.

You can also write your self an email and check the source of it, it will be looking simulat to this:

Return-Path: <jdoe@example.com>
X-Original-To: jdoe@example.com
Delivered-To: jdoe@example.com
Received: from client.example.com (unknown [10.10.10.10])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: jdoe@example.com)
	by mail.example.com (Postfix) with ESMTPSA id 3D1CFA34
	for <jdoe@example.com>; Sun, 19 Feb 2017 17:20:37 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.example.com 3D1CFA34
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail;
	t=1487521237; bh=asdfasdfasasdfasfasdfsadfsdaf=;
	h=To:From:Subject:Date:From;
	b=asdasdasdasdasdasddasdasdasdasdadadadasdasdasdasdadasddas
         dasdadasdasddasdadasdasddasdadasdasddasdadasdasddasdadasda
         dasdadasdasd=
To: jdoe@example.com
From: Joe Doe <jdoe@example.com>
Subject: test

Read further

Have fun! 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *