Instalare OpenDKIM
Pentru instalarea OpenDKIM se foloseste comanda:
yum install opendkim
Generare cheie pentru semnarea mesajelor
Trebuie generata cate o cheie privata si una publica pentru fiecare domeniu pentru care se doreste semnarea email-urilor. Cheia privata se stocheaza pe server si nu este accesibila public, iar cheia publica va fi publicata in inregistrarile DNS asa incat serverele care primesc email-urile sa le poata verifica semnaturile.
La prima rulare, opendkim va genera un set implicit de chei care vor fi stocate in /etc/opendkim/keys/ folosind numele de domeniu al serverului si selectorul “default”. Pentru generarea manuala a cheilor se poate folosi acelasi selector, “default”.
Crearea cheilor se realizeaza cu comenzile urmatoare (se va inlocui example.com cu numele real al domeniului):
mkdir /etc/opendkim/keys/example.com
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
chown -R opendkim:opendkim /etc/opendkim/keys/example.com
mv /etc/opendkim/keys/example.com/default.private /etc/opendkim/keys/example.com/default
Optiuni utilizate:
-D: directory
-d: domain
-s: selector
Modificarea fisierelor de configurare
Trebuie create/modificate urmatoarele 4 fisiere de configurare:
1. /etc/opendkim.conf – fisierul principal de configurare
2. /etc/opendkim/KeyTable – lista cheilor disponibile pentru semnarea mesajelor
3. /etc/opendkim/SigningTable – lista domeniilor si conturilor pentru care se permite semnarea
4. /etc/opendkim/TrustedHosts – lista serverelor “de incredere” (trusted) la semnarea sau verificarea mesajelor
Editarea /etc/opendkim.conf si stabilirea valorilor ca mai jos:
## CONFIGURATION OPTIONS
# Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid
# Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode sv
# Log activity to the system log.
Syslog yes
# Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes
# If logging is enabled, include detailed logging about why or why not a message was
# signed or verified. This causes a large increase in the amount of log data generated
# for each message, so it should be limited to debugging use only.
#LogWhy yes
# Attempt to become the specified user before starting operations.
UserID opendkim:opendkim
# Create a socket through which your MTA can communicate.
Socket inet:8891@127.0.0.1
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
Umask 002
# This specifies a file in which to store DKIM transaction statistics.
#Statistics /var/spool/opendkim/stats.dat
## SIGNING OPTIONS
# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/simple
# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
Domain example.com
# Defines the name of the selector to be used when signing messages.
Selector default
# Gives the location of a private key to be used for signing ALL messages.
#KeyFile /etc/opendkim/keys/default.private
# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# setting in the configuration file.
KeyTable refile:/etc/opendkim/KeyTable
# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys.
SigningTable refile:/etc/opendkim/SigningTable
# Identifies a set of "external" hosts that may send mail through the server as one
# of the signing domains without credentials as such.
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
# Identifies a set internal hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts
Trebuie decomentate optiunile Domain, KeyTable, SigningTable, ExternalIgnoreList si InternalHosts, iar, din moment ce se va folosi KeyTable se poate comenta optiunea KeyFile.
Urmeaza crearea/modificarea celor 3 fisiere pe care le-am decomentat in fisierul de configurare.
Crearea/modificarea fisierului /etc/opendkim/KeyTable cu urmatorul continut:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default
Pentru cazul in care se vor folosi mai multe chei (pentru semnarea mesajelor de pe diferite domenii virtuale cu diferite chei) se va adauga cate o linie pentru fiecare domeniu, dupa exemplul:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default
default._domainkey.example2.com example2.com:default:/etc/opendkim/keys/example2.com/default
Crearea/modificarea fisierului /etc/opendkim/SigningTable, in care trebuie doar decomentata linia:
*@example.com default._domainkey.example.com
Crearea/modificarea fisierului /etc/opendkim/TrustedHosts, dupa modelul:
127.0.0.1
hostname1.example.com
hostname2.example.com
example.com
Modificarea configurarii MTA (Mail Transport Agent)
Pentru Postfix, doar trebuie adaugate urmatoarele linii in fisierul main.cf:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
Daca se foloseste o versiune a Postfix mai veche de 2.6 mai trebuie adaugata si linia:
milter_protocol = 2
Pentru detalii suplimentare: http://www.postfix.org/MILTER_README.html#version
Nu se restarteaza acum serviciul Postfix, pentru ca mai intai trebuie pornit serviciul opendkim, altfel vor fi generate erori.
Pentru Sendmail trebuie adaugata urmatoarea linie in fisierul /etc/mail/sendmail.mc:
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')
Se genereaza fisierul sendmail.cf folosind comanda:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Pornirea OpenDKIM si repornirea MTA
Pornirea OpenDKIM:
service opendkim start
Repornirea Postfix:
postfix reload
Sau, dupa caz, repornirea Sendmail:
service sendmail restart
Pentru pornirea serviciului opendkim la pornirea serverului se executa comanda chkconfig:
chkconfig opendkim on
Adaugarea inregistrarii DNS
Informatia care trebuie publicata in DNS este continuta in fisierul /etc/opendkim/keys/example.com/default.txt si poate fi vizualizata cu comanda:
cat /etc/opendkim/keys/example.com/default.txt
Informatia arata cam asa:
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" ; ----- DKIM default for example.com
Aceasta informatie trebuie adaugata la finalul fisierului cu zonele DNS pentru domeniul respectiv.
Testarea configuratiei
Configurata poate fi testata folosind instrumentul http://www.brandonchecketts.com/emailtest.php
sau prin trimiterea unui email cu semnatura DKIM catre una (sau mai multe) din urmatoarele adrese de email:
autorespond+dkim@dk.elandsys.com
sa-test@sendmail.net
check-auth@verifier.port25.com
Alte articole pe aceeasi tema
http://www.dkim.org/
http://www.opendkim.org/
http://blog.mixu.net/2009/11/03/setting-up-spf-senderid-and-dkim-on-centos-5-3-using-sendmail/
http://www.mylinuxtips.info/linuxtipstutorials/setup-dkim-keys-with-sendmail/
http://server-support.co/blog/sysadmin/centos-configure-dkim-sendmail-multiple-domains/
http://www.elandsys.com/resources/sendmail/dkim.html