This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Installing OpenDKIM
#1
Installing OpenDKIM
This guide will show you how to install and configure the OpenDKIM on your centos 6.5 and Ubuntu server. Before we start, I would just like to put out from the wiki what DKIM is. Just in case anyone doesn't know.

http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail Wrote:DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS.

First things first, we always need to ensure our system is up to date. So lets do that first. (This guide also assumes that you are not using the root account, that you are using another account, that can get root permissions.

CentOS
Code:
sudo Yum update

Ubuntu
Code:
sudo apt-get update

In CentOS you need to enable the Epel repo, if you haven't already. Just do the following.
Code:
sudo wget -P /tmp http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
sudo rpm -Uvh /tmp/epel-release-6-8.noarch.rpm
sudo rm -f /tmp/epel-release-6-8.noarch.rpm

Once you have done that you are ready to install the OpenDKIM and its dependencies.
CentOS
Code:
sudo yum install opendkim

Ubuntu
Code:
sudo apt-get install opendkim opendkim-tools

Okay so now we are at the fun part Smile Configuring it and getting it all setup to run. So using your fav editor after your backup the default config, open OpenDKIM.conf found at /etc/opendkim.conf.

Code:
sudo vim /etc/opendkim.conf

Now once this is open, I found it a lot easier just to delete all the comments and that around it, as we have a backup we can always go there or the opendkim for information. So either delete everything in the .conf or you can change the settings to like I have below;

Code:
AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

Great, not we need to set up our private and public keys, to do that we just do the following, and change the yourdomain.com to the domain you are setting up the keys for. (If you have more domains you would like to sign, you can also do that here just repeat this step with the new domain.)

Code:
sudo mkdir /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -D /etc/opendkim/keys/yourdomain.com/ -d yourdomain.com -s default
sudo chown -R opendkim: /etc/opendkim/keys/yourdomain.com
sudo mv /etc/opendkim/keys/yourdomain.com/default.private /etc/opendkim/keys/yourdomain.com/default

Okay so now we have to add this new key to the KeyTable. Again you will have to repeat this step depending on how many domains you are trying to set up with OpenDKIM. This file can be found at /etc/opendkim/KeyTable

Code:
sudo vi /etc/opendkim/KeyTable

Paste in the following;
Code:
default._domainkey.yourdomain.com youdomain.com:default:/etc/opendkim/keys/yourdomain.com/default

Next we need to edit /etc/opendkim/SigningTable a new record in the DKIMsigning table. The * wildcards so that it will sign all emails coming from that domain, however if you only want some signed, you can change the * with the email account.

Code:
*@yourdomain.com default._domainkey.yourdomain.com

The * wildcards so that it will sign all emails coming from that domain, however if you only want some signed, you can change the * with the email account.
Code:
support@yourdomain.com default._domainkey.yourdomain.com # This would only sign the support email.

Great so now we need to add our hostname, localhost and the domain(s) we are going to have signing for in the trusted hosts file located at, /etc/opendkim/TrustedHosts

However before doing this, as I also had some issues with this and not getting OpenDKIM to work, and truly it was a very simple fix. Type in hostname in your terminal, which will provide you with the hostname of you server.

So go ahead and run
Code:
sudo vi /etc/opendkim/TrustedHosts

Make it look something like this.

Code:
127.0.0.1
yourdomain.com
host.yourdomain.com
#This
is your hostname.

Great almost finished now we just need to update some DNS. I use Cloudflare for my dns, you can use which ever you like or if your domain provider offers it, you can use theres. First we got to get the information we are going to be putting there, which would be found in /etc/opendkim/keys/yourdomain.com/default.txt


Code:
sudo vi /etc/opendkim/keys/yourdomain.com/default.txt

You should see something like the following;

Code:
default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" )  ; ----- DKIM key default for yourdomain.com

So now with this information we are going to make a new txt dns zone with the name default._domainkey and we are going to post the the following in the value.

Code:
v=DKIM1; k=rsa; ""p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"


Yours will totally be different so don't just copy and paste this one. Below is a screen shot of how mine looks.
[Image: Screen_Shot_2014_08_10_at_5_27_28_PM.png]

Okay so now we need to edit postfix and let it know that we have a new milter. Open /etc/postfix/main.cf and paste the following;
Code:
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

Once that is done, you just have to restart the services.

Code:
sudo service opendkim start
sudo chkconfig opendkim on
sudo service postfix restart

Once that has beed restarted and everything is up and running you just have to test and ensure you are sending signed emails. Which you can do by emailing say a gmail account that you own, and looking at the headers, you should see something like mailed-by; yourdomain.com signed-by: yourdomain.com

Or you can simply email check-auth2@verifier.port25.com and you will get a email back with the information if it is signed, spam etc, in about 5-10 minutes.

You would get something like the following back;

Code:
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com. The service allows email senders to perform
a simple check of various sender authentication mechanisms. It is provided
free of charge, in the hope that it is useful to the email community. While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
Reply
#2
RE: Installing OpenDKIM
Awesome mate!!! Smile
Reply
Thanks given by:
#3
RE: Installing OpenDKIM
First thanks for the guide Jason!
I'm on zpanel 10.1.1 still :-(

I followed above instructions then I added these two edits (resolves uppercase changing to lowercase):
Issue So THIS is where you all have been hiding!
then changed to
Issue So THIS is where you all have been hiding!

I added my domains default._domainkey back into mysql thru phpmyadmin, both upper/lowercase now show up thru panels DNS Manager.

I'm still having an issue.

port25 results:
=================
Summary of Results
=================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         permerror
Sender-ID check:    pass
SpamAssassin check: ham
Reply
Thanks given by:
#4
RE: Installing OpenDKIM
Great Tut.

I have got it all working, bar one thing. Which is a bug in the DNS MySQL Table, the limit on the Table for that field is 100 so the key is getting truncated. It is also still being lowercase'd even though looking in the above bug fix file to check if the bugfix has been applied. Which it was.

Will post this as a Bug on the GitSite Smile

OH PS: Running Sentora on and VPS CentOS 6.4
Reply
Thanks given by:
#5
RE: Installing OpenDKIM
5050 DNS bug
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask

200$ free to start your VPS 60 days credit
Reply
Thanks given by:
#6
RE: Installing OpenDKIM
This tutorial is valid for Sentora v1.0.0 ??

I do not want to damage the installation of my server, can someone confirm me please?
Reply
Thanks given by:
#7
RE: Installing OpenDKIM
Hello, I'm having some troubles with this.
When I try to send an email from my gmail account to something@mydomain.com that is being forwarded to my hotmail account I don't get the "Mailed-By" in my header what also means that it goes to spam (because my server is not a gmail server so it isn't allowed to send mails from gmail accounts).
Does anyone know how to fix this?

Jeroen Berkvens
Webmaster All Terrain
Reply
Thanks given by:
#8
RE: Installing OpenDKIM
Seems like this tutorial is a bit out of date. After I executed "sudo apt-get install opendkim opendkim-tools", the "/etc/opendkim" directory did not exist.
Reply
Thanks given by:
#9
RE: Installing OpenDKIM
question - do we include the quotation mark before the v here?
v=DKIM1; k=rsa; "
Reply
Thanks given by:
#10
RE: Installing OpenDKIM
sudo chkconfig opendkim on - > returns command not found.
Any turn around?
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
I need help installing sentora WolfCommunity 2 8 ,305 03-23-2016, 08:52 PM
Last Post: Waqass
after Installing Xbilling Not Able to Use spider 1 6 ,341 01-16-2016, 08:20 AM
Last Post: Jeroen

Forum Jump:


Users browsing this thread: 4 Guest(s)