OpenDKIM will give Your mail a signature that will eventually lower the spam score of the mail comming from your domain. This will help signifficantly to exclude these mails from being considered as spam by other servers, including google (google “accidentally” oftem considers a clean mail as spam because it has no dkim signature).

On a Centos box, install OpenDKIM first. It comes from the Epel repos, so if you don’t have them listen in Your repo list, install it 1st:

wget -P /tmp http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh /tmp/epel-release-6-8.noarch.rpm
yum install opendkim

 

Next, the configuration file that we will be using is below. Either find/add those options to the original config file, or even better, make a copy of the original file and replace /etc/opendkim.conf with the following:

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    s
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

Now we have to setup the public and private keys (replace yourdomain in the text with the apropriate domain name):

mkdir /etc/opendkim/keys/yourdomain
opendkim-genkey -D /etc/opendkim/keys/yourdomain/ -d yourdomain -s default
chown -R opendkim: /etc/opendkim/keys/yourdomain
mv /etc/opendkim/keys/yourdomain/default.private /etc/opendkim/keys/yourdomain/default

Now we have to add it to the OpenDKIM keytable. Edit /etc/opendkim/KeyTable and add:

default._domainkey.yourdomain yourdomain:default:/etc/opendkim/keys/yourdomain/default

Next step, adding the domain to the signing table. Edit /etc/opendkim/SigningTable, and insert:

*@mydomain.com default._domainkey.mydomain.com

And the last move with DKIM, edit /etc/opendkim/TrustedHosts and add your LAN there.

Now we have to tell Postfix that we want to use OpenDKIM miltering. Edit /etc/postfix/main.cf and insert at the end of the file:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 6

Now we can try to start OpenDKIM and reload postfix:

service opendkim start
chkconfig opendkim on
service postfix reload

If everything worked well, You can send a test mail and see in the source and it contains a DKIM signature, tail /var/log/maillog -f and see the OpenDKIM entries like DKIM-Signature field added (s=default, d=yourdomain)

Now you should add the dkim signature to your domain file (probably at your ISP). The exact signature as it should look was generated by the opendkim certificate generator, and it is located in /etc/opendkim/keys/yourdomain/default.txt
So, all you need is to insert it in the DNS zone file or send it to Your ISP if the DNS is hosted and after a while it will start to work. If you want to check if the DKIM signature is properly inserted in your DNS zone, you can do dig +short default._domainkey.yourdomain TXT
and it should give You and answer with the hashed key.

Hint:
After a working OpenDKIM and SPF, you might want to join it together with the new DMARC technology!

5 thoughts on “Install OpenDKIM with Postfix on CentOS

  1. Thank you for this great tuttorial. I made OpenDKIM work. But one important thing is missing as i found. If you set OpenDKIM mode only “s” (sign) as you mentioned in the tuttorial, Plesk’s DomainKey signing is not working. You must set it “sv” (sign and verify) to make it work both.

    1. And i forget to type. As i learnt it is about Postfix version. Milter protocol must be 6, if it is not working on protocol 2.

      smtpd_milters = , inet:127.0.0.1:12768, inet:127.0.0.1:8891
      non_smtpd_milters = $smtpd_milters
      milter_default_action = accept
      milter_protocol = 6

      1. Hey thanks for the feedback and basically you’re correct. Having in mind the new Postfix versions, the milter_protocol should be set to 6 (although indeed it also works with 2). I’ve corrected this.
        I’ll also make some more corrections about the selector – as apparently the preferred selector is the hostname.
        Obviously and unfortunately I don’t have much time and energy to maintain this site but your feedback gave me some wind in my back. I did have plan to post good “ploys” but just no time…

        Thanks and sorry for the late reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.