The following tutorial covers a DomainKeys/DKIM implementation using OpenDKIM on SLES or openSUSE. DomainKeys Identified Mail (DKIM) is a technology designed to make it difficult or impossible for criminals to steal the identities of legitimate organizations. This authentication technology allows good senders to “sign” a message to prove that it really did come from them.
DKIM was originally written as a sender authentication protocol, developed to address the problem of forged email messages. Yahoo! released the DomainKeys specification and Cisco released the Internet Identified Mail specification. Both methods are based on cryptographic message signing. The two efforts have been merged, and the combined specification is known as DomainKeys Identified Mail (DKIM).
There are various options for implementing a DomainKeys signature: DK-Filter, DKIM-milter, OpenDKIM, and the Amavisd-new DKIM implementation. Don’t be confused by all the terms. All of these methods have a similar function: signing your email as “trusted” or legitimate email.
Implementing OpenDKIM on openSUSE/SLES for Zimbra Mail Server can be achieved in 5 easy steps:
- Installing OpenDKIM
- Configuring OpenDKIM
- Configuring DNS Records
- Integrating with Your Mail Server (in my case : Zimbra Mail Server)
- Testing & Verifying the DKIM Signature
OPENDKIM INSTALLATION
Download and install OpenDKIM. I found a repo on the openSUSE Community Repository, Webpin. The RPM was built for openSUSE 11.2, but you may also install it on openSUSE 11.3 or SLES 11.
In case the original RPM is removed from the repos, I keep a backup copy on my repo, http://download.vavai.com.
    wget -c http://download.vavai.com/repo/x86_64/opendkim-2.2.2-2.1.x86_64.rpm
    wget -c http://download.vavai.com/repo/x86_64/libopendkim3-2.2.2-2.1.x86_64.rpm
    zypper in *.rpm
OPENDKIM CONFIGURATION
- Create the OpenDKIM configuration
    cp /usr/share/doc/packages/opendkim/opendkim.conf.sample /etc/opendkim.conf
    mkdir -p /etc/mail/dkim
- Modify /etc/opendkim.conf to match your environment
    BaseDirectory /var/run/opendkim
    Domain vavai.web.id
    InternalHosts 192.168.10.0/24, 127.0.0.1
    KeyFile /etc/mail/dkim/selector.private
    Mode sv
    Selector selector
    Socket inet:8891@localhost
    Syslog Yes
    SyslogFacility mail
    X-Header Yes
- Create the selector and key for signing messages
    opendkim-genkey -d vavai.web.id -D /etc/mail/dkim -s selector
    cd /etc/mail/dkim
    chmod 440 selector.private
The above command creates 2 files: selector.txt and selector.private. selector.txt contains the DNS records that we must insert into our DNS server.
- Run OpenDKIM with the following command:
    opendkim -x /etc/opendkim.conf
DNS SERVER CONFIGURATION
Open /etc/mail/dkim/selector.txt and copy its content into our DNS server. If your public DNS is managed by your ISP, contact them and ask them to insert a TXT record into the DNS server for our domain.
Below is a sample from my DNS server for the domain vavai.web.id:
    # cat /var/lib/named/master/vavai.web.id
    $TTL 2d
    @ IN SOA ns1.vavai.web.id. root.ns1.vavai.web.id. (
            2010122101 ; serial
            3h ; refresh
            1h ; retry
            1w ; expiry
            1d ) ; minimum
    vavai.web.id. IN NS ns1.vavai.web.id.
    vavai.web.id. IN NS ns2.vavai.web.id.
    vavai.web.id. IN A 174.120.9.XXX
    vavai.web.id. IN MX 0 mail.vavai.web.id.
    www IN CNAME vavai.web.id.
    ns1 IN A 202.158.52.xxx
    mail IN A 202.158.52.xxx
    ns2 IN A 202.43.115.xxx
    vavai.web.id. IN TXT "v=spf1 a mx include:mail.vavai.web.id ~all"
    selector._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIG29fMA0GCSqsdfsdfdsfdsfGSIb3DQEBAQUAA4GNADCBiQKBgQDJ5IZT5e5nvmkotroz5ylTlwU8yEEZ+v/576aI+w6TkbP4XibYxDsWVweXXtVeQQMMAAmw8AwYuK5R9b373Xqu+Hv9HNAJoAteKF/qlKcZc5Akhj5B7P1imXaurZkkIBp63yBZyZRralzQYNT3UrVB7M/xONMWXcU9xm7Zv1PzH1Y1OQIDAQAB"
ZIMBRA MAIL SERVER CONFIGURATION
Open a terminal/konsole, log in as the zimbra user (su - zimbra) and replace/add the following lines in /opt/zimbra/postfix/conf/main.cf:
    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891
    milter_default_action = accept
Save and run the reload command: postfix reload
TESTING & VERIFYING OPENDKIM
After all steps have been successfully executed, test OpenDKIM by sending a blank email to sa-test@sendmail.net, check-auth@verifier.port25.com or autorespond+dkim@dk.elandsys.com, or to your Gmail/Yahoo email account.
Below is a sample response message from sendmail:
    Authentication System: DomainKeys Identified Mail
    Result: DKIM signature confirmed GOOD
    Description: Signature verified, message arrived intact
    Reporting host: sendmail.net
    More information: http://mipassoc.org/dkim/
    Sendmail milter: https://sourceforge.net/projects/dkim-milter/
Response from elandsys:
    This is an automatic response. Replies to this message will not generate an automatic response. Do not reply to this message except for reporting a problem.
    The results are as follows:
    DKIM Signature validation: pass (1024-bit key)
Response from Gmail:
    Received-SPF: pass (google.com: domain of vavai@vavai.web.id designates XXX.158.52.XXX as permitted sender) client-ip=XXX.158.52.XXX;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of vavai@vavai.web.id designates XXX.158.52.XXX as permitted sender) smtp.mail=vavai@vavai.web.id; dkim=pass header.i=@vavai.web.id
    Received: from localhost (localhost [127.0.0.1])
        by mx3.vavai.web.id (Postfix) with ESMTP id 0E666DB0302
        for ; Wed, 22 Dec 2010 09:42:12 +0700 (WIT)
    X-Virus-Scanned: amavisd-new at vavai.web.id
    Received: from mx3.vavai.web.id ([127.0.0.1])
        by localhost (mx3.vavai.web.id [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id On3P3QqkyMM4
        for ; Wed, 22 Dec 2010 09:42:11 +0700 (WIT)
    Received: from mx3.vavai.web.id (mx3.vavai.web.id [XXX.158.52.XXX])
        by mx3.vavai.web.id (Postfix) with ESMTP id 56CC1DB0136
        for ; Wed, 22 Dec 2010 09:42:11 +0700 (WIT)
    X-DKIM: OpenDKIM Filter v2.2.2 mx3.vavai.web.id 56CC1DB0136
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=vavai.web.id;
        s=selector; t=1292985731;
        bh=cBOiyKgb7kh/ygTXq8sQihgwMCryqYRvRZBYcO6/z5U=;
        h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
        b=KMOYjsda6qPqNdf0NuyxdEayFxgRCAVmilYKobK3sKV8hSvybT3fmbWM+2mZUCzMY
         sDSdVVTXMB6RnHoEPyPzNFK7y9TPpAn0SPkGqL0nSzQ+Fr6/VaEBHrcQGduUNm5Ot5
         V0Y9vIcmfjLGWTkkAX0RjHpV/9ZK8VPJD0etRsM0=
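The DKIM-Signature header in the Gmail sample and the TXT record in the zone file above have to agree with each other: the verifier builds its DNS lookup from the s= and d= tags. The following check is an added example, not part of the original tutorial or of OpenDKIM; the function names are hypothetical, and the bh=, b= and p= values are placeholders because it checks the tags only, not the cryptographic signature.

```python
# Added example: sanity-check a DKIM-Signature header against its DNS key record.
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:  # skips the empty element after a trailing ';'
            name, val = item.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags

def check_signature(sig_header, record_name, txt_record):
    """Return (dns_query_name, problems) for a signature and a key record."""
    sig, key = parse_tags(sig_header), parse_tags(txt_record)
    problems = []
    # The verifier looks the key up at <s=>._domainkey.<d=>
    query = "{}._domainkey.{}".format(sig.get("s", ""), sig.get("d", ""))
    if query.lower() != record_name.lower().rstrip("."):
        problems.append("selector/domain mismatch: signature uses " + query)
    signed = [h.strip().lower() for h in sig.get("h", "").split(":")]
    if "from" not in signed:
        problems.append("From is not listed in h=")
    algo = sig.get("a", "")
    if algo != "rsa-sha256":
        problems.append("algorithm is " + algo + ", expected rsa-sha256")
    if key.get("v", "DKIM1") != "DKIM1":
        problems.append("key record v= is not DKIM1")
    if key.get("k", "rsa") != algo.split("-")[0]:
        problems.append("key type k= does not match a=")
    if not re.sub(r"\s+", "", key.get("p", "")):
        problems.append("p= is empty (key revoked or not published)")
    return query, problems

# Header tags copied from the Gmail sample above; bh= and b= are shortened
# placeholders because this check does not verify the cryptographic signature.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=vavai.web.id; s=selector; "
              "t=1292985731; bh=PLACEHOLDER=; "
              "h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type; "
              "b=PLACEHOLDER=")
# Key record with the tags from the zone file above; p= is a constructed placeholder.
SAMPLE_TXT = "v=DKIM1; r=postmaster; g=*; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY"

if __name__ == "__main__":
    name, issues = check_signature(
        SAMPLE_SIG, "selector._domainkey.vavai.web.id", SAMPLE_TXT)
    print(name, issues or "no problems found")
```

A selector mismatch here usually means the Selector value in /etc/opendkim.conf and the label of the TXT record in the zone file have drifted apart.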