Jan 09

How to install and configure OpenDKIM, Postfix, DNS, Debian 9 (Stretch).

[important]

Tested:
Debian 9.0.x

Tutorial configuration:
Example domain - domain.com
DNS Server - Bind9
Mail Server - Postfix

[/important]

Install and configure OpenDKIM.

Update system, install OpenDKIM and some needed dependencies (perl).

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install opendkim opendkim-tools
sudo apt-get install libdigest-sha-perl libdigest-sha-perl libcrypt-openssl-rsa-perl liberror-perl perl libnet-dns-perl libnet-server-perl libmail-dkim-perl libmailtools-perl

Add user postfix to opendkim.

sudo adduser postfix opendkim

Edit opendkim config file /etc/opendkim.conf.

sudo mkdir -p /var/spool/postfix/opendkim/
sudo nano /etc/opendkim.conf
Syslog           yes
Selector         mail
Mode             sv
SubDomains       yes
Socket           local:/var/spool/postfix/opendkim/opendkim.sock
PidFile          /var/run/opendkim/opendkim.pid
OversignHeaders  From
TrustAnchorFile  /usr/share/dns/root.key
UserID           opendkim
LogWhy           yes

Add these lines below.

KeyTable                  /etc/opendkim/KeyTable
SigningTable              /etc/opendkim/SigningTable
ExternalIgnoreList        /etc/opendkim/TrustedHosts
InternalHosts             /etc/opendkim/TrustedHosts

Edit /etc/opendkim/TrustedHosts.

sudo mkdir /etc/opendkim
sudo nano /etc/opendkim/TrustedHosts

Add domain.com and IP addresses:

127.0.0.1
localhost
192.168.0.0/255.255.255.0
external_IP
domain.com

Generate a key for domain.com server

sudo mkdir -p /etc/opendkim/keys/domain.com
cd /etc/opendkim/keys/domain.com
sudo opendkim-genkey -b 2048 -d domain.com -s mail
sudo chown opendkim:opendkim -R /etc/opendkim
sudo chmod 600 /etc/opendkim/keys/domain/mail.private

Edit /etc/opendkim/KeyTable, specify key location.

sudo nano /etc/opendkim/KeyTable

mail._domainkey.domain.com domain.com:mail:/etc/opendkim/keys/domain.com/mail.private

Edit /etc/opendkim/SigningTable, specify which key will sign a domain.

sudo nano /etc/opendkim/SigningTable
domain.com mail._domainkey.domain.com

Add DKIM key to DNS server.

Print key:

cat /etc/opendkim/keys/domain.com/mail.txt

Copy and paste printed key to your domain.com config file in DNS server (Bind9 - domain.com).

mail._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3... ...DQEBAQUAA4GNAB" ; ----- DKIM default for domain.com

Add extra ADSP (Author Domain Signing Practices).

_adsp._domainkey.domain.com   IN    TXT    "dkim=unknown"

Restart  DNS server.

sudo /etc/init.d/bind9 restart

Edit /etc/default/opendkim.

Specify daemon connection settings.

sudo nano /etc/default/opendkim
SOCKET=local:/var/spool/postfix/opendkim/opendkim.sock
sudo chown opendkim:opendkim /var/spool/postfix/opendkim/
sudo systemctl restart opendkim

Configure Postfix.

Edit /etc/postfix/main.cf.

sudo nano /etc/postfix/main.cf

Add these lines to postfix.

milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock

Restart Postfix.

sudo service postfix restart

Testing.

sudo opendkim-testkey -d domain.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.domain.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

[notice]
Support my work by donation. Thank You.

[/notice]

[/notice]

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International

7 comments

Skip to comment form

    • Greg on 3 February 2019 at 23:28
    • #
    • Reply

    Worked like a charm after failing with 2 other instruction pages. Thanks!

    • Name on 11 February 2019 at 17:06
    • #
    • Reply

    Add user postfix to opendkim.
    sudo adduser postfix opendkim

    What? Did you mean:

    usermod -aG opendkim postifx

    1. It is the same..

    • Filip on 23 October 2019 at 07:48
    • #
    • Reply

    Oct 23 08:43:37 LSPC02 opendkim[17024]: OpenDKIM Filter: Unable to bind to port local:/var/spool/postfix/opendkim/opendkim.sock: Permission denied
    Oct 23 08:43:37 LSPC02 opendkim[17024]: OpenDKIM Filter: Unable to create listening socket on conn local:/var/spool/postfix/opendkim/opendkim.sock
    Oct 23 08:43:37 LSPC02 opendkim[17024]: smfi_opensocket() failed

    I set permissions to postfix:root on opendkim folder. I cant figure out how to fix it.

    1. sudo chown opendkim:opendkim /var/spool/postfix/opendkim/
      then
      sudo systemctl restart opendkim
      sudo service postfix restart
      it should work now

    • David on 28 March 2020 at 22:02
    • #
    • Reply

    RE: Copy and paste printed key to your domain.com config file in DNS server (Bind9 – domain.com).

    That doesn’t tell me WHERE – what file or path – to copy the string. Would the file name be something like bind9.conf?

    1. Copy and paste in your own domain.com config in /etc/bind at the end of config..

Leave a Reply

Your e-mail address will not be published.