Domainkeys and DKIM with Postfix
From Gentoo Linux Wiki
This guide will show you how to configure Postfix to use Domainkeys and DKIM
Domainkeys
Set the selector name to "mydk" (without the quotes) and select "[2] 1024 bits" for your key. Your key will be created now. Copy it, since we will paste it into your Bind zone file later. (Before choosing 1024 bits, read the 'Notes' section below on this page.)
Edit the following file, making sure to replace domain.tld with your domain.
ADDITIONAL_OPTS="-l -b sv -d domain.tld -H -s /etc/mail/dk-filter/mydk.private -S mydk \
-C badsignature=reject,dnserror=tempfail,internal=tempfail,nosignature=accept,signaturemissing=reject"
The comma-separated values following -C determine how incoming messages are handled according to the result of each test. If you don't want to test incoming mail and only want to sign outgoing mail, change all of these to accept instead of reject or tempfail. If you accept incoming email, its DomainKeys status is still written to the header. The v in "-b sv" enables verification of incoming email; you can remove it if you only want signing.
Now edit your bind configuration. The following are two separate records:
_domainkey.domain.tld. IN TXT "o=-"
mydk._domainkey.domain.tld. IN TXT "k=rsa; p=yourkeyhere;"
Now edit your postfix configuration. The following are two separate lines:
smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock
non_smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock
DKIM
Set the selector name to "mydkim" (without the quotes) and select "[2] 1024 bits" for your key. Your key will be created now. Copy it, since we will paste it into your Bind zone file later. (Before choosing 1024 bits, read the 'Notes' section below on this page.)
Edit the following file. The defaults are fine except for the following settings:
Domain domain.tld
KeyFile /etc/mail/dkim-filter/mydkim.private
Selector mydkim
UMask 000
Now edit your bind configuration.
mydkim._domainkey.domain.tld. IN TXT "v=DKIM1; g=*; k=rsa; p=yourkeyhere;"
Now edit your postfix configuration. The following are two separate lines. We just append the DKIM milter socket to the Domainkeys one.
smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock, unix:/var/run/dkim-filter/dkim-filter.sock
non_smtpd_milters = unix:/var/run/dk-filter/dk-filter.sock, unix:/var/run/dkim-filter/dkim-filter.sock
Services
Start up all the services...
You may want to configure these services to start at boot.
That's it, you should now have Domainkeys and DKIM signed emails.
Testing
You can test your Domainkeys/DKIM setup by sending a blank email to check-auth@verifier.port25.com
You will receive a reply within about 30 seconds letting you know whether your Domainkeys/DKIM signatures pass the test.
Notes
The total size of all TXT records in a DNS answer cannot exceed 512 bytes. This means that you cannot use 1024-bit keys for both Domainkeys and DKIM.
If you need to use both Domainkeys and DKIM, you will have to choose 512 bits for one and 1024 bits for the other, so that the records fit in the 512 bytes.
From the SPF RFC (RFC 4408, section 3.1.4):
3.1.4. Record Size
The published SPF record for a given domain name SHOULD remain small enough that the results of a query for it will fit within 512 octets. This will keep even older DNS implementations from falling over to TCP. Since the answer size is dependent on many things outside the scope of this document, it is only possible to give this guideline: If the combined length of the DNS name and the text of all the records of a given type (TXT or SPF) is under 450 characters, then DNS answers should fit in UDP packets. Note that when computing the sizes for queries of the TXT format, one must take into account any other TXT records published at the domain name. Records that are too long to fit in a single UDP packet MAY be silently ignored by SPF clients.
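The following Python script is an added check, not code from the wiki page or from the dk-filter/dkim-filter projects: it estimates the UDP answer size for the TXT strings published at one DNS name, deriving the base64 length of the p= value from the RSA key size instead of generating a key. The selector name is the one used on this page and the placeholder key text is constructed.

```python
import math

def der_tlv_len(content_len):
    """Size of a DER element with a 1-byte tag: tag + length field + content.
    Lengths below 0x80 take one byte; longer ones take 1 + N bytes (long form)."""
    len_field = 1 if content_len < 0x80 else 1 + math.ceil(content_len.bit_length() / 8)
    return 1 + len_field + content_len

def rsa_spki_der_len(bits, exponent_bytes=3):
    """DER length of an RSA SubjectPublicKeyInfo, which is what DKIM publishes in p=.
    The modulus has its top bit set, so DER prepends a 0x00 byte to keep it positive."""
    modulus = der_tlv_len(bits // 8 + 1)
    exponent = der_tlv_len(exponent_bytes)          # 65537 = 0x010001
    rsa_public_key = der_tlv_len(modulus + exponent)
    bit_string = der_tlv_len(1 + rsa_public_key)    # leading "unused bits" byte
    algorithm_id = 15                               # SEQUENCE { OID rsaEncryption, NULL }
    return der_tlv_len(algorithm_id + bit_string)

def p_tag_len(bits):
    """Base64 characters for the key: 4 per 3 bytes, padded to a whole group."""
    return 4 * math.ceil(rsa_spki_der_len(bits) / 3)

def dkim_record(bits):
    """A DKIM TXT string shaped like the record on this page, with a constructed
    placeholder key of exactly the length a real base64 key of this size has."""
    return "v=DKIM1; g=*; k=rsa; p=" + "A" * p_tag_len(bits) + ";"

def dns_name_wire_len(name):
    """Wire form of a name: one length byte per label plus the terminating root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def txt_rdata_len(text):
    """TXT RDATA is a sequence of <length><chars> strings of at most 255 bytes each."""
    return len(text) + max(1, math.ceil(len(text) / 255))

def dns_answer_len(name, texts):
    """Minimal UDP response: 12-byte header, the question, and one TXT RR per string,
    with the owner name in each RR compressed to a 2-byte pointer. Every TXT string
    published at the name counts, which is why all of them are passed in."""
    size = 12 + dns_name_wire_len(name) + 4                 # header + QNAME + QTYPE/QCLASS
    for text in texts:
        size += 2 + 2 + 2 + 4 + 2 + txt_rdata_len(text)     # NAME ptr, TYPE, CLASS, TTL, RDLENGTH, RDATA
    return size

def fits_in_udp(name, texts, limit=512):
    """True when a resolver without EDNS can receive the whole answer in one packet."""
    return dns_answer_len(name, texts) <= limit

if __name__ == "__main__":
    name = "mydkim._domainkey.domain.tld."   # selector name used on this page
    for bits in (512, 1024, 2048, 4096):
        rec = dkim_record(bits)
        print(bits, "bits: p= is", p_tag_len(bits), "chars, answer",
              dns_answer_len(name, [rec]), "bytes, fits:", fits_in_udp(name, [rec]))
```

Pass every TXT string you publish at the selector name in one call, since extra records at the same name add to the same answer.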