Postfix and opendkim on Mint Deb 64

Post by prsjm3qf »

This guide assumes you know how to: install packages, start/stop/restart services, use the bash terminal, work with conf files. If you don't know these things you probably shouldn't attempt mailserver admin.

This HOWTO is based mainly on the excellent nginx tutorial at https://rtcamp.com/tutorials/mail/dkim-postfix-ubuntu/ which I highly recommend.
However, it didn't work quite exactly for me so this is my rehash HOWTO for Mint Debian 64 - Debian Linux 8.0 with a bit of extra info.


Software Requirements (install with synaptic or whatever):
opendkim
opendkim-tools
postfix


Significant files and dirs:
/etc/opendkim.conf
/etc/default/opendkim
/etc/opendkim/ # you will make this dir to hold your dkim key
/etc/postfix/main.cf

Testing Environment:
Disable firewall with : sudo ufw disable
Access to any other remote mailserver, eg http://www.mail-tester.com
webmin always comes in handy
Ensure your postfix can successfully send and receive mail to remote servers before you start.

Head Slappers
Ensure all conf files and keys have appropriate owner/permissions and are readable.



STEP 1
Edit /etc/opendkim.conf.

Comment out:
#UMask 002

Insert:

# Added by Steve for opendkim installation 080814
############################################

Domain mydomain.com
KeyFile /etc/opendkim/dkim.key
Selector mail

AutoRestart yes
Background yes
Canonicalization relaxed/relaxed
DNSTimeout 5
Mode sv
#SignatureAlgorithm rsa-sha256
SubDomains no
#UseASPDiscard no
#Version rfc4871
X-Header no

# eof Added by Steve for opendkim installation 080814
############################################


STEP 2
Edit /etc/default/opendkim

Insert:

# Added by Steve for opendkim installation 080814
############################################
SOCKET="inet:8891@localhost" # listen on loopback on port 8891


STEP 3
Edit /etc/postfix/main.cf

Insert:
# Added by Steve for opendkim installation 080814
############################################
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891


STEP 4
Generate your dkim key

Create a dir '/etc/opendkim/'
cd your terminal to some temp dir and run : opendkim-genkey -t -s mail -d mydomain.com
Copy the 2 files generated by opendkim-genkey to '/etc/opendkim/'.
Rename your private key file 'mail.private' to 'dkim.key' so it matches the conf file entries you made earlier.


STEP 5
DNS - create a TXT record using the mail.txt file generated in step 4.

(DNS is pretty tricky if you don't know what you are doing. I'm not any sort of DNS expert but can usually
blag my way through it. Please post corrections or amendments if you know this stuff better than me.)

You need to create a TXT record for your dkim key on the authoritative server for your domain.
In my case I use 123-reg.co.uk to host my dns. So I use their user control panel to edit the dns
for my domain and create the TXT record. You will probably have a different DNS setup, for example a vps controlpanel
or a local BIND server.
The TXT record is a name/value pair taken from the 'mail.txt' file generated in Step 4.

My actual DNS record #############################
TXT record name field : mail._domainkey
TXT record value field : v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhTPYdgdIwWUS+doRHY/+UEr+lJPGj/3sJa9ukq6/uuMFupuLk3XWAGkpJTZuG9FGNGq3DpUblhbjcsP1otoORN8VTBYNpYmW47XugTnSl9erYrhRIJEpVsL7+liNDCPzkj1gtouUU7H0S+M+Nb19fQ8dVzG8zDjkY2jZZZA5VQIDAQAB
###########################################
# NOTE: TXT record value field is actually a single line of text

The "name" field also associates your selector/subdomain with your domain - see step 1.
In my case my selector is "mail" as in mail.mydomain.com. This allows for different dkim key associations with different mail hosts on the same domain.

The "value" field is just a single unterminated line of text - as you would expect for a TXT record, so it is up to you to ensure
correct formatting of the record. If you copy/paste make sure you don't grab any invisible chars,
unwanted quotes, tabs, spaces or carriage returns or you're screwed.

NOTE:
I have omitted 't=y;' from the value entry. This indicates test mode and generates debugging info on the validating server.

t= (flags)
Optional. Defaults to no flags set. A colon (:) separated list of flags to be used by the validator. Two flags are currently defined:

  y  Indicates test mode. If set it may (hopefully does) generate additional diagnostic messages from the validating receiver, but still permits the validator to treat the mail normally, that is, a validation failure must still be treated as a failure - no validation leniency is implied by setting this flag.

  s  If defined this flag indicates that this key is not valid for subdomains of the domain name (defined in the d= tag of the DKIM-Signature). To inhibit subdomain signing behavior in OpenDKIM you must set SubDomains No.

Example: t=y:s;



STEP 6
Start/restart the opendkim and postfix daemons

STEP 7
Testing:
Test your setup at http://www.protodave.com/tools/dkim-key-checker/
Send yourself an email to http://www.mail-tester.com

Resulting mail headers from validating server, mail-tester.com:

Received: by vps80627.ovh.net (Postfix, from userid 500) id 380611249E16;
    Sat, 9 Aug 2014 19:04:55 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail-tester.com
X-Spam-Level:
X-Spam-Status: No/-0.1/5.0
X-Spam-Test-Scores: DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,
    SPF_HELO_PASS=-0.001,SPF_PASS=-0.001
X-Spam-Last-External-IP: 92.27.78.56
X-Spam-Last-External-HELO:mydomain.com
X-Spam-Last-External-rDNS: mydomain.com
X-Spam-Date-of-Scan: Sat, 09 Aug 2014 19:04:55 +0200
Received: from mydomain.com (123.123.123.123)
    by vps80627.ovh.net (Postfix) with ESMTP id 054301249E00
    for <web-BXV428@mail-tester.com>; Sat, 9 Aug 2014 19:04:53 +0200 (CEST)
Received: by mydomain.com (Postfix, from userid 0) id 578992C617C;
    Sat, 9 Aug 2014 18:04:52 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com;
    s=mail; t=1407603892; bh=TpB2wEvJ7JgtSflg72GrtQcO5n2KLqZJG+n608A6K64=;
    h=From:Subject:To:Date:From;
    b=FcI/5LjeeSmKyD0/9AikmQR1cisC3Nu6CEPdRteA2XymkWikZvUCTXixIuWyfFtGk
    p2VRVUmBLRl/nlEISaNJ47ZELMF59jVK2jIuxVZArpL2Lkb6KmlOOtkwOV3Bp+cgKq
    BUr2FQpcenY4f0LqBFr2AMBTu9oa49x+SV8SJzZY=
From: steve@mydomain.com
Subject: dkim test

blah, blah, blah...
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
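
A consistency check for Steps 1 to 4 of the post above, added here as an example and not part of the original post: it confirms that the KeyFile named in opendkim.conf exists and is closed to group and other, and that the SOCKET port matches both milter settings in main.cf. The function names are hypothetical, and the parsing assumes the simple one-line forms shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Value of a "Directive value" line in opendkim.conf (commented lines never match).
odkim_get() {   # $1 = file, $2 = directive
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Port from a line such as: SOCKET="inet:8891@localhost"
socket_port() { # $1 = /etc/default/opendkim
    sed -n 's/^[[:space:]]*SOCKET="\{0,1\}inet:\([0-9][0-9]*\)@.*/\1/p' "$1" | tail -n 1
}

# Port from a line such as: smtpd_milters = inet:localhost:8891
milter_port() { # $1 = main.cf, $2 = parameter name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*inet:[^:]*:\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Prints one line per problem and returns the number of problems found.
check_dkim_setup() { # $1 = opendkim.conf, $2 = default file, $3 = main.cf
    problems=0
    key=$(odkim_get "$1" KeyFile)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "KeyFile '$key' is missing"; problems=$((problems + 1))
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        echo "KeyFile $key is accessible to group or other"; problems=$((problems + 1))
    fi
    sp=$(socket_port "$2")
    for param in smtpd_milters non_smtpd_milters; do
        mp=$(milter_port "$3" "$param")
        if [ -z "$sp" ] || [ "$sp" != "$mp" ]; then
            echo "$param port '$mp' does not match SOCKET port '$sp'"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run against the files from Steps 1-3 when they are present.
if [ -f /etc/opendkim.conf ]; then
    check_dkim_setup /etc/opendkim.conf /etc/default/opendkim /etc/postfix/main.cf \
        || echo "problems found: $?"
fi
```

Ownership is not checked here; the key also has to be readable by the account opendkim runs as.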
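
A lint for the TXT value from Step 5, added as an example rather than taken from the original post: it flags the copy/paste hazards described there (invisible characters, stray quotes, whitespace inside the key) and reports the t= flags. lint_dkim_txt is a hypothetical name, and the sample value uses a short dummy string in place of a real key.

```shell
#!/bin/sh
# Added example, not from the original post. lint_dkim_txt is a hypothetical name.
# Prints findings and returns the number of errors; NOTE lines do not count.
lint_dkim_txt() {
    val=$1; errors=0
    cr=$(printf '\r')
    tab=$(printf '\t')
    nl='
'
    # The post's copy/paste hazards: invisible characters and stray quotes.
    case $val in
        *"$cr"*|*"$tab"*|*"$nl"*)
            echo "ERROR: tab, CR or LF inside the value"; errors=$((errors + 1)) ;;
    esac
    case $val in
        *\"*|*\'*)
            echo "ERROR: quote character inside the value"; errors=$((errors + 1)) ;;
    esac
    case $val in
        v=DKIM1*) ;;
        *) echo "ERROR: value does not start with v=DKIM1"; errors=$((errors + 1)) ;;
    esac

    # Split "tag=value; tag=value" into one tag per line, then pick out p= and t=.
    tags=$(printf '%s' "$val" | tr ';' '\n' | sed 's/^[[:space:]]*//')
    p=$(printf '%s\n' "$tags" | sed -n 's/^p=//p')
    t=$(printf '%s\n' "$tags" | sed -n 's/^t=//p')

    case $p in
        '') echo "ERROR: p= (public key) is missing or empty"; errors=$((errors + 1)) ;;
        *[!A-Za-z0-9+/=]*)
            # Follows the post's advice; RFC 6376 itself tolerates whitespace here.
            echo "ERROR: p= contains a non-base64 character"; errors=$((errors + 1)) ;;
    esac

    # Flags are colon-separated: y = test mode, s = not valid for subdomains.
    case ":$t:" in *:y:*) echo "NOTE: t=y set, record is in test mode" ;; esac
    case ":$t:" in *:s:*) echo "NOTE: t=s set, key not valid for subdomains" ;; esac
    return "$errors"
}

# Constructed sample (dummy key): the surrounding quotes were pasted in by mistake.
lint_dkim_txt '"v=DKIM1; k=rsa; p=QUJDREVGR0g="' || echo "errors: $?"
```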