DKIM setup
DKIM is an entirely different 'beast' to handle, especially if you run a mailserver that hosts multiple domains.
Fortunately, since the inception of the scheme things have improved and setting this up has become fairly easy, but it does need a little attention to avoid mistakes.
In short, for freebsd, first run:
portmaster mail/opendkim
or
pkg install opendkim
With that the opendkim milter is installed. If you are on another OS, check how to install opendkim there.
In most operating systems you can set things up to autostart. In FreeBSD, /etc/rc.conf has to be edited and the following should be added:
/etc/rc.conf additions
milteropendkim_enable="YES"
milteropendkim_uid="postfix"
milteropendkim_gid="postfix"
milteropendkim_cfgfile="/usr/local/etc/opendkim/opendkim.conf"
Next, in the folder /usr/local/etc/opendkim we will create the file opendkim.conf
/usr/local/etc/opendkim/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
#Domain sleepers.nl
#Selector mail
ExternalIgnoreList refile:/usr/local/etc/opendkim/trustedhosts
InternalHosts refile:/usr/local/etc/opendkim/trustedhosts
KeyTable refile:/usr/local/etc/opendkim/keytable
SigningTable refile:/usr/local/etc/opendkim/signingtable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID postfix:postfix
Socket inet:12301@localhost
The file trustedhosts has to be set up. It is used for both InternalHosts (mail arriving from these hosts is signed instead of verified) and ExternalIgnoreList (mail from these hosts is not verified), so it should only contain hosts you actually submit mail from:
/usr/local/etc/opendkim/trustedhosts
localhost
127.0.0.1
::1
Wildcards and networks are allowed, for example *.mydomain.com or 192.168.0.0/24. Be careful with what you add here: anything that matches gets a signature for your domain without any verification, so a too-wide pattern turns a relaying mistake into signed spam.
Next would be the signingtable. This file defines which key should be used for which sender domain. You can actually re-use a key from a different domain, but note that the signature then carries the d= of the domain named in the keytable line, which verifies fine but does not align with the From: domain for DMARC. If you want one key pair for several domains, give each domain its own keytable line that points at the same private key file, and publish the same public key under each domain.
/usr/local/etc/opendkim/signingtable
*@mydomain.com mydomainkey
Every domain you sign for gets a line like the one above in the file signingtable.
Last, we connect the signingtable to keys:
/usr/local/etc/opendkim/keytable
mydomainkey mydomain.com:email:/usr/local/etc/opendkim/keys/mydomain.com/email.private
This reads as: the key mydomainkey belongs to domain mydomain.com with selector email, so its public key has to be published in DNS as email._domainkey.mydomain.com, and the private key in /usr/local/etc/opendkim/keys/mydomain.com/email.private is used to sign the email.
Generating the keys
For generating the keys, create a folder named 'keys' in /usr/local/etc/opendkim (the keytable above points into it), and in that folder create a file called createkey.sh with the following content:
/usr/local/etc/opendkim/keys/createkey.sh
#!/bin/sh
# Create a DKIM key pair for one domain; run this from the keys folder.
DOMAIN=$1
if [ -z "$DOMAIN" ]; then
    echo "please add a domain name"
    exit 1
fi
mkdir -p "$DOMAIN" || exit 1
cd "$DOMAIN" || exit 1
# Selector "email"; --restrict makes the private key readable by its owner only.
# opendkim-genkey defaults to 1024-bit keys, so ask for 2048 explicitly.
opendkim-genkey -s email -b 2048 --restrict -d "$DOMAIN"
cd ..
# opendkim runs as postfix (see UserID in opendkim.conf), so it must own the key.
chown -R postfix:postfix "$DOMAIN"
# Show the DNS record that has to be published.
cat "${DOMAIN}/email.txt"
This creates the key pair, sets the correct permissions and owner, and finally prints the record you should put in DNS.
For instance, to create a key for mydomain.com, you simply execute it as:
sh createkey.sh mydomain.com
This will create the folder keys/mydomain.com with 2 files: email.private and email.txt
email.private is the private key used to sign the emails; keep it readable by the postfix user only.
email.txt is the DNS record to publish, in BIND zone file format. The value is split over several quoted strings; if your DNS provider's interface wants one string, join the quoted parts into a single TXT value.
Postfix configuration
There's not much to do in postfix except to tell it to actually use opendkim. To do this, edit the file main.cf in the postfix configuration folder (/usr/local/etc/postfix on FreeBSD), and add:
main.cf additions
smtpd_milters = inet:localhost:12301
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
If you already have an smtpd_milters line, just add this one to that list. Note that milter_default_action = accept means that when opendkim is down, mail is passed through unsigned and unverified instead of being rejected, so keep an eye on the log for milter connection errors.
Now (re)start opendkim and postfix. First check the published record from the server itself with opendkim-testkey -d mydomain.com -s email -k /usr/local/etc/opendkim/keys/mydomain.com/email.private -vvv, which looks up email._domainkey.mydomain.com and checks it against the private key. Then check end to end by sending an empty email to check-auth@verifier.port25.com and reading the report it sends back.
Errors
You might end up getting an error like "signing table references unknown key" followed by a key name.
This means there's an issue in the keytable file: the key name used in the signingtable cannot be found there, or the line that does have it is not in the format name domain:selector:keyfile.
Once the format is correct, this error goes away.
Another issue might arise with the DNS record; make sure that the domain and selector are correct. Meaning: if your keytable has something like mydomain mydomain.org:email:......, then DNS must have a TXT record at email._domainkey.mydomain.org with the value from email.txt, and the signature will carry d=mydomain.org and s=email.
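A small offline checker for the signingtable, the keytable and the DNS record, as an added example (this is not code from this tutorial or from the OpenDKIM project). It reproduces the "unknown key" lookup described above, flags keytable lines that are not domain:selector:keyfile, derives the DNS name each key must be published under, and joins the quoted fragments of opendkim-genkey's email.txt into the single TXT value that DNS has to return. The table contents and the email.txt sample are constructed for the example; the p= value is a truncated placeholder, not a real key.

```python
"""Offline consistency check for OpenDKIM tables and the genkey DNS record.

Added example, not part of the original tutorial. All file contents
below are constructed samples; replace them with open(...).read() of
your real files to check a live setup.
"""
import re

# Constructed sample signingtable (refile: format, as in the tutorial).
SIGNINGTABLE = """\
*@mydomain.com mydomainkey
*@otherdomain.org otherkey
*@typo.net missingkey
"""

# Constructed sample keytable; the last line is deliberately malformed.
KEYTABLE = """\
mydomainkey mydomain.com:email:/usr/local/etc/opendkim/keys/mydomain.com/email.private
otherkey otherdomain.org:email:/usr/local/etc/opendkim/keys/otherdomain.org/email.private
brokenkey broken.net:email
"""

# Constructed sample of the email.txt that opendkim-genkey writes (BIND
# zone syntax, value split over several quoted strings, p= truncated).
EMAIL_TXT = """\
email._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "
\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7x" )  ; ----- DKIM key email for mydomain.com
"""


def parse_table(text):
    """Parse a two-column OpenDKIM table into {key: value}; blank lines and
    '#' comments are skipped, anything else without two columns is an error."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed table line: %r" % line)
        rows[parts[0]] = parts[1]
    return rows


def parse_keytable(text):
    """Return ({name: (domain, selector, keyfile)}, [names of malformed lines])."""
    entries, bad = {}, []
    for name, value in parse_table(text).items():
        fields = value.split(":")
        if len(fields) != 3 or not all(fields):
            bad.append(name)
            continue
        entries[name] = tuple(fields)
    return entries, bad


def check_tables(signingtable, keytable):
    """Reproduce opendkim's 'signing table references unknown key' check and
    derive the DNS record name (selector._domainkey.domain) for each key."""
    signing = parse_table(signingtable)
    keys, bad = parse_keytable(keytable)
    unknown = sorted(k for k in signing.values() if k not in keys)
    dns_names = {name: "%s._domainkey.%s" % (sel, dom)
                 for name, (dom, sel, _keyfile) in keys.items()}
    return {"unknown_keys": unknown, "malformed_keys": sorted(bad),
            "dns_names": dns_names}


def txt_value_from_genkey(text):
    """Join the quoted fragments of an opendkim-genkey email.txt into the one
    TXT string that must appear in DNS (parentheses and comments dropped)."""
    return "".join(re.findall(r'"([^"]*)"', text))


if __name__ == "__main__":
    report = check_tables(SIGNINGTABLE, KEYTABLE)
    for name in report["unknown_keys"]:
        print("signing table references unknown key %s" % name)
    for name in report["malformed_keys"]:
        print("keytable entry %s is not domain:selector:keyfile" % name)
    for name, rec in sorted(report["dns_names"].items()):
        print("%s -> publish TXT at %s" % (name, rec))
    print("TXT value to publish: %s" % txt_value_from_genkey(EMAIL_TXT))
```

Run as is it reports missingkey and brokenkey and prints the record names for the two good keys. Against a live setup, compare the joined TXT value with the output of dig +short TXT email._domainkey.mydomain.com; a mismatch or an empty answer is the usual reason a signature fails to verify although opendkim itself signs without complaint.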