Anti spam setup for email servers

This means: how to set up your SPF DNS record and DKIM. For this installation, the following is assumed to be at least installed and already working (how this is set up is outside the scope of this document):

SPF record

This would be the most basic 'todo' these days. It is essentially nothing more than a DNS entry like:

example.org TXT "v=spf1 a mx ip4:1.1.1.1 -all"

Changing the domain name to the correct one, and the ip4 address to the actual IP address of the mailserver, is enough.
Note: in the past this was a dedicated DNS record type called SPF, but nowadays it is simply a TXT record.
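A small checker for a record like the one above, added here as an example and not part of the original page. It takes the TXT strings published at a domain (constructed inline here; in practice you would fetch them with `host -t txt example.org`) and flags the mistakes receiving servers trip over: more than one v=spf1 record, a missing or non-final all term, +all, and more than the 10 DNS-querying terms RFC 7208 allows. The address 1.1.1.1 is the page's own placeholder; the other sample records are constructed.

```python
# Mechanisms (and the redirect modifier) that cost a DNS query under the
# RFC 7208 limit of 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
KNOWN_MECHANISMS = {"a", "mx", "include", "exists", "ptr", "ip4", "ip6", "all"}


def check_spf(txt_records):
    """Return a list of problems in the SPF record(s) among txt_records.

    txt_records: every TXT string published at the domain apex.
    An empty list means the record looks sane.
    """
    problems = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        problems.append("more than one v=spf1 record (receivers treat this as permerror)")

    terms = spf[0].split()[1:]          # drop the v=spf1 version tag
    lookups = 0
    all_seen = False
    for i, term in enumerate(terms):
        # Modifiers look like redirect=domain or exp=domain; mechanisms use ':'.
        if "=" in term and ":" not in term.split("=", 1)[0]:
            if term.split("=", 1)[0].lower() == "redirect":
                lookups += 1
            continue
        qualifier = "+"                 # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_seen = True
            if qualifier == "+":
                problems.append("'+all' authorises every sender")
            if i != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
        elif name in ("ip4", "ip6"):
            if ":" not in term:
                problems.append(f"{name} needs an address: {term}")
        elif name not in KNOWN_MECHANISMS:
            problems.append(f"unknown mechanism: {term}")

    if not all_seen:
        problems.append("no 'all' term: the record ends with an implicit '?all'")
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceed the limit of 10")
    return problems


# Constructed sample inputs: the page's record plus common mistakes.
SAMPLE_TXT_RECORDS = {
    "page example": ["v=spf1 a mx ip4:1.1.1.1 -all"],
    "two records": ["v=spf1 a mx ip4:1.1.1.1 -all", "v=spf1 -all"],
    "open relay": ["v=spf1 +all"],
    "no all": ["v=spf1 a mx"],
}

if __name__ == "__main__":
    for label, records in SAMPLE_TXT_RECORDS.items():
        print(label, "->", check_spf(records) or "ok")
```

The version tag check is case-insensitive and the mechanism split handles both `a/24` style prefix lengths and `ip6:` addresses that themselves contain colons.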
DKIM setup

DKIM is an entirely different 'beast' to handle, especially if you run a mailserver that hosts multiple domains.
Fortunately, since the inception of the scheme things have been improving and setting up something like this has become fairly easy, but it does need a little attention to avoid mistakes.
In short, on FreeBSD, first run:

portmaster mail/opendkim

or

pkg install opendkim


With that the opendkim milter is installed. If you are on another OS, check how to install opendkim.

In most operating systems you can set things up to autostart. On FreeBSD, /etc/rc.conf has to be edited and the following should be added:
/etc/rc.conf additions
milteropendkim_enable="YES"
milteropendkim_uid="postfix"
milteropendkim_gid="postfix"
milteropendkim_cfgfile="/usr/local/etc/opendkim/opendkim.conf"
Next, in the folder /usr/local/etc/opendkim, we create the file opendkim.conf:
/usr/local/etc/opendkim/opendkim.conf
AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

#Domain                 sleepers.nl
#Selector               mail

ExternalIgnoreList      refile:/usr/local/etc/opendkim/trustedhosts
InternalHosts           refile:/usr/local/etc/opendkim/trustedhosts
KeyTable                refile:/usr/local/etc/opendkim/keytable
SigningTable            refile:/usr/local/etc/opendkim/signingtable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  postfix:postfix
Socket                  inet:12301@localhost

The file trustedhosts has to be set up:
/usr/local/etc/opendkim/trustedhosts
localhost
127.0.0.1
::1
Wildcards and the like are allowed as well, for example: *.mydomain.com


Next would be the signingtable. This file defines what key should be used for what domain. You can actually re-use a key from a different domain!
/usr/local/etc/opendkim/signingtable
*@mydomain.com mydomainkey
All domains get a line in the file signingtable like the one above.


Last, we connect the signingtable entries to keys:
/usr/local/etc/opendkim/keytable
mydomainkey mydomain.com:email:/usr/local/etc/opendkim/keys/mydomain.com/email.private
This reads as: the key mydomainkey is published in DNS as email._domainkey.mydomain.com, and the file /usr/local/etc/opendkim/keys/mydomain.com/email.private is used to sign the email.


Generating the keys

For generating the keys, create a folder named 'keys' (inside /usr/local/etc/opendkim, matching the paths used in the keytable), and in that folder create a new file called createkey.sh with the following content:
/usr/local/etc/opendkim/keys/createkey.sh
#!/bin/sh
# Usage: sh createkey.sh <domain>   (run from the keys folder)
DOMAIN=$1
if [ -z "$DOMAIN" ]; then
        echo "please add a domain name"
        exit 1
fi

mkdir "$DOMAIN"
cd "$DOMAIN" || exit 1
# -s: selector name (email); --restrict: mark the key as usable for email only; -d: domain
opendkim-genkey -s email --restrict -d "$DOMAIN"
cd ..
# the milter runs as postfix, so it must be able to read the private key
chown -R postfix:postfix "$DOMAIN"
# print the DNS record that has to be published
cat "${DOMAIN}/email.txt"
This will create the key, set the correct permissions and owner, and finally print the content you should put in DNS.
For instance, to create a key for mydomain.com, you simply execute it as:

sh createkey.sh mydomain.com

This will create the folder keys/mydomain.com with 2 files: email.private and email.txt
email.private is the key used to sign the emails
email.txt is the exact content for DNS
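Many DNS web panels want the TXT value as one flat string, while opendkim-genkey writes email.txt in BIND zone syntax with the value split into several quoted chunks (a single string in a TXT record is limited to 255 bytes; the receiver concatenates the chunks). The helper below, an added example rather than anything from the page or the OpenDKIM project, joins those chunks and checks the tags that must be present; the sample email.txt is constructed and its p= value is a placeholder, not a key.

```python
import re

# Constructed sample in the layout opendkim-genkey uses for email.txt.
# The p= value is a placeholder, not a real public key.
SAMPLE_EMAIL_TXT = (
    'email._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=CONSTRUCTEDKEYPART1"\n'
    '\t  "CONSTRUCTEDKEYPART2" )  ; ----- DKIM key email for mydomain.com\n'
)


def flatten_dkim_record(email_txt):
    """Return (record_name, flat_value) for a BIND-style TXT record.

    record_name is the owner name as written in the file (email._domainkey);
    append the domain to get the full name, e.g. email._domainkey.mydomain.com.
    """
    name = email_txt.split()[0]
    chunks = re.findall(r'"([^"]*)"', email_txt)
    if not chunks:
        raise ValueError("no quoted TXT strings found in email.txt")
    return name, "".join(chunks)


def parse_dkim_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict and check the required tags."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition("=")
        tags[key.strip()] = val.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("v= tag must be DKIM1")
    # An empty p= means the key has been revoked (RFC 6376); a missing p= is invalid.
    if not tags.get("p"):
        raise ValueError("p= tag (public key) missing or empty")
    return tags


def dns_record_for(email_txt, domain):
    """Full record name plus the flat value, ready to paste into a DNS panel."""
    name, value = flatten_dkim_record(email_txt)
    parse_dkim_tags(value)              # raises if the record is unusable
    return f"{name}.{domain}", value


if __name__ == "__main__":
    fqdn, value = dns_record_for(SAMPLE_EMAIL_TXT, "mydomain.com")
    print(fqdn, "TXT", value)
```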


Postfix configuration

There's not much to do in postfix except to tell it to actually use opendkim. To do this, edit the file main.cf in the postfix configuration folder, and add:
main.cf additions
smtpd_milters                   = inet:localhost:12301
non_smtpd_milters               = $smtpd_milters
milter_default_action           = accept
milter_protocol                 = 2

If you already have an smtpd_milters, then just add this one to that list.


Now (re)start opendkim and postfix, and you should be able to check whether DKIM is working by sending an empty email to check-auth@verifier.port25.com


Errors

You might end up getting an error like "signing table references unknown key " followed by some key name.
This means there's an issue in the keytable file: the key referenced in the signingtable can't be found there, or the line that does contain it is not in the correct format.
Making sure the format is correct should solve this problem.

Another issue might arise with the DNS record: make sure that the domain and selector are correct. Meaning: if you have a keytable line like mydomain mydomain.org:email:...... then in DNS you should have a record email._domainkey.mydomain.org TXT "..."
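The two checks described in this section (every key named in the signingtable exists in the keytable, and the keytable line has the domain:selector:keyfile shape from which the DNS name follows) can be done before restarting the milter. The script below is an added example, not part of the page or of OpenDKIM itself; it parses the two table files in the page's format, reports the same class of problems the "signing table references unknown key" error points at, and prints the TXT record name each key must be published under. The sample tables are constructed, and the second signingtable line deliberately references a key that the keytable does not define.

```python
import os

# Constructed sample tables in the page's format. 'otherkey' is deliberately
# missing from the keytable to show the error case.
SAMPLE_SIGNINGTABLE = """\
*@mydomain.com mydomainkey
*@other.org otherkey
"""
SAMPLE_KEYTABLE = """\
mydomainkey mydomain.com:email:/usr/local/etc/opendkim/keys/mydomain.com/email.private
"""


def parse_table(text):
    """Parse an OpenDKIM table file: one 'key value' pair per line, # comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        table[parts[0]] = parts[1].strip()
    return table


def check_tables(signingtable_text, keytable_text, key_exists=os.path.isfile):
    """Cross-check signingtable against keytable, as opendkim does on load.

    Returns (problems, dns_names): problems is a list of messages (empty when
    the tables are consistent); dns_names maps each key name to the TXT
    record name under which its public key must be published. key_exists is
    injectable so the check can run on a machine without the key files.
    """
    problems, dns_names = [], {}
    signing = parse_table(signingtable_text)
    keys = parse_table(keytable_text)

    for pattern, keyname in signing.items():
        if keyname not in keys:
            problems.append(
                f"signing table references unknown key {keyname} (used by {pattern})")

    for keyname, value in keys.items():
        # The key file path may itself contain ':' so split at most twice.
        fields = value.split(":", 2)
        if len(fields) != 3 or not all(fields):
            problems.append(
                f"keytable entry {keyname} must be domain:selector:keyfile, got {value!r}")
            continue
        domain, selector, keyfile = fields
        dns_names[keyname] = f"{selector}._domainkey.{domain}"
        if not key_exists(keyfile):
            problems.append(f"key file {keyfile} for {keyname} does not exist")
    return problems, dns_names


if __name__ == "__main__":
    problems, names = check_tables(SAMPLE_SIGNINGTABLE, SAMPLE_KEYTABLE)
    for p in problems:
        print("problem:", p)
    for keyname, record in names.items():
        print(f"{keyname}: publish the public key at {record} TXT")
```

Run against the real files with `check_tables(open("/usr/local/etc/opendkim/signingtable").read(), open("/usr/local/etc/opendkim/keytable").read())` on the mail server, where the default key_exists also confirms the private key files are in place.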