Installing OpenDKIM RPM via Yum with Postfix or Sendmail (for RHEL / CentOS / Fedora) _2

Edit your MTA configuration

Now you’re ready to tell your MTA about OpenDKIM.

Postfix Users:

Telling Postfix about OpenDKIM is easy. Just add the following lines to your Postfix main.cffile:

1 smtpd_milters           = inet:127.0.0.1:8891
2 non_smtpd_milters       = $smtpd_milters
3 milter_default_action   = accept

If you’re running a version of Postfix prior to 2.6, you may need to add:

milter_protocol   = 2

See http://www.postfix.org/MILTER_README.html#version for more info.

Don’t restart Postfix yet! You need to have OpenDKIM running first, or you’ll get errors in your maillog.

Sendmail Users:

Edit the .mc configuration file that was used to build your current sendmail.cf file. Add the following line:

1 INPUT_MAIL_FILTER(`opendkim', `S=inet:[email protected]')

Then build and install a new sendmail.cf. If you don’t know how to build and install asendmail.cf file, a quick Web search should shove you in the right direction. Explaining how to do that is beyond the scope of these instructions. I will, however, remind you that backing up your current sendmail.cf file is a good idea before you attempt any modifications.

Start OpenDKIM and restart your MTA

It’s time to fire things up! Assuming you’re using bash, do:

hash -r

to rehash your shell so you can find the init script.

Now start OpenDKIM with:

service opendkim start

You should get a message that says:

Starting OpenDKIM Milter:     [  OK  ]

However, if you get an error message such as:

Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 6: unrecognized parameter

don’t freak out. You probably just mistyped something in one of the config files. Go to the line number of the file listed, and check your work against the example(s) in this article. Then try starting up OpenDKIM again.

Once it starts, Postfix users should refresh Postfix with:

postfix reload

and Sendmail users should do:

service sendmail restart

If everything looks good, I recommend running chkconfig on OpenDKIM to make sure it starts when you boot your server:

chkconfig opendkim on

If things didn’t go right, try some of these startup troubleshooting tips before moving on.

Startup troubleshooting tips

Tip 1: The best advice I can give when troubleshooting any mail issues (including OpenDKIM) is to start a second shell session in another window and do:

tail -f /var/log/maillog

while you’re starting, stopping, and/or restarting OpenDKIM and your MTA. This allows you to see more details about any errors in your configuration.

Tip 2: To get the most verbose information from OpenDKIM, make sure the LogWhy option in your /etc/opendkim.conf file is uncommented and set to Yes. If your outgoing mail isn’t getting signed and you want to know why, this should tell you.

Tip 3: If you can’t get things working on your own, I recommend subscribing to theOpenDKIM-Users discussion list at http://lists.opendkim.org/. It’s a low-traffic list with very helpful and friendly members (including me!) who are happy to nudge you in the right direction.

Adding DNS Records

Now that your mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed. Do:

cat /etc/opendkim/keys/example.com/default.txt

The output should look something like this:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" ; ----- DKIM default for example.com

If you manage your own DNS or have full access to your domain’s zone file, you’ll need to paste the entire contents of the default.txt file at the bottom of your domain’s zone file. If you’re using a web interface to manage your zone file, be careful that the long lines of the public key don’t wrap and create line-feed characters (or fix them if they do). Otherwise, your public key won’t work.

If you’re using GoDaddy’s Total DNS, the TXT Name would  default._domainkey and the TXT Value would be everything inside the quotes (starting with v=). You can ignore the semi-colon and comments at the end.

If you’re using some other third-party DNS provider, follow their instructions for adding a new TXT Record.

You should also add another TXT Record to your zone file that reads:

_adsp._domainkey.example.com    IN    TXT    "dkim=unknown"

This record publishes your Author Domain Signing Practices. “Unknown” is the least strict setting, and the best place to start. You can learn more and tinker with other options later, but most people just use “Unknown” for now, since ADSP is relatively new (as of the writing of this post).

And, as long as you’re messing with your domain’s zone file, now might be a good time to ensure that you already have a valid SPF Record in place. Having both DKIM and SPF in place will increase your chances of having your outgoing mail successfully delivered.

Testing Things Out

As I mentioned in my troubleshooting tips, the best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file. Do a:

tail -f /var/log/maillog

When OpenDKIM starts (or restarts), you should see lines like:

opendkim[4397]: OpenDKIM Filter: mi_stop=1opendkim[4397]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0opendkim[27444]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf)

When you send a mail that gets successfully signed, you should see:

opendkim[22254]: 53D0314803B: DKIM-Signature header added

The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free testing services. My favorites are:

Each of these will tell you if things are working properly, and give you some pointers on troubleshooting if needed.

If you have a Gmail account, you can also send a signed message there for a quick and easy test. address Here’s what a signed message in Gmail will look like:

DKIM Test Message

The signed by: line tells you that the message has been verified as signed by the sender (you may need to press the show details link near the top of the message to see it). I like to click the Show Original link (under the Reply drop-down on the right) to see the signed headers in all their glory. :)

Further reading

  • DKIM.org – the official site for DomainKeys Identified Mail
  • OpenDKIM Project Site – the program I used to get DKIM working
  • Sendmail DKIM – a detailed article from Eland Systems about DKIM. They use the dkim-milter package, upon which OpenDKIM is based. I much prefer the newer OpenDKIM, but this article explains DKIM very well and has some good tips.
  • Mail-DKIM and DKIM-proxy – my first experiments with DKIM were with these tools. I never got it working quite right, but there’s lots of good info there.
  • OpenSPF.org – not technically related to DKIM, but it’s another spam-fighting technique that you should be using if you’re sending email
  • My OpenDKIM GitHub repo – if you’d like to mess with the SPEC file or patches that I use to create the OpenDKIM package in the Fedora & EPEL repos, knock yourself out! Please fork the “develop” branch and submit your pull requests there, as the “master” is intended only for release versions.

Good luck! Pease post in the comments with your successes, questions, or suggestions.

发表评论

This site uses Akismet to reduce spam. Learn how your comment data is processed.