DKIM

De TwisterWiki
  • Installation des paquets
 apt install opendkim opendkim-tools
  • explication des variables
 ${my_sqlector} : nom a renseigner au niveau du DNS, ex: dkim._domainkey IN TXT ....
 ${my_tld} : nom de domaine complet, ex: mydomain.com
  • Génération de la clé
 opendkim-genkey -b 2048 -h rsa-sha256 -r -s ${my_sqlector} -d ${my_tld} -v


  • contenu du fichier /etc/opendkim/opendkim.conf
 # Log to syslog
 Syslog                  yes
 # Required to use local socket with MTAs that access the socket as a non-
 # privileged user (e.g. Postfix)
 UMask                   007
 
 # Sign for example.com with key in /etc/dkimkeys/dkim.key using
 # selector '2007' (e.g. 2007._domainkey.example.com)
 Domain                  ${my_tld}
 KeyFile                 /etc/opendkim/opendkim.key
 Selector                ${my_selector}
 
 Socket                  inet:8892@localhost
 #Socket                 local:/var/run/opendkim/opendkim.sock
 PidFile               /var/run/opendkim/opendkim.pid
 
 # malicious signatures header fields (From and/or others) between the signer
 # and the verifier.  From is oversigned by default in the Debian pacakge
 # because it is often the identity key used by reputation systems and thus
 # somewhat security sensitive.
 OversignHeaders         From
 
 ##  TrustAnchorFile filename
 ##      default (none)
 ##
 ## Specifies a file from which trust anchor data should be read when doing
 ## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
 ## at http://unbound.net for the expected format of this file.
 
 TrustAnchorFile       /usr/share/dns/root.key
 
 ##  Userid userid
 ###      default (none)
 ###
 ###  Change to user "userid" before starting normal operation?  May include
 ###  a group ID as well, separated from the userid by a colon.
 #
 UserID                opendkim
 # Our KeyTable and SigningTable
 KeyTable refile:/etc/opendkim/KeyTable
 SigningTable refile:/etc/opendkim/SigningTable
 
 # Trusted Hosts
 ExternalIgnoreList /etc/opendkim/TrustedHosts
 InternalHosts /etc/opendkim/TrustedHosts
  • contenu du fichier /etc/opendkim/Keytable
 # nom de domaine        nom de domaine  selector   fichier clef priv
 ${my_tld}                ${my_tld}:${my_selector}:/etc/opendkim/opendkim.key
  • contenu du fichier /etc/opendkim/SigningTable
 *@${my_tld}     ${my_tld}
  • Contenu du fichier /etc/opendkim/TrustedHosts
127.0.0.1
localhost
mail.${my_tld}

Il faut ensuite éditer la conf de postfix pour ajouter quelques lignes:

  • /etc/postfix/main.cf
 milter_default_action = accept
 milter_protocol = 6
 smtpd_milters = inet:localhost:8892
 non_smtpd_milters = inet:localhost:8892
  • il reste à créer l'enregistrement DNS à partir du contenu de la clé publique générée au début de l'installation
 ${my_selector}._domainkey	IN	TXT	( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; " "p=KLAZGTIRHETGPARE349J3RY" "KRtroihjtre" )  ; ----- DKIM key mail for ${my_tld}