Guide to Install OpenDKIM for multiple domains with Postfix and Debian

This is a guide to installing OpenDKIM for multiple domains on a Postfix installation on Debian. I tried some other guides but kept running into problems, so this is how I did it.

Among others, Google Gmail and Yahoo mail check your email for a DKIM signature.

Install and Configure OpenDKIM

1. Install OpenDKIM

[code]apt-get install opendkim[/code]

Comment: This will install the latest stable version packaged for Debian, which is currently 2.0.1. This version is already a couple of years old (2010).
If you know how to (or want to) compile from source yourself, the latest version is 2.4.3 (and 2.5.0 is right around the corner).

2. Edit the OpenDKIM config file

[code]nano /etc/opendkim.conf[/code]

Add these rows:

[code]
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
[/code]

Note: If you run multiple instances of Postfix you need to add this to the opendkim.conf for each instance (or the ones you want to use opendkim)

3. Edit /etc/opendkim/TrustedHosts

[code]nano /etc/opendkim/TrustedHosts[/code]

Add the domains, hostnames and/or IP addresses that should be handled by OpenDKIM. Don’t forget localhost.

[code]
127.0.0.1
localhost
x.253.204.64
x.253.204.32/27
[/code]

4. Edit /etc/default/opendkim

[code]nano /etc/default/opendkim[/code]

Uncomment this row:

[code]SOCKET="inet:12345@localhost" # listen on loopback on port 12345[/code]

Generate keys

Repeat these steps to generate keys for each domain you will send email from. Replace mydomain.com with your domain name in the examples below.

1. Generate key

[code]
mkdir -p /etc/opendkim/keys/mydomain.com
cd /etc/opendkim/keys/mydomain.com
opendkim-genkey -r -d mydomain.com
chown opendkim:opendkim default.private
[/code]

2. Add domain to KeyTable /etc/opendkim/KeyTable

[code]nano /etc/opendkim/KeyTable[/code]

Add line:

[code]default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private[/code]

3. Add domain to SigningTable /etc/opendkim/SigningTable

[code]nano /etc/opendkim/SigningTable[/code]

Add line:

[code]mydomain.com default._domainkey.mydomain.com[/code]

Note that in OpenDKIM 2.0.1 domain names are case sensitive (supposed to be fixed from 2.3.1 but I have not tested).
This means that in the above example an email from [email protected] will be signed, but an email from [email protected] will not be signed. The workaround is to add one extra entry for MyDomain.com to SigningTable.

4. Add the DKIM public key to DNS

Add an entry for the public key to the DNS server you are using for your domain. You find the public key here:

[code]cat /etc/opendkim/keys/mydomain.com/default.txt[/code]
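The four per-domain steps above lend themselves to a small script when you have several domains. The following is an added example, not part of the original guide: it performs steps 1 to 3 for each domain and prints the DNS record name needed for step 4. It assumes the guide's paths (/etc/opendkim/keys, /etc/opendkim/KeyTable, /etc/opendkim/SigningTable), the selector "default" (which is what opendkim-genkey uses anyway; the -s option only makes it explicit) and the opendkim-genkey tool from the Debian package. The DKIM_DOMAINS variable is an invention of this script. Because OpenDKIM 2.0.1 matches SigningTable entries case-sensitively, a domain may be given together with the alternative spellings your senders use (separated by commas), and each spelling gets its own SigningTable entry pointing at the same key, which is the workaround described in step 3.

```sh
#!/bin/sh
# Added example (not code from the original guide): run the guide's per-domain
# steps 1-3 for any number of domains and print the DNS record name for step 4.
# Run as root, e.g.:
#   DKIM_DOMAINS="mydomain.com,MyDomain.com otherdomain.net" sh add-dkim-domains.sh

KEYS_DIR="${KEYS_DIR:-/etc/opendkim/keys}"
KEYTABLE="${KEYTABLE:-/etc/opendkim/KeyTable}"
SIGNINGTABLE="${SIGNINGTABLE:-/etc/opendkim/SigningTable}"
SELECTOR="${SELECTOR:-default}"

# KeyTable entry: <selector>._domainkey.<domain> <domain>:<selector>:<private key path>
keytable_line() {
    printf '%s._domainkey.%s %s:%s:%s/%s/%s.private\n' \
        "$SELECTOR" "$1" "$1" "$SELECTOR" "$KEYS_DIR" "$1" "$SELECTOR"
}

# SigningTable entry: <sender domain as written in From:> <KeyTable key>.
# The optional second argument is the domain whose key should be used, so that a
# differently capitalised spelling can be mapped to the same key.
signingtable_line() {
    printf '%s %s._domainkey.%s\n' "$1" "$SELECTOR" "${2:-$1}"
}

# Name of the DNS TXT record that has to carry the public key (step 4).
dns_record_name() {
    printf '%s._domainkey.%s\n' "$SELECTOR" "$1"
}

# Append a line unless it is already present, so the script can be re-run safely.
append_once() {  # append_once <line> <file>
    grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# setup_domain <domain> [alternate spelling ...]
setup_domain() {
    domain=$1; shift
    dir="$KEYS_DIR/$domain"
    mkdir -p "$dir"
    if [ ! -f "$dir/$SELECTOR.private" ]; then
        (cd "$dir" && opendkim-genkey -r -d "$domain" -s "$SELECTOR")
        chown opendkim:opendkim "$dir/$SELECTOR.private"
        chmod 600 "$dir/$SELECTOR.private"   # the private key must not be world-readable
    fi
    append_once "$(keytable_line "$domain")" "$KEYTABLE"
    append_once "$(signingtable_line "$domain")" "$SIGNINGTABLE"
    # Extra SigningTable entries for other spellings (workaround for 2.0.1's
    # case-sensitive matching), all pointing at the same key.
    for alt in "$@"; do
        append_once "$(signingtable_line "$alt" "$domain")" "$SIGNINGTABLE"
    done
    echo "$domain: publish $(dns_record_name "$domain") TXT with the contents of $dir/$SELECTOR.txt"
}

# Each word in DKIM_DOMAINS is one domain; spellings joined with "," are
# variants of the first one. Nothing happens when the variable is unset.
for spec in ${DKIM_DOMAINS:-}; do
    set -- $(printf '%s' "$spec" | tr ',' ' ')
    setup_domain "$@"
done
[ -z "${DKIM_DOMAINS:-}" ] || echo "Remember to restart opendkim so the new tables are read."
```

Run it once per batch of domains; re-running it does not duplicate table entries or overwrite existing keys.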

Start OpenDKIM

[code]/etc/init.d/opendkim start[/code]

In the future, if you make any changes to the configuration, remember to restart: [code]/etc/init.d/opendkim restart[/code]

Configure and Restart Postfix

1. Configure Postfix

[code]nano /etc/postfix/main.cf[/code]

Add or edit these lines:

[code]
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
[/code]

2. Restart Postfix

[code]/etc/init.d/postfix reload[/code]

Or, in my case, as I run Postfix multi-instance:

[code]/etc/init.d/postfix-multi restart[/code]
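The most common failure after this step (see the "Connection refused" reports in the comments) is that the address Postfix was given in smtpd_milters and the SOCKET OpenDKIM actually opens in /etc/default/opendkim do not name the same port, or that opendkim is simply not running. The following is an added example, not part of the original guide, that compares the two files and checks whether anything is listening on the port. It assumes the guide's file paths and the ss tool from iproute2 for the live check; the sample file contents used in the comments are constructed.

```sh
#!/bin/sh
# Added example, not code from the original guide: confirm that Postfix's
# smtpd_milters (main.cf) and OpenDKIM's SOCKET (/etc/default/opendkim) agree
# on the port, then check that something is listening there. A mismatch is
# what produces "connect to Milter service ...: Connection refused" in mail.log.

# Port from a Postfix milter address such as "inet:localhost:12345"
# (empty for unix: sockets).
postfix_milter_port() {
    printf '%s\n' "$1" | sed -n 's/^inet:[^:]*:\([0-9][0-9]*\).*/\1/p'
}

# Port from an OpenDKIM SOCKET value such as "inet:12345@localhost" or "inet:12345".
opendkim_socket_port() {
    printf '%s\n' "$1" | sed -n 's/^inet:\([0-9][0-9]*\).*/\1/p'
}

# Value of a "parameter = value" line in main.cf; Postfix uses the last
# occurrence of a parameter, so take the last match.
main_cf_value() {  # main_cf_value <main.cf> <parameter>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Active SOCKET= value in /etc/default/opendkim (commented-out lines ignored,
# surrounding quotes and trailing comment stripped).
default_opendkim_socket() {  # default_opendkim_socket </etc/default/opendkim>
    sed -n 's/^SOCKET="\{0,1\}\([^" ]*\).*/\1/p' "$1" | tail -n 1
}

# Succeeds only when both files name the same TCP port.
milters_match() {  # milters_match <main.cf> </etc/default/opendkim>
    pf=$(postfix_milter_port "$(main_cf_value "$1" smtpd_milters)")
    dk=$(opendkim_socket_port "$(default_opendkim_socket "$2")")
    [ -n "$pf" ] && [ -n "$dk" ] && [ "$pf" = "$dk" ]
}

# Live check: is any TCP listener bound to the port? (ss from iproute2)
milter_listening() {  # milter_listening <port>
    ss -ltn 2>/dev/null | grep -q "[:.]$1[[:space:]]"
}

# Only runs where the real files exist (i.e. on the mail server itself).
if [ -r /etc/postfix/main.cf ] && [ -r /etc/default/opendkim ]; then
    port=$(postfix_milter_port "$(main_cf_value /etc/postfix/main.cf smtpd_milters)")
    if milters_match /etc/postfix/main.cf /etc/default/opendkim; then
        echo "Postfix and OpenDKIM agree on port $port"
    else
        echo "MISMATCH: smtpd_milters in main.cf and SOCKET in /etc/default/opendkim name different ports"
    fi
    if [ -n "$port" ] && milter_listening "$port"; then
        echo "something is listening on port $port"
    else
        echo "nothing is listening on port ${port:-?}; has opendkim been started?"
    fi
fi
```

If the two files agree but nothing listens, start opendkim and look at /var/log/mail.log; if they disagree, fix one side and reload Postfix. Remember that master.cf can override smtpd_milters per service with -o, as two commenters point out, so check there too if the main.cf value looks right.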

Other

Log files are in the /var/log directory

[code]
cat /var/log/mail.log
cat /var/log/mail.warn
cat /var/log/mail.err
[/code]

Log more info

[code]nano /etc/opendkim.conf[/code]

Add this line:

[code]LogWhy yes[/code]

Credits

Guides that have helped me along the way: Debian Tutorials and Syslog

21 comments

  1. Pingback: Dkim
  2. Hey there. Nice tutorial, everything went OK, with just one small correction:

    When generating the TXT record for a domain in the default.txt file I had:
    “v=DKIM1;=rsa; p=MIGfM…..”

    I needed to add a “k” before “=rsa”, in order to resolve the “bad header / bad format” reported by Google and Yahoo when viewing the received email source.

    Tested on Ubuntu 12.04 x64 Server.
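The malformed record in this comment (a tag with an empty name, ";=rsa;") is the kind of thing worth catching before the record is published and before anyone else's mail server reports it. The following is an added check, not part of the guide or this comment: it joins the quoted chunks of a default.txt file into the single TXT value, splits that into tags, and rejects a record with nameless tags, a missing p= key or an unexpected version. Note that k= itself is optional and defaults to rsa per RFC 6376, so only the malformed tag is treated as an error. The sample default.txt is constructed and its public key is a placeholder; dig from the dnsutils package is assumed for the optional live lookup.

```sh
#!/bin/sh
# Added example, not code from the guide or the commenter: sanity-check a DKIM
# TXT record taken from default.txt (or from DNS) before relying on it.

# Join every double-quoted chunk of a default.txt file into the one TXT value
# to publish (newer opendkim-genkey versions split long keys into several
# quoted strings across lines).
dkim_txt_value() {  # dkim_txt_value <default.txt>
    tr -d '\n' < "$1" | grep -o '"[^"]*"' | tr -d '"\n'
}

# Value of one tag (v, k, p, ...) from a record's "tag=value; tag=value" list.
dkim_tag() {  # dkim_tag <record> <tag>
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# Returns 1 with a message for: a tag without a name (the "v=DKIM1;=rsa;" case
# from the comment), a missing/empty p= key, or a version other than DKIM1.
check_dkim_record() {  # check_dkim_record <record>
    rec=$1
    nameless=$(printf '%s\n' "$rec" | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' | grep -v '^[A-Za-z][A-Za-z0-9_]*=' || true)
    if [ -n "$nameless" ]; then
        echo "malformed tag(s) without a name: $nameless"; return 1
    fi
    v=$(dkim_tag "$rec" v); k=$(dkim_tag "$rec" k); p=$(dkim_tag "$rec" p)
    if [ -n "$v" ] && [ "$v" != "DKIM1" ]; then
        echo "unexpected version tag v=$v"; return 1
    fi
    if [ -z "$p" ]; then
        echo "p= tag (public key) missing or empty"; return 1
    fi
    echo "record ok: v=${v:-absent} k=${k:-rsa (default)} p=${#p} base64 chars"
}

# Live lookup of the published record with its quoted chunks joined
# (not used by the offline demonstration below).
published_dkim_record() {  # published_dkim_record <selector> <domain>
    dig +short TXT "$1._domainkey.$2" | tr -d '"\n'
}

# Constructed sample in the multi-line format opendkim-genkey writes; the key
# material is a placeholder, not a real key.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructedPLACEHOLDERkey" )  ; ----- DKIM key default for mydomain.com
EOF
check_dkim_record "$(dkim_txt_value "$SAMPLE")"
# The commenter's broken record is rejected:
check_dkim_record 'v=DKIM1;=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructedPLACEHOLDERkey' || true
rm -f "$SAMPLE"
```

After publishing, run the same check on the output of published_dkim_record default mydomain.com so that what receivers actually see is validated, not only the local file.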

  3. Hi there,

    Thanks for your tutorial, it looks to work fine but not for me…
    I’ve followed each step of your tutorial but the emails I send from my webmail are still without a DKIM signature in the header.

    Can someone help me?

    Thanks

  4. This excellent website definitely has all the information I needed about this
    subject and didn’t know who to ask.

  5. @ZuRuK I just did the tutorial and had also a problem. Check your log file /var/log/mail.log, I had the following error:
    “warning: connect to Milter service inet:localhost:12345: Connection refused”

    To fix it I had to add a rule in the /etc/postfix/master.cfg file:

    smtps inet n - - - - smtpd
    […]
    -o smtpd_milters=inet:127.0.0.1:12345

  6. Hi, thanks for this tutorial, only one thing is not clear, when you say “Note: If you run multiple instances of Postfix you need to add this to the opendkim.conf for each instance (or the ones you want to use opendkim)” means that you have to make something like this???

    KeyTable /etc/opendkim/KeyTable
    KeyTable /etc/opendkim/KeyTable2

    or in the keytable you have to set one site per line??

    Thanks

  7. Hi there,
    wonderful guide. I have one question: how to configure one instance of Postfix that is implemented on one server which is responsible for 10 domains as the responsible mail server (MX) and for an additional 10 servers where it serves as smart relay and backup server.

    Thanks a lot.
    marek

  8. Hello,
    thanks for this Guide!!!

    I have the problem that I get two DKIM-Signatures in the mail. It seems as if the first is done before the amavis scan and the second after. I use Debian 7.

    Take a look at the e-mail header of the sent mail:

    Received: from localhost (localhost.localdomain [127.0.0.1])
    by j50905.servers.jiffybox.net (Postfix) with ESMTP id 8B0D960929
    for ; Tue, 25 Jun 2013 21:39:05 +0200 (CEST)
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=himmelswurzeln.de;
    s=default; t=1372189145;
    bh=xajgW4mbJc6DoIEOLV5iLwqxZMv2BXIGUPIadmljvCY=;
    h=To:Subject:Date:From:Reply-To:From;
    b=NrrPOt0DygcRy+4nmk4Ryw9O0i3IjS0j59WR5wH1tYiTOWFwP6wofjYCYVWiiNQXi
    H15T3ceEVVFunMio+kvNxVbQSS6GJbvRCI02JJ/mSeJXdFRRNH+YzSSU4qJqjCvAIz
    hbwGn0/J6M3sEZSnrS/aUyVHaq27ZgsUkiyjWaRg=
    X-Virus-Scanned: Debian amavisd-new at himmelswurzeln.de
    Received: from j50905.servers.jiffybox.net ([127.0.0.1])
    by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 49-F9m_im2oG for ;
    Tue, 25 Jun 2013 21:39:01 +0200 (CEST)
    Received: by j50905.servers.jiffybox.net (Postfix, from userid 5011)
    id 482486092B; Tue, 25 Jun 2013 21:39:01 +0200 (CEST)
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=himmelswurzeln.de;
    s=default; t=1372189141;
    bh=xajgW4mbJc6DoIEOLV5iLwqxZMv2BXIGUPIadmljvCY=;
    h=To:Subject:Date:From:Reply-To:From;
    b=Eukp9pHEd6asIkoPqm+sFb6arCabA+mdrW46uoiK0ISI1oP7myeG96QKdIlPs0NVT
    9fULokAL24aUm0uL+Q+wz09Ecn5ZifgjhtPG0pH+c+uJo5xr12XczraggWkjkQHc/t
    ZBUb+OutDZFLHB98HzOjopqcVDJiWpQY3GLoPMLA=

  9. I have installed and configured as per your directions.
    Service opendkim starts without problem, but it doesn’t add the signature.
    In the logs I have no error.
    What am I doing wrong?

    Thanks!

  10. Thanks for sharing. I have used this and the guide below to install Postfix/OpenDKIM on my Debian and CentOS machines.

  11. Can you explain the step of creating a TXT record for the DNS server? What should the TXT file be called (the complete name), and shouldn’t we be using the -s option when creating the DKIM key? Also, they should be sha1024 and above, but I can see that you’re requesting basic encryption?

  12. Superb post but I was wondering if you could write a litte more on this topic?
    I’d be very thankful if you could elaborate a little bit more.
    Kudos!

  13. Very helpful tutorial. I seem to have a problem though. OpenDKIM seems to fail to load. I get “warning: connect to Milter service inet:127.0.0.1:8891: Connection refused” in my logs. After netstat -an | fgrep LISTEN there is nothing listening on 8891. How does one start opendkim?

  14. Excellent tutorial. You only missed out adding the following to the /etc/postfix/master.cfg file:

    smtps inet n - - - - smtpd
    […]
    -o smtpd_milters=inet:127.0.0.1:12345

  15. Everything is very open with a really clear clarification of the challenges.

    It was really informative. Your site is very useful.
    Thanks for sharing!
