Guide to Install OpenDKIM for multiple domains with Postfix and Debian
Mar 12
This is a guide to installing OpenDKIM for multiple domains on a Postfix installation on Debian. I tried some other guides but kept running into problems, so this is how I did it.
Among others, Google Gmail and Yahoo mail check your email for a DKIM signature.
Install and Configure OpenDKIM
1. Install OpenDKIM
apt-get install opendkim
Comment: This will install the latest stable version of OpenDKIM packaged for Debian, which is currently 2.0.1. This version is already a couple of years old (2010).
If you know how to compile sources yourself and want to, the latest version is 2.4.3 (and 2.5.0 is right around the corner).
2. Edit the OpenDKIM config file
nano /etc/opendkim.conf
Add these rows:
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
Note: If you run multiple instances of Postfix, you need to add this to the opendkim.conf for each instance (or for the ones you want to use OpenDKIM with).
3. Edit /etc/opendkim/TrustedHosts
nano /etc/opendkim/TrustedHosts
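Add the domains, hostnames and/or IPs that should be handled by OpenDKIM. Don’t forget localhost. Because opendkim.conf points InternalHosts at this file, mail arriving from the hosts listed here is signed rather than verified, so list only hosts you control.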
127.0.0.1
localhost
x.253.204.64
x.253.204.32/27
4. Edit /etc/default/opendkim
nano /etc/default/opendkim
Uncomment this row:
SOCKET="inet:12345@localhost" # listen on loopback on port 12345
Generate keys
Repeat these steps to generate keys for each domain you will send email from. Replace mydomain.com with your domain name in examples below.
1. Generate key
mkdir -p /etc/opendkim/keys/mydomain.com
cd /etc/opendkim/keys/mydomain.com
opendkim-genkey -r -d mydomain.com
chown opendkim:opendkim default.private
2. Add domain to KeyTable /etc/opendkim/KeyTable
nano /etc/opendkim/KeyTable
Add line:
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private
3. Add domain to SigningTable /etc/opendkim/SigningTable
nano /etc/opendkim/SigningTable
Add line:
mydomain.com default._domainkey.mydomain.com
Note that in OpenDKIM 2.0.1 domain names are case sensitive (supposed to be fixed from 2.3.1 but I have not tested).
This means that in the above example an email from info@mydomain.com will be signed, but an email from info@MyDomain.com will not be signed. The workaround is to add one extra entry for MyDomain.com to SigningTable.
4. Add the DKIM public key to DNS
Add an entry for the public key to the DNS server you are using for your domain. You can find the public key here:
cat /etc/opendkim/keys/mydomain.com/default.txt
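A check to run on default.txt before copying it into DNS, added here as an example and not part of the original guide: one reader comment below reports a generated record containing a nameless "=rsa" tag that Gmail and Yahoo flagged as a bad format. The function names are made up for this example, the sample record is constructed, and the script assumes RSA keys as generated above.

```sh
#!/bin/sh
# Added example, not from the guide: lint an opendkim-genkey TXT file.

# Join every quoted string of the zone-file entry into one DKIM tag list.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Print one line per problem; return 0 only if the record looks publishable.
dkim_txt_lint() {
    record=$(dkim_txt_value "$1")
    status=0 first=yes have_p=no
    old_ifs=$IFS; IFS=';'; set -f            # split on ';' without globbing
    for tag in $record; do
        tag=$(printf '%s' "$tag" | tr -d ' \t')
        [ -n "$tag" ] || continue            # blank field between two ';'
        name=${tag%%=*} value=${tag#*=}
        case $tag in
            *=*) ;;
            *) echo "tag without '=': $tag"; status=1; first=no; continue ;;
        esac
        case $name in
            '') echo "tag with empty name: $tag"; status=1 ;;
            v)  [ "$first" = yes ] || { echo "v= must be the first tag"; status=1; }
                [ "$value" = DKIM1 ] || { echo "v= must be DKIM1: $tag"; status=1; } ;;
            k)  [ "$value" = rsa ] || { echo "key type is not rsa: $tag"; status=1; } ;;
            p)  have_p=yes
                case $value in
                    '') echo "p= is empty, which marks the key as revoked"; status=1 ;;
                    *[!A-Za-z0-9+/=]*) echo "p= is not base64"; status=1 ;;
                esac ;;
        esac
        first=no
    done
    set +f; IFS=$old_ifs
    [ "$have_p" = yes ] || { echo "missing p= tag"; status=1; }
    return $status
}

# Constructed sample reproducing the nameless '=rsa' tag; the key is a dummy.
sample=$(mktemp)
echo 'default._domainkey IN TXT "v=DKIM1;=rsa; p=MIGfDUMMY"' > "$sample"
dkim_txt_lint "$sample" || echo "fix the record before adding it to DNS"
rm -f "$sample"
```

For a real key, call dkim_txt_lint /etc/opendkim/keys/mydomain.com/default.txt and publish only when it prints nothing.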
Start OpenDKIM
/etc/init.d/opendkim start
In the future, if you make any changes to configuration remember to restart: /etc/init.d/opendkim restart
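Each domain adds one row to KeyTable and one to SigningTable, and the two files have to agree, so a check before every restart is useful. The script below is an added example, not part of the original guide: it verifies that every SigningTable row names a key that exists in KeyTable and that each private key file exists and is readable by its owner only. The function name and the demo data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the guide: cross-check KeyTable and SigningTable.

# Print one line per problem; return 0 only if the tables are consistent.
opendkim_tables_lint() {
    keytable=$1 signingtable=$2 status=0
    # KeyTable row: keyname domain:selector:/path/to/private.key
    while read -r keyname spec rest; do
        case $keyname in ''|'#'*) continue ;; esac
        case $spec in
            *:*:*) ;;
            *) echo "KeyTable: $keyname: expected domain:selector:keyfile"
               status=1; continue ;;
        esac
        keyfile=${spec##*:}
        if [ ! -f "$keyfile" ]; then
            echo "KeyTable: $keyname: missing key file $keyfile"; status=1
        elif [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
            echo "KeyTable: $keyname: $keyfile is accessible to group or others"
            status=1
        fi
    done < "$keytable"
    # SigningTable row: sender-domain keyname
    while read -r sender keyname rest; do
        case $sender in ''|'#'*) continue ;; esac
        awk -v k="$keyname" '$1 == k { hit = 1 } END { exit !hit }' "$keytable" || {
            echo "SigningTable: $sender points at unknown key '$keyname'"; status=1
        }
    done < "$signingtable"
    return $status
}

# Constructed demo: one good domain and one SigningTable row with a typo.
demo=$(mktemp -d)
: > "$demo/default.private"; chmod 600 "$demo/default.private"
echo "default._domainkey.mydomain.com mydomain.com:default:$demo/default.private" > "$demo/KeyTable"
printf '%s\n' 'mydomain.com default._domainkey.mydomain.com' \
    'otherdomain.com default._domainkey.otherdomian.com' > "$demo/SigningTable"
opendkim_tables_lint "$demo/KeyTable" "$demo/SigningTable" || echo "fix before restarting opendkim"
rm -rf "$demo"
```

On the server, run opendkim_tables_lint /etc/opendkim/KeyTable /etc/opendkim/SigningTable and restart only when it prints nothing.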
Configure and Restart Postfix
1. Configure Postfix
nano /etc/postfix/main.cf
Add or edit these lines:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
2. Restart Postfix
/etc/init.d/postfix reload
Or, in my case, as I run Postfix multi-instance:
/etc/init.d/postfix-multi restart
Other
Log files are in the /var/log directory
cat /var/log/mail.log
cat /var/log/mail.warn
cat /var/log/mail.err
Log more info
nano /etc/opendkim.conf
Add this line:
LogWhy yes
Credits
Guides that have helped me along the way: Debian Tutorials and Syslog

Aug 31, 2012 @ 09:54:28
Hey there. Nice tutorial, everything went OK, with just one small correction:
When generating the TXT record for a domain in the default.txt file I had:
“v=DKIM1;=rsa; p=MIGfM…..”
I needed to add a “k” before “=rsa”, in order to resolve the “bad header / bad format” reported by Google and Yahoo, when viewing received email source.
Tested on Ubuntu 12.04 x64 Server.
Sep 11, 2012 @ 13:34:16
Hi there,
Thanks for your tutorial, it looks to work fine but not for me…
I’ve followed each step of your tutorial but the emails I send from my webmail are still without a DKIM signature in the header.
Can someone help me?
Thanks
Sep 28, 2012 @ 15:08:21
This excellent website definitely has all the information I needed about this subject and didn’t know who to ask.
Nov 18, 2012 @ 20:50:58
@ZuRuK I just did the tutorial and had also a problem. Check your log file /var/log/mail.log, I had the following error:
“warning: connect to Milter service inet:localhost:12345: Connection refused”
To fix it I had to add a rule in the /etc/postfix/master.cfg file:
smtps inet n - - - - smtpd
[...]
  -o smtpd_milters=inet:127.0.0.1:12345
Feb 26, 2013 @ 23:37:18
Hi, thanks for this tutorial. Only one thing is not clear: when you say “Note: If you run multiple instances of Postfix you need to add this to the opendkim.conf for each instance (or the ones you want to use opendkim)”, does that mean that you have to make something like this?
KeyTable /etc/opendkim/KeyTable
KeyTable /etc/opendkim/KeyTable2
Or in the KeyTable do you have to set one site per line?
Thanks
Mar 20, 2013 @ 19:33:30
Hi there,
Wonderful guide. I have one question: how do I configure one instance of Postfix, implemented on one server, that is the responsible mail server (MX) for 10 domains and serves as smart relay and backup server for an additional 10 servers?
Thanks a lot.
marek