Guide to Install OpenDKIM for multiple domains with Postfix and Debian


This is a guide to installing OpenDKIM for multiple domains on a Postfix installation on Debian. I tried some other guides but kept running into problems, so this is how I did it.

Among others, Google Gmail and Yahoo mail check your email for a DKIM signature.

Install and Configure OpenDKIM

1. Install OpenDKIM

apt-get install opendkim

Comment: This will install the latest stable Debian-packaged version of OpenDKIM, which is currently 2.0.1. This version is already a couple of years old (2010).
If you know how to, or want to, compile from source, the latest version is 2.4.3 (and 2.5.0 is right around the corner).

2. Edit the OpenDKIM config file

nano /etc/opendkim.conf

Add these rows:

KeyTable           /etc/opendkim/KeyTable
SigningTable       /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts      /etc/opendkim/TrustedHosts

Note: If you run multiple instances of Postfix you need to add this to the opendkim.conf of each instance (or at least of the instances you want to use OpenDKIM).

3. Edit /etc/opendkim/TrustedHosts

nano /etc/opendkim/TrustedHosts

Add the domains, hostnames and/or IPs whose mail should be handled by OpenDKIM. Don’t forget localhost. Because this file feeds both InternalHosts and ExternalIgnoreList, mail from these hosts is signed instead of verified, so list only hosts you control.

127.0.0.1
localhost
x.253.204.64
x.253.204.32/27

4. Edit /etc/default/opendkim

nano /etc/default/opendkim

Uncomment this row:

SOCKET="inet:12345@localhost" # listen on loopback on port 12345

Generate keys

Repeat these steps to generate keys for each domain you will send email from. Replace mydomain.com with your domain name in the examples below.

1. Generate key

mkdir -p /etc/opendkim/keys/mydomain.com
cd /etc/opendkim/keys/mydomain.com
opendkim-genkey -r -d mydomain.com
chown opendkim:opendkim default.private

2. Add domain to KeyTable /etc/opendkim/KeyTable

nano /etc/opendkim/KeyTable

Add line:

default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private

3. Add domain to SigningTable /etc/opendkim/SigningTable

nano /etc/opendkim/SigningTable

Add line:

mydomain.com default._domainkey.mydomain.com

Note that in OpenDKIM 2.0.1 domain names are case-sensitive (supposed to be fixed from 2.3.1, but I have not tested).
This means that in the above example an email from info@mydomain.com will be signed, but an email from info@MyDomain.com will not be signed. The workaround is to add one extra entry for MyDomain.com to SigningTable.

4. Add the DKIM public key to DNS

Add an entry for the public key to the DNS server you are using for your domain. You will find the public key, already formatted as a DNS TXT record, here:

cat /etc/opendkim/keys/mydomain.com/default.txt

Start OpenDKIM

/etc/init.d/opendkim start

In the future, if you make any changes to the configuration, remember to restart: /etc/init.d/opendkim restart

Configure and Restart Postfix

1. Configure Postfix

nano /etc/postfix/main.cf

Add or edit these lines:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

2. Restart Postfix

/etc/init.d/postfix reload

Or, in my case, as I run Postfix multi-instance:

/etc/init.d/postfix-multi restart

Other

Log files are in the /var/log directory:

cat /var/log/mail.log
cat /var/log/mail.warn
cat /var/log/mail.err

Log more info

nano /etc/opendkim.conf

Add this line:

LogWhy yes

Credits

Guides that have helped me along the way: Debian Tutorials and Syslog

OpenDKIM: error loading key `default._domainkey.mydomain.com'


I have been pulling my hair with getting OpenDKIM to work on a Debian machine with Postfix. I have been changing my KeyTable, SigningTable, ExternalIgnoreList, InternalHosts files and references like a madman.

I kept getting errors like this in /var/log/mail.log:

Feb 28 11:21:43 06-135-D2 opendkim[27826]: 5EADD532313: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed

Feb 28 11:24:00 06-135-D2 opendkim[27955]: D2560532313 error loading key `default._domainkey.mydomain.com'

Unfortunately OpenDKIM does not give more info than this, and Googling did not provide many hints other than that it was possibly a directory access problem. I checked directory and file access and realized that the key file was only readable by root.

-rw------- 1 root root 891 Feb 28 00:14 default.private

Testing Permissions
(you can skip straight to Solution below)

[Edit: Renamed this part from “Solution” to “Testing Permissions” and added a better Solution below. Thanks to Andreas Schultze on the OpenDKIM mailing list for getting me on the right track to finding the correct solution]

As I used opendkim-genkey to generate my key I would have thought the permissions would be set OK from the start, but I tried doing chmod 644 on the key file anyway:

chmod 644 default.private
-rw-r--r-- 1 root root 891 Feb 28 00:14 default.private

And finally – success!
In /var/log/mail.log:

Feb 28 11:30:28 06-135-D2 opendkim[27955]: 5E811532313 "DKIM-Signature" header added

To me it seems a little insecure to do chmod 644 on the file as this means anyone with access to the system can read the private key. In my case I consider my system secure as it is only used for SMTP/Postfix, so I am happy that it is working.

As I am new to Debian, OpenDKIM and Postfix (the last time I touched Unix was when I worked with IBM’s AIX on their RS/6000 systems in the early 90s…), I would be happy to hear any thoughts on this.

Solution

To allow OpenDKIM, but no unauthorized users, to read the private key, change the owner of the private key file to user and group opendkim with the following command:

chown opendkim:opendkim default.private

(To check what user opendkim is running as, look at the running processes once you have started opendkim: ps -f -A
This command shows what groups the user opendkim belongs to: groups opendkim)

Maybe this is fixed so that file permissions are set correctly in a later version of opendkim-genkey; I am running the old 2.0.1 apt-get package that is currently available for Debian.
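An added audit script (not from the original posts) that cross-checks the KeyTable, SigningTable and key files wired together in the "Generate keys" steps of the guide above, and classifies the key-file ownership problem described in this post. It assumes the file layout used in the guide and a daemon user named opendkim; its SigningTable lookup is a simplified model (exact address, then domain), not OpenDKIM's full matching order.

```python
# Added example (not from the guide): audit KeyTable/SigningTable/key files.
# Assumes the layout used above and that the daemon runs as user "opendkim".
import os
import pwd
import stat

def parse_key_table(text):
    """KeyTable: '<keyname> <domain>:<selector>:<private key path>' per line."""
    keys = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, spec = line.split(None, 1)
            keys[name] = tuple(spec.strip().split(":", 2))  # (domain, selector, path)
    return keys

def parse_signing_table(text):
    """SigningTable: '<sender domain or address> <keyname>' per line."""
    return [tuple(line.split(None, 1)) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def signing_key_for(signing, sender, case_sensitive=True):
    """Simplified SigningTable lookup (full address, then its domain).
    case_sensitive=True models the 2.0.1 behaviour noted in the guide."""
    norm = (lambda s: s) if case_sensitive else str.lower
    table = {norm(pat): key for pat, key in signing}
    return table.get(norm(sender)) or table.get(norm(sender.rsplit("@", 1)[-1]))

def check_tables(keys, signing):
    """Dangling SigningTable -> KeyTable references and missing key files."""
    findings = [f"SigningTable: {pat} -> {key} is not in KeyTable"
                for pat, key in signing if key not in keys]
    findings += [f"KeyTable: {name} -> {path} does not exist"
                 for name, (_, _, path) in keys.items() if not os.path.exists(path)]
    return findings

def classify_key_file(owner, mode, user="opendkim"):
    """Map owner/mode to the symptoms described above: a root-only 0600 key gives
    'error loading key', while a 0644 key exposes the private key to every user."""
    if mode & stat.S_IROTH:
        return f"world-readable ({mode:04o}): chown {user}:{user} and chmod 600"
    if owner != user:
        return f"owned by {owner}, unreadable for {user}: chown {user}:{user}"
    return "ok"

def check_key_file(path, user="opendkim"):
    """Inspect a real key file, e.g. /etc/opendkim/keys/mydomain.com/default.private."""
    st = os.stat(path)
    return classify_key_file(pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode), user)
```

Run check_tables on the parsed contents of /etc/opendkim/KeyTable and SigningTable, then check_key_file on each key path from the KeyTable, before restarting opendkim.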