How to install SMTP and DKIM on a Linux server
This description is only a very small installation guide.
For more information and explanation of the parameters read the postfix/dkim manual.
### Install postfix and mailutils ###
Login as root on the server:
apt-get install postfix
During the installation, set the FQDN for the server
apt-get install mailutils (mail and mailx for cli)
Edit main.cf
vi /etc/postfix/main.cf
[...]
myhostname = example.com (check whether hostname / fqdn is correct)
sender_canonical_maps=hash:/etc/postfix/sender_canonical
smtp_tls_security_level = may
mynetworks = 127.0.0.0/8 172.18.0.0/16 [::ffff:127.0.0.0]/104 [::1]/128 (every client that needs access to smtp must be listed here; for more than one client, list the subnet)
[...]
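After DKIM has been installed, put these entries at the end of main.cf (with milter_default_action = accept, mail is still accepted and goes out unsigned if opendkim is not reachable)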
inet_protocols = ipv4
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
service postfix restart
Edit / create sender_canonical
vi /etc/postfix/sender_canonical
root root@example.com
postmap /etc/postfix/sender_canonical
Restart postfix service
service postfix restart
### Install DKIM ###
apt-get install opendkim opendkim-tools
Edit /etc/default/opendkim: all entries with SOCKET should be commented out, only RUNDIR should be left uncommented
vi /etc/default/opendkim
[...]
RUNDIR=/var/run/opendkim
[...]
Edit opendkim.conf
vi /etc/opendkim.conf
[...]
Syslog yes
UMask 002
Canonicalization relaxed/simple
Mode sv
SubDomains yes
SignatureAlgorithm rsa-sha256
OversignHeaders From
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts
[...]
Change permission and create directory
chmod u=rw,go=r /etc/opendkim.conf
mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys
Edit signing.table and key.table
vi /etc/opendkim/signing.table
*@example.com example
vi /etc/opendkim/key.table
example example.com:202207:/etc/opendkim/keys/example.private
(202207 is the selector; it is needed for the DNS entry later. You can name it however you like. The path must match the private key file created below.)
Edit trusted.hosts
vi /etc/opendkim/trusted.hosts
127.0.0.1
::1
example
example.com
Change permissions
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-rwx /etc/opendkim/keys
Create Domain Key and rename it
cd /etc/opendkim/keys
opendkim-genkey -d example.com -b 2048 -r -s 202207
mv 202207.private example.private
mv 202207.txt example.txt
Change permissions and restart opendkim
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-rw /etc/opendkim/keys
systemctl restart opendkim
systemctl status -l opendkim
The content of example.txt must be inserted in DNS, e.g.:
cat /etc/opendkim/keys/example.txt
202207._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp/JLS3R5eetf9EHDd9tJzPwjK7yigXG4DRX/zlwqp01E9vrHNE3YGEmSdAy9vWPgzY4WDcWvuci+SllFZTIt+0MGCKfAJ2qnQK2S9BGKAUxMsLw2RPdg+95OaQKAdbXn9KLdmUsMv4kOIvhfrqx7oekFOi9J1uVo7z95lDmNugQ4yvYlWg+XFe33LCb1SKZboOw4b5rlZP59tk"
"eLZTL+rm8CLCFyM4xQOHO30B9X5iXMWx9sWSuCKrVGNXFuTSzO69F33pBzS6LQpG1IMn9jtKf4L18CUoXdW7t1hd2g9eQ1Hw7ab17/jIC19nm2fEkdBHRfmnSx23uQj8yfDAYDgQIDAQAB" ) ; ----- DKIM key 202207 for example.com
This is the part that matters for DNS (the value of the TXT record 202207._domainkey):
v=DKIM1; h=sha256; k=rsa; s=email; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp/JLS3R5eetf9EHDd9tJzPwjK7yigXG4DRX/zlwqp01E9vrHNE3YGEmSdAy9vWPgzY4WDcWvuci+SllFZTIt+0MGCKfAJ2qnQK2S9BGKAUxMsLw2RPdg+95OaQKAdbXn9KLdmUsMv4kOIvhfrqx7oekFOi9J1uVo7z95lDmNugQ4yvYlWg+XFe33LCb1SKZboOw4b5rlZP59tk"
"eLZTL+rm8CLCFyM4xQOHO30B9X5iXMWx9sWSuCKrVGNXFuTSzO69F33pBzS6LQpG1IMn9jtKf4L18CUoXdW7t1hd2g9eQ1Hw7ab17/jIC19nm2fEkdBHRfmnSx23uQj8yfDAYDgQIDAQAB
Selector is 202207
To check the key, wait 24h
opendkim-testkey -d example.com -s 202207 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '202207._domainkey.example.com'
opendkim-testkey: key not secure (this is OK, no DNSSEC in use)
opendkim-testkey: key OK
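The key.table path and the private key permissions set in the steps above can be checked with a small script before opendkim is restarted. This is an added example, not part of the original guide; the function name check_keytable and the temporary sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an OpenDKIM key.table.
# Entry format, as used in this guide:  name domain:selector:/path/to/private.key

check_keytable() {
    table=$1
    problems=0
    while read -r name spec || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        domain=${spec%%:*}       # text before the first colon
        rest=${spec#*:}
        selector=${rest%%:*}     # text between the first and second colon
        keyfile=${rest#*:}       # everything after the second colon
        if [ ! -f "$keyfile" ]; then
            echo "FAIL $name: key file $keyfile not found"
            problems=$((problems + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
            echo "FAIL $name: $keyfile is accessible to group/other"
            problems=$((problems + 1))
            continue
        fi
        echo "OK   $name: opendkim-testkey -d $domain -s $selector -vvv"
    done < "$table"
    [ "$problems" -eq 0 ]        # exit status 0 only if every entry passed
}

# Constructed sample: temporary directory, dummy content instead of a real key.
demo_dir=$(mktemp -d)
( umask 077; echo "dummy key material" > "$demo_dir/example.private" )
printf '%s\n' "# constructed key.table" \
    "example example.com:202207:$demo_dir/example.private" > "$demo_dir/key.table"
check_keytable "$demo_dir/key.table" || echo "key.table has problems"
rm -rf "$demo_dir"
```

On the server, call it as check_keytable /etc/opendkim/key.table; each OK line shows the opendkim-testkey command for that entry's domain and selector.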