Small installation guide for postfix and dkim

June 9, 2022 - Reading time: 6 minutes

How to install SMTP and DKIM on a Linux server

This description is only a very small installation guide.
For more information and explanation of the parameters read the postfix/dkim manual.

### Install postfix and mailutils ###

Log in as root on the server:

    apt-get install postfix
    # During the installation, set the FQDN for the server
    # mailutils provides mail and mailx for the CLI
    apt-get install mailutils
   
Edit main.cf

    vi /etc/postfix/main.cf
   
    [...]
    # check whether hostname / FQDN is correct
    myhostname = example.com
    sender_canonical_maps=hash:/etc/postfix/sender_canonical
    smtp_tls_security_level = may
    # each client must be listed here to allow access to smtp, or the subnet if there is more than one client
    mynetworks = 127.0.0.0/8 172.18.0.0/16 [::ffff:127.0.0.0]/104 [::1]/128
    [...]

    # after dkim has been installed, put these entries at the end of main.cf
   
    inet_protocols = ipv4
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891
   
    service postfix restart
   
Edit / create sender_canonical

    vi /etc/postfix/sender_canonical
   
    root root@example.com
   
    postmap /etc/postfix/sender_canonical
   
Restart postfix service

    service postfix restart
   
### Install DKIM ###

    apt-get install opendkim opendkim-tools
   
Edit /etc/default/opendkim: all entries with SOCKET should be commented out; only RUNDIR should stay uncommented

    vi /etc/default/opendkim
   
    [...]
    RUNDIR=/var/run/opendkim
    [...]
   
Edit opendkim.conf

    vi /etc/opendkim.conf
   
    [...]
    Syslog yes
    UMask 002
    Canonicalization relaxed/simple
    Mode sv
    SubDomains yes
    SignatureAlgorithm rsa-sha256
    OversignHeaders From
    Socket inet:8891@localhost
    PidFile /var/run/opendkim/opendkim.pid
    TrustAnchorFile /usr/share/dns/root.key
    UserID opendkim
    KeyTable /etc/opendkim/key.table
    SigningTable refile:/etc/opendkim/signing.table
    ExternalIgnoreList /etc/opendkim/trusted.hosts
    InternalHosts /etc/opendkim/trusted.hosts
    [...]
   
Change permissions and create the directory

    chmod u=rw,go=r /etc/opendkim.conf
    mkdir -p /etc/opendkim/keys
    chown -R opendkim:opendkim /etc/opendkim
    chmod go-rw /etc/opendkim/keys
   
Edit signing.table and key.table

    vi /etc/opendkim/signing.table
   
    *@example.com    example
   
    vi /etc/opendkim/key.table
   
    example    example.com:202207:/etc/opendkim/keys/example.private

    # 202207 is the selector; it is needed for the DNS entry later. You can name it however you like.
   
Edit trusted.hosts

    vi /etc/opendkim/trusted.hosts
   
    127.0.0.1
    ::1
    example
    example.com
   
Change permissions

    chown -R opendkim:opendkim /etc/opendkim
    chmod -R go-rwx /etc/opendkim/keys
   
Create the domain key and rename it

    cd /etc/opendkim/keys
    opendkim-genkey -d example.com -b 2048 -r -s 202207
    mv 202207.private example.private
    mv 202207.txt example.txt
   
Change permissions and restart opendkim

    chown -R opendkim:opendkim /etc/opendkim
    chmod -R go-rw /etc/opendkim/keys
    systemctl restart opendkim
    systemctl status -l opendkim
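
A key.table path that does not match the renamed key file, or a private key readable by other users, is easy to miss until signing fails. As an added example (not from the original guide or the OpenDKIM project), this shell function cross-checks signing.table, key.table and the key files configured above; the name check_dkim_tables is hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not part of OpenDKIM): cross-check signing.table, key.table
# and the private key files. check_dkim_tables is a hypothetical helper name.
# Assumes GNU stat (stat -c %a), as shipped on Debian/Ubuntu.
# Prints one line per finding; the return status is the number of problems.
check_dkim_tables() {
    signing=$1; keytable=$2; problems=0
    # key.table line: <key name> <domain>:<selector>:<private key path>
    while read -r name spec || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        domain=${spec%%:*}; rest=${spec#*:}
        selector=${rest%%:*}; path=${rest#*:}
        if [ ! -f "$path" ]; then
            echo "key.table: $name: key file missing: $path"
            problems=$((problems + 1))
            continue
        fi
        # The private key must not be accessible to group or others.
        mode=$(stat -c %a "$path")
        case $mode in
            *00) echo "ok: $name signs $domain with selector $selector" ;;
            *)   echo "key.table: $name: $path has mode $mode, want 600"
                 problems=$((problems + 1)) ;;
        esac
    done < "$keytable"
    # signing.table line: <address pattern> <key name>
    while read -r pattern name || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac
        if ! awk -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$keytable"
        then
            echo "signing.table: $pattern uses unknown key name: $name"
            problems=$((problems + 1))
        fi
    done < "$signing"
    return "$problems"
}

# Run against real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_dkim_tables "$1" "$2"
fi
```

Saved as a script, it takes /etc/opendkim/signing.table and /etc/opendkim/key.table as its two arguments; a non-zero exit status means at least one finding.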
   
The content of example.txt must be inserted in DNS, e.g.:
 
    cat /etc/opendkim/keys/example.txt

    202207._domainkey       IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; s=email; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp/JLS3R5eetf9EHDd9tJzPwjK7yigXG4DRX/zlwqp01E9vrHNE3YGEmSdAy9vWPgzY4WDcWvuci+SllFZTIt+0MGCKfAJ2qnQK2S9BGKAUxMsLw2RPdg+95OaQKAdbXn9KLdmUsMv4kOIvhfrqx7oekFOi9J1uVo7z95lDmNugQ4yvYlWg+XFe33LCb1SKZboOw4b5rlZP59tk"
          "eLZTL+rm8CLCFyM4xQOHO30B9X5iXMWx9sWSuCKrVGNXFuTSzO69F33pBzS6LQpG1IMn9jtKf4L18CUoXdW7t1hd2g9eQ1Hw7ab17/jIC19nm2fEkdBHRfmnSx23uQj8yfDAYDgQIDAQAB" )  ; ----- DKIM key 202207 for example.com
         

This is important for DNS: the TXT value is the quoted text between the parentheses above, beginning with "v=DKIM1; h=sha256; k=rsa; s=email; " and continuing through both parts of the "p=" key string.

The selector is 202207.
         
To check the key, wait 24h, then run:

    opendkim-testkey -d example.com -s 202207 -vvv
    opendkim-testkey: using default configfile /etc/opendkim.conf
    opendkim-testkey: checking key '202207._domainkey.example.com'
    opendkim-testkey: key not secure  ==> it is ok, no DNSSEC in use
    opendkim-testkey: key OK