doc:appunti:linux:sa:postfix_opendkim

Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:postfix_opendkim [2022/05/23 11:19] – [Configure Postfix] niccolo
doc:appunti:linux:sa:postfix_opendkim [2023/10/31 10:52] – [OpenDKIM on Postfix with virtual domains] niccolo
Line 1: Line 1:
 ====== OpenDKIM on Postfix with virtual domains ====== ====== OpenDKIM on Postfix with virtual domains ======
  
-In this article we will install **[[http://www.opendkim.org/|OpenDKIM]]** on a GNU/Linux mail server based on **Debian 11 Buster**. The mail service is provided by **Postfix** configured for virtual domains using **virtual_alias_domains**.+In this tutorial we will install **[[http://www.opendkim.org/|OpenDKIM]]** on a GNU/Linux mail server based on **Debian 11 Buster**. The mail service is provided by **Postfix** configured for virtual domains using **virtual_alias_domains**.
  
 <code> <code>
 apt install opendkim opendkim-tools apt install opendkim opendkim-tools
 </code> </code>
 +
 +In Debian 11 Bullseye the service is controlled (enable, start, stop, etc.) by Systemd:
 +
 +<code>
 +systemctl status opendkim.service
 +</code>
 +
 +Because Postfix is running into a chroot, it cannot access the ''/run/opendkim/opendkim.sock'' Unix socket to communicate with opendkim, so we change the ''Socket'' option into **/etc/opendkim.conf** and make the daemon to be listening on port **127.0.0.1:8891/TCP**:
 +
 +<file>
 +Socket  inet:8891@localhost
 +</file>
 +
 +The same daemon is used both for signing and verifying. Signing is performed when the **From:** address matches the domains to be signed (see the command line option **%%-d%%** or the **SigningTable** option of the ''/etc/opendkim.conf'' configuration file), verifying is performed in other cases.
  
 ===== Create the keys in /etc/dkimkeys/ ===== ===== Create the keys in /etc/dkimkeys/ =====
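Review bot: The added systemd paragraph says "In Debian 11 Bullseye" while the intro sentence, reworded in this same hunk, still says "Debian 11 Buster". Debian 11 is Bullseye (Buster is Debian 10), so the intro should be corrected to match. In the new Socket paragraph it would also help to say that "inet:8891@localhost" binds the milter to the loopback interface only, and that a TCP socket is reachable by any local process, unlike the Unix socket it replaces, which is protected by file permissions.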
Line 45: Line 59:
 </file> </file>
  
-===== Add the domain to be signed =====+===== Add the domain (or single sender) to be signed =====
  
 Into the file **/etc/dkimkeys/signingtable** we declare that mails originating from that domain must be signed: Into the file **/etc/dkimkeys/signingtable** we declare that mails originating from that domain must be signed:
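Review bot: The heading now reads "Add the domain (or single sender) to be signed", but the sentence directly under it still only says "mails originating from that domain must be signed". Either extend that sentence to cover the single-sender case or show a sender-specific signingtable entry next to the domain one, otherwise the heading promises something the visible text does not explain.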
Line 63: Line 77:
 ===== Configure OpenDKIM ===== ===== Configure OpenDKIM =====
  
-Into the **/etc/opendkim.conf** file we infor OpenDKIM to look into a **KeyTable** to find keys and into a **SigningTable** to know which domains require signing. The service will listen on port **8891/TCP** (should use //Unix domain socket// instead? Better performances? More painfull because Postfix runs in chroot).+Into the **/etc/opendkim.conf** file we inform OpenDKIM to look into a **KeyTable** to find keys and into a **SigningTable** to know which domains require signing. The service will listen on port **8891/TCP** (should use //Unix domain socket// instead? Better performances? More painfull because Postfix runs in chroot).
  
 <file> <file>
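Review bot: The parenthetical at the end of the changed paragraph still asks "should use //Unix domain socket// instead?" even though this revision adds an introduction paragraph that answers it (Postfix runs in a chroot and cannot reach ''/run/opendkim/opendkim.sock''). Replace the open question with a short pointer to that explanation. The typo fix covers "infor" only; "painfull" in the same sentence remains.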
Line 120: Line 134:
 </file> </file>
  
-Havig done this, we define the custom **mua_milters** directive in ''main.cf'' to apply SpamAssassin and DKIM filtering on sumbitted messages:+Having done this, we define the custom **mua_milters** directive in ''main.cf'' to apply SpamAssassin and DKIM filtering on sumbitted messages:
  
 <file> <file>
-# Locally generated mails are filtered with OpenDKIM.+# Locally generated mails (e.g. from command line Mutt) are filtered with OpenDKIM.
 non_smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
  
-Uncomment if you want OpenDKIM for all the messages received by SMTPD+Mails received via SMTP protocol are filtered with OpenDKIM
-#smtpd_milters = inet:localhost:8891+messages created using SoGO webmail go through this milter
 +smtpd_milters = inet:localhost:8891
  
-Restriction applied as smtpd_milters over SUMBISSION/587 only.+Filters applied (as smtpd_milters) to messages received via SUMBISSION/587;
 mua_milters = mua_milters =
     unix:spamass/spamass.sock,     unix:spamass/spamass.sock,
     inet:localhost:8891     inet:localhost:8891
 </file> </file>
 +
 +Another important Postfix setting is **milter_default_action**, the default is **tempfail** which means that if the milter does not respond, the message will be held into the queue and retried later. Other settings can be **accept** or **reject**:
 +
 +<file>
 +milter_default_action = tempfail
 +</file>
 +
 +===== Logging =====
 +
 +When a message passes through the OpenDKIM filter, you get the following line into **mail.log**:
 +
 +<code>
 +opendkim[983999]: 37FDD7D659: DKIM-Signature field added (s=2022, d=rigacci.org)
 +</code>
 +
 +If a message does not match any entry in **/etc/dkimkeys/signingtable**, it will not be signed; the log is:
 +
 +<code>
 +opendkim[983999]: 4778D7D610: no signing table match for 'testmail@rigacci.org'
 +opendkim[983999]: 4778D7D610: no signature data
 +</code>
  
 ===== Web References ===== ===== Web References =====
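Review bot: The new **milter_default_action** paragraph lists tempfail, accept and reject without saying what each means for DKIM, and this same hunk enables "smtpd_milters = inet:localhost:8891" for all mail received via SMTP. With tempfail, an OpenDKIM outage defers every message passing through smtpd; with accept, outgoing mail would leave unsigned and incoming mail unverified while the daemon is down. State that trade-off so the reader can choose deliberately. Minor: "Havig" is corrected, but "sumbitted" in the same sentence and "SUMBISSION/587" in the config comment are still misspelled.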
doc/appunti/linux/sa/postfix_opendkim.txt · Last modified: 2023/10/31 11:06 by niccolo