doc:appunti:linux:sa:postfix_opendkim
Differences
This shows you the differences between two versions of the page.
doc:appunti:linux:sa:postfix_opendkim [2022/05/12 12:34] – [Add the public key into the DNS zone] niccolo | doc:appunti:linux:sa:postfix_opendkim [2023/10/31 11:06] (current) – [OpenDKIM on Postfix with virtual domains] niccolo | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== OpenDKIM on Postfix with virtual domains ====== | ====== OpenDKIM on Postfix with virtual domains ====== | ||
- | In this article | + | In this tutorial |
< | < | ||
apt install opendkim opendkim-tools | apt install opendkim opendkim-tools | ||
</ | </ | ||
+ | |||
+ | In Debian 11 Bullseye the service is controlled (enable, start, stop, etc.) by Systemd: | ||
+ | |||
+ | < | ||
+ | systemctl status opendkim.service | ||
+ | </ | ||
+ | |||
+ | Because Postfix is running into a chroot, it cannot access the ''/ | ||
+ | |||
+ | < | ||
+ | Socket | ||
+ | </ | ||
+ | |||
+ | The same daemon is used both for signing and verifying. Signing is performed when the client connecting to the MUA is authenticated and the **From:** address matches the domains to be signed (see the command line option **%%-d%%** or the **SigningTable** option of the ''/ | ||
===== Create the keys in / | ===== Create the keys in / | ||
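Review bot: In the added paragraph on signing and verifying, "the client connecting to the MUA" looks like it should read MTA: the mail client is the MUA, and it connects to Postfix, which is the MTA. The added chroot sentence would also read better as "running in a chroot" rather than "running into a chroot".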
Line 45: | Line 59: | ||
</ | </ | ||
- | ===== Add the domain to be signed ===== | + | ===== Add the domain |
Into the file **/ | Into the file **/ | ||
Line 51: | Line 65: | ||
< | < | ||
*@[DOMAIN] [SELECTOR]._domainkey.[DOMAIN] | *@[DOMAIN] [SELECTOR]._domainkey.[DOMAIN] | ||
- | </code> | + | </file> |
- | **NOTICE**: The use of the wildcard to indicate all the mails from a domain, the // | + | **NOTICE**: The use of the wildcard |
Remember to reload OpenDKIM after changing the **signingtable**: | Remember to reload OpenDKIM after changing the **signingtable**: | ||
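Review bot: The closing tag after the signing table entry changes from `</code>` to `</file>`, while the opening tag line above the entry is shown as unchanged context, so one of the two revisions has a mismatched pair. Confirm that the opener is `<file>` in the new revision so the block is balanced and renders as intended.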
Line 63: | Line 77: | ||
===== Configure OpenDKIM ===== | ===== Configure OpenDKIM ===== | ||
- | Into the **/ | + | Into the **/ |
< | < | ||
# We use virtual domains, so we use KeyTable and SigningTable | # We use virtual domains, so we use KeyTable and SigningTable | ||
KeyTable | KeyTable | ||
- | SigningTable | + | SigningTable |
# Match a list of hosts whose messages will be signed. | # Match a list of hosts whose messages will be signed. | ||
Line 78: | Line 92: | ||
</ | </ | ||
+ | **NOTICE**: **refile** means that the file contains regular expressions (e.g. asterisk wildcard to indicate all the mail addresses into a domain). | ||
===== Test the OpenDKIM configuration ===== | ===== Test the OpenDKIM configuration ===== | ||
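Review bot: The added NOTICE describes **refile** entries as regular expressions, but OpenDKIM treats them as simple wildcard patterns in which only the asterisk is special. Suggest wording it as "wildcard patterns" so readers do not expect regex syntax such as character classes or anchors to work in the signing table.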
Line 101: | Line 116: | ||
===== Configure Postfix ===== | ===== Configure Postfix ===== | ||
- | To tell Postfix to use the mail filter provided by OpenDKIM, we use the **non_smtpd_milters** option | + | Message signing with OpenDKIM |
+ | |||
+ | Using the **non_smtpd_milters** directive we may add DKIM for locally generated mails, i.e. local submissions via sendmail command line, submissions to the **qmqpd**, ([[wp> | ||
+ | |||
+ | Using custom settings in **/ | ||
< | < | ||
- | # Filter locally | + | submission inet n |
+ | -o syslog_name=postfix/ | ||
+ | -o smtpd_tls_security_level=encrypt | ||
+ | -o smtpd_sasl_auth_enable=yes | ||
+ | -o smtpd_tls_auth_only=yes | ||
+ | -o smtpd_client_restrictions=permit_sasl_authenticated, | ||
+ | -o smtpd_milters=$mua_milters | ||
+ | -o smtpd_sender_restrictions=$mua_sender_restrictions | ||
+ | -o smtpd_relay_restrictions=$mua_relay_restrictions | ||
+ | </ | ||
+ | |||
+ | Having done this, we define the custom **mua_milters** directive in '' | ||
+ | |||
+ | < | ||
+ | # Locally | ||
non_smtpd_milters = inet: | non_smtpd_milters = inet: | ||
- | # Default action for non working | + | |
- | #milter_default_action | + | # Mails received via SMTP protocol are filtered with OpenDKIM; |
+ | # messages created using SoGO webmail go through this milter. | ||
+ | smtpd_milters = inet: | ||
+ | |||
+ | # Filters applied (as smtpd_milters) to messages received via SUMBISSION/ | ||
+ | mua_milters | ||
+ | unix: | ||
+ | inet: | ||
</ | </ | ||
+ | |||
+ | Another important Postfix setting is **milter_default_action**, | ||
+ | |||
+ | < | ||
+ | milter_default_action = tempfail | ||
+ | </ | ||
+ | |||
+ | ===== Logging ===== | ||
+ | |||
+ | When a message passes through the OpenDKIM filter, you get the following line into **mail.log**: | ||
+ | |||
+ | < | ||
+ | opendkim[983999]: | ||
+ | </ | ||
+ | |||
+ | If a message does not match any entry in **/ | ||
+ | |||
+ | < | ||
+ | opendkim[983999]: | ||
+ | opendkim[983999]: | ||
+ | </ | ||
===== Web References ===== | ===== Web References ===== |
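Review bot: The comment above mua_milters misspells SUBMISSION as "SUMBISSION", and the smtpd_milters comment writes "SoGO" where the project name is SOGo. In the new Logging section, "you get the following line into **mail.log**" should read "in **mail.log**".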
doc/appunti/linux/sa/postfix_opendkim.1652351654.txt.gz · Last modified: 2022/05/12 12:34 by niccolo