doc:appunti:linux:sa:postfix_opendkim

Differences

This shows you the differences between two versions of the page.

doc:appunti:linux:sa:postfix_opendkim [2022/05/23 11:19] – [Configure Postfix] niccolodoc:appunti:linux:sa:postfix_opendkim [2023/10/31 11:06] (current) – [OpenDKIM on Postfix with virtual domains] niccolo
Line 1: Line 1:
 ====== OpenDKIM on Postfix with virtual domains ====== ====== OpenDKIM on Postfix with virtual domains ======
  
-In this article we will install **[[http://www.opendkim.org/|OpenDKIM]]** on a GNU/Linux mail server based on **Debian 11 Buster**. The mail service is provided by **Postfix** configured for virtual domains using **virtual_alias_domains**.+In this tutorial we will install **[[http://www.opendkim.org/|OpenDKIM]]** on a GNU/Linux mail server based on **Debian 11 Buster**. The mail service is provided by **Postfix** configured for virtual domains using **virtual_alias_domains**.
  
 <code> <code>
 apt install opendkim opendkim-tools apt install opendkim opendkim-tools
 </code> </code>
 +
 +In Debian 11 Bullseye the service is controlled (enable, start, stop, etc.) by Systemd:
 +
 +<code>
 +systemctl status opendkim.service
 +</code>
 +
 +Because Postfix is running into a chroot, it cannot access the ''/run/opendkim/opendkim.sock'' Unix socket to communicate with opendkim, so we change the ''Socket'' option into **/etc/opendkim.conf** and make the daemon to be listening on port **127.0.0.1:8891/TCP**:
 +
 +<file>
 +Socket  inet:8891@localhost
 +</file>
 +
 +The same daemon is used both for signing and verifying. Signing is performed when the client connecting to the MUA is authenticated and the **From:** address matches the domains to be signed (see the command line option **%%-d%%** or the **SigningTable** option of the ''/etc/opendkim.conf'' configuration file), verifying is performed in other cases.
  
 ===== Create the keys in /etc/dkimkeys/ ===== ===== Create the keys in /etc/dkimkeys/ =====
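
Review bot: The rewritten intro line still says "Debian 11 Buster" while the paragraph added after the apt install block says "Debian 11 Bullseye"; Debian 11 is Bullseye, so the intro should be corrected to match. In the added signing/verifying paragraph, "the client connecting to the MUA" looks like it should read MTA (the client connects to Postfix), and the condition would be easier to follow as two sentences, one for when a message is signed and one for when it is verified. Wording nits in the added text: "running into a chroot" should be "running in a chroot", "into **/etc/opendkim.conf**" should be "in", and "make the daemon to be listening" should be "make the daemon listen". The text says 127.0.0.1 while the setting is "inet:8891@localhost"; state one or the other so the reader knows which address the daemon binds to.
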
Line 45: Line 59:
 </file> </file>
  
-===== Add the domain to be signed =====+===== Add the domain (or single sender) to be signed =====
  
 Into the file **/etc/dkimkeys/signingtable** we declare that mails originating from that domain must be signed: Into the file **/etc/dkimkeys/signingtable** we declare that mails originating from that domain must be signed:
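
Review bot: The heading now promises "(or single sender)" but the unchanged sentence directly below it still only says that mails "originating from that domain must be signed", so the single-sender case is announced and never explained in the visible text. Suggest extending that sentence to say how a single sender address is declared in /etc/dkimkeys/signingtable alongside the domain-wide entry, or dropping the parenthesis from the heading.
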
Line 63: Line 77:
 ===== Configure OpenDKIM ===== ===== Configure OpenDKIM =====
  
-Into the **/etc/opendkim.conf** file we infor OpenDKIM to look into a **KeyTable** to find keys and into a **SigningTable** to know which domains require signing. The service will listen on port **8891/TCP** (should use //Unix domain socket// instead? Better performances? More painfull because Postfix runs in chroot).+Into the **/etc/opendkim.conf** file we inform OpenDKIM to look into a **KeyTable** to find keys and into a **SigningTable** to know which domains require signing. The service will listen on port **8891/TCP** (should use //Unix domain socket// instead? Better performances? More painfull because Postfix runs in chroot).
  
 <file> <file>
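
Review bot: The changed sentence under "Configure OpenDKIM" fixes "infor" but leaves "painfull" and "Better performances?" on the same line, and it still poses the Unix domain socket as an open question although this revision's new introduction already states why TCP is used (Postfix runs in a chroot and cannot reach ''/run/opendkim/opendkim.sock''). Suggest replacing the parenthesis with a plain statement that refers back to that explanation, and saying that the listener is on localhost only, as set by "Socket inet:8891@localhost".
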
Line 120: Line 134:
 </file> </file>
  
-Havig done this, we define the custom **mua_milters** directive in ''main.cf'' to apply SpamAssassin and DKIM filtering on sumbitted messages:+Having done this, we define the custom **mua_milters** directive in ''main.cf'' to apply SpamAssassin and DKIM filtering on sumbitted messages:
  
 <file> <file>
-# Locally generated mails are filtered with OpenDKIM.+# Locally generated mails (e.g. from command line Mutt) are filtered with OpenDKIM.
 non_smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
  
-Uncomment if you want OpenDKIM for all the messages received by SMTPD+Mails received via SMTP protocol are filtered with OpenDKIM
-#smtpd_milters = inet:localhost:8891+messages created using SoGO webmail go through this milter
 +smtpd_milters = inet:localhost:8891
  
-Restriction applied as smtpd_milters over SUMBISSION/587 only.+Filters applied (as smtpd_milters) to messages received via SUMBISSION/587;
 mua_milters = mua_milters =
     unix:spamass/spamass.sock,     unix:spamass/spamass.sock,
     inet:localhost:8891     inet:localhost:8891
 </file> </file>
 +
 +Another important Postfix setting is **milter_default_action**, the default is **tempfail** which means that if the milter does not respond, the message will be held into the queue and retried later. Other settings can be **accept** or **reject**:
 +
 +<file>
 +milter_default_action = tempfail
 +</file>
 +
 +===== Logging =====
 +
 +When a message passes through the OpenDKIM filter, you get the following line into **mail.log**:
 +
 +<code>
 +opendkim[983999]: 37FDD7D659: DKIM-Signature field added (s=2022, d=rigacci.org)
 +</code>
 +
 +If a message does not match any entry in **/etc/dkimkeys/signingtable**, it will not be signed; the log is:
 +
 +<code>
 +opendkim[983999]: 4778D7D610: no signing table match for 'testmail@rigacci.org'
 +opendkim[983999]: 4778D7D610: no signature data
 +</code>
  
 ===== Web References ===== ===== Web References =====
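
Review bot: In the main.cf block, the added lines "Mails received via SMTP protocol are filtered with OpenDKIM", "messages created using SoGO webmail go through this milter" and "Filters applied (as smtpd_milters) to messages received via SUMBISSION/587;" are shown without a leading "#", unlike the "# Locally generated mails" comment above them; as displayed they would not be comments in main.cf, so please check the page source and add the "#" where it is missing. The change also turns on "smtpd_milters = inet:localhost:8891" for all SMTP traffic where it was previously commented out; since the same milter is listed again in mua_milters, a sentence stating which service uses which list would prevent readers from assuming submitted mail passes through OpenDKIM twice. For milter_default_action, the paragraph names accept and reject but does not say what they imply; it would help to note that with accept a message is delivered without passing through the milter (so unsigned) when opendkim does not respond, which is why tempfail is kept. Typos carried into the changed lines: "sumbitted", "SUMBISSION", and "SoGO" (the project spells it SOGo).
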
doc/appunti/linux/sa/postfix_opendkim.1653297570.txt.gz · Last modified: 2022/05/23 11:19 by niccolo