DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing. It gives receiving mail exchangers a way to check that incoming mail from a domain was authorized by that domain's administrators and that the message (including attachments) has not been modified in transport. A digital signature included with the message is validated by the recipient using the signer's public key, which is published in the DNS. In technical terms, DKIM is a technique that cryptographically authenticates the domain name associated with a message.
We use OpenDKIM to sign our outgoing mail and to verify incoming mail. OpenDKIM is a mail filter (a "milter") for Postfix.
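What the signer and the verifier actually hash is worth seeing once, because it explains both why whitespace changes in transit do not break a signature and why the OversignHeaders From setting used further down matters. The following is an added example, not code from this page or from OpenDKIM: it implements the relaxed body and header canonicalization of RFC 6376, computes the bh= body hash, and builds the byte string that the b= signature covers. The RSA signing step itself, which OpenDKIM performs with the private key, is omitted since the Python standard library has no RSA; the sample message and the hostile From header are constructed for the demonstration.

```python
import base64
import hashlib
import re

# Constructed sample message (not from the page); CRLF line endings as on the wire.
# Header values are the raw text after the colon, including the leading space.
SAMPLE_HEADERS = [
    ("From", " Alice <alice@example.net>"),
    ("To", " Bob <bob@example.org>"),
    ("Subject", " Quarterly   report"),
]
SAMPLE_BODY = "Hello Bob,  \r\n\r\nPlease see the attached figures.\r\n\r\n\r\n"

WSP_RUN = re.compile(r"[ \t]+")


def relaxed_body(body: str) -> bytes:
    """Relaxed body canonicalization (RFC 6376, 3.4.4): drop trailing whitespace
    on each line, collapse runs of WSP to one space, drop trailing empty lines,
    and make a non-empty body end with exactly one CRLF."""
    lines = [WSP_RUN.sub(" ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= tag: base64 of SHA-256 over the canonicalized body (a=rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> bytes:
    """Relaxed header canonicalization (RFC 6376, 3.4.2): lowercase the name,
    unfold, collapse WSP runs, strip WSP around the colon and at the end."""
    unfolded = value.replace("\r\n", "")
    return f"{name.strip().lower()}:{WSP_RUN.sub(' ', unfolded).strip(' ')}\r\n".encode()


def signing_input(headers, signed_fields, dkim_signature_value: str) -> bytes:
    """Bytes that get hashed and RSA-signed for the b= tag: the header fields named
    in h=, each matched bottom-up and used at most once (RFC 6376, 5.4.2), followed
    by the DKIM-Signature header itself with an empty b= and no trailing CRLF."""
    remaining = list(headers)
    data = b""
    for field in signed_fields:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == field.lower():
                data += relaxed_header(*remaining.pop(i))
                break
        # A name listed in h= with no header left to match signs a "null" field.
        # That is what OversignHeaders From achieves: with h=...:from:from and a
        # single From present, a second From inserted in transit becomes part of
        # the verifier's input, so the signature no longer verifies.
    without_b = re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", dkim_signature_value)
    return data + relaxed_header("DKIM-Signature", without_b).rstrip(b"\r\n")


def demo() -> dict:
    """Verifier-side view of the sample message, with and without tampering."""
    bh = body_hash(SAMPLE_BODY)
    fields = ["from", "to", "subject", "from"]  # From listed twice: oversigned
    sig = (" v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=mail;\r\n"
           f"\th={':'.join(fields)}; bh={bh};\r\n\tb=")
    clean = signing_input(SAMPLE_HEADERS, fields, sig)
    # Constructed hostile header added after signing: the null From now matches it.
    forged = signing_input(SAMPLE_HEADERS + [("From", " mallory@example.com")], fields, sig)
    return {
        "bh_survives_whitespace_changes":
            bh == body_hash("Hello Bob,\r\n\r\nPlease see the attached figures.\r\n"),
        "bh_detects_edit": bh != body_hash(SAMPLE_BODY.replace("see", "ignore")),
        "added_from_changes_signed_data": clean != forged,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, it reports that the body hash is unaffected by trailing whitespace and extra blank lines, that editing a word changes it, and that a From header appended after signing changes the signed data. The canonical form is what the verifier recomputes, so anything outside it (here: whitespace) may change in transit while anything inside it may not.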
Installation
OpenDKIM is in the Ubuntu software package repository:
$ sudo aptitude install opendkim opendkim-tools
The package installs:
- The system user and group opendkim
- The configuration files /etc/opendkim.conf and /etc/default/opendkim
- The system service opendkim in the /etc/init.d directory
- A runtime directory /var/run/opendkim/ for the PID file and UNIX socket
- Various binaries and tools in /usr/bin: opendkim, opendkim-atpszone, opendkim-genkey, opendkim-genzone, opendkim-spam, opendkim-stats, opendkim-testadsp, opendkim-testkey, opendkim-testmsg
Configuration
Allow Access for Postfix
To let our Postfix MTA interact with OpenDKIM, the user Postfix runs as needs access to some OpenDKIM files, in particular the UNIX socket it connects to OpenDKIM through. This is achieved by adding the postfix user to the opendkim group:
$ sudo usermod -a -G opendkim postfix
Create Signing Keys
Mail sent out through our mail server is signed with a 1024-bit RSA key, so receiving mail servers can verify that it was sent by us and that nobody tampered with it along the way.
To create the RSA key pair, use the opendkim-genkey tool. It writes the private key as <selector>.private and the DNS TXT record to publish as <selector>.txt into the given directory; --testmode adds the t=y flag to that record, telling verifiers the selector is still in test mode. The selector and directory chosen here have to match the Selector and KeyFile settings in opendkim.conf:
$ opendkim-genkey --directory=/etc/mail --selector=${HOSTNAME} --testmode
Configuration File
Configuration is in the file /etc/opendkim.conf and is described in the manpage opendkim.conf(5):
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002
# Sign for example.net with key in /etc/mail/dkim.key using
# selector 'mail' (e.g. mail._domainkey.example.net)
Domain example.net
KeyFile /etc/mail/dkim.key
Selector mail
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
#Mode sv
#SubDomains no
#ADSPAction continue
# Always oversign From (sign using the actual From and a null From) to prevent
# malicious insertion of header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)
#ATPSDomains example.net
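The settings above only produce signatures that verify if they agree with the key-generation step: the genkey command on this page uses --selector=${HOSTNAME} and writes <selector>.private into /etc/mail, while the configuration sets Selector mail and KeyFile /etc/mail/dkim.key. The following is an added example, not part of this page or of OpenDKIM, that parses an opendkim.conf and reports that kind of mismatch along with the other settings the text calls out (Domain, KeyFile, Selector, a Mode that includes signing, and UMask 002 for the Postfix socket). The embedded configuration is taken from this page; the hostname "mail01" stands in for ${HOSTNAME} and is a constructed value.

```python
import os

# The opendkim.conf from this page, embedded as the sample input.
PAGE_CONF = """\
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002
Domain example.net
KeyFile /etc/mail/dkim.key
Selector mail
#Canonicalization simple
#Mode sv
#SubDomains no
OversignHeaders From
"""


def parse_opendkim_conf(text: str) -> dict:
    """Parse the opendkim.conf format: one 'Parameter value' per line, blank lines
    and lines starting with '#' ignored. Parameter names are stored lowercased so
    the checks compare them case-insensitively; a repeated parameter's last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_conf(conf: dict, genkey_directory: str = None, genkey_selector: str = None) -> list:
    """Return findings about the signing setup; an empty list means nothing was found.
    genkey_directory and genkey_selector are the --directory and --selector values
    passed to opendkim-genkey, which writes <directory>/<selector>.private."""
    findings = []
    for required in ("domain", "keyfile", "selector"):
        if required not in conf:
            findings.append(f"{required}: missing, so outgoing mail will not be signed")
    mode = conf.get("mode", "sv")  # OpenDKIM's default is to sign and verify
    if "s" not in mode:
        findings.append(f"mode: {mode!r} does not include signing")
    if conf.get("umask") != "002":
        findings.append("umask: not 002, so a non-root MTA such as Postfix may be unable to use the socket")
    if genkey_directory and genkey_selector:
        expected = os.path.join(genkey_directory, genkey_selector + ".private")
        if conf.get("keyfile") != expected:
            findings.append(f"keyfile: {conf.get('keyfile')!r} is not the file opendkim-genkey wrote ({expected})")
        if conf.get("selector") != genkey_selector:
            findings.append(f"selector: {conf.get('selector')!r} differs from the genkey selector "
                            f"{genkey_selector!r}, so verifiers will query the wrong DNS record")
    return findings


if __name__ == "__main__":
    # "mail01" is a constructed stand-in for ${HOSTNAME} from the genkey command.
    for finding in check_conf(parse_opendkim_conf(PAGE_CONF), "/etc/mail", "mail01"):
        print(finding)
```

Run against the page's configuration and its genkey invocation, the script lists two findings: the KeyFile does not name the file opendkim-genkey produced, and the Selector does not match the one the DNS record was generated for. Either one alone is enough for every outgoing signature to fail verification at the receiver.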