How to Install and Configure OpenDKIM in Ubuntu

Install and Configure OpenDKIM on Ubuntu 20.04/22.04 and Debian 9/10

Introduction

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails, a technique often used in phishing and email spam. DKIM allows an organization to claim responsibility for a message in a way that can be validated by the recipient. OpenDKIM is an open-source implementation of the DKIM specification that is widely used to add this layer of security to email systems.

This guide will walk you through the steps of installing and configuring OpenDKIM on an Ubuntu server. We will cover the installation process, configuration details, integration with the Postfix mail server, and testing to ensure everything is set up correctly.

Prerequisites

Before we begin, ensure that you have the following:

  1. An Ubuntu server (20.04 LTS or later).
  2. Root or sudo access to the server.
  3. A domain name and control over DNS settings.
  4. Postfix installed and configured on your server.

Step 1: Update System Packages

Start by updating the package lists on your Ubuntu server to ensure you have the latest versions available.

$ sudo apt update
$ sudo apt upgrade -y

Step 2: Install OpenDKIM

Next, install OpenDKIM and its tools using the following command:

$ sudo apt install opendkim opendkim-tools -y

Step 3: Configure OpenDKIM

Create OpenDKIM Configuration Directory

Create a directory for OpenDKIM configuration and key files.

$ sudo mkdir /etc/opendkim
$ sudo mkdir /etc/opendkim/keys

Configure OpenDKIM

Open the main configuration file for OpenDKIM.

$ sudo nano /etc/opendkim.conf

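Add the following configuration settings to the file. If the packaged file already sets one of these keys (for example Socket), edit that line instead of adding a second one: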

Syslog                  yes
UMask                   002
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:12345@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

Configure Trusted Hosts

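Edit the TrustedHosts file to include your local network and mail server. The configuration above uses this file for both InternalHosts and ExternalIgnoreList, so mail from any host listed here is signed rather than verified. List only hosts you control.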

$ sudo nano /etc/opendkim/TrustedHosts

Add the following lines:

127.0.0.1
localhost
192.168.0.1/24  # Replace with your local network
*.yourdomain.com  # Replace with your domain

Configure Key Table

Edit the KeyTable file to specify the location of your DKIM keys.

$ sudo nano /etc/opendkim/KeyTable

Add the following line (replace yourdomain.com with your actual domain name):

mail._domainkey.yourdomain.com yourdomain.com:mail:/etc/opendkim/keys/yourdomain.com/mail.private

Configure Signing Table

Edit the SigningTable file to define which domains should be signed.

$ sudo nano /etc/opendkim/SigningTable

Add the following line:

*@yourdomain.com mail._domainkey.yourdomain.com

Step 4: Generate DKIM Keys

Navigate to the keys directory and create a directory for your domain.

$ cd /etc/opendkim/keys
$ sudo mkdir yourdomain.com
$ cd yourdomain.com

Generate a new DKIM key pair using the following command:

$ sudo opendkim-genkey -s mail -d yourdomain.com
$ sudo chown opendkim:opendkim mail.private

This will generate two files:

  • mail.private: The private key used by OpenDKIM to sign outgoing messages. Keep it readable only by the opendkim user.
  • mail.txt: The public key that will be added to your DNS records.

Step 5: Add DKIM Public Key to DNS

Open the mail.txt file and copy its contents.

$ cat mail.txt

You will see something like this:

mail._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmt+8iyK2xwLth..."

Log in to your DNS provider and create a new TXT record with the following details:

  • Name: mail._domainkey
  • Type: TXT
  • Value: (Paste the content from the mail.txt file)

Step 6: Configure Postfix to Use OpenDKIM

Edit the Postfix main configuration file to integrate OpenDKIM.

$ sudo nano /etc/postfix/main.cf

Add the following lines at the end of the file:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

Save and close the file.

Step 7: Start and Enable OpenDKIM

Start the OpenDKIM service and enable it to start on boot.

$ sudo systemctl start opendkim
$ sudo systemctl enable opendkim

Restart Postfix to apply the changes.

$ sudo systemctl restart postfix

Step 8: Test Your Configuration

Send a Test Email

Send a test email to an external email address (e.g., Gmail or Yahoo) to check if DKIM signing is working.

Check Email Headers

After receiving the test email, check the email headers for the DKIM-Signature header. This header indicates that the email has been signed by OpenDKIM.
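The header check described above can be scripted against a saved copy of the received message. This is an added example, not part of the original guide: the function names are hypothetical and the sample message is constructed, with placeholder hash and signature values. It confirms that the signature names your domain and selector and that the receiving server recorded dkim=pass.

```shell
#!/usr/bin/env bash
# Added example: read the DKIM evidence out of a received test message.

# Print the header block with folded (continuation) lines joined.
unfold_headers() {
    tr -d '\r' | awk '
        /^$/      { exit }                      # blank line ends the headers
        /^[ \t]/  { sub(/^[ \t]+/, " "); buf = buf $0; next }
                  { if (buf != "") print buf; buf = $0 }
        END       { if (buf != "") print buf }'
}

# Print one tag (d, s, c, ...) of the first DKIM-Signature header on stdin.
sig_tag() {
    unfold_headers | grep -i '^DKIM-Signature:' | head -n 1 |
        sed 's/^[^:]*://' | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Print the receiving server's verdict, e.g. "dkim=pass".
receiver_verdict() {
    unfold_headers | grep -i '^Authentication-Results:' |
        grep -o 'dkim=[a-z]*' | head -n 1
}

# Succeed if the message was signed as <domain> with <selector> and passed.
check_message() {   # check_message <message text> <domain> <selector>
    [ "$(printf '%s\n' "$1" | sig_tag d)" = "$2" ] &&
    [ "$(printf '%s\n' "$1" | sig_tag s)" = "$3" ] &&
    [ "$(printf '%s\n' "$1" | receiver_verdict)" = "dkim=pass" ]
}

# Constructed sample headers (hash and signature values are placeholders).
SAMPLE_MSG='Authentication-Results: mx.example.net;
        dkim=pass header.i=@yourdomain.com header.s=mail;
        spf=pass smtp.mailfrom=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yourdomain.com;
        s=mail; t=1700000000; bh=PLACEHOLDERBODYHASH=;
        h=From:To:Subject:Date; b=PLACEHOLDERSIGNATURE
From: admin@yourdomain.com
To: someone@example.net
Subject: DKIM test

body text'
```

For a real message, save the raw source from the receiving mailbox and call check_message "$(cat saved-message.eml)" yourdomain.com mail. A d= or s= value that differs from your KeyTable entry means a different signer or selector handled the message.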

Verify DKIM Signature

Use an online DKIM verification tool (e.g., DKIMCore, MXToolbox) to verify the DKIM signature. Enter the selector (mail) and your domain (yourdomain.com) to check if the public key is correctly configured in your DNS.

Troubleshooting

Check OpenDKIM Logs

If you encounter issues, check the OpenDKIM logs for error messages.

$ sudo journalctl -u opendkim

Ensure Correct Permissions

Ensure that the opendkim user has the correct permissions for the key files.

$ sudo chown -R opendkim:opendkim /etc/opendkim/keys

Validate DNS Configuration

Double-check your DNS records to ensure the DKIM public key is correctly added.
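One way to do this check is to compare the key in mail.txt (Step 5) with what DNS actually serves, since long keys are split into several quoted strings and are easy to paste incorrectly. This is an added example, not part of the original guide: the function names are hypothetical, the sample records use constructed, non-functional key material, and the live lookup assumes dig is installed.

```shell
#!/usr/bin/env bash
# Added example: confirm the key published in DNS is the key in mail.txt.

# Join the quoted chunks of a TXT record (BIND syntax as written to mail.txt,
# or `dig +short TXT` output) and drop whitespace: "v=DKIM1;k=rsa;p=...".
dkim_normalize() {
    grep -o '"[^"]*"' | tr -d '"\n' | tr -d '[:space:]'
}

# Print the value of one tag (e.g. p) from a normalized record on stdin.
dkim_tag() {
    tr ';' '\n' | sed -n "s/^$1=//p"
}

# Succeed only if both records carry the same non-empty public key.
dkim_same_key() {   # dkim_same_key <mail.txt contents> <dns answer>
    local want got
    want=$(printf '%s\n' "$1" | dkim_normalize | dkim_tag p)
    got=$(printf '%s\n' "$2" | dkim_normalize | dkim_tag p)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed samples: the same shortened key in both layouts, and a
# truncated copy such as a DNS form might store after a bad paste.
SAMPLE_FILE='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiGEXAMPLE"
          "KEYDATAwIDAQAB" )  ; ----- DKIM key mail for yourdomain.com'
SAMPLE_DNS='"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiGEXAMPLE" "KEYDATAwIDAQAB"'
SAMPLE_BAD='"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiGEXAMPLE"'

# Live use (run with sudo so mail.txt is readable):
#   ./check-dkim-dns.sh yourdomain.com mail
if [ "$#" -eq 2 ]; then
    file=/etc/opendkim/keys/$1/$2.txt
    dns=$(dig +short TXT "$2._domainkey.$1")
    if dkim_same_key "$(cat "$file")" "$dns"; then
        echo "OK: DNS matches $file"
    else
        echo "MISMATCH: DNS record differs from $file" >&2
        exit 1
    fi
fi
```

The opendkim-testkey utility from opendkim-tools offers a related check: opendkim-testkey -d yourdomain.com -s mail -vvv tests the published record against the private key named in the KeyTable.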

Restart Services

If changes are made to the configuration files, restart the OpenDKIM and Postfix services.

$ sudo systemctl restart opendkim
$ sudo systemctl restart postfix

Conclusion

Setting up DKIM with OpenDKIM on an Ubuntu server enhances your email security by verifying the authenticity of your emails. By following the steps outlined in this guide, you can successfully install, configure, and integrate OpenDKIM with your Postfix mail server. Regularly monitor and update your DKIM keys and DNS records to maintain a secure email environment.
