Postfix Dkim Centos

The author voluntarily contributed this tutorial as a part of Pepipost Write to Contribute program.

  1. Set Up DKIM On Postfix With dkim-milter (CentOS 5.2). DKIM is an authentication framework which stores public keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specification. It is defined in RFC 4871.
  2. I spent a while trying to set up DKIM with Postfix on CentOS 5.2. I read the HOWTOs on HOWToForge written by Andrew Colin Kissa (aka TopDog) who subsequently helped me towards getting this setup working. My setup is that I have a mail spooler and multiple mail senders. This is to say that the.
  3. Re: DKIM - Postfix/opendkim issue Post by NLBlackEagle » Sat Aug 26, 2017 3:22 pm Yep, anyway DKIM works now, probably a typo somewhere since after I re-added the record in dns it started working.
  4. Now we can try to start OpenDKIM and reload Postfix: service opendkim start; chkconfig opendkim on; service postfix reload. If everything worked well, you can send a test mail and check in its source that it contains a DKIM signature. Run tail /var/log/maillog -f to see OpenDKIM entries like DKIM-Signature field added (s=default, d=yourdomain).

Introduction

Postfix is one of the most popular open-source Mail Transfer Agents (MTAs), which routes and delivers mail. It is an alternative to the Sendmail MTA, which comes pre-installed in all versions before CentOS/RHEL 5. Installing Postfix on CentOS is a process which requires a lot of precision.

Let us look at Wikipedia's definition of Postfix, which says,

'Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail. It is released under the IBM Public License 1.0 which is a free software license. Alternatively, starting with version 3.2.5, it is available under the Eclipse Public License 2.0 at the user's option.' - Wikipedia

The main job of Postfix (on CentOS) is to relay mail locally or to a destination server outside the network. In order to install Postfix and avoid conflicts, you need to remove Sendmail if it is already installed.

Before starting you can also refresh your concepts on how email works with Postfix as a reference. This would help you go further with this content.

Step 1: Checking And Removing Sendmail (Required Only If Sendmail Is Installed)

Input: Run the below command to check whether sendmail is installed or not:

Output: If sendmail is installed on your server, you will see the following output:

If you didn't get any output, that means you don't have sendmail installed and you can skip to step 2.

If you get an output similar to the one shown above, then you need to remove Sendmail using the below command:

Once you have successfully removed Sendmail, you will get an output similar to the one shown below:

Step 2: Install Postfix

One of the easiest ways to install Postfix is with the yum installer (ideally, if you are using CentOS/RHEL > 5, Postfix comes pre-installed).

You can check whether Postfix is already installed on CentOS 7 using the below command:

You will get the above output if Postfix is already installed. In case Postfix is not installed, use the below command to install it:

Keep saying 'Yes' to the prompt each time it asks. Once all the components are downloaded, you will have Postfix installed successfully on CentOS 7.

Step 3: Configure Postfix.

We need to edit /etc/postfix/main.cf file.

Make changes according to the below steps.

Note: Mostly you will find the line which needs to be changed on line 67.

Add the hostname to the file by uncommenting and editing line no 75

Uncomment and set the domain name at line no 83

Uncomment line no 99

Uncomment and set ipv4 at line no 113

Edit line no 119 to all

Comment out line no 164

Uncomment and add the IP range at line no 264

Uncomment at line no 419

Save and exit the file.

Enable the service using the below command

Start/restart the postfix service.

Once you have restarted Postfix, check the status of the service using the below command:

Step 4: Testing Postfix Server

Let's add a user for testing and call it “postfixtester”

Add a password for the user postfixtester

After adding the user, let's check server access using telnet.

Start your transaction by writing the below command.

Once you get 250 DSN, you can send mail.

Case 1: Successful Test

Case 2: Failed Testcase

This usually occurs if your domain is not mapped to the server.
For example, if you have set mydomain = example.com in the /etc/postfix/main.cf file and it is not mapped to your hostname/server, Postfix will show the above error.
If everything is working fine, you can navigate to your new user's (“postfixtester”) directory and check the mail accordingly.

Output:

If you see something like this, the email has been received successfully. To read the mail, just cat the file:

Output:

This is test mail from your localhost server.

Finally! You have postfix installed and emails getting sent! You are all set to use your server as your private SMTP server to send emails.

Introduction

In the earlier tutorials, you learned how to install and configure Postfix. But despite a correct Postfix setup and correct MX, A and PTR records, your emails might still be flagged as spam by a few of the major ISPs like Gmail and Outlook. So, in this tutorial, you will learn how to further improve email delivery to the recipient's inbox by setting up the correct SPF and DKIM records on your server.

What are these SPF and DKIM records all about?

SPF (Sender Policy Framework) is a simple email validation system designed to detect email spoofing. It is an authentication protocol which, when used, allows senders to specify which IP addresses are authorized to send emails on behalf of a particular domain. To ensure that your customers and brand are protected from phishing and spoofing attacks, you need to authenticate your email with an SPF record.

DKIM is the acronym for DomainKeys Identified Mail. It is an authentication protocol used to validate sending domain names with email messages. DKIM uses cryptographic authentication by inserting a digital signature into the email message header, which is later verified by the receiving host to validate the authenticity of the sender's domain. The signature is created with a private key held on the sending server, and the matching public key is stored in your DNS. When a recipient gets your DKIM-signed email, the public key is retrieved from the DNS records of the sender and used to verify the signature, which authenticates the sender's domain.

Prerequisites

  • Make sure you are running the below steps as root or with the sudo prefix.
  • You must already have Postfix installed, configured and working. In case you have not yet installed it, please refer to this document.

Publishing an SPF DNS record without having the SPF policy agent configured within Postfix is safe; however, publishing DKIM DNS records without having OpenDKIM working correctly within Postfix can result in your email being discarded by the recipient’s email server.

Setup SPF Record

Step 1: Create An SPF Record In DNS Of Your Sender Domain

If you are using example.com as the From/Sender domain in all your emails going through Postfix, then this is the domain for which you have to set up the SPF record. The SPF record can be easily set up by logging in to your DNS provider, e.g. GoDaddy or Namecheap.

Once you are logged in, just create a new TXT record like the one below:

Note: a few DNS providers will require you to enclose the SPF record in quotes.

Once you have added the SPF records, it might take up to 24-48 hrs to propagate globally over the internet. You can use the dig command to see the current SPF record which is updated globally:

Or you can also use online SPF validators like mxtoolbox.com, Kitterman.com or spf.myisp.ch

Out of the above online SPF validators, spf.myisp.ch is quite useful because it gives a very detailed view of which servers/IP addresses are allowed to send emails for your domain.

Step 2: Configuring SPF Policy Agent On Server

By setting up the SPF record for your domain, you have completed a very important step to improve the delivery of outgoing emails to the recipient's inbox. Just as you did the SPF configuration for outgoing emails, you should also do SPF validation for incoming emails. This will help you detect forged emails coming into your network.

First, install the required package for SPF policy agent

The next step is to edit Postfix's master file, master.cf. You can use any of your favorite editors, vim or nano, to edit the file:

Append the following lines at the end of the file. This tells Postfix to start the SPF policy daemon whenever Postfix itself starts.

Save and close the file. The next step is to edit Postfix's main configuration file, main.cf.

Add the following lines at the end of the file main.cf. Adding these lines instructs Postfix to check SPF on incoming emails and reject the emails which are unauthorized.

Save and close the file. You are now done with the SPF setup; just restart Postfix to reflect the changes.

or

How to see whether the emails which you sent to Gmail passed SPF?

Open any of the email sent via your postfix to Gmail and click on Show original link as shown below:

Next, you will see a window like the one below, where you will see the status of SPF (whether Pass or Fail) in Gmail.

If you see the below line, then this means SPF passed:

Setting up DKIM

DKIM can be set up by installing OpenDKIM, an open-source package for setting up DKIM.

Once the installation is successful, you need to add the postfix user to the opendkim group. By doing this, you are actually linking DKIM with your Postfix installation:

Next step is to edit the main configuration file of the OpenDKIM:

Change the below-highlighted content in the main configuration:

Once changes are done, save and close the file.

Create Signing Table

In order to create the signing table, you need to first create a directory structure for OpenDKIM. Execute the following commands to configure the same:

Change the permission and role:

Execute the following command to create the signing table:

Then add the following lines in the above file:

Save and close the file.

Create Key Table

Execute the following command to create the key table:

Once created, add the following lines in the file:

Save and close the file.

Create The Trusted Hosts File

Execute the following command to create the trusted table:

Once created, add the following lines in the file:

Adding the above line means that emails coming from the mentioned IP addresses and domains will be trusted and signed.

Generation of the Private and Public Key for DKIM

DKIM is going to be used for signing outgoing emails. So, you need to generate both the private and the public key for DKIM. The private key will be used for signing, and the public key, which will be published in the DNS, will be used for remote verification.

Create a folder for the domain whose emails are to be DKIM-signed

You can use the opendkim-genkey tool to generate the keys

Once you execute the above command, two files will be generated:

--> This file will contain your private key.

--> This file will contain your public key which you need to add in the DNS record of your domain.

Change the ownership of the private key file:

Configure Public Key in DNS Record of Domain

Get the public key by doing cat:

Copy the record, and log in to your DNS manager e.g. if your DNS is with GoDaddy or Namecheap, then login to their dashboard and add the following DNS record:
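The generated public-key file holds the record as several quoted strings inside parentheses, while most DNS panels expect a single value, so copy errors are common at this step. The following added example (not part of the original tutorial) joins such a record into one value, checks its tags, and compares it with what DNS returns; the sample record and key material are constructed placeholders, and the function names are assumptions made for this illustration.

```python
import base64
import re

# Constructed stand-in for key material (not a real RSA key), base64-encoded.
SAMPLE_P = base64.b64encode(b"\x30\x81\x9f" + bytes(range(159))).decode()

# Constructed zone-file style record: one TXT value split into quoted strings.
SAMPLE_ZONE = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    f'\t  "p={SAMPLE_P[:100]}"\n'
    f'\t  "{SAMPLE_P[100:]}" )  ; ----- DKIM key default for example.com\n'
)

def flatten_zone_txt(zone_text):
    """Join the quoted strings of a zone-file TXT record into one value."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))

def parse_tags(txt_value):
    """Split a DKIM tag=value list; whitespace inside a value is ignored."""
    tags = {}
    for part in txt_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def check_dkim_key(txt_value):
    """Return a list of problems in a DKIM key record (empty list means OK)."""
    tags, problems = parse_tags(txt_value), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

def same_key(local_txt, published_txt):
    """True when the key in the local record equals the one seen in DNS."""
    return parse_tags(local_txt).get("p") == parse_tags(published_txt).get("p")
```

A key cut off at a length that is still valid base64 passes check_dkim_key, which is why same_key compares the local value against the published one as well.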

Testing Your DKIM Configuration

Execute the following command on your Ubuntu machine to test your keys:

If the setup is correct, you will get the following message:

Integrate Postfix to OpenDKIM

Postfix can connect with OpenDKIM via unix socket i.e.

But, we need to change the file path because the SMTP daemon which comes with Ubuntu resolves all filenames relative to the Postfix queue directory (

).

Create a new directory to keep the OpenDKIM socket file

The next step is to edit the socket conf file.

Search for the following line:

And, replace it with the following:

Save and close the file.

Note: You need to do similar changes in the opendkim.conf file too:

Search for the following line:

And, replace it with the following:

Next step is to edit the Postfix main configuration file:

Append the following lines after the smtpd_recipient_restrictions section in the main.cf file.

Save and close the file.

You are now all done. Just restart the opendkim and postfix services to reflect all the changes.

Now, your Postfix setup is ready with SPF and DKIM. We also strongly recommend visiting the Ubuntu community page for additional detailed documentation on SPF and DKIM setup.

Quick Question : Do you know about DMARC policy? It's another crucial component of email authentication.
