I used these two sites to figure out how to get DKIM working:
https://wiki.debian.org/opendkim
https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
Install opendkim and opendkim-tools:
cd /etc/dkimkeys
opendkim-genkey -t -s mail -d technomancer.com
Edit /etc/opendkim.conf:
Domain technomancer.com
KeyFile /etc/dkimkeys/mail.private
Selector mail
Socket local:/var/spool/postfix/opendkim/opendkim.sock
# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts
The socket needs to be in /var/spool/postfix as postfix runs chrooted from there. Add the postfix user to the opendkim group:
adduser postfix opendkim
Edit /etc/postfix/main.cf and add:
milter_default_action = accept
smtpd_milters = unix:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
Notice that the socket path here is missing the /var/spool/postfix prefix, as that directory is the “root” of the chrooted postfix process.
Create the file /etc/dkimkeys/keytable:
mail._domainkey.technomancer.com technomancer.com:mail:/etc/dkimkeys/mail.private
Create the file /etc/dkimkeys/signingtable:
# Domain technomancer.com
*@technomancer.com mail._domainkey.technomancer.com
# You can specify multiple domains
# Example.net
# www._domainkey.technomancer.net
Create the file /etc/dkimkeys/trustedhosts and add the list of IPs and subnets that you consider trusted:
127.0.0.1
192.168.1.0/24
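The three table files above only work together if every SigningTable entry points at a KeyTable name, every KeyTable name agrees with the selector and domain it declares, and every InternalHosts entry is a parseable address or CIDR; OpenDKIM reports these mistakes only at runtime. The following sanity check is an added example written for this page, not part of the original post or of OpenDKIM; the file contents are constructed to mirror the files shown above, and the check_opendkim_tables function and its messages are this example's own.

```python
import fnmatch
import ipaddress

# Constructed sample contents mirroring the files created above.
KEYTABLE = """\
mail._domainkey.technomancer.com technomancer.com:mail:/etc/dkimkeys/mail.private
"""

SIGNINGTABLE = """\
# Domain technomancer.com
*@technomancer.com mail._domainkey.technomancer.com
"""

TRUSTEDHOSTS = """\
127.0.0.1
192.168.1.0/24
"""


def _records(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_keytable(text):
    """Map key name -> (domain, selector, private key path)."""
    keys = {}
    for fields in _records(text):
        if len(fields) != 2 or fields[1].count(":") != 2:
            raise ValueError(f"malformed KeyTable line: {' '.join(fields)}")
        name, spec = fields
        domain, selector, path = spec.split(":")
        keys[name] = (domain, selector, path)
    return keys


def parse_signingtable(text):
    """List of (sender pattern, key name) pairs."""
    pairs = []
    for fields in _records(text):
        if len(fields) != 2:
            raise ValueError(f"malformed SigningTable line: {' '.join(fields)}")
        pairs.append((fields[0], fields[1]))
    return pairs


def check_opendkim_tables(keytable, signingtable, trustedhosts):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    keys = parse_keytable(keytable)

    for name, (domain, selector, _path) in keys.items():
        # The public key is published at <selector>._domainkey.<domain>; naming
        # the KeyTable entry the same way is the convention, so a mismatch is
        # almost always a typo in one of the two.
        if name != f"{selector}._domainkey.{domain}":
            problems.append(
                f"KeyTable name {name!r} does not match selector/domain "
                f"{selector}/{domain}")

    for pattern, keyname in parse_signingtable(signingtable):
        if keyname not in keys:
            problems.append(
                f"SigningTable pattern {pattern!r} refers to unknown key {keyname!r}")
            continue
        domain = keys[keyname][0]
        # A pattern that does not cover the key's own domain would sign mail
        # with a d= that does not align with the From: domain (DMARC fails).
        if not fnmatch.fnmatch(f"postmaster@{domain}", pattern):
            problems.append(
                f"SigningTable pattern {pattern!r} does not cover key domain {domain!r}")

    for fields in _records(trustedhosts):
        for entry in fields:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append(f"InternalHosts entry {entry!r} is not an IP or CIDR")

    return problems


if __name__ == "__main__":
    for problem in check_opendkim_tables(KEYTABLE, SIGNINGTABLE, TRUSTEDHOSTS):
        print(problem)
```

Run it against the real files by reading /etc/dkimkeys/keytable, signingtable and trustedhosts into the three arguments; the glob check is only an approximation of the refile: matching OpenDKIM performs, but it catches the common case of a sender pattern that does not belong to the key's domain.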
Set the appropriate ownership and group:
chown opendkim:opendkim /etc/dkimkeys/*
Add the contents of /etc/dkimkeys/mail.txt to the technomancer.com zone file (it’s a TXT record), increase the serial, and reload the zone.
Restart the opendkim and postfix services.
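Once the zone is reloaded, the record DNS actually serves should be compared with what opendkim-genkey wrote to mail.txt: a copy-paste that drops part of the base64 key or splits the quoted strings differently is the usual reason signatures fail verification. The check below is an added example written for this page, not part of the original post or of OpenDKIM. It parses the BIND-style multi-string TXT record that opendkim-genkey produces, parses a dig-style answer the same way, compares the p= public key, and flags the t=y tag. That tag is what the -t option of the opendkim-genkey command above sets: it marks the key as being in testing mode, and RFC 6376 tells verifiers to treat mail from a signer in testing mode no differently from unsigned mail, so it should be removed from the record once signing is confirmed to work. The mail.txt content and the public key value are constructed placeholders, and the function names are this example's own.

```python
import base64
import re


def _placeholder_pubkey():
    # Constructed stand-in for the base64 DER SubjectPublicKeyInfo that
    # opendkim-genkey writes as p=. It is not a real key; it only decodes to
    # bytes that start with a DER SEQUENCE tag like a real one would.
    return base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()


# Constructed sample of /etc/dkimkeys/mail.txt in the layout opendkim-genkey
# uses: a parenthesised, quoted, multi-line TXT record with a trailing comment.
MAIL_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; t=y; "\n'
    f'\t  "p={_placeholder_pubkey()}" )  ; ----- DKIM key mail for technomancer.com\n'
)


def dkim_record_name(selector, domain):
    """DNS name at which verifiers look up the public key."""
    return f"{selector}._domainkey.{domain}"


def txt_strings_to_record(text):
    """Join the quoted strings of a TXT record into one DKIM record string.

    Works for the mail.txt layout and for a `dig TXT` answer alike, since both
    present the record as a sequence of double-quoted strings."""
    return "".join(re.findall(r'"([^"]*)"', text))


def parse_dkim_tags(record):
    """Parse a 'tag=value; tag=value' DKIM tag list into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_published_key(local_txt, dns_answer):
    """Compare the generated record with the one DNS serves; return findings."""
    findings = []
    local = parse_dkim_tags(txt_strings_to_record(local_txt))
    published = parse_dkim_tags(txt_strings_to_record(dns_answer))

    # v= is optional, but when present it must be DKIM1.
    if published.get("v", "DKIM1") != "DKIM1":
        findings.append("published record is not v=DKIM1")

    if "p" not in published:
        findings.append("published record has no p= public key")
    else:
        # Folding whitespace is permitted inside the base64, so ignore it.
        local_p = local.get("p", "").replace(" ", "")
        published_p = published["p"].replace(" ", "")
        if published_p != local_p:
            findings.append("published public key differs from /etc/dkimkeys/mail.txt")
        else:
            try:
                der = base64.b64decode(published_p, validate=True)
                if not der.startswith(b"\x30"):
                    findings.append("p= does not decode to a DER SEQUENCE")
            except ValueError:  # binascii.Error is a ValueError subclass
                findings.append("p= is not valid base64")

    # t= holds colon-separated flags; 'y' is testing mode set by opendkim-genkey -t.
    if "y" in published.get("t", "").split(":"):
        findings.append(
            "t=y testing flag is set: verifiers treat the mail as unsigned; "
            "remove it from the record once signing is confirmed to work")

    return findings


if __name__ == "__main__":
    # Constructed answer as dig would print it for mail._domainkey.technomancer.com.
    answer = '"v=DKIM1; h=sha256; k=rsa; t=y; " "p=' + _placeholder_pubkey() + '"'
    print(dkim_record_name("mail", "technomancer.com"))
    for finding in check_published_key(MAIL_TXT, answer):
        print(finding)
```

In use, read the real mail.txt into local_txt and paste the output of a TXT query for mail._domainkey.technomancer.com into dns_answer; the check is deliberately offline so it can be run on the mail host before and after the zone reload.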