DKIM and SPF support in YnH

EDIT LJF: Now DKIM and SPF are directly integrated in YunoHost 2.4

Hi,

Please note that :

Changes in rev 2 :

  • Much easier to manage more than one DOMAIN.TLD (future proof)
  • Updated configuration as it seemed that the previous one was based on old software

So, here is the thing :

  • We start by installing the right software :

sudo aptitude install opendkim opendkim-tools

  • Then we configure opendkim

sudo nano /etc/opendkim.conf
(Text to be placed in the text file: )

AutoRestart Yes
AutoRestartRate 10/1h
UMask 022
Syslog yes
SyslogSuccess Yes
LogWhy Yes

Canonicalization relaxed/simple

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable

Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256

UserID opendkim:opendkim

Socket inet:8891@127.0.0.1

Selector mail

  • Connect the milter to Postfix:

sudo nano /etc/default/opendkim

(Text to be placed in the text file: )
SOCKET="inet:8891@localhost"

  • Configure postfix to use this milter:

sudo nano /etc/postfix/main.cf

(Text to be placed AT THE END in the text file: )
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

  • Create a directory structure that will hold the trusted hosts, key tables, signing tables and crypto keys:

sudo mkdir -pv /etc/opendkim/keys/DOMAIN.TLD

  • Specify trusted hosts:

sudo nano /etc/opendkim/TrustedHosts

(Text to be placed in the text file: )
127.0.0.1
localhost
192.168.0.1/24
*.DOMAIN.TLD

  • Create a key table:

sudo nano /etc/opendkim/KeyTable

(Text to be placed in the text file: Be very careful, it needs to be on a SINGLE LINE for each domain )
mail._domainkey.DOMAIN.TLD DOMAIN.TLD:mail:/etc/opendkim/keys/DOMAIN.TLD/mail.private

  • Create a signing table:

sudo nano /etc/opendkim/SigningTable

(Text to be placed in the text file: )
*@DOMAIN.TLD mail._domainkey.DOMAIN.TLD

  • Now we generate the keys ! :slight_smile:

cd /etc/opendkim/keys/DOMAIN.TLD
sudo opendkim-genkey -s mail -d DOMAIN.TLD

  • Output the DKIM DNS line to the terminal. Then, we install it on our DNS server. My ZONE file looks like this. (Be very careful with the formatting, the "p=…" needs to be in a single line.)

cat mail.txt

mail._domainkey IN TXT "v=DKIM1; k=rsa; p=AAAKKUHGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFrBM54eXlZPXLJ7EFphiA8qGAcgu4lWuzhzxDDcIHcnA/fdklG2gol1B4r27p87rExxz9hZehJclaiqlaD8otWt8r/UdrAUYNLKNBFGHJ875467jstoAQAB" ; ----- DKIM key mail for DOMAIN.TLD

  • And we don’t forget to put the right rights otherwise opendkim will get grumpy…

sudo chown -Rv opendkim:opendkim /etc/opendkim*

  • And finally, we restart everything :
    sudo service opendkim restart
    sudo service postfix restart

  • To test if it is all working well (don’t forget that the DNS propagation can take a bit of time…) you can simply send an email to check-auth@verifier.port25.com and a reply will be received. If everything works correctly you should see DKIM check: pass under Summary of Results.

Now, the SPF support.

This is much quicker and much simpler, we only have to add a line in the DNS such :

DOMAIN.TLD 300 TXT "v=spf1 a:DOMAIN.TLD mx ?all"

Edit I took into account comments from tebo (and Benjamin Sonntag somehow :wink: )
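As an added example (not code from the post or from YunoHost), here is an offline pre-flight check for the pieces of the how-to that most often disagree with each other: the KeyTable and SigningTable must point at the same selector and domain, and the SPF record's "all" qualifier decides whether unlisted senders fail, soft-fail or stay neutral. The table contents and the two SPF lines are constructed from the post's own DOMAIN.TLD placeholder; nothing here queries DNS or talks to opendkim.

```python
# Added example: consistency check for the OpenDKIM tables and the SPF record.
# All inputs are constructed copies of the files shown in the how-to.
import re

# Constructed copies of the two files the how-to creates.
KEY_TABLE = """
mail._domainkey.DOMAIN.TLD DOMAIN.TLD:mail:/etc/opendkim/keys/DOMAIN.TLD/mail.private
"""
SIGNING_TABLE = """
*@DOMAIN.TLD mail._domainkey.DOMAIN.TLD
"""
# Constructed SPF records: the one from the post and the strict variant it discusses.
SPF_NEUTRAL = 'DOMAIN.TLD 300 TXT "v=spf1 a:DOMAIN.TLD mx ?all"'
SPF_STRICT = 'DOMAIN.TLD 300 TXT "v=spf1 a:DOMAIN.TLD mx -all"'


def _rows(text):
    """Yield (first field, rest of line) for each non-empty, non-comment line."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            yield parts[0], parts[1].strip()


def parse_key_table(text):
    """KeyTable lines are '<keyname> <domain>:<selector>:<private key path>'."""
    table = {}
    for keyname, spec in _rows(text):
        domain, selector, path = spec.split(":", 2)
        table[keyname] = {"domain": domain, "selector": selector, "path": path}
    return table


def parse_signing_table(text):
    """SigningTable lines are '<sender pattern> <keyname>'."""
    return dict(_rows(text))


def check_tables(key_table, signing_table):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    for pattern, keyname in signing_table.items():
        entry = key_table.get(keyname)
        if entry is None:
            problems.append(f"{pattern}: key name {keyname} is not in KeyTable")
            continue
        # The key name doubles as the DNS name verifiers look up, so it must be
        # <selector>._domainkey.<domain> for the entry it refers to.
        expected = f"{entry['selector']}._domainkey.{entry['domain']}"
        if keyname != expected:
            problems.append(f"{keyname}: DNS name should be {expected}")
        if pattern.rsplit("@", 1)[-1] != entry["domain"]:
            problems.append(f"{pattern}: signs with the key of {entry['domain']}")
    return problems


def spf_all_qualifier(record):
    """Qualifier on the 'all' mechanism: '-' fail, '~' softfail, '?' neutral,
    '+' pass (the default when none is written); None if there is no 'all'."""
    # A zone-file line keeps the record inside quotes; join them, as resolvers do.
    txt = "".join(re.findall(r'"([^"]*)"', record)) if '"' in record else record
    if not txt.startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term)
        if m:
            return m.group(1) or "+"
    return None


if __name__ == "__main__":
    issues = check_tables(parse_key_table(KEY_TABLE), parse_signing_table(SIGNING_TABLE))
    print("tables OK" if not issues else "\n".join(issues))
    for rec in (SPF_NEUTRAL, SPF_STRICT):
        print(rec.split()[0], "all qualifier:", spf_all_qualifier(rec))
```

Run it against your real /etc/opendkim/KeyTable and SigningTable contents before restarting the services: a mismatch between the two files is the usual reason opendkim signs nothing while logging no error.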

"-all" 

means, if an email wasn’t sent from this domain, refuse it.

I would suggest to use the flag

"?all"

instead of “-all” in the spf configuration.
You don’t really know which smtp server people are using. So using the “?all” flag will be more flexible and doesn’t break your configuration.

Check this french conference for more details:
http://www.iletaitunefoisinternet.fr/lemail-par-benjamin-sonntag/

Hi,

I took your comment into consideration and updated this How-to for both DKIM and SPF. This is now rev2.

Hi,

I did a fresh install of YnH and followed this tutorial. It seems to work straight away so I removed the “WIP”. I pass both DKIM and SPF checks.

Hopefully it will be eventually integrated into the core soon :wink:

Cheers,

Maxime

Excellent work !

It would be awesome to put all this nicely in a documentation page as well <3

Do you know if an app will be done and integrated soon ? :smile:

Actually it is not so easy to develop, as postfix configuration files do not support any include directive.

It is pretty easy to develop an app that adds the correct directives in main.cf, but any update of the yunohost-config-postfix package will overwrite them. Such tricky behavior will be possible in a future Yunohost version, but we really don’t have any date for it :wink:

We could eventually do something with a cron job, but that’s really hacking to me…

Yes, this is exactly my concern : keeping postfix conf clean.
I think the only neat solution is to have an app supported by yunohost.

Great mate ! thanks!

Hi;
I did this DigitalOcean how to with success
+change into /etc/opendkim.conf
Canonicalization relaxed/simple
for Canonicalization relaxed/relaxed
like G**gle is

now my next question/challenge is to have an 2048bit key
because with this how to you finish with an 1024bit key

Anybody know where you interact with this parameter ?

Cheers to all!

Hi jodumont,

I found this on the Internet : http://www.opendkim.org/opendkim-genkey.8.html

DESCRIPTION

opendkim-genkey generates (1) a private key for signing messages using opendkim(8) and (2) a DNS TXT record suitable for inclusion in a zone file which publishes the matching public key for use by remote DKIM verifiers.

OPTIONS

-b bits
(--bits=n) Specifies the size of the key, in bits, to be generated. The default is 1024 which is the value recommended by the DKIM specification.

So, when you use the opendkim-genkey command, you could add the option -b 2048

However, it is also written that the specification advises to use the standard 1024 bit key.
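The "p=… on a single line" warning from the how-to and the 2048-bit question above meet in the mail.txt file: a 2048-bit public key no longer fits one 255-byte TXT string, so opendkim-genkey splits it across several quoted strings that verifiers concatenate. As an added example (not from the thread, the OpenDKIM project or YunoHost), this script joins those strings, parses the record and measures the RSA modulus, so you can confirm what size actually got published. The two zone-file lines are constructed in the shape genkey writes; the keys inside them are dummies with the correct DER layout only and are not usable keys.

```python
# Added example: parse the mail.txt line from opendkim-genkey and report the
# RSA key size. Keys are constructed dummies so that this runs offline.
import base64
import re


def _der(tag, content):
    """Encode one DER tag/length/value (lengths below 65536 suffice here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def fake_dkim_p(bits):
    """Constructed RSA SubjectPublicKeyInfo (what DKIM's p= carries, base64)
    with a dummy modulus of the requested size and e=65537. NOT a real key."""
    modulus = b"\x00" + b"\xc3" * (bits // 8)       # 0x00 prefix: top bit is set
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b""))
                + _der(0x03, b"\x00" + rsa_key))
    return base64.b64encode(spki).decode()


# Constructed mail.txt lines: a 1024-bit key as one quoted string (as in the
# how-to) and a 2048-bit key split over several strings inside parentheses.
_P1024 = fake_dkim_p(1024)
_P2048 = fake_dkim_p(2048)
MAIL_TXT_1024 = (f'mail._domainkey IN TXT "v=DKIM1; k=rsa; p={_P1024}" '
                 '; ----- DKIM key mail for DOMAIN.TLD')
MAIL_TXT_2048 = (f'mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n\t  "p={_P2048[:250]}"\n'
                 f'\t  "{_P2048[250:]}" )  ; ----- DKIM key mail for DOMAIN.TLD')


def join_txt_strings(zone_line):
    """Concatenate every quoted string on the line, as DNS verifiers do;
    the trailing ';' comment sits outside the quotes and is dropped."""
    return "".join(re.findall(r'"([^"]*)"', zone_line))


def parse_dkim_record(zone_line):
    """Tag=value pairs of the DKIM record published on the line."""
    tags = {}
    for field in join_txt_strings(zone_line).split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value start, value end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(p_value):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus."""
    der = base64.b64decode(p_value)
    _, pos, _ = _tlv(der, 0)            # outer SEQUENCE
    _, _, pos = _tlv(der, pos)          # AlgorithmIdentifier, skipped over
    _, pos, _ = _tlv(der, pos)          # BIT STRING holding RSAPublicKey
    _, pos, _ = _tlv(der, pos + 1)      # RSAPublicKey SEQUENCE (+1 skips unused-bits byte)
    _, start, end = _tlv(der, pos)      # modulus INTEGER
    return len(der[start:end].lstrip(b"\x00")) * 8


def key_size_of(zone_line):
    """Key size in bits of the RSA DKIM record on a mail.txt line."""
    tags = parse_dkim_record(zone_line)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    return rsa_modulus_bits(tags["p"])


if __name__ == "__main__":
    for line in (MAIL_TXT_1024, MAIL_TXT_2048):
        print(key_size_of(line), "bit key:", join_txt_strings(line)[:40], "...")
```

Feed it the real output of `cat mail.txt` after running `opendkim-genkey -b 2048`: if the DNS panel you paste into only accepts a single string, paste the joined value that join_txt_strings returns rather than the parenthesised multi-string form.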

@maxime thanks for sharing your knowledge and your research :smiley_cat:
in this case, the key is for authentication, so we must go with the flow :wink:

Hi, I’m wondering if you would consider this application stable. I’m having trouble with spam and I wanted to solve this problem.

Also, I don’t quite get why this cannot be included as default configuration in the next yunohost releases.