I love opensmtpd. But as I’ve never set up a mail server before, some things are hard. DKIM was one of them. Below is what I now use on four servers and all work perfectly:
Credits
README
This is a guide to using filter-dkimsign on Debian 10. It took a bit of effort to get it working and the following is as much for my help as anyone else’s.
Note: this is for an outgoing only mail server
Install the requirements
root@server:/home/simon/src# apt install libevent-dev libssl-dev mandocGrab the files from here:
root@server:/home/simon/src# wget https://simonh.uk/files/src/libopensmtpd-0.7.tar.gz
bc. root@server:/home/simon/src# wget https://simonh.uk/files/src/filter-dkimsign-0.5.tar.gzExtract both packages using tar xvf <each_file>
cd into libopensmtpd first and run
root@server:/home/simon/src/libopensmtpd-0.7# make -f Makefile.gnuYou should get no errors.
root@server:/home/simon/src/libopensmtpd-0.7# make -f Makefile.gnu installNow, cd into ../filter-dkimsign-0.5 and run the two make commands as above.
Next, we’ll create the group and user _dkimsign
root@server:~# addgroup _dkimsign --force-badname
Allowing use of questionable username.
Adding group `_dkimsign' (GID 1001) ...
Done.Now add the _dkimsign user to that group
root@server:~# useradd _dkimsign -g _dkimsignCreate the directory to save your private key with the correct permissions:
root@server:~# install -d -m 770 -o _dkimsign -g _dkimsign /etc/mail/dkimLog out as the root user with exit and run:
simon@server:~/src [ssh] $ sudo -u _dkimsign openssl genrsa -out /etc/mail/dkim/private.rsa.key 1024That has generated and saved our private key. Run below to get the public key that we’ll save in our DNS records:
simon@server:~/src [ssh] $ sudo openssl rsa -in /etc/mail/dkim/private.rsa.key -pubout | sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;'
writing RSA key
v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoaV4xJ1D4AeJ6XWU9ilt83yUnRUthPMh2R7qeMZEEHKQ+sWFiiiM5z4kpxwTsQNIvzMO2h8seh9XJIAPzVER8ac9AeCueXIAg/MwHWoZvIrBYJSeFmq6sgCacgKwayI9xp7QcqWmYGXiaBQnI21/SieA4GZsk/UTOiko7UFlE6wIDAQABCopy the long line beneath “writing RSA key”, like so:
v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoaV4xJ1D4AeJ6XWU9ilt83yUnRUthPMh2R7qeMZEEHKQ+sWFiiiM5z4kpxwTsQNIvzMO2h8seh9XJIAPzVER8ac9AeCueXIAg/MwHWoZvIrBYJSeFmq6sgCacgKwayI9xp7QcqWmYGXiaBQnI21/SieA4GZsk/UTOiko7UFlE6wIDAQAB
You need to save that in your DNS record section at you domain registrar as a TXT record.
Following (seemingly) popular advice, I use today’s date 20210622._domainkey. The part before the . (dot) is called the selector. We’ll come back to that in a minute.
Next, we’ll add the filter to our /etc/smtpd.conf making sure to replace -d yourdomain.com and -s 20210622 with your domain and your selector!
filter dkimsign proc-exec "filter-dkimsign -d yourdomain.com -s 20210622 -k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign
listen on socket filter "dkimsign"
listen on localhost filter "dkimsign"Do a quick check that we have no syntax errors:
root@server:/home/simon/src# smtpd -n
configuration OKNearly there now! We’ll restart and check that opensmtpd has no errors:
root@server:/home/simon/src# systemctl restart opensmtpd
root@server:/home/simon/src# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset
Active: active (running) since Wed 2021-06-23 15:11:43 BST; 5s ago
Docs: man:smtpd(8)
Process: 10351 ExecStart=/usr/sbin/smtpd (code=exited, status=0/SUCCESS)
Main PID: 10352 (smtpd)
Tasks: 9 (limit: 1148)
Memory: 10.0M
CGroup: /system.slice/opensmtpd.service
├─10352 /usr/sbin/smtpd
├─10353 smtpd: klondike
├─10354 smtpd: control
├─10355 smtpd: lookup
├─10356 smtpd: pony express
├─10357 smtpd: queue
├─10358 smtpd: scheduler
├─10359 /usr/sbin/smtpd
└─10361 /usr/libexec/opensmtpd/filter-dkimsign -d yourdomain.com -s 20210622
Jun 23 15:11:43 server systemd[1]: Starting OpenSMTPD SMTP server...
Jun 23 15:11:43 server smtpd[10351]: info: OpenSMTPD 6.6.4p1 starting
Jun 23 15:11:43 server systemd[1]: Started OpenSMTPD SMTP server.You can see in the last line, that filter-dkimsign is running
Finally, we’ll send an email to a gmail account and check that DKIM is a “PASS”
root@server:/home/simon# echo uptime | mail somebody@gmail.comCheck your gmail account by clicking on the three dots next to reply and click “Show original”. If all went well, you’ll see DKIM at the bottom and “PASS with domain” next to it:
Following these instructions, you should be DKIM friendly in about ten or fifteen minutes!
Any issues feel free to send me an email, or sign up for the opensmtpd mailing list here (subscribe to the misc one).