Exim/DKIM: Difference between revisions
From wiki
< Exim
Created page with "[https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail DomainKeys Identified Mail (DKIM)] is an email authentication method designed to detect email spoofing. == Initial..." |
Small fixes |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
== Initial Setup == | == Initial Setup == | ||
First you need to create an empty file at <code>/etc/exim4/dkim_domains</code>. | |||
Then, edit <code>/etc/exim4/conf.d/main/00_local_settings</code> and add<sup><ref>https://debian-administration.org/users/lee/weblog/51</ref></sup><syntaxhighlight lang="ini"> | |||
DKIM_DOMAIN = ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}} | DKIM_DOMAIN = ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}} | ||
DKIM_SELECTOR = ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}} | DKIM_SELECTOR = ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}} | ||
| Line 9: | Line 10: | ||
DKIM_CANON = ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}} | DKIM_CANON = ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}} | ||
DKIM_STRICT = ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}} | DKIM_STRICT = ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}} | ||
</syntaxhighlight>Finally reload the configuration by using<syntaxhighlight lang="console"> | |||
$ sudo systemctl reload exim4.service | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== Add Domain == | |||
First choose a selector. DKIM allows each domain to have multiple keys (to allow key rotation, multiple senders…). Each key is identified by a selector. For the example, we will use ''example2017''. | |||
Then create the key<syntaxhighlight lang="console"> | |||
$ sudo openssl genrsa -out /etc/exim4/private/example2017.dkim.example.org.private.pem 2048 | |||
$ sudo openssl rsa -in /etc/exim4/private/example2017.dkim.example.org.private.pem -pubout | |||
writing RSA key | |||
-----BEGIN PUBLIC KEY----- | |||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/ | |||
QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd | |||
04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD | |||
GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1 | |||
U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h | |||
WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA | |||
TwIDAQAB | |||
-----END PUBLIC KEY----- | |||
</syntaxhighlight> | |||
Next step is to create a DNS record. The value after <code>p=</code> is the public RSA key from the command above <syntaxhighlight lang="bash"> | |||
# Record can be either one long line ([...] added for readability) | |||
example2017._domainkey TXT "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0B[...]D0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSATwIDAQAB" | |||
# or it can be split into multiple lines | |||
example2017._domainkey TXT ("v=DKIM1;t=s;p=" | |||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/" | |||
"QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd" | |||
"04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD" | |||
"GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1" | |||
"U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h" | |||
"WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA" | |||
"TwIDAQAB") | |||
</syntaxhighlight> | |||
Wait for DNS propagation of the new record. | |||
Finally add or replace the line related to <code>example.org</code> in <code>/etc/exim4/dkim_domains</code><syntaxhighlight lang="properties"> | |||
example.org: selector=example2017 key=/etc/exim4/private/example2017.dkim.example.org.private.pem strict=true | |||
</syntaxhighlight> | |||
== Key Rollover == | |||
As with any cryptographic material, you need to rotate the key regularly. A safe default is once a year. | |||
The process for a key rollover is the same as the initial domain creation. The additional step is that after about a week, the old key should be removed from the DNS. | |||
== Test == | |||
You can test your signatures server by sending a message to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com]. See [https://www.port25.com/authentication-checker/ details page] for advanced options. | |||
== References == | |||
<references /> | |||
[[Category:Email Server]] | |||
[[Category:Linux Server]] | |||
Latest revision as of 01:33, 8 January 2017
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing.
Initial Setup
First you need to create an empty file at /etc/exim4/dkim_domains.
Then, edit /etc/exim4/conf.d/main/00_local_settings and add[1]
DKIM_DOMAIN = ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}}
DKIM_SELECTOR = ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
DKIM_PRIVATE_KEY = ${extract{key}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
DKIM_CANON = ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}}
DKIM_STRICT = ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}}
Finally reload the configuration by using
$ sudo systemctl reload exim4.service
Add Domain
First choose a selector. DKIM allows each domain to have multiple keys (to allow key rotation, multiple senders…). Each key is identified by a selector. For the example, we will use example2017.
Then create the key
$ sudo openssl genrsa -out /etc/exim4/private/example2017.dkim.example.org.private.pem 2048
$ sudo openssl rsa -in /etc/exim4/private/example2017.dkim.example.org.private.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/
QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd
04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD
GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1
U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h
WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA
TwIDAQAB
-----END PUBLIC KEY-----
Next step is to create a DNS record. The value after p= is the public RSA key from the command above
# Record can be either one long line ([...] added for readability)
example2017._domainkey TXT "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0B[...]D0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSATwIDAQAB"
# or it can be split into multiple lines
example2017._domainkey TXT ("v=DKIM1;t=s;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/"
"QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd"
"04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD"
"GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1"
"U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h"
"WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA"
"TwIDAQAB")
Wait for DNS propagation of the new record.
Finally add or replace the line related to example.org in /etc/exim4/dkim_domains
example.org: selector=example2017 key=/etc/exim4/private/example2017.dkim.example.org.private.pem strict=true
Key Rollover
As with any cryptographic material, you need to rotate the key regularly. A safe default is once a year.
The process for a key rollover is the same as the initial domain creation. The additional step is that after about a week, the old key should be removed from the DNS.
Test
You can test your signatures server by sending a message to check-auth@verifier.port25.com. See details page for advanced options.
