Difference between revisions of "Exim/DKIM"
(Created page with "[https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail DomainKeys Identified Mail (DKIM)] is an email authentication method designed to detect email spoofing. == Initial...")
(Add key generation)
Line 10: | Line 10: | ||
DKIM_STRICT = ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}} | DKIM_STRICT = ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}} | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | == Add Domain == | ||
+ | First choose a selector. DKIM allows each domain to have multiple keys (to allow key rotation, multiple senders…). Each key is identified by a selector. For the example, we will use ''example2016''. | ||
+ | |||
+ | Then create the key<syntaxhighlight lang="console"> | ||
+ | # openssl genrsa -out /etc/exim4/private/example2016.dkim.example.org.private.pem 2048 | ||
+ | # openssl rsa -in /etc/exim4/private/example2016.dkim.example.org.private.pem -pubout | ||
+ | writing RSA key | ||
+ | -----BEGIN PUBLIC KEY----- | ||
+ | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/ | ||
+ | QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd | ||
+ | 04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD | ||
+ | GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1 | ||
+ | U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h | ||
+ | WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA | ||
+ | TwIDAQAB | ||
+ | -----END PUBLIC KEY----- | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Next step is to create a DNS record. The <syntaxhighlight lang="bash"> | ||
+ | # Record can be either one long line ([...] added for readability) | ||
+ | example2016._domainkey TXT "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0B[...]D0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSATwIDAQAB" | ||
+ | # or it can be split into multiple lines | ||
+ | example2016._domainkey TXT ("v=DKIM1;t=s;p=" | ||
+ | "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/" | ||
+ | "QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd" | ||
+ | "04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD" | ||
+ | "GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1" | ||
+ | "U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h" | ||
+ | "WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA" | ||
+ | "TwIDAQAB") | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Finally add a line to <code>/etc/exim4/dkim_domains</code><syntaxhighlight lang="properties"> | ||
+ | example.org: selector=example2016 key=/etc/exim4/private/example2016.dkim.example.org.private.pem strict=true | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == Test == | ||
+ | You can test your signatures server by sending a message to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com]. See [https://www.port25.com/support/authentication-center/email-verification/ details page] for advanced options. |
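Review bot: the key-generation step (the openssl genrsa line) says nothing about who may read /etc/exim4/private/example2016.dkim.example.org.private.pem. Exim reads the key at delivery time as its run-time user (Debian-exim on the Debian layout this page uses), so the Add Domain section should state that the directory and file must be readable by that user and by nobody else, for example ownership root:Debian-exim and mode 0640; with strict=true in the dkim_domains line an unreadable key makes Exim defer the message instead of sending it unsigned, and a world-readable key lets anyone on the host sign as the domain. Two smaller points: the sentence "Next step is to create a DNS record. The" is left dangling before the syntaxhighlight block, and "test your signatures server" in the Test section should read "test your server's signatures".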
Revision as of 07:38, 7 June 2016
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing.
Initial Setup
- Create an empty file at /etc/exim4/dkim_domains
- Edit /etc/exim4/conf.d/main/00_local_settings and add
DKIM_DOMAIN = ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}}
DKIM_SELECTOR = ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
DKIM_PRIVATE_KEY = ${extract{key}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
DKIM_CANON = ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}}
DKIM_STRICT = ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}}
Add Domain
First choose a selector. DKIM allows each domain to have multiple keys (to allow key rotation, multiple senders…). Each key is identified by a selector. For the example, we will use example2016.
Then create the key
# openssl genrsa -out /etc/exim4/private/example2016.dkim.example.org.private.pem 2048
# openssl rsa -in /etc/exim4/private/example2016.dkim.example.org.private.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/
QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd
04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD
GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1
U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h
WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA
TwIDAQAB
-----END PUBLIC KEY-----
The next step is to create a DNS record.
# Record can be either one long line ([...] added for readability)
example2016._domainkey TXT "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0B[...]D0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSATwIDAQAB"
# or it can be split into multiple lines
example2016._domainkey TXT ("v=DKIM1;t=s;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/"
"QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd"
"04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD"
"GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1"
"U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h"
"WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA"
"TwIDAQAB")
Finally add a line to /etc/exim4/dkim_domains
example.org: selector=example2016 key=/etc/exim4/private/example2016.dkim.example.org.private.pem strict=true
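Before relying on the Test section, it is worth checking that what was published in DNS is really the key Exim will sign with. The following script is an added example, not part of the wiki page or of Exim: it strips the PEM armour from the "openssl rsa -pubout" output, joins the quoted strings of the TXT record (either the one-line or the parenthesised multi-string form shown above) into DKIM tags, and compares the p= value and the record name against the selector from the dkim_domains line. The sample key and record are the ones printed on this page; in practice feed it the output of openssl and of a TXT query for example2016._domainkey.example.org.

```python
import re

# Sample inputs copied from the page above: the printed public key and the multi-string TXT record.
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/
QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd
04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD
GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1
U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h
WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA
TwIDAQAB
-----END PUBLIC KEY-----"""
ZONE_LINE = '''example2016._domainkey TXT ("v=DKIM1;t=s;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/"
"QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd"
"04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD"
"GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1"
"U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h"
"WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA"
"TwIDAQAB")'''

def pem_to_dkim_p(pem):
    """DKIM publishes the bare base64: drop the PEM armour and line breaks."""
    return "".join(l for l in pem.splitlines() if not l.startswith("-----"))

def parse_dkim_txt(rdata):
    """Concatenate the quoted strings of a TXT RDATA (one string or the
    parenthesised multi-string form) and split the result into tag=value pairs."""
    joined = "".join(re.findall(r'"([^"]*)"', rdata))
    tags = {}
    for item in joined.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags

def check_published_key(pem, zone_line, selector):
    """Return the problems found; an empty list means the record belongs to
    the selector and carries the public key derived from the private key."""
    name, _, rdata = zone_line.partition(" TXT ")
    tags = parse_dkim_txt(rdata)
    problems = []
    if name.strip() != selector + "._domainkey":
        problems.append("record name is not %s._domainkey" % selector)
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional and defaults to DKIM1
        problems.append("v= must be DKIM1 when present")
    if tags.get("p") != pem_to_dkim_p(pem):
        problems.append("p= does not match the public key of the private key file")
    return problems
```

The t=s flag that the record also carries only tells verifiers that the i= identity must be exactly the d= domain, not a subdomain; it does not affect the key comparison.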
Test
You can test your server's signatures by sending a message to check-auth@verifier.port25.com. See the details page (https://www.port25.com/support/authentication-center/email-verification/) for advanced options.