Exim/DKIM
Latest revision as of 01:33, 8 January 2017

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing: the sending server signs selected headers and the body with a private key, and the matching public key is published in DNS under a selector, so receivers can check that the message was authorised by the domain and was not altered in transit.

Initial Setup

First you need to create an empty file at /etc/exim4/dkim_domains. It will hold one line per domain that Exim signs for; a sender domain without a line is sent unsigned.

Then, edit /etc/exim4/conf.d/main/00_local_settings and add[1] the macros below. Debian's remote_smtp transport configuration picks them up through .ifdef DKIM_DOMAIN blocks and passes them to Exim's dkim_domain, dkim_selector, dkim_private_key, dkim_canon and dkim_strict options.

# Look the sender domain up in /etc/exim4/dkim_domains; an empty DKIM_DOMAIN
# means the message is not signed.
DKIM_DOMAIN =      ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}}
# Fields of the matching line. The key file is read by the transport, which
# runs as the Exim user (Debian-exim), so it must be readable by that user.
DKIM_SELECTOR =    ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
DKIM_PRIVATE_KEY = ${extract{key}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
# canon and strict are optional; they fall back to relaxed and false.
DKIM_CANON =       ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}}
DKIM_STRICT =      ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}}

Finally reload Exim so the new macros take effect (on Debian the reload regenerates the configuration from conf.d and then signals the daemon):

$ sudo systemctl reload exim4.service

Add Domain

First choose a selector. DKIM allows each domain to have multiple keys (to allow key rotation, multiple senders…). Each key is identified by a selector. For the example, we will use example2017.

Then create a 2048-bit RSA key and print its public half. The private key is read by the remote_smtp transport, which runs as the Debian-exim user rather than root, so once the file exists make it readable by that user and nobody else (for instance owner root, group Debian-exim, mode 640) and check that it is not world-readable.

$ sudo openssl genrsa -out /etc/exim4/private/example2017.dkim.example.org.private.pem 2048
$ sudo openssl rsa -in /etc/exim4/private/example2017.dkim.example.org.private.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/
QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd
04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD
GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1
U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h
WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA
TwIDAQAB
-----END PUBLIC KEY-----

Next step is to create a DNS record named after the selector in the example.org zone (example2017._domainkey.example.org). The value after p= is the public key from the command above with the BEGIN/END lines and the line breaks removed. v=DKIM1 must be the first tag, and t=s tells verifiers that the key is valid for the exact d= domain only, so a subdomain cannot reuse it.

# Record can be either one long line ([...] added for readability). A single
# quoted string in a TXT record is limited to 255 bytes, so a zone file needs
# the split form below; some DNS provider interfaces accept the long value and
# split it themselves.
example2017._domainkey TXT "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0B[...]D0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSATwIDAQAB"
# or it can be split into multiple strings, which verifiers concatenate
example2017._domainkey TXT ("v=DKIM1;t=s;p="
                            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/"
                            "QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd"
                            "04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD"
                            "GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1"
                            "U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h"
                            "WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA"
                            "TwIDAQAB")

Wait for DNS propagation of the new record before switching Exim to it: a message signed with a selector that the receiver's resolver cannot find yet fails verification.
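As an added example that is not part of the original page, the shell script below builds the TXT record from the public key printed by openssl rsa -pubout, splits the value into strings of at most 255 bytes (the limit for one character-string in a TXT record), rejects records that break that limit, and, once the record has propagated, compares the p= value served by DNS with the local key. The embedded public key is the sample shown above; dkim_dns_matches assumes dig is installed and is meant for an online run only.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the TXT record for
# <selector>._domainkey from the public key printed by `openssl rsa -pubout`,
# keep every quoted string within the 255-byte limit of a TXT character-string,
# and (once the record has propagated) compare what DNS serves with the local key.

# Constructed input: the sample public key shown on this page.
SAMPLE_PUBKEY_PEM='-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/
QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd
04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD
GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1
U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h
WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA
TwIDAQAB
-----END PUBLIC KEY-----'

# pem_to_p PEM: the base64 body with the armour lines and line breaks removed,
# which is exactly the p= value of the DKIM record.
pem_to_p() {
    printf '%s\n' "$1" | sed '/^-----/d' | tr -d '\n\r '
}

# dkim_txt_record SELECTOR PEM: zone-file TXT record. t=s restricts the key to
# the exact d= domain (no subdomains). The value is cut into strings of at
# most 255 bytes; verifiers concatenate them.
dkim_txt_record() {
    value="v=DKIM1;t=s;p=$(pem_to_p "$2")"
    printf '%s._domainkey TXT (\n' "$1"
    printf '%s\n' "$value" | fold -w 255 | sed 's/.*/    "&"/'
    printf ')\n'
}

# check_txt_strings: read a record on stdin and fail if any quoted string is
# longer than 255 bytes (a zone file rejects it, some providers truncate it,
# and a truncated p= fails every verification).
check_txt_strings() {
    awk '
        {
            line = $0
            while (match(line, /"[^"]*"/)) {
                if (RLENGTH - 2 > 255) bad = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# dkim_dns_matches SELECTOR DOMAIN PEM: compare the p= served by DNS with the
# local public key. Needs network access and dig, so the stand-alone run
# below does not call it.
dkim_dns_matches() {
    want=$(pem_to_p "$3")
    got=$(dig +short TXT "$1._domainkey.$2" | tr -d '" ' | tr ';' '\n' \
          | sed -n 's/^p=//p' | head -n 1)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Stand-alone run: print the record for the page's selector once it passes the check.
if dkim_txt_record example2017 "$SAMPLE_PUBKEY_PEM" | check_txt_strings; then
    dkim_txt_record example2017 "$SAMPLE_PUBKEY_PEM"
fi
```

After the record is published, run dkim_dns_matches example2017 example.org "$(sudo openssl rsa -in /etc/exim4/private/example2017.dkim.example.org.private.pem -pubout 2>/dev/null)" on the mail server; a zero exit status means the resolver you use sees the same key that Exim will sign with, which is the moment the dkim_domains line can be switched.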

Finally add or replace the line for example.org in /etc/exim4/dkim_domains. The fields map onto the macros from the initial setup: selector and key are required, canon is optional and defaults to relaxed, and strict=true makes Exim defer the message instead of sending it unsigned when signing fails (for example because the key file is unreadable by the Exim user), so a misconfiguration shows up in the queue rather than as unsigned mail.

example.org: selector=example2017 key=/etc/exim4/private/example2017.dkim.example.org.private.pem strict=true
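As an added example, not from the wiki page, the following shell script reproduces what the DKIM_* macros from the initial setup look up in /etc/exim4/dkim_domains for a sender domain, and runs the checks you would otherwise only discover at delivery time: a missing entry, a selector that is not a valid DNS name, and a key file that is missing, not a PEM private key, or readable by everyone. The file format and field names are the ones used on this page; the fixture directory, the placeholder key files and the optional Exim user name Debian-exim (Debian's default) are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki page: emulate the lookup that the DKIM_*
# macros do in /etc/exim4/dkim_domains and check an entry before Exim has to
# rely on it at delivery time. The file format and field names are the ones
# used on this page; the fixture below and the Debian-exim user name are
# assumptions for the demonstration.

# dkim_entry DOMAIN FILE: print the part after "DOMAIN:" on the matching line,
# like the lsearch lookup in the DKIM_* macros (exact key match, comments and
# blank lines skipped). Prints nothing when the domain has no line.
dkim_entry() {
    awk -v d="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            split($0, kv, ":")
            if (kv[1] == d) { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        }' "$2"
}

# dkim_field NAME ENTRY: value of NAME=value inside ENTRY, empty if absent
# (the macros default canon to relaxed and strict to false in that case).
dkim_field() {
    printf '%s\n' "$2" | tr ' \t' '\n\n' | sed -n "s/^$1=//p" | head -n 1
}

# dkim_check_domain DOMAIN FILE [EXIM_USER]: validate the entry for DOMAIN.
# Prints the first problem found and returns 1; returns 0 when all checks pass.
dkim_check_domain() {
    entry=$(dkim_entry "$1" "$2")
    [ -n "$entry" ] || { echo "$1: no entry, mail from it leaves unsigned"; return 1; }
    selector=$(dkim_field selector "$entry")
    key=$(dkim_field key "$entry")
    # The selector becomes the DNS name <selector>._domainkey.<domain>.
    case $selector in
        "") echo "$1: selector missing"; return 1 ;;
        *[!A-Za-z0-9.-]*) echo "$1: selector '$selector' is not a valid DNS name"; return 1 ;;
    esac
    [ -f "$key" ] || { echo "$1: key file '$key' missing"; return 1; }
    grep -q 'PRIVATE KEY-----' "$key" || { echo "$1: '$key' is not a PEM private key"; return 1; }
    # The signing key must not be readable by every local user.
    [ -z "$(find "$key" -perm -004)" ] || { echo "$1: '$key' is world-readable"; return 1; }
    # The remote_smtp transport runs as the Exim user, not root, so it needs
    # the key through ownership or group membership.
    if [ -n "$3" ] && [ -z "$(find "$key" -user "$3" -o -group "$3")" ]; then
        echo "$1: '$key' is neither owned by nor in the group of $3"; return 1
    fi
    return 0
}

# make_sample_dir: constructed fixture for the stand-alone run, printed as a
# path: a dkim_domains file and two placeholder key files with different modes.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed placeholder, not a key' \
        '-----END RSA PRIVATE KEY-----' > "$dir/good.pem"
    cp "$dir/good.pem" "$dir/leaky.pem"
    chmod 600 "$dir/good.pem"
    chmod 644 "$dir/leaky.pem"
    cat > "$dir/dkim_domains" <<EOF
# domain: selector=... key=... [canon=relaxed|simple] [strict=true|false]
example.org: selector=example2017 key=$dir/good.pem strict=true
example.net: selector=example2017 key=$dir/leaky.pem strict=true
example.com: selector=example_2017 key=$dir/good.pem
EOF
    echo "$dir"
}

# Stand-alone run: example.org passes, example.net has a world-readable key,
# example.com has a selector that is not a valid DNS name.
sample=$(make_sample_dir)
for d in example.org example.net example.com; do
    if dkim_check_domain "$d" "$sample/dkim_domains"; then echo "$d: ok"; fi
done
rm -rf "$sample"
```

On a real host, run dkim_check_domain example.org /etc/exim4/dkim_domains Debian-exim as root after editing the file; the optional third argument adds the ownership check for the user the remote_smtp transport runs as, which is the user that actually has to open the key.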

Key Rollover

As with any cryptographic material, you need to rotate the signing key regularly. Once a year is a reasonable default, and rotate immediately if the private key may have been exposed.

The process for a key rollover is the same as the initial domain creation: choose a new selector, generate a new key, publish its record, wait for propagation, then replace the example.org line in dkim_domains so it points at the new selector and key file. The additional step is that after about a week, once no mail signed with the old key can still be queued for retry or in transit, the old selector's record is removed from DNS and the old private key is deleted.

Test

You can test your signing setup by sending a message from the domain to check-auth@verifier.port25.com; the automated reply reports whether the DKIM signature verified, alongside the SPF result. See the details page for advanced options.

References

[1] https://debian-administration.org/users/lee/weblog/51