From 1fbabeefc0eb910ebc75f960abe401766fe96be6 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:17:07 +0100 Subject: [PATCH] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 33 ++++++++++------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 2b84625d..68e46acd 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
@@ -4,28 +4,22 @@ DKIM is a security measure targeting email spoofing. It is greatly recommended o To enable DKIM signature, **you must have created at least one email account**. -Once its done, just run the following command to generate the signature (here show from inside the directory of docker-compose.yml in order to use a volume on ./config): +Once its done, just run the following command to generate the signature: ```BASH -docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:latest generate-dkim-config +./setup.sh config dkim ``` -The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: +The script assumes you're being in the directory where the `config/` directory is located. The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: ```BASH -docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:latest generate-dkim-config 4096 +./setup.sh config dkim ``` For LDAP systems that do not have any directly created user account you can run the following command (since `8.0.0`) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains): ```BASH -docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti docker-mailserver/docker-mailserver:latest generate-dkim-config [,] +./setup.sh config dkim [,] ``` Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. 
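Review bot: the second code block in this hunk loses the key-size argument that the sentence right above it tells the reader to pass. The old command ended in `generate-dkim-config 4096`; the replacement is just `./setup.sh config dkim`, byte-for-byte the same as the first block, so "provide the size as the first parameter of the command" now has nothing illustrating it. If `setup.sh config dkim` takes the size as its next argument, as the prose implies, show it, e.g. `./setup.sh config dkim 4096`. Two wording points in the added lines while you are there: "Once its done" should be "Once it's done", and "assumes you're being in the directory" should be "assumes you are in the directory".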
@@ -33,10 +27,10 @@ Now the keys are generated, you can configure your DNS server with DKIM signatur If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. ``` TXT -; OpenDKIM -mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ) ; ----- DKIM key mail for domain.tld - +$ dig mail._domainkey.domain.tld TXT +--- +;; ANSWER SECTION +mail._domainkey. 300 IN TXT "v=DKIM1; k=rsa; p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ```
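Review bot: the replacement block no longer matches the unchanged sentence above it, which still says to paste the content of `config/opendkim/keys/domain.tld/mail.txt` into the `domain.tld.hosts` zone; what is shown now is a `dig` query result, so the zone-file text the reader is told to paste has disappeared from the page. The `dig` output is also not what `dig` prints: the owner name would be `mail._domainkey.domain.tld.` (the domain is missing), the section header is `;; ANSWER SECTION:` with a trailing colon, and the `---` line is not part of `dig` output. Suggest keeping the `mail.txt` record as the thing to paste and, if a verification step is wanted, adding the `dig mail._domainkey.domain.tld TXT` query as a separate block whose output reproduces what the tool actually prints.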
@@ -55,10 +49,12 @@ After generating DKIM keys, you should restart the mail server. DNS edits may ta Note: Sometimes the key in `config/opendkim/keys/domain.tld/mail.txt` can be on multiple lines. If so then you need to concatenate the values in the TXT record: ``` -; OpenDKIM +$ dig mail._domainkey.domain.tld TXT +--- +;; ANSWER SECTION mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=AZERTYUIOPQSDF..." - "asdfQWERTYUIOPQSDF..." ) ; ----- DKIM key mail for domain.tld + "asdfQWERTYUIOPQSDF..." ) ``` the target (or value) field must then have all the parts together: `v=DKIM1; k=rsa; p=AZERTYUIOPQSDF...asdfQWERTYUIOPQSDF...` @@ -66,7 +62,8 @@ the target (or value) field must then have all the parts together: `v=DKIM1; k=r ## Verify-only If you want DKIM to only _verify_ incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): -``` + +``` TXT # This is a simple config file verifying messages only #LogWhy yes
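Review bot: in the hunk at `@@ -55,10 +49,12 @@` the block mixes a `dig` banner with zone-file syntax. `dig` prints the TXT strings quoted and space-separated on one line, as in `"v=DKIM1; k=rsa; " "p=AZERTYUIOPQSDF..." "asdfQWERTYUIOPQSDF..."`; it never shows the parenthesised multi-line form that follows the banner here. The note above the block explicitly talks about the key in `mail.txt` spanning several lines, which is exactly what the removed `; OpenDKIM` form showed, and the sentence after the block ("the target (or value) field must then have all the parts together") only makes sense against that file form. Suggest restoring the `mail.txt` rendering here rather than the `dig` header.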
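Review bot: in the hunk at `@@ -66,7 +62,8 @@` the fence added for the `/etc/opendkim.conf` sample is tagged `TXT`, which in the rest of this file marks a DNS TXT record; this block is an OpenDKIM configuration file, so the tag misleads, and the space in "``` TXT" differs from the "```BASH" style used earlier in the same document and is not honoured by every Markdown renderer. Suggest a plain fence or a neutral tag written without the space.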