During the long-lived PR, multiple contributions to the existing Github Wiki were made, this commit applies those here and mentions the files and authors attributed to the changes: JaapD: dkim.md + forward-only-mailserver-with-ldap-authentication.md Added corrections to `setup.sh config dkim` command. Added compatibility warning about 4096-bit key sizes or greater. Added ldap tip. --- fred727-temp: optional-config.md Added a mention for `user-patches.sh`. --- Semir Patel: setup.sh.md + debugging.md Minor corrections. Additionally corrected `tvial` references that had already been updated in this PR series. --- Stefan Neben: kubernetes.md > Port 25 proxy protocol configuration in master.cf was missing docs(sync): Add Github Wiki contributions > IMAP with STARTTLS is also active, so we need that option here as well docs(sync): Add Github Wiki contribution
4.7 KiB
title |
---|
Best Practices | DKIM |
DKIM is a security measure targeting email spoofing. It is greatly recommended one activates it.
!!! seealso See the Wikipedia page for more details on DKIM.
Enabling DKIM Signature
To enable DKIM signature, you must have created at least one email account. Once its done, just run the following command to generate the signature:
./setup.sh config dkim
After generating DKIM keys, you should restart the mail server. DNS edits may take a few minutes to hours to propagate. The script assumes you're being in the directory where the config/
directory is located. The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS provider limits the size), then provide the size as the first parameter of the command:
./setup.sh config dkim keysize <keysize>
For LDAP systems that do not have any directly created user account you can run the following command (since 8.0.0
) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains):
./setup.sh config dkim keysize <key-size> domain <domain.tld>[,<domain2.tld>]
Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. If you have direct access to your DNS zone file, then it's only a matter of pasting the content of config/opendkim/keys/domain.tld/mail.txt
in your domain.tld.hosts
zone.
$ dig mail._domainkey.domain.tld TXT
---
;; ANSWER SECTION
mail._domainkey.<DOMAIN> 300 IN TXT "v=DKIM1; k=rsa; p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN"
Configuration using a Web Interface
- Generate a new record of the type
TXT
. - Paste
mail._domainkey
theName
txt field. - In the
Target
orValue
field fill inv=DKIM1; k=rsa; p=AZERTYUGHJKLMWX...
. - In
TTL
(time to live): Time span in seconds. How long the DNS server should cache theTXT
record. - Save.
!!! note
Sometimes the key in config/opendkim/keys/domain.tld/mail.txt
can be on multiple lines. If so then you need to concatenate the values in the TXT record:
$ dig mail._domainkey.domain.tld TXT
---
;; ANSWER SECTION
mail._domainkey.<DOMAIN> 300 IN TXT "v=DKIM1; k=rsa; "
"p=AZERTYUIOPQSDF..."
"asdfQWERTYUIOPQSDF..."
The target (or value) field must then have all the parts together: v=DKIM1; k=rsa; p=AZERTYUIOPQSDF...asdfQWERTYUIOPQSDF...
Verify-Only
If you want DKIM to only verify incoming emails, the following version of /etc/opendkim.conf
may be useful (right now there is no easy mechanism for installing it other than forking the repo):
# This is a simple config file verifying messages only
#LogWhy yes
Syslog yes
SyslogSuccess yes
Socket inet:12301@localhost
PidFile /var/run/opendkim/opendkim.pid
ReportAddress postmaster@my-domain.com
SendReports yes
Mode v
Switch Off DKIM
Simply remove the DKIM key by recreating (not just relaunching) the mailserver container.
Debugging
- DKIM-verifer: A add-on for the mail client Thunderbird.
- You can debug your TXT records with the
dig
tool.
$ dig TXT mail._domainkey.domain.tld
---
; <<>> DiG 9.10.3-P4-Debian <<>> TXT mail._domainkey.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39669
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail._domainkey.domain.tld. IN TXT
;; ANSWER SECTION:
mail._domainkey.domain.tld. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxBSjG6RnWAdU3oOlqsdf2WC0FOUmU8uHVrzxPLW2R3yRBPGLrGO1++yy3tv6kMieWZwEBHVOdefM6uQOQsZ4brahu9lhG8sFLPX4MaKYN/NR6RK4gdjrZu+MYSdfk3THgSbNwIDAQAB"
;; Query time: 50 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Sep 07 18:22:57 CEST 2016
;; MSG SIZE rcvd: 310
!!! warning "Key sizes >=4096-bit"
Keys of 4096 bits could de denied by some mailservers. According to https://tools.ietf.org/html/rfc6376 keys are preferably between 512 and 2048 bits. See issue [#1854][github-issue-1854].