OpenDKIM
Created on 2020-10-03T23:58:45+00:00
- Processes DKIM-related tasks.
- Includes daemon to sign/verify e-mails.
Generate keys
opendkim-genkey -r -h sha256 -d iceworks.cc -s mail
- -r: restricts the key to e-mail signing only
- -h: controls the hashing algorithm used
- -d: which domain to create the key for
- -s: the selector, a special name for the key
The selector is later used as the first label of your DNS record name:
mail._domainkey.iceworks 300 TXT "v=DKIM1; h=sha256; k=rsa; p="
Configs
/etc/opendkim/KeyTable
    iceworks.cc iceworks.cc:mail:/path/to/private/key

/etc/opendkim/SigningTable
    *@iceworks.cc iceworks.cc

/etc/opendkim/TrustedHosts
    127.0.0.1

/etc/opendkim.conf
    ## https://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
    Canonicalization relaxed/relaxed
    ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
    InternalHosts refile:/etc/opendkim/TrustedHosts
    KeyTable refile:/etc/opendkim/KeyTable
    LogWhy Yes
    MinimumKeyBits 1024
    Mode sv
    PidFile /var/run/opendkim/opendkim.pid
    SigningTable refile:/etc/opendkim/SigningTable
    Socket inet:8891@localhost
    Syslog Yes
    SyslogSuccess Yes
    TemporaryDirectory /var/tmp
    UMask 022
    UserID opendkim:opendkim
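If using Postfix, tell it to use the filter daemon (milter). This will sign emails leaving the server with your keys. With milter_default_action = accept, Postfix proceeds as if the filter were not present whenever the daemon is unavailable, so mail then leaves the server unsigned.

/etc/postfix/main.cf
    smtpd_milters = inet:127.0.0.1:8891
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept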
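
A cross-check of the KeyTable, SigningTable and opendkim.conf listed under Configs, written as an added example that is not part of the original notes or of OpenDKIM: it resolves each SigningTable entry to the DNS name where the public key must be published and reports entries that cannot sign. The function names, the sample strings and the rule that only lines starting with "#" are comments are assumptions of this example.

```python
# Constructed sample input mirroring the three files shown on this page.
KEY_TABLE = "iceworks.cc iceworks.cc:mail:/path/to/private/key\n"
SIGNING_TABLE = "*@iceworks.cc iceworks.cc\n"
CONF = "## comment line\nMinimumKeyBits 1024\nMode sv\n"


def rows(text):
    """Yield the whitespace-separated fields of each non-comment line."""
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            yield fields


def audit(key_table, signing_table, conf):
    """Return (dns_names, findings) for the contents of the three files."""
    keys, names, findings = {}, [], []
    for fields in rows(key_table):
        spec = fields[1].split(":", 2) if len(fields) > 1 else []
        if len(spec) != 3:
            findings.append(f"KeyTable {fields[0]}: want domain:selector:keyfile")
            continue
        keys[fields[0]] = spec  # [signing domain, selector, private key path]
    for fields in rows(signing_table):
        pattern = fields[0]
        key_name = fields[1] if len(fields) > 1 else None
        if key_name not in keys:
            findings.append(f"SigningTable {pattern}: no usable KeyTable entry")
            continue
        domain, selector, _ = keys[key_name]
        # Verifiers fetch the public key from <selector>._domainkey.<domain>.
        names.append(f"{selector}._domainkey.{domain}")
        sender = pattern.rsplit("@", 1)[-1]
        if "*" not in sender and sender != domain:
            findings.append(f"{pattern}: signed as d={domain}, not {sender}")
    # Settings absent from the file are not judged here.
    settings = {f[0].lower(): f[1] for f in rows(conf) if len(f) > 1}
    if "s" not in settings.get("mode", "s"):
        findings.append("Mode lacks 's': the tables are never used to sign")
    if int(settings.get("minimumkeybits", 1024)) < 1024:
        # RFC 8301: RSA keys under 1024 bits must not validate.
        findings.append("MinimumKeyBits is below the RFC 8301 floor of 1024")
    return names, findings


if __name__ == "__main__":
    print(audit(KEY_TABLE, SIGNING_TABLE, CONF))
```

To run it against a live host, pass the contents of the real files in place of the sample strings.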