[BlueOnyx:25554] Re: DKIM

Adam Lepp a at lepp.net
Fri Jul 29 14:12:30 -05 2022


Thanks, and it installed.
Could you please tell me how to edit the opendkim.conf (shown below) as well as any additional steps, as I'm afraid if I try it myself something will really go wrong. And I feel the entire group should have this documentation available.

I've looked at https://www.vttoth.com/CMS/technical-notes/356-setting-up-dkim-with-sendmail and https://www.agari.com/email-security-blog/dkim-setup/

And is there a way the DNS TXT can be generated via the GUI, like with Plesk?

-----------------
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim/INSTALL for detailed instructions.

## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid.  They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
##   AddAllSignatureResults
##   ADSPAction
##   ADSPNoSuchDomain
##   BogusPolicy
##   DisableADSP
##   LDAPSoftStart
##   LocalADSP
##   NoDiscardableMailTo
##   On-PolicyError
##   SendADSPReports
##   UnprotectedPolicy

## CONFIGURATION OPTIONS

##  Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
##  messages.
Mode    v

##  Log activity to the system log.
Syslog  yes

##  Log additional entries indicating successful signing or verification of messages.
SyslogSuccess   yes

##  If logging is enabled, include detailed logging about why or why not a message was
##  signed or verified. This causes an increase in the amount of log data generated
##  for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy  yes

##  Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

##  Create a socket through which your MTA can communicate.
Socket  inet:8891@localhost

##  Required to use local socket with MTAs that access the socket as a non-
##  privileged user (e.g. Postfix)
Umask   002

##  This specifies a text file in which to store DKIM transaction statistics.
##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics    /var/spool/opendkim/stats.dat

##  Specifies whether or not the filter should generate report mail back
##  to senders when verification fails and an address for such a purpose
##  is provided. See opendkim.conf(5) for details.
SendReports     yes

##  Specifies the sending address to be used on From: headers of outgoing
##  failure reports.  By default, the e-mail address of the user executing
##  the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster@example.com>

##  Add a DKIM-Filter header field to messages passing through this filter
##  to identify messages it has processed.
SoftwareHeader  yes

## SIGNING OPTIONS

##  Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/relaxed

##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
##  be verified rather than being signed. Uncomment and use your domain name.
##  This parameter is not required if a SigningTable is in use.
# Domain        example.com

##  Defines the name of the selector to be used when signing messages.
Selector        default

##  Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits  1024

##  Gives the location of a private key to be used for signing ALL messages. This
##  directive is ignored if KeyTable is enabled.
KeyFile /etc/opendkim/keys/default.private

##  Gives the location of a file mapping key names to signing keys. In simple terms,
##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
##  directive in the configuration file. Requires SigningTable be enabled.
# KeyTable      /etc/opendkim/KeyTable

##  Defines a table used to select one or more signatures to apply to a message based
##  on the address found in the From: header field. In simple terms, this tells
##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
# SigningTable  refile:/etc/opendkim/SigningTable

##  Identifies a set of "external" hosts that may send mail through the server as one
##  of the signing domains without credentials as such.
# ExternalIgnoreList    refile:/etc/opendkim/TrustedHosts

##  Identifies a set of "internal" hosts whose mail should be signed rather than verified.
# InternalHosts refile:/etc/opendkim/TrustedHosts

##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
##  whose mail should be neither signed nor verified by this filter.  See man
##  page for file format.
# PeerList      X.X.X.X

##  Always oversign From (sign using the actual From and a null From) to prevent
##  malicious insertion of header fields (From and/or others) between the signer
##  and the verifier. From is oversigned by default in the Fedora package
##  because it is often the identity key used by reputation systems and thus
##  somewhat security sensitive.
OversignHeaders From

##  Instructs the DKIM library to maintain its own local cache of keys and
##  policies retrieved from DNS, rather than relying on the nameserver for
##  caching service. Useful if the nameserver being used by the filter is
##  not local.
# QueryCache    yes

-------------------------------

-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael Stauber
Sent: Friday, July 29, 2022 2:31 PM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:25552] Re: DKIM

Hi Adam,

> A long-time client informed me today that RoundCube emails sent to Gmail bounce back, and the rejection message says no SPF or DKIM found.
> This was never previously an issue.
> I've installed DKIM on my DNS via a Plesk server, and it's quite easy.  Gmail problems were fixed immediately.
> In referencing a previous thread, “yum install opendkim” says no package available.
> 5209R /  CentOS Linux release 7.9.2009 (Core) at Virtbiz.
> Can anyone help, please?


Very well. I just dropped the OpenDKIM (and its dependencies) from Epel into the BlueOnyx 5209R and BlueOnyx 5210R YUM repositories.

You should be able to install it this way:

yum install opendkim

Let me know if you run into any problems like missing dependencies or similar and I'll fetch what else might be missing as well.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
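The thread asks how the DNS TXT record for the Selector/Domain in opendkim.conf is produced and checked. The following is an added example, not code from the list, from BlueOnyx or from OpenDKIM: it builds the `selector._domainkey.domain` TXT record from a public-key PEM (opendkim-genkey writes the same record into `default.txt`), splits it into the 255-byte strings DNS requires (a common failure when publishing 2048-bit keys as one string), and re-parses a published record to confirm the `p=` key decodes and meets the `MinimumKeyBits 1024` from the posted configuration before Mode is switched to `sv`. The key material is a constructed stand-in (a 2048-bit number and exponent 65537, not a real key pair); the function names and the domain `example.com` are assumptions for the illustration.

```python
import base64

# Minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo,
# which is exactly what the p= tag of a DKIM TXT record carries (RFC 6376).

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def rsa_spki_der(n, e):
    """DER-encode an RSA public key as SubjectPublicKeyInfo."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))          # RSAPublicKey ::= SEQUENCE { n, e }
    alg = _der(0x30, RSA_OID + b"\x05\x00")                 # AlgorithmIdentifier with NULL params
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Size in bits of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, spki, _ = _read_tlv(spki_der, 0)
    _, _, pos = _read_tlv(spki, 0)               # skip AlgorithmIdentifier
    _, bitstr, _ = _read_tlv(spki, pos)          # BIT STRING holding RSAPublicKey
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)     # bitstr[0] is the unused-bits count
    tag, n_bytes, _ = _read_tlv(rsa_key, 0)      # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def dkim_txt_record(pem_public_key, selector, domain):
    """Return (owner name, list of TXT strings) for the Selector/Domain of opendkim.conf.
    One TXT character-string may not exceed 255 bytes, so long keys are split into
    several strings; resolvers and verifiers concatenate them again."""
    p = base64.b64encode(pem_to_der(pem_public_key)).decode()
    value = f"v=DKIM1; k=rsa; p={p}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}", chunks

def parse_dkim_record(chunks):
    """Concatenate the TXT strings and parse the tag=value list into a dict."""
    tags = {}
    for part in "".join(chunks).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # whitespace inside a value is ignored
    return tags

def check_dkim_record(chunks, minimum_key_bits=1024):
    """Checks a verifier applies before trusting the key; mirrors MinimumKeyBits.
    Returns (ok, list of findings)."""
    tags = parse_dkim_record(chunks)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        findings.append("only k=rsa keys are handled here")
    p = tags.get("p")
    if p is None:
        findings.append("p= tag missing")
    elif p == "":
        findings.append("p= is empty: key is revoked")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(p))
        except Exception:
            findings.append("p= is not a valid base64 SubjectPublicKeyInfo")
        else:
            if bits < minimum_key_bits:
                findings.append(f"key is {bits} bits, below MinimumKeyBits {minimum_key_bits}")
    return (not findings), findings

# Constructed stand-in values (NOT a real key pair): a 2048-bit odd number plays the
# modulus and 65537 the exponent, enough to exercise the encoding. In a real setup the
# PEM comes from the key pair opendkim-genkey or openssl produced for the selector.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_E = 65537
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(rsa_spki_der(SAMPLE_N, SAMPLE_E)).decode()
              + "-----END PUBLIC KEY-----\n")
```

`dkim_txt_record(SAMPLE_PEM, "default", "example.com")` yields the owner name `default._domainkey.example.com` and two quoted strings to publish as one TXT record; after publishing, feeding the strings returned by a DNS lookup into `check_dkim_record` confirms the record decodes and the key size is acceptable, which is the state OpenDKIM expects when `Mode` is changed from `v` to `sv` with `Domain`, `Selector` and `KeyFile` pointing at the matching private key.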




