DomainKeys Identified Mail (DKIM) is a cryptographic mechanism by which a domain owner publishes, in DNS, the public halves of the key pairs used to sign outgoing email. A receiving party that verifies the signature gains a degree of confidence that the message passed through infrastructure the domain owner designated and authorized for that purpose. In other words, it is a "been here" stamp: it vouches for where the message came from, not for what it says.
This article explains how to configure a Kolab environment to sign mail messages with DKIM and verify DKIM signatures on inbound email.
This article assumes the Kolab installation is a single-tenant, single-domain and single-system installation.
In distributed deployments, verification belongs on the inbound mail exchangers and signing on the outbound mail exchangers. With more than one domain, the per-domain steps below (a key, a dkim_key entry, a sender-domain mapping and a DNS record) are repeated for each domain. In hosted environments, where the set of domains is large and changes constantly, consider a fall-back key under a domain you control, used for sender domains that have no key of their own.
Generating a Domain Private Key
To generate the private key, create a directory that only root and the amavis group can enter, then let Amavis generate a 4096-bit RSA key into it:
# mkdir /etc/amavisd/dkim/
# chown root:amavis /etc/amavisd/dkim/
# chmod 750 /etc/amavisd/dkim/
# amavisd -c /etc/amavisd/amavisd.conf genrsa /etc/amavisd/dkim/example.com.dkim20180723.pem 4096
Examining /etc/amavisd/dkim/example.com.dkim20180723.pem will show an RSA private key. Note that the file name carries both the domain and the key identifier (dkim20180723, which becomes the DKIM selector); naming keys this way keeps rotation straightforward, since a new key simply gets a new dated identifier and its own DNS record alongside the old one.
The file was created by the root superuser, so make sure the amavis user can read it through its group, and nobody else can:
# chgrp amavis /etc/amavisd/dkim/example.com.dkim20180723.pem
# chmod g+r /etc/amavisd/dkim/example.com.dkim20180723.pem
Do not make the key world-readable: anyone who can read it can produce valid signatures for the domain.
Add DKIM Configuration to Amavis
Adding the key to Amavis takes two steps: registering the key file in the configuration, and then configuring which sender domains are signed with it.
To register the key, edit /etc/amavisd/amavisd.conf and add the following line. The arguments are the signing domain (the d= tag of the signature), the selector (the s= tag) and the path to the private key:
dkim_key('example.com', 'dkim20180723', '/etc/amavisd/dkim/example.com.dkim20180723.pem');
To configure which sender domains are signed with this key, start with the example.com sender domain. Add the following; ttl is the signature validity period in seconds (it becomes the x= expiration tag), here ten days:
@dkim_signature_options_bysender_maps = (
  {
    "example.com" => { d => 'example.com', a => 'rsa-sha256', ttl => 10*24*3600 },
  },
);
Lastly, enable DKIM signing:
$enable_dkim_signing = 1;
NOTE: Do not restart Amavisd yet.
Add Submission Service to Amavis
Amavis signs only mail it considers originating, that is, submitted by local users, so inbound and outbound mail must be told apart. This is done with a separate policy bank bound to its own listening port; we use port 10023 for submissions and keep 10024 for inbound mail.
Replace the $inet_socket_port setting so that Amavis listens on both ports:
$inet_socket_port = [10023, 10024];
Then add the interface policy and the policy bank. Discarding the 8BITMIME EHLO keyword makes Postfix convert 8-bit message bodies to 7-bit before handing them to Amavis, so the signature covers the form in which the message will actually travel and cannot be broken by a later conversion on a 7-bit-only hop:
$interface_policy{'10023'} = 'SUBMISSION';
$policy_bank{'SUBMISSION'} = {
  originating => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
NOTE: Do not restart Amavisd yet.
Now edit /etc/postfix/master.cf, find the submission service and append a content_filter option that hands authenticated submissions to the new Amavis listener:
submission inet n       -       n       -       -       smtpd
  -o cleanup_service_name=cleanup_submission
  (...snip...)
  -o content_filter=smtp-amavis:[127.0.0.1]:10023
Add DNS Records
The easiest way to get a DNS record that exactly matches the key you just generated is to let Amavis print it:
# amavisd -c /etc/amavisd/amavisd.conf showkeys example.com
; key#1 4096 bits, i=dkim20180723, d=example.com, /etc/amavisd/dkim/example.com.dkim20180723.pem
dkim20180723._domainkey.example.com. 3600 TXT (
  "v=DKIM1; p="
  "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6cH7Zd5hMdUvSF5eCvsg"
  "kcLQYt1WaYxvy89E2k5a/Kf4mwnPp/e5WGLHMaZ9Br7U3LVj726axKk6VsBeW1xa"
  "PKj8vblLQ9k9XF0xBRU3PiHtRPZEKpQwrhtAvawWlM4erCjHPm9z807HgIXxZ/YX"
  "UK1RZXFt2mzwXvC6QZXOljokJvU08dkv7gLsHei7zTBbJMwrlGKo6/zMcwo64pPP"
  "KpmdcLoKRUgw1N1Lfas/coA7OJGiUhvnLVwvU66YavhWBPKgso63Hl1yn7o8MSB/"
  "wAmWTmEWgLkN8Z4UgO0zFxfwaUjBihyE3LuuUZFPioJ51vJiBX+i+NtlHAbIkarO"
  "BlbgqZpiuIt4ePl10AfyDJgSyMDCofsGyNnW6PXfGmbo4td7o19UfCO2dWpAS2DU"
  "wtWk74ncMW6AhFrGM/COuFmknxXP2rQVcflRPKoBxgUmsm8yuNO7GEN624mlVFSs"
  "JzCleJ3gIuUuA5x+VaWG5h1YjrFPZIEzuiC+Ki1ZTuxC4YNga233Q/P9ce7lqv2b"
  "I3rOjkJ2xVsSEhow+vXgnC8xwwVnWHnUPWiQG/ZUqin/YYMGrhGGkvhfRGitAJBv"
  "J/kI30Nb2VRmSmHPzDLNqI0HceGpmar5lUQJz8L60fnYDe6cHf8FtTTD9wXujamY"
  "50Tw3XIrbhhIfuL5BzXokx0CAwEAAQ==")
The output can be pasted into a BIND 9 zone file as-is; BIND joins the quoted strings into a single TXT value, which is what DKIM verifiers read. Bump the zone serial, reload, and once the record is live, check that what is published in DNS matches the private key Amavis will sign with:
# amavisd -c /etc/amavisd/amavisd.conf testkeys example.com
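Not every DNS provider accepts BIND syntax: many web forms want the TXT value as one string, and some silently truncate long values. The following Python script, written for this article and not part of Kolab or amavisd, takes the showkeys output above, joins the quoted strings the way a resolver does, parses the DKIM tag list, decodes the RSA SubjectPublicKeyInfo far enough to report the key size and public exponent, and re-chunks the value into 255-byte DNS character-strings. It uses only the standard library; the zone text embedded in it is the output shown above, and the function and variable names are the script's own.

```python
"""Sanity-check a DKIM key record before or after publishing it.

Added example for this article, not part of Kolab or amavisd; standard
library only. SHOWKEYS_OUTPUT is the `amavisd showkeys` output shown above.
"""
import base64
import re

SHOWKEYS_OUTPUT = r'''
; key#1 4096 bits, i=dkim20180723, d=example.com, /etc/amavisd/dkim/example.com.dkim20180723.pem
dkim20180723._domainkey.example.com. 3600 TXT (
  "v=DKIM1; p="
  "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6cH7Zd5hMdUvSF5eCvsg"
  "kcLQYt1WaYxvy89E2k5a/Kf4mwnPp/e5WGLHMaZ9Br7U3LVj726axKk6VsBeW1xa"
  "PKj8vblLQ9k9XF0xBRU3PiHtRPZEKpQwrhtAvawWlM4erCjHPm9z807HgIXxZ/YX"
  "UK1RZXFt2mzwXvC6QZXOljokJvU08dkv7gLsHei7zTBbJMwrlGKo6/zMcwo64pPP"
  "KpmdcLoKRUgw1N1Lfas/coA7OJGiUhvnLVwvU66YavhWBPKgso63Hl1yn7o8MSB/"
  "wAmWTmEWgLkN8Z4UgO0zFxfwaUjBihyE3LuuUZFPioJ51vJiBX+i+NtlHAbIkarO"
  "BlbgqZpiuIt4ePl10AfyDJgSyMDCofsGyNnW6PXfGmbo4td7o19UfCO2dWpAS2DU"
  "wtWk74ncMW6AhFrGM/COuFmknxXP2rQVcflRPKoBxgUmsm8yuNO7GEN624mlVFSs"
  "JzCleJ3gIuUuA5x+VaWG5h1YjrFPZIEzuiC+Ki1ZTuxC4YNga233Q/P9ce7lqv2b"
  "I3rOjkJ2xVsSEhow+vXgnC8xwwVnWHnUPWiQG/ZUqin/YYMGrhGGkvhfRGitAJBv"
  "J/kI30Nb2VRmSmHPzDLNqI0HceGpmar5lUQJz8L60fnYDe6cHf8FtTTD9wXujamY"
  "50Tw3XIrbhhIfuL5BzXokx0CAwEAAQ==")
'''

RSA_ENCRYPTION_OID = bytes.fromhex('2a864886f70d010101')  # 1.2.840.113549.1.1.1


def parse_zone_txt(zone_text):
    """Return (owner, value) from a BIND-style TXT record.

    Comment lines are dropped and the quoted character-strings are joined
    with nothing in between, as RFC 6376 section 3.6.2.2 requires of a
    verifier reading the record back from DNS.
    """
    lines = [ln for ln in zone_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith(';')]
    body = '\n'.join(lines)
    m = re.match(r'\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s*\(', body)
    if not m:
        raise ValueError('not a parenthesised TXT record')
    return m.group(1), ''.join(re.findall(r'"([^"]*)"', body[m.end():]))


def parse_dkim_tags(value):
    """Split a 'tag=value; tag=value' list into a dict (RFC 6376 tag-list)."""
    tags = {}
    for field in filter(None, (f.strip() for f in value.split(';'))):
        if '=' not in field:
            raise ValueError('malformed tag: %r' % field)
        name, val = field.split('=', 1)
        tags[name.strip()] = re.sub(r'\s+', '', val)  # FWS is legal inside p=
    return tags


def _der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_params(spki_der):
    """Return (modulus_bits, public_exponent) from a SubjectPublicKeyInfo."""
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError('SubjectPublicKeyInfo is not a SEQUENCE')
    tag, alg, pos = _der_read(spki, 0)                 # AlgorithmIdentifier
    oid_tag, oid, _ = _der_read(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError('not an rsaEncryption key')
    tag, bits, _ = _der_read(spki, pos)                # BIT STRING, unused-bits byte first
    if tag != 0x03 or bits[0] != 0:
        raise ValueError('unexpected BIT STRING encoding')
    tag, rsa, _ = _der_read(bits, 1)                   # RSAPublicKey SEQUENCE
    n_tag, n, pos = _der_read(rsa, 0)
    e_tag, e, _ = _der_read(rsa, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError('RSAPublicKey integers missing')
    return int.from_bytes(n, 'big').bit_length(), int.from_bytes(e, 'big')


def check_record(zone_text, selector, domain):
    """Validate a DKIM key record for selector/domain; return a summary dict."""
    owner, value = parse_zone_txt(zone_text)
    expected = '%s._domainkey.%s.' % (selector, domain)
    if owner != expected:
        raise ValueError('record owner %s, expected %s' % (owner, expected))
    tags = parse_dkim_tags(value)
    if tags.get('v', 'DKIM1') != 'DKIM1' or tags.get('k', 'rsa') != 'rsa':
        raise ValueError('unsupported version or key type: %r' % tags)
    if not tags.get('p'):
        raise ValueError('empty p= tag: this record revokes the selector')
    bits, exponent = rsa_public_key_params(base64.b64decode(tags['p'], validate=True))
    return {'owner': owner, 'bits': bits, 'exponent': exponent,
            'testing': 'y' in tags.get('t', '').split(':'),   # t=y: testing mode
            'txt_value': value}


def split_for_zone(value, width=255):
    """Re-chunk a joined TXT value into DNS character-strings (max 255 bytes)."""
    return [value[i:i + width] for i in range(0, len(value), width)]


if __name__ == '__main__':
    summary = check_record(SHOWKEYS_OUTPUT, 'dkim20180723', 'example.com')
    print('%(owner)s RSA %(bits)d bits, e=%(exponent)d, testing=%(testing)s' % summary)
    for chunk in split_for_zone(summary['txt_value']):
        print('  "%s"' % chunk)
```

Run as-is it reports a 4096-bit key with e=65537 for dkim20180723._domainkey.example.com., and prints the 747-character value as three strings of at most 255 bytes, which any zone file or provider form will accept. An empty p= is rejected deliberately: per RFC 6376 that form revokes the selector, so publishing it by accident would invalidate every signature made with this key.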
Enable DKIM Verification
The simplest part of this exercise is enabling DKIM verification. Edit /etc/amavisd/amavisd.conf and add:
$enable_dkim_verification = 1;
Amavis records the outcome of verification in an Authentication-Results header on inbound messages, which is the quickest way to confirm that it is working.
Restart Amavis & Postfix
Now we can restart Amavisd and Postfix:
# systemctl restart amavisd postfix
NOTE: DKIM signatures are added only to mail that enters through the SUBMISSION policy bank, that is, through the SMTP submission service on port 587 with STARTTLS and authentication enabled. Mail arriving on port 25 is verified but not signed. To check, send a message from an authenticated client and confirm that it carries a DKIM-Signature: header with d=example.com and s=dkim20180723.
1 Comment
Jochen · April 7, 2023 at 6:13 pm
Thanks for the documentation – I might give it a try. Until now I have used opendkim to integrate DKIM into Kolab. I'm happy to share my Ansible playbook if there is interest.