Using DKIM in my server for multiple domains (websites)

I've read the tutorial posted by MountainX (Setup DKIM (DomainKeys) for Ubuntu, Postfix and Mailman), but I can't figure out how to apply these steps if I want to host and send e-mails for several domains. Does anybody have a clue?


Solution 1:

Good! I figured this out from the post mentioned in the question. I made a kind of mix between the answer itself and the links provided in it. Specially the fourth link is the one I used.

So the thing goes like this. Suppose you've got a server or VPS and make one of your domains to be the main domain and be used as the server name (in my example: mydomain.com).

So, first of all, we'll change to root to make things easier, but you can skip this step and use sudo before every command.

sudo su

Now, we install OpenDKIM:

apt-get install opendkim opendkim-tools

Let's fix the configuration file. We're opening /etc/opendkim.conf for editing. I use nano, but it's the same with other editor.

nano /etc/opendkim.conf

Once opened, make it look like this. If you feel comfortable, you can change some options, but the Domain, KeyFile and Selector must remain commented.

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
#
#Domain                  example.com
#KeyFile                 /etc/opendkim/201205.private
#Selector                201205
#
# Commonly-used options
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              yes
# Log to syslog
Syslog                  yes
LogWhy                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   022
UserID                  opendkim:opendkim
#
KeyTable                /etc/opendkim/KeyTable
SigningTable            /etc/opendkim/SigningTable
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts
#
Socket                  inet:8891@localhost
#EOF

Next, we create some of the folder and files that will hold information about what should OpenDKIM use and process. For now, the TrustedHosts file. We create and edit it:

mkdir /etc/opendkim
nano /etc/opendkim/TrustedHosts

We must put into this file a list of trusted addresses: localhost and 127.0.0.1, and your server name and IP:

127.0.0.1
localhost
192.99.34.121
mydomain.com

Now we edit OpenDKIM config file.

nano /etc/default/opendkim

And add these lines at the end of the file. They'll tell OpenDKIM in which port it should expect signing requests:

SOCKET="inet:8891@localhost"

We open the Postfix config file.

nano /etc/postfix/main.cf

And add these lines to the end of the file. They'll tell Postfix that it should send e-mails to be signed and where.

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

If you're not adding domains right now, you can restart everything, so the configuration takes effect.

/etc/init.d/opendkim restart
/etc/init.d/postfix reload
/etc/init.d/postfix restart

Done! The server is ready to work with DKIM. Now, you need to add your domains to this system. The following process is the same for all the domains you want to add. I'll use otherdomain.com for the example, replace it with your own.

Remember I was root from before, but if you're not, run sudo su or precede your commands with the keyword sudo.

sudo su

First, we create a directory for our domain and go inside of it:

mkdir -p /etc/opendkim/keys/otherdomain.com
cd /etc/opendkim/keys/otherdomain.com

Now we generate a key for the domain:

opendkim-genkey -r -d otherdomain.com

We give the OpenDKIM user ownership of the newly created file:

chown opendkim:opendkim default.private

And we open the KeyTable file to add our new key for our new domain:

nano /etc/opendkim/KeyTable

We add it to the end of the file (after all other domains we may have here):

default._domainkey.otherdomain.com otherdomain.com:default:/etc/opendkim/keys/otherdomain.com/default.private

We open the SigningTable file.

nano /etc/opendkim/SigningTable

And append at the end of the file (again, we'll have one line for each domain):

otherdomain.com default._domainkey.otherdomain.com

This SigningTable lists all mails which get signed. Just by adding a domain name, all mails from that domain will be signed.

I'm not sure of the necessity to do the next step, but I just did it, just in case... We open the TrustedHosts file.

nano /etc/opendkim/TrustedHosts

And add at the end of the file:

otherdomain.com

One last thing: we show the contents of the file /etc/opendkim/keys/otherdomain.com/default.txt.

cat /etc/opendkim/keys/otherdomain.com/default.txt

And add the information between the quotes to a TXT record in the DNS Zone of the domain, and we must also use default._domainkey as the name of the record. NOTE: "between the quotes" is the text that starts with "v=DKIM1;k=rsa; p=WIGfM...".

If we're done adding domains (by now), we restart everything to apply the changes.

/etc/init.d/opendkim restart
/etc/init.d/postfix reload
/etc/init.d/postfix restart

Done!

Solution 2:

This script automates the part after "Done! The server is ready to work with DKIM"

To help automate this process a little I created this bash script. Just add one 'domain.com' per line inside the domains=() array.

First create the files and directories if they do not already exist

/etc/opendkim/keys/
/etc/opendkim/KeyTable
/etc/opendkim/SigningTable
/etc/opendkim/TrustedHosts
/etc/opendkim/spfs.txt

spfs.txt file will contain all the spf records you need to add to your DNS records for each domain.

NOTE: do not run more than once, it does not check to see if a domain already exists. Script also needs to be run as root.

#!/bin/bash
domains=(
        'domain.com'
)
for domain in "${domains[@]}"
do
keydir="/etc/opendkim/keys/$domain"
if [ -d "$keydir" ]
then
cd $keydir
else
mkdir $keydir
cd $keydir
fi
opendkim-genkey -r -d $domain
chown opendkim:opendkim default.private
echo "default._domainkey.$domain $domain:default:$keydir/default.private" >> /etc/opendkim/KeyTable
echo "$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable
echo "$domain" >> /etc/opendkim/TrustedHosts
echo "$(cat $keydir/default.txt)" >> spfs.txt
done

Solution 3:

This script automates the part after "Done! The server is ready to work with DKIM"

To help automate this process a little I created this bash script. Just add one domain like 'example.com' per line inside the domains=() array.

This script creates the files for you and checks if a line is already in the file

Spfs.txt is removed and recreated everytime its run and checks the 2nd line of default.txt against spfs.txt before appending

You must place your servers ipv4 and ipv6 (if you have them) in the variables provided. It checks if they arent empty

you can run this file multiple times thanks to the checks added.

#!/bin/bash
# List of domains
domains=( 
        'example.com'
)
# file paths and directories
dkim="/etc/opendkim"
keys="$dkim/keys"
keyfile="$dkim/KeyTable"
signfile="$dkim/SigningTable"
trustfile="$dkim/TrustedHosts"
spffile="$dkim/spfs.txt"
# Set Ipv6 and Ipv4 addresses for the server here
ipv4=""
ipv6=""
# loopback addresses for the server
loop=( localhost 127.0.0.1 )
function loopback {
        for back in "${loop[@]}"
        do
                if ! grep -q "$back" "$trustfile"; then
                        echo "$back" >> "$trustfile"
                fi
        done
}
# Check for files and create / write to them if they dont exist
if [ ! -d "$keys" ]; then
        mkdir "$keys"
fi
if [ ! -f "$keyfile" ]; then
        touch "$keyfile"
fi
if [ ! -f "$signfile" ]; then
        touch "$signfile"
fi
if [ ! -f "$trustfile" ]; then
        touch "$trustfile"
        loopback
else
        loopback
fi
if [ ! -f "$spffile" ]; then
        touch "$spffile"
else
        rm -rf "$spffile"
        touch "$spffile"
fi
if [ ! -z "$ipv6" ]; then
        if ! grep -q "$ipv6" "$trustfile"; then
                echo "$ipv6" >> "$trustfile"
        fi
fi
if [ ! -z "$ipv4" ]; then
        if ! grep -q "$ipv4" "$trustfile"; then
                echo "$ipv4" >> "$trustfile"
        fi
fi
# Generate keys and write the spfs records we need for each domain to one file
for domain in "${domains[@]}"
do
        keydir="$keys/$domain"
        default="$keydir/default.txt"
        if [ ! -d "$keydir" ]; then
                mkdir $keydir
        fi
        cd $keydir
        opendkim-genkey -r -d $domain
        chown opendkim:opendkim default.private
        key="default._domainkey.$domain $domain:default:$keydir/default.private"
        sign="$domain default._domainkey.$domain"
        trust="$domain"
        spf="$(cat $default)"
        # Check only the last line against the spf file as the first line is always the same
        spflast="$(tail -1 $default)"
        if ! grep -q "$key" "$keyfile"; then
                echo "$key" >> "$keyfile"
        fi
        if ! grep -q "$sign" "$signfile"; then
                echo "$sign" >> "$signfile"
        fi
        if ! grep -q "$trust" "$trustfile"; then
                echo "$trust" >> "$trustfile"
        fi
        if ! grep -q "$spflast" "$spffile"; then
                echo "$spf" >> "$spffile"
        fi
done