
How to add a schema to OpenLDAP

In this case we are going to add the dnsdomain2 schema so that PowerDNS can serve its DNS zones from LDAP.

To list the schemas currently loaded in the cn=config database, run:

~# ls -1 /etc/ldap/slapd.d/cn\=config/cn\=schema
cn={0}core.ldif
cn={1}cosine.ldif
cn={2}nis.ldif
cn={3}inetorgperson.ldif
cn={4}postfix.ldif

First, create a conversion file that lists the schemas you already have plus the one you want to add. Check against the listing above that every schema you include exists in your installation, and keep the order: the index slaptest assigns to the new schema ({6} below) is simply its position in this list.

~# cat > ./schema_conv.conf << EOL
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/postfix.schema
include /etc/ldap/schema/dnsdomain2.schema
EOL

Convert the schema file to LDIF format:

~# mkdir /tmp/ldif
~# slaptest -f ./schema_conv.conf -F /tmp/ldif/

Open the file /tmp/ldif/cn=config/cn=schema/cn={6}dnsdomain2.ldif and change the following lines:

dn: cn={6}dnsdomain2
objectClass: olcSchemaConfig
cn: {6}dnsdomain2

to these:

dn: cn=dnsdomain2,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: dnsdomain2

You also have to delete the following operational attributes at the very end of the file. slaptest wrote them for its own copy of the configuration; the running server generates its own and refuses them in an add request:

structuralObjectClass: olcSchemaConfig
entryUUID: ccd26c58-54b6-1036-8f0f-cd16c06c9857
creatorsName: cn=config
createTimestamp: 20161212130111Z
entryCSN: 20161212130111.420925Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20161212130111Z

Copy the file to the schema directory:

~# cd /etc/ldap/schema
~# cp /tmp/ldif/cn\=config/cn\=schema/cn\=\{6\}dnsdomain2.ldif ./dnsdomain2.ldif

Insert the new schema into the LDAP configuration tree, authenticating as root over the local ldapi socket with SASL EXTERNAL:

~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/dnsdomain2.ldif
adding new entry "cn=dnsdomain2,cn=schema,cn=config"

Finally, verify that it is now loaded. Note that the running config numbers it {5}, the next free slot, not the {6} slaptest assigned in the conversion directory:

~# ls -1 /etc/ldap/slapd.d/cn\=config/cn\=schema
cn={0}core.ldif
cn={1}cosine.ldif
cn={2}nis.ldif
cn={3}inetorgperson.ldif
cn={4}postfix.ldif
cn={5}dnsdomain2.ldif
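The same procedure scripted, as an added example rather than code from the original post. fix_schema_ldif is the text edit done by hand above and is exercised on a constructed sample at the bottom (the attribute definition in the sample is a placeholder, not the real dnsdomain2 schema); add_schema wraps slaptest, ldapadd and a server-side check with ldapsearch, so it needs root and a running slapd and is only defined here. The schema directory and ldapi URL are the ones used on this page.

```bash
#!/bin/sh
# Added example: convert a .schema file into an LDIF that cn=config accepts.

# Rewrite the dn/cn that slaptest generated (cn={N}name) to the form ldapadd
# needs and drop the operational attributes the server generates itself.
# $1 = schema name, stdin = generated LDIF, stdout = loadable LDIF
fix_schema_ldif() {
    name="$1"
    sed -e "s/^dn: cn={[0-9]*}${name}\$/dn: cn=${name},cn=schema,cn=config/" \
        -e "s/^cn: {[0-9]*}${name}\$/cn: ${name}/" \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Whole procedure. $1 = schema to add; remaining args = schemas already loaded,
# in the order `ls /etc/ldap/slapd.d/cn=config/cn=schema` shows them.
# Needs slaptest, ldapadd, ldapsearch and root; not run by the demo below.
add_schema() {
    name="$1"; shift
    work=$(mktemp -d)
    conf="$work/schema_conv.conf"
    for s in "$@" "$name"; do
        echo "include /etc/ldap/schema/$s.schema"
    done > "$conf"
    mkdir "$work/ldif"
    slaptest -f "$conf" -F "$work/ldif" >/dev/null || return 1
    gen=$(ls "$work"/ldif/cn=config/cn=schema/cn=*"$name".ldif)
    fix_schema_ldif "$name" < "$gen" > "/etc/ldap/schema/$name.ldif"
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "/etc/ldap/schema/$name.ldif" || return 1
    # Confirm from the server itself rather than from the slapd.d directory.
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -s one cn \
        | grep -q "$name"
}

# Constructed sample in the shape slaptest emits (placeholder attribute).
SAMPLE=$(cat <<'EOF'
dn: cn={6}dnsdomain2
objectClass: olcSchemaConfig
cn: {6}dnsdomain2
olcAttributeTypes: {0}( PLACEHOLDER-OID NAME 'dNSTTL' SYNTAX PLACEHOLDER )
structuralObjectClass: olcSchemaConfig
entryUUID: ccd26c58-54b6-1036-8f0f-cd16c06c9857
creatorsName: cn=config
createTimestamp: 20161212130111Z
entryCSN: 20161212130111.420925Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20161212130111Z
EOF
)
FIXED=$(printf '%s\n' "$SAMPLE" | fix_schema_ldif dnsdomain2)
printf '%s\n' "$FIXED"
```

To add the schema on the machine from this post you would call add_schema dnsdomain2 core cosine nis inetorgperson postfix; the final ldapsearch is the check that matters, because a file under slapd.d only proves that slapd wrote it at some point, not that the schema is active.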

Removing multipath device – map in use

I got into trouble when I tried to remove a multipath device from one of my servers. The device sat underneath some LVM volumes that I was no longer using. I tried to remove it with multipath -f, but it failed, saying the map was in use:

~# multipath -f /dev/mapper/2554b454e79496758
Dec 05 12:22:31 | 2554b454e79496758: map in use
Dec 05 12:22:31 | failed to remove multipath map 2554b454e79496758

You can see how many opens the map has (LVM, mounted filesystems and processes all count) with the dmsetup tool; look at the Open count field:

~# dmsetup info  /dev/mapper/2554b454e79496758
Name:              2554b454e79496758
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        4
Event number:      1086846
Major, minor:      251, 4
Number of targets: 1
UUID: mpath-2554b454e79496758

First remove any active LVM objects on top of the device. For example, if you have a volume group "vggroup" with a logical volume "vol1" on it, remove them (this destroys the data on them, so make sure nothing still needs it):

~# lvremove /dev/vggroup/vol1
~# vgremove vggroup
~# pvremove /dev/mapper/2554b454e79496758

and if the device-mapper nodes are still present under /dev, remove them:

~# dmsetup remove /dev/vggroup/*

At this point no process should be accessing the device and the multipath -f command above should work, but in some cases there are still processes blocked waiting on the device. We can try to find them with lsof, filtering by the device's major and minor numbers:

~# lsof | grep "251,4"

In my case there were several vgs processes blocked trying to access the device. They cannot be killed: the D in the STAT column below means uninterruptible sleep inside the kernel, waiting for I/O that never completes, and a process in that state ignores signals until the I/O returns or fails.

~# ps aux | grep sbin/vgs
root     1206972  0.0  0.0  32444  4288 ?        D    dic02   0:00 /sbin/vgs --separator : --noheadings --units b --unbuffered --nosuffix --options vg_name,vg_size,vg_free
root     1213321  0.0  0.0  32444  4308 ?        D    dic02   0:00 /sbin/vgs --separator : --noheadings --units b --unbuffered --nosuffix --options vg_name,vg_size,vg_free
root     1248170  0.0  0.0  32444  4196 ?        D    dic02   0:00 /sbin/vgs --separator : --noheadings --units b --unbuffered --nosuffix --options vg_name,vg_size,vg_free
root     2542017  0.0  0.0  32444  4252 ?        D    10:46   0:00 /sbin/vgs --separator : --noheadings --units b --unbuffered --nosuffix --options vg_name,vg_size,vg_free

The way out is to replace the map's table so that the queued I/O is failed back to those processes instead of hanging forever. First suspend the multipath device:

~# dmsetup suspend /dev/mapper/2554b454e79496758
~# dmsetup info /dev/mapper/2554b454e79496758
Name:              2554b454e79496758
State:             SUSPENDED
Read Ahead:        256
Tables present:    LIVE
Open count:        4
Event number:      1086846
Major, minor:      251, 4
Number of targets: 1
UUID: mpath-2554b454e79496758

Then clear any inactive table and replace the live one with an error target (wipe_table); every pending and future I/O on the map now fails immediately, which lets the blocked processes finish:

~# dmsetup clear /dev/mapper/2554b454e79496758
~# dmsetup wipe_table /dev/mapper/2554b454e79496758

We were lucky and the device is finally no longer in use:

~# dmsetup info  /dev/mapper/2554b454e79496758
Name:              2554b454e79496758
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      1086846
Major, minor:      251, 7
Number of targets: 1
UUID: mpath-2554b454e79496758

Now we can remove it without problems:

~# multipath -f /dev/mapper/2554b454e79496758

To stop multipath from rediscovering the device, blacklist it. First remove it from the list of already discovered WWIDs:

~# sed -i '/2554b454e79496758/d' /etc/multipath/wwids

In the multipath configuration file, /etc/multipath.conf, add an entry in the blacklist section with the WWID of the device; if the file does not exist, create it:

blacklist {
   wwid 2554b454e79496758
}

And finally reload multipath:

~# systemctl reload multipath-tools
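The bookkeeping from the last three steps, as an added example that is not part of the original post: read the open count out of dmsetup info, forget the WWID, and blacklist it in multipath.conf without creating a duplicate entry or a second blacklist section. File paths are parameters so the demo at the bottom runs on temporary copies; the second and third WWIDs in the demo are made up. The real files live at /etc/multipath/wwids and /etc/multipath.conf as on this page.

```bash
#!/bin/sh
# Added example: helpers for retiring a multipath map.

# Open count of a dm device, parsed from `dmsetup info <dev>` output on stdin.
open_count() {
    awk -F': *' '/^Open count:/ { print $2; exit }'
}

# Drop WWID $1 from the discovered-device list $2 (default
# /etc/multipath/wwids); the file stores WWIDs as /wwid/, one per line.
forget_wwid() {
    wwid="$1"; file="${2:-/etc/multipath/wwids}"
    [ -f "$file" ] || return 0
    sed "/${wwid}/d" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# True when $1 already appears as "wwid <value>" inside the blacklist { }
# section of $2 (a blacklist_exceptions section is deliberately not matched).
in_blacklist() {
    awk -v w="$1" '
        /^[[:space:]]*blacklist[[:space:]]*[{]/ { inb = 1; next }
        inb && /^[[:space:]]*[}]/               { inb = 0 }
        inb && $1 == "wwid" { gsub(/"/, "", $2); if ($2 == w) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# Add `wwid $1` to the blacklist section of $2 (default /etc/multipath.conf),
# creating the file or the section when missing. Calling it twice is a no-op.
blacklist_wwid() {
    wwid="$1"; conf="${2:-/etc/multipath.conf}"
    [ -f "$conf" ] || : > "$conf"
    in_blacklist "$wwid" "$conf" && return 0
    if grep -Eq '^[[:space:]]*blacklist[[:space:]]*[{]' "$conf"; then
        # insert right after the opening line of the existing section
        awk -v w="$wwid" '
            { print }
            !seen && /^[[:space:]]*blacklist[[:space:]]*[{]/ { print "    wwid " w; seen = 1 }
        ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'blacklist {\n    wwid %s\n}\n' "$wwid" >> "$conf"
    fi
}

# Demo on constructed files; only the first WWID is the one from this post.
DEMO=$(mktemp -d)
DM_INFO='Name:              2554b454e79496758
State:             ACTIVE
Open count:        4
Major, minor:      251, 4'
printf '/2554b454e79496758/\n/3600000000000000000000000000000001/\n' > "$DEMO/wwids"
printf 'defaults {\n    user_friendly_names no\n}\n' > "$DEMO/multipath.conf"

printf '%s\n' "$DM_INFO" | open_count                          # still 4 openers
forget_wwid    2554b454e79496758 "$DEMO/wwids"
blacklist_wwid 2554b454e79496758 "$DEMO/multipath.conf"         # creates section
blacklist_wwid 2554b454e79496758 "$DEMO/multipath.conf"         # no duplicate
blacklist_wwid 36000000000000000000000000000000ff "$DEMO/multipath.conf"  # joins section
cat "$DEMO/multipath.conf"
```

Run the real thing as forget_wwid 2554b454e79496758 && blacklist_wwid 2554b454e79496758 followed by the reload above. Only retire the map when open_count reports 0; otherwise you are back to the D-state situation described earlier.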

How to tell whether your disks support discard to free space

The discard option of block devices (TRIM on SSDs, UNMAP on SCSI storage) lets the storage backend actually reclaim the blocks of files we delete on the filesystem.
To find out whether a device advertises discard support, so that space can really be released on it, run this command on Linux:

$ sudo lsblk -o MOUNTPOINT,DISC-MAX,FSTYPE

If the devices do not support it, the DISC-MAX column shows 0B:

MOUNTPOINT DISC-MAX FSTYPE
/boot      0B      ext4
/          0B      ext4
/usr       0B      ext4
/var/tmp   0B      ext4
/var       0B      ext4
/home      0B      ext4

With discard supported, the DISC-MAX column shows the maximum number of bytes that can be discarded in a single request:

MOUNTPOINT DISC-MAX FSTYPE
/boot      1G       ext4
/          1G       ext4
/usr       1G       ext4
/var/tmp   1G       ext4
/var       1G       ext4
/home      1G       ext4

Another option is the -D flag of the same command, which gives a bit more information: the alignment offset, the discard granularity and whether discarded blocks read back as zeros:

$ sudo lsblk -D
NAME            DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
sda                    0        4K       1G         0
├─sda1                 0        4K       1G         0
└─sda2                 0        4K       1G         0
  ├─vgsys-root         0        4K       1G         0
  ├─vgsys-usr          0        4K       1G         0
  ├─vgsys-tmp          0        4K       1G         0
  └─vgsys-var          0        4K       1G         0
sdb                    0        4K       1G         0
└─sdb1                 0        4K       1G         0
  └─vgdata-home        0        4K       1G         0
sr0                    0        0B       0B         0

Once we know the device supports discard we can run fstrim on the mounted filesystem to release the space on the backend. Two caveats: a non-zero DISC-MAX only means the device accepts discard requests, whether a thin-provisioned LUN or virtual disk behind it actually gives the space back is up to the backend; and on dm-crypt volumes discard is off by default, because passing it through reveals which blocks of the encrypted device are unused.
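A small helper that turns that lsblk check into a decision, as an added example and not code from the original post. It parses the key="value" output of lsblk -P (the same three columns as above, in a form that is unambiguous when MOUNTPOINT is empty) and reports, per mounted filesystem, whether fstrim is worth running; the sample at the bottom is constructed to match the two tables above with /home placed on a device that does not advertise discard. trim_targets and trim_all query the live system and need root.

```bash
#!/bin/sh
# Added example: which mounted filesystems can fstrim actually help?

# stdin: `lsblk -P -o MOUNTPOINT,DISC-MAX,FSTYPE` output.
# stdout: "<mountpoint> trim (...)" or "<mountpoint> no-discard (...)"
# for every mounted filesystem. DISC-MAX of 0B means no discard support.
classify_discard() {
    while IFS= read -r line; do
        mp=$(printf '%s\n' "$line"  | sed -n 's/.*MOUNTPOINT="\([^"]*\)".*/\1/p')
        max=$(printf '%s\n' "$line" | sed -n 's/.*DISC-MAX="\([^"]*\)".*/\1/p')
        fs=$(printf '%s\n' "$line"  | sed -n 's/.*FSTYPE="\([^"]*\)".*/\1/p')
        # unmounted devices and swap are not fstrim targets
        [ -n "$mp" ] && [ "$mp" != "[SWAP]" ] || continue
        if [ -z "$max" ] || [ "$max" = "0B" ]; then
            echo "$mp no-discard ($fs)"
        else
            echo "$mp trim ($fs, up to $max per request)"
        fi
    done
}

# Mountpoints on which fstrim is worth running, from the live system.
trim_targets() {
    lsblk -P -o MOUNTPOINT,DISC-MAX,FSTYPE | classify_discard \
        | awk '$2 == "trim" { print $1 }'
}

# Trim each of them (needs root); fstrim -v reports how much was discarded.
trim_all() {
    for mp in $(trim_targets); do
        fstrim -v "$mp"
    done
}

# Constructed sample shaped like the outputs above.
SAMPLE=$(cat <<'EOF'
MOUNTPOINT="" DISC-MAX="1G" FSTYPE=""
MOUNTPOINT="/boot" DISC-MAX="1G" FSTYPE="ext4"
MOUNTPOINT="/" DISC-MAX="1G" FSTYPE="ext4"
MOUNTPOINT="/home" DISC-MAX="0B" FSTYPE="ext4"
MOUNTPOINT="[SWAP]" DISC-MAX="1G" FSTYPE="swap"
EOF
)
RESULT=$(printf '%s\n' "$SAMPLE" | classify_discard)
printf '%s\n' "$RESULT"
```

On a real host run trim_targets first and compare it with what fstrim -a would touch; a filesystem that shows up as no-discard is the one where deleting files will never shrink the backing storage, no matter how often fstrim runs.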

Installing PHP 5.4 on Debian 8 Jessie

Debian 8 (Jessie) ships PHP 5.6 by default, but in my case I needed PHP 5.4 because of the project's requirements. To install PHP 5.4, just add the dotdeb.org sources for the wheezy release. Bear in mind that PHP 5.4 stopped receiving security fixes in September 2015, so this is only a stopgap for a machine that is not exposed.

Create the file /etc/apt/sources.list.d/dotdeb.list with the following content:

deb http://packages.dotdeb.org wheezy all
deb-src http://packages.dotdeb.org wheezy all

Run the following command to import the repository key. This makes apt trust every package that key signs, so verify its fingerprint out of band before adding it:

wget -O - https://www.dotdeb.org/dotdeb.gpg | apt-key add -

And finally install PHP 5.4 on the server, pinning the exact package version so apt does not pick the 5.6 build from Jessie instead:

sudo apt-get update
sudo apt-get install php5=5.4.45-1~dotdeb+7.1

and you can enjoy version 5.4! Hold the package afterwards (apt-mark hold php5) so that a later apt-get upgrade does not silently replace it with Jessie's 5.6.

Setting up DKIM with Postfix

DKIM is an Internet standard (RFC 6376) that ties an e-mail message to a domain name. It uses public-key cryptography: the sender's MTA signs the message with the domain's private key, and the receiver fetches the public key from the sender's DNS and verifies that the signed headers and the body hash have not been altered in transit.

Install OpenDKIM and its tools:

sudo apt-get install opendkim opendkim-tools

Edit the file /etc/opendkim.conf:

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

This is an example configuration that signs messages for several domains; Mode sv means the milter both signs outgoing mail and verifies incoming mail. Every option is documented in opendkim.conf(5).

Hooking the milter into Postfix

Edit the file /etc/default/opendkim and add the following line:

SOCKET="inet:12301@localhost"

Edit Postfix's /etc/postfix/main.cf and make sure these options are present. milter_default_action = accept means that if OpenDKIM is down, Postfix still accepts and delivers mail, unsigned and unverified; set it to tempfail if you would rather have senders retry:

milter_protocol = 2
milter_default_action = accept

If you have no other milters configured, add the following lines:

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Create the directory structure that will hold the keys and the OpenDKIM configuration files:

sudo mkdir -p /etc/opendkim/keys

Write the trusted hosts file. Hosts matched here count as internal: their mail is signed and, through ExternalIgnoreList, not verified, so list only hosts you would let relay through this server anyway:

vim /etc/opendkim/TrustedHosts
127.0.0.1
localhost
192.168.0.0/24
*.example.com
#*.example.net
#*.example.org
Create the KeyTable file. Each line maps a key name (selector._domainkey.domain) to the domain, the selector and the path of the private key used to sign:

vim /etc/opendkim/KeyTable
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
mail._domainkey.example.es example.es:mail:/etc/opendkim/keys/example.es/mail.private

Create the SigningTable file. It maps sender addresses to the key name in KeyTable that signs their mail:

vim /etc/opendkim/SigningTable
*@example.com mail._domainkey.example.com
*@example.es mail._domainkey.example.es

Generate the key pair for each domain. The key in the example below is 1024 bits, the minimum RFC 8301 allows; pass -b 2048 to opendkim-genkey for the size receivers expect today:

cd /etc/opendkim/keys
mkdir example.com
cd example.com
opendkim-genkey -s mail -d example.com
chown opendkim:opendkim mail.private

Add the public key to DNS
For each domain, open the file mail.txt and publish its contents as a TXT record:

mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN12F+VM4TCEMm8/5vGjhT42Zo/UHbf+N6CZx5Aj3p20u1dR8mqeWLM3TqE+9EpvKsx4GKtrl/8QBL1g7ZmdluVSlz6AIMarDXnjqmKqN4dlpCj15bnOjiHxH6r/bpll36dJrlmRuOL61xnilxTydpWQ4uJtTel2eUG5zeUG1CnQIDAQAB" ; ----- DKIM key mail for example.com

You can check that your DNS answers correctly with dig:

dig txt mail._domainkey.example.com
[...]
;; ANSWER SECTION:
mail._domainkey.example.com. 14400 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN12F+VM4TCEMm8/5vGjhT42Zo/UHbf+N6CZx5Aj3p20u1dR8mqeWLM3TqE+9EpvKsx4GKtrl/8QBL1g7ZmdluVSlz6AIMarDXnjqmKqN4dlpCj15bnOjiHxH6r/bpll36dJrlmRuOL61xnilxTydpWQ4uJtTel2eUG5zeUG1CnQIDAQAB"

Once everything is correct, restart OpenDKIM and Postfix:

# service opendkim restart
# service postfix restart

To test that the configuration works, send a mail to check-auth@verifier.port25.com; the service replies with a report summarising the results:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham
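DomainKeys check: neutral is expected; DomainKeys is the obsolete predecessor of DKIM and nothing here signs with it. What is worth automating is the step that most often goes wrong: the key in DNS not being the key the milter signs with. The helper below is an added example, not code from the original post or from OpenDKIM. gen_domain_key wraps the key generation and table entries above for one domain with a 2048-bit key (it needs opendkim-tools and root and is only defined); dkim_pubkey extracts the p= value both from the mail.txt that opendkim-genkey writes and from what dig prints, so dkim_keys_match can compare them. The first two samples are the mail.txt and dig answer shown on this page; the third is a constructed multi-string record with a placeholder key, not a real one.

```bash
#!/bin/sh
# Added example: per-domain DKIM key setup and a DNS-vs-local key check.

# Create a 2048-bit key for domain $1 with selector $2 (default "mail") under
# $3/keys/<domain> (default /etc/opendkim) and append the matching KeyTable
# and SigningTable lines. Needs opendkim-tools and root; not run below.
gen_domain_key() {
    domain="$1"; sel="${2:-mail}"; base="${3:-/etc/opendkim}"
    dir="$base/keys/$domain"
    mkdir -p "$dir"
    opendkim-genkey -b 2048 -s "$sel" -d "$domain" -D "$dir"
    chown opendkim:opendkim "$dir/$sel.private"
    chmod 600 "$dir/$sel.private"            # only the milter reads the key
    echo "$sel._domainkey.$domain $domain:$sel:$dir/$sel.private" >> "$base/KeyTable"
    echo "*@$domain $sel._domainkey.$domain" >> "$base/SigningTable"
}

# Print the p= value of a DKIM TXT record read on stdin. Accepts the mail.txt
# opendkim-genkey writes (one string for a 1024-bit key, several quoted
# strings, possibly wrapped, for 2048-bit) and the answer dig prints
# (semicolons escaped as \;).
dkim_pubkey() {
    tr -d '\n' |
    sed -e 's/\\;/;/g' -e 's/"[[:space:]]*"//g' -e 's/.*"\([^"]*\)".*/\1/' |
    tr -d ' ' |
    sed -n 's/.*p=\([^;]*\).*/\1/p'
}

# $1 = contents of mail.txt, $2 = dig answer. True when both carry one key.
dkim_keys_match() {
    local_key=$(printf '%s\n' "$1" | dkim_pubkey)
    dns_key=$(printf '%s\n' "$2" | dkim_pubkey)
    [ -n "$local_key" ] && [ "$local_key" = "$dns_key" ]
}

# Live check: compare /etc/opendkim/keys/<domain>/<selector>.txt with DNS.
dkim_dns_matches() {
    domain="$1"; sel="${2:-mail}"
    dkim_keys_match "$(cat "/etc/opendkim/keys/$domain/$sel.txt")" \
                    "$(dig +short txt "$sel._domainkey.$domain")"
}

# Samples: the record from this page, as written by opendkim-genkey and as
# returned by dig, plus a constructed multi-string record (placeholder key).
MAILTXT='mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN12F+VM4TCEMm8/5vGjhT42Zo/UHbf+N6CZx5Aj3p20u1dR8mqeWLM3TqE+9EpvKsx4GKtrl/8QBL1g7ZmdluVSlz6AIMarDXnjqmKqN4dlpCj15bnOjiHxH6r/bpll36dJrlmRuOL61xnilxTydpWQ4uJtTel2eUG5zeUG1CnQIDAQAB" ; ----- DKIM key mail for example.com'
DNS_ANSWER='mail._domainkey.example.com. 14400 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN12F+VM4TCEMm8/5vGjhT42Zo/UHbf+N6CZx5Aj3p20u1dR8mqeWLM3TqE+9EpvKsx4GKtrl/8QBL1g7ZmdluVSlz6AIMarDXnjqmKqN4dlpCj15bnOjiHxH6r/bpll36dJrlmRuOL61xnilxTydpWQ4uJtTel2eUG5zeUG1CnQIDAQAB"'
DNS_SPLIT='mail._domainkey.example.es. 3600 IN TXT "v=DKIM1\; k=rsa\; " "p=ABCDEFGH" "IJKLMNOP"'

dkim_keys_match "$MAILTXT" "$DNS_ANSWER" && echo "example.com: DNS key matches mail.txt"
dkim_keys_match "$MAILTXT" "$DNS_SPLIT"  || echo "example.es: DNS key differs from mail.txt"
```

Run dkim_dns_matches example.com after every key rotation and before restarting OpenDKIM: a signer whose private key no longer corresponds to the published record produces mail that fails DKIM everywhere, which is worse for deliverability than sending unsigned.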