
Configuring DKIM with Postfix

DKIM is an Internet standard that lets a mail message be tied to a domain name. It uses asymmetric cryptography to validate a mail message against its sender: the sender's MTA signs outgoing messages with the private key, and the receiver, using the public key obtained from the sender's domain, can verify that the message headers have not been altered.

Install OpenDKIM and its dependencies:

sudo apt-get install opendkim opendkim-tools

Edit the file /etc/opendkim.conf

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

This is an example configuration that signs messages for several domains; for more detail on the configuration you can go here

Connect the milter with Postfix

Edit the file /etc/default/opendkim and add the following line:

SOCKET="inet:12301@localhost"

Edit the Postfix file /etc/postfix/main.cf and make sure these options are present:

milter_protocol = 2
milter_default_action = accept

If you have no other milters configured, add the following lines:

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Create the directory structure that will hold the keys and the OpenDKIM configuration files:

sudo mkdir -p /etc/opendkim/keys

Specify the trusted hosts file:

vim /etc/opendkim/TrustedHosts
127.0.0.1
localhost
192.168.0.1/24

*.example.com

#*.example.net
#*.example.org

Create the KeyTable file with the key table; each entry contains the selector/domain pair and the path to the private key used to sign messages:

vim /etc/opendkim/KeyTable
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
mail._domainkey.example.es example.es:mail:/etc/opendkim/keys/example.es/mail.private

Create the SigningTable file. This file is used to specify the domains and their selectors:

vim /etc/opendkim/SigningTable
*@example.com mail._domainkey.example.com
*@example.es mail._domainkey.example.es

Generate the key pair for each domain:

cd /etc/opendkim/keys
mkdir example.com
cd example.com
opendkim-genkey -s mail -d example.com
chown opendkim:opendkim mail.private

Add the public key to the DNS record
For each domain, open the file mail.txt

mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN12F+VM4TCEMm8/5vGjhT42Zo/UHbf+N6CZx5Aj3p20u1dR8mqeWLM3TqE+9EpvKsx4GKtrl/8QBL1g7ZmdluVSlz6AIMarDXnjqmKqN4dlpCj15bnOjiHxH6r/bpll36dJrlmRuOL61xnilxTydpWQ4uJtTel2eUG5zeUG1CnQIDAQAB" ; ----- DKIM key mail for example.com

You can check that your DNS answers correctly with the dig command:

dig txt mail._domainkey.example.com
[...]
;; ANSWER SECTION:
mail._domainkey.example.com. 14400 IN	TXT	"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN12F+VM4TCEMm8/5vGjhT42Zo/UHbf+N6CZx5Aj3p20u1dR8mqeWLM3TqE+9EpvKsx4GKtrl/8QBL1g7ZmdluVSlz6AIMarDXnjqmKqN4dlpCj15bnOjiHxH6r/bpll36dJrlmRuOL61xnilxTydpWQ4uJtTel2eUG5zeUG1CnQIDAQAB"
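A check a practitioner wants at this step is that the record DNS actually serves matches the key opendkim-genkey wrote to mail.txt (a stale or truncated copy-paste of the p= value is the usual failure). This is an added example written for this page, not OpenDKIM's own code; the record values are constructed, with a short placeholder in place of a real RSA key. It also handles the long-key case where mail.txt splits p= across several quoted strings.

```python
import re

# Compare the DKIM record from mail.txt with the one dig returns.
# Example code written for this page; not part of OpenDKIM. Sample values
# are constructed, with a short placeholder instead of a real RSA key.

# Line as opendkim-genkey writes it to mail.txt (constructed sample).
MAIL_TXT = ('mail._domainkey IN TXT "v=DKIM1; k=rsa; p=UFVCTElDS0VZ" '
            '; ----- DKIM key mail for example.com')
# The matching answer line as dig prints it (constructed sample).
DIG_ANSWER = ('mail._domainkey.example.com. 14400 IN\tTXT\t'
              '"v=DKIM1\\; k=rsa\\; p=UFVCTElDS0VZ"')

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dkim_txt(line: str) -> dict:
    """Parse the tag=value list of a DKIM TXT record into a dict.

    Handles both forms shown on the page: mail.txt (quoted chunks plus a
    trailing '; -----' comment outside the quotes) and dig output (';'
    escaped as '\\;'). Long keys are split into several quoted strings;
    DNS concatenates them, so we do the same.
    """
    chunks = QUOTED.findall(line)
    if not chunks:
        raise ValueError("no quoted TXT data in line")
    data = "".join(chunks).replace("\\;", ";")
    tags = {}
    for item in data.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def check_published_key(mail_txt_line: str, dig_line: str) -> tuple:
    """Compare generated and published records; return (ok, reason)."""
    want = parse_dkim_txt(mail_txt_line)
    got = parse_dkim_txt(dig_line)
    if got.get("v") != "DKIM1":
        return False, "published record is not a DKIM1 record"
    if got.get("k", "rsa") != want.get("k", "rsa"):
        return False, "key type differs from mail.txt"
    if not got.get("p"):
        return False, "published p= is empty (revoked key) or missing"
    if got["p"] != want.get("p"):
        return False, "public key in DNS does not match mail.txt"
    return True, "published key matches mail.txt"


if __name__ == "__main__":
    print(check_published_key(MAIL_TXT, DIG_ANSWER))
```

The same comparison against live DNS, using the key path from KeyTable, is what `opendkim-testkey -d example.com -s mail -vvv` from opendkim-tools performs.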

Once everything is correct, restart the OpenDKIM and Postfix services

# service opendkim restart
# service postfix restart

and to verify that the configuration is correct, send a mail to the address check-auth@verifier.port25.com; the service will reply with a message in which

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

Postfix virtual users with Dovecot

This is a short tutorial for setting up Postfix with Dovecot authentication and the Dovecot LDA. With the Dovecot LDA you can use sieve scripts for mail filtering and vacation messages.

Postfix Configuration:

First create the vmail user for virtual delivery:

# useradd vmail
# id vmail 
uid=1002(vmail) gid=1003(vmail) grupos=1003(vmail)

We are going to deliver mail for user@domain.com to /var/mail/domain.com/user.
For the virtual transport we use dovecot. virtual_mailbox_domains lists the domains we host on this server, and virtual_mailbox_maps is the table used to look up valid mailboxes on the server.

main.cf

# delivery
virtual_mailbox_domains = domain1.com, domain2.com
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
mail_spool_directory = /var/mail
virtual_mailbox_base = /var/mail
mailbox_size_limit = 0
recipient_delimiter = +
virtual_minimum_uid = 100
virtual_alias_maps = hash:/etc/postfix/virtual_alias
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox

/etc/postfix/virtual_alias

postmaster@domain1.com	postmaster@otherdomain.com
postmaster@domain2.com	postmaster@otherdomain.com

Rebuild the table with:

# postmap /etc/postfix/virtual_alias

/etc/postfix/virtual_mailbox
This file lists only the mailboxes that will be accepted for local delivery.

user1@domain1.com  OK
user2@domain1.com  OK
user1@domain2.com  OK
user3@domain2.com  OK

Rebuild the table with:

# postmap /etc/postfix/virtual_mailbox

master.cf

In the Postfix master.cf file we set Dovecot authentication for the submission service. This way only authenticated users are allowed to relay mail to external domains.

In the last lines we configure Dovecot as the local delivery agent.

submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination

[...]
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

Dovecot configuration:

/etc/dovecot/vusers.conf
We use this file as the user database for authentication. You can also use a MySQL database or LDAP for this, but the simplest way is a plain file storing the users and their passwords.

info@domain1.com:{SHA256}gSGn1f3fg0lTRDezXhC7uJqp3XapE8uT7W42PKDDLyY=
admin@domain2.com:{SHA256}PtkqLjF6lRo3h6WAQOVbuZQ/2d7hupW5BCv0Vx/q7gY=

To generate the password hashes we use the doveadm command.

$ doveadm pw -s sha256
Enter new password: 
Retype new password: 
{SHA256}SKqtTLTAct6agUe7MQDvTgOtYyjtxJWWTQXiATus88w=
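Two things worth checking once vusers.conf and /etc/postfix/virtual_mailbox both exist: that every account that can authenticate also has a mailbox Postfix accepts mail for (and vice versa), and that the {SHA256} scheme, which is an unsalted SHA-256 digest in base64, is not hiding trivially weak entries (identical passwords produce identical hashes, so an empty password is spotted by comparing against one known hash). This is an added example written for this page, not Dovecot's or Postfix's own code; the file contents are constructed, with the first hash being SHA-256 of "abc" and the second SHA-256 of the empty string.

```python
import base64
import hashlib
import hmac

# Consistency and password-scheme checks for vusers.conf / virtual_mailbox.
# Example code written for this page, not Dovecot's or Postfix's own.
# Constructed file contents: first hash is SHA-256("abc"), second SHA-256("").
VUSERS_CONF = """\
info@domain1.com:{SHA256}ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=
admin@domain2.com:{SHA256}47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
"""
VIRTUAL_MAILBOX = """\
info@domain1.com   OK
user2@domain1.com  OK
"""


def dovecot_sha256(password: str) -> str:
    """Same output as 'doveadm pw -s sha256': unsalted digest, base64."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "{SHA256}" + base64.b64encode(digest).decode("ascii")


def parse_vusers(text: str) -> dict:
    """user -> stored password (passwd-file format: user:password[:...])."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, rest = line.partition(":")
            users[user] = rest.split(":")[0]
    return users


def parse_virtual_mailbox(text: str) -> set:
    """Addresses Postfix accepts for local delivery (first column of the map)."""
    return {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate against a {SHA256} entry in constant time."""
    if not stored.startswith("{SHA256}"):
        raise ValueError("only the {SHA256} scheme used on this page is handled")
    return hmac.compare_digest(stored, dovecot_sha256(candidate))


def audit(vusers: dict, mailboxes: set) -> dict:
    """Login/mailbox mismatches plus accounts whose hash is that of ''."""
    empty = dovecot_sha256("")
    return {
        "auth_without_mailbox": sorted(set(vusers) - mailboxes),
        "mailbox_without_auth": sorted(mailboxes - set(vusers)),
        "empty_password": sorted(u for u, h in vusers.items() if h == empty),
    }
```

Because the scheme is unsalted, a salted scheme such as SHA512-CRYPT (also available through doveadm pw -s) is the usual recommendation for a new deployment.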

The following are the Dovecot files I have to change to configure authentication through the vusers.conf file and the socket Postfix uses for authentication on the mail submission service.

10-auth.conf

auth_mechanisms = plain
!include auth-static.conf.ext

auth-static.conf.ext

passdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/vusers.conf
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/%d/%n
}

10-mail.conf

mail_home = /var/mail/%d/%n
mail_location = maildir:/var/mail/%d/%n
mail_uid = 1002
mail_gid = 1003
mail_privileged_group = vmail

10-master.conf

Under “service auth”, configure the auth-userdb socket with user/group vmail and the socket for Postfix authentication with user/group postfix.

  unix_listener auth-userdb {
    #mode = 0666
    user = vmail
    group = vmail
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

15-lda.conf

lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes

And that’s all: we have a Postfix server using Dovecot authentication and the Dovecot LDA. Now you can install the sieve plugin for Dovecot and use it for mail filtering and vacation messages.