§2024-04-25
¶ how to set up DKIM with postfix by ChatGPT
Setting up DKIM (DomainKeys Identified Mail) for Postfix involves a few steps to generate the DKIM keys and configure Postfix to use them. Here's a general guide on how to set it up:
- Install OpenDKIM: First, you need to install OpenDKIM if you haven't already. You can typically do this using your package manager. For example, on Ubuntu or Debian:
sudo apt-get install opendkim opendkim-tools
- Generate DKIM Keys: Use the opendkim-genkey command to generate your DKIM key pair. Specify your domain name with the -d option. For example:
sudo opendkim-genkey -t -s mail -d h2jammy.yushei.net
This will generate two files: mail.private (your private key) and mail.txt (your public key), stored in the directory where the command is issued.
alexlai@h2Jammy:~$ mkdir dkim
alexlai@h2Jammy:~$ mv mail.* dkim
alexlai@h2Jammy:~$ cd dkim
alexlai@h2Jammy:~/dkim$ ls -l
total 8
-rw------- 1 root root 1704 四 25 18:04 mail.private
-rw------- 1 root root 513 四 25 18:04 mail.txt
alexlai@h2Jammy:~/dkim$ ls
mail.private mail.txt
alexlai@h2Jammy:~/dkim$ cat mail.private
cat: mail.private: Permission denied
alexlai@h2Jammy:~/dkim$ ls -l mail.private
-rw------- 1 root root 1704 四 25 18:04 mail.private
alexlai@h2Jammy:~/dkim$ sudo cat mail.private
alexlai@h2Jammy:~/dkim$ sudo cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA2IAxLyotkJGq9XaoIJF1f3lcYWZRHnNxl671GPHCIh7XYTgp5LMOUWbXaODht7yAmOCBRpL8bHur+fD0bs7YGx/wJ7hI4lmsOBx6OoFyHJMmR9e4ABcBTskpOnVOuJtMhX0Jn375BJzyXIQE40mTvQgX0zmZgY0KjA20tLV/GywvCTINonJBZfDK1RLB1FIxITZhmy+4B4mL"
"NjGVdus0MNaoHhcR0VE0Ahmdys6DZ4M/H4aEhNY9Kdfkm6EZ3hIZ2+945M3L/FO+Nn+/R/tAKXq+oLzHNM49XxEj0JQnI3eaaVwQqKsUUIrbDNLmM909Yx1IK/Rgk19lT5AgnNjQIDAQAB" ) ; ----- DKIM key mail for h2jammy.yushei.net
When putting the contents of mail.txt into the DNS TXT record, remove ALL the double quotes AND blanks (see https://tecadmin.net/setup-dkim-with-postfix-on-ubuntu-debian/).
- Configure OpenDKIM: Next, you need to configure OpenDKIM. Edit the configuration file, typically located at /etc/opendkim.conf, and make sure it includes at least the following lines:
Domain example.com
KeyFile /etc/opendkim/keys/example.com/mail.private
Selector mail
Make sure to replace example.com with your actual domain name.
root@h2Jammy:/home/alexlai# cp -v /etc/opendkim.conf /etc/opendkim.conf.ori
'/etc/opendkim.conf' -> '/etc/opendkim.conf.ori'
root@h2Jammy:/home/alexlai# nano /etc/opendkim.conf
root@h2Jammy:/home/alexlai# diff /etc/opendkim.conf /etc/opendkim.conf.ori
22,24c22,24
< Domain h2jammy.yushei.net
< Selector mail
< KeyFile /etc/opendkim/mail.private
---
> #Domain example.com
> #Selector 2020
> #KeyFile /etc/dkimkeys/example.private
38c38
< Socket inet:8891@localhost <-- else outgoing mail will not be signed!!!
---
> #Socket inet:8891@localhost
- Configure Postfix to use OpenDKIM: Open your Postfix configuration file, typically located at /etc/postfix/main.cf, and add or modify the following lines (in my case I added these lines at the end):
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
- Start OpenDKIM and Restart Postfix: After making these changes, restart OpenDKIM and Postfix to apply the configuration changes:
sudo systemctl restart opendkim
- error: /home/alexlai/dkim/mail.private: key data is not secure: /home/alexlai is writeable and owned by uid 1026 which is not the executing uid (133) or the superuser
root@h2Jammy:/home/alexlai/dkim# mkdir -p /etc/opendkim
root@h2Jammy:/home/alexlai/dkim# mv -v /home/alexlai/dkim/* /etc/opendkim
renamed '/home/alexlai/dkim/mail.private' -> '/etc/opendkim/mail.private'
renamed '/home/alexlai/dkim/mail.txt' -> '/etc/opendkim/mail.txt'
root@h2Jammy:/home/alexlai/dkim# nano /etc/opendkim.conf
root@h2Jammy:/home/alexlai/dkim# diff /etc/opendkim.conf /etc/opendkim.conf.ori
22,24c22,24
< Domain h2jammy.yushei.net
< Selector mail
< KeyFile /etc/opendkim/mail.private
---
> #Domain example.com
> #Selector 2020
> #KeyFile /etc/dkimkeys/example.private
sudo systemctl restart postfix
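The "key data is not secure" failure above, as an added Python example that is not OpenDKIM's code: a simplified reimplementation of the ownership and write-permission rules behind that message, checked top-down from /, run against a constructed directory layout reproducing the uid 1026 / uid 133 case from the notes and against the /etc/opendkim layout that passes. The exact rule set and the file modes are assumptions; the stat_fn parameter exists only so the fake layouts can be checked offline.

```python
import os
import stat
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")

# Constructed layout reproducing the failing case from the notes: the key is
# root-owned but its parent directories belong to the login user (uid 1026),
# while the daemon runs as uid/gid 133. Uids come from the error text; the
# modes are assumed.
BAD_TREE = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/home": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/home/alexlai": FakeStat(stat.S_IFDIR | 0o755, 1026, 1026),
    "/home/alexlai/dkim": FakeStat(stat.S_IFDIR | 0o755, 1026, 1026),
    "/home/alexlai/dkim/mail.private": FakeStat(stat.S_IFREG | 0o600, 0, 0),
}
# The layout after the fix: everything root-owned under /etc/opendkim.
GOOD_TREE = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/etc": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/opendkim": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/opendkim/mail.private": FakeStat(stat.S_IFREG | 0o600, 0, 0),
}

def path_prefixes(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c'] (top-down, as the error message suggests)."""
    parts = [p for p in os.path.abspath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def insecure_key_path(path, uid, gid, stat_fn=os.stat):
    """Return the first component these rules reject, or None if the key path is acceptable.

    Simplified rules (an assumption, not OpenDKIM's own code): no component may be
    world-writable; a group-writable component must belong to the executing gid or
    root; an owner-writable component must belong to the executing uid or root.
    """
    for p in path_prefixes(path):
        st = stat_fn(p)
        if st.st_mode & stat.S_IWOTH:
            return "%s is world writeable" % p
        if st.st_mode & stat.S_IWGRP and st.st_gid not in (0, gid):
            return "%s is group writeable and owned by gid %d, not the executing gid (%d) or root" % (p, st.st_gid, gid)
        if st.st_mode & stat.S_IWUSR and st.st_uid not in (0, uid):
            return ("%s is writeable and owned by uid %d which is not the executing "
                    "uid (%d) or the superuser" % (p, st.st_uid, uid))
    return None
```

Run with the default stat_fn against a real key path and the daemon's uid/gid to check a layout before restarting opendkim.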
- Publish the DKIM public key in DNS: The last step is to publish your DKIM public key in DNS. The contents of the mail.txt file contain the DKIM record that you should add to your DNS records as a TXT record. The record should look something like this:
mail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=<your-public-key>"
dig +short TXT mail._domainkey.h2jammy.yushei.net
Replace example.com with your domain name, and
Once these steps are completed, your Postfix setup should be configured to sign outgoing emails with DKIM.
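The chunked mail.txt output shown earlier and the "remove all quotes and blanks" step when publishing it, as an added Python example (not from the original notes or from OpenDKIM): it joins the quoted pieces of mail.txt into one TXT value, parses the tags, checks that p= decodes as base64 to a DER public key, flags the t=y testing mode, and re-splits a long value into 255-byte strings for a zone file. The embedded mail.txt sample is constructed with a placeholder key.

```python
import base64
import re

# Constructed sample in the layout opendkim-genkey writes to mail.txt; the p=
# value is a valid-base64 placeholder, not a real key (assumption).
MAIL_TXT = (
    'mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; "\n'
    '  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"\n'
    '  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ) ; ----- DKIM key mail for example.net'
)

def txt_value_from_mail_txt(text):
    """Join the quoted chunks of mail.txt into the single value a DNS web form expects."""
    chunks = re.findall(r'"([^"]*)"', text)
    if not chunks:
        raise ValueError("no quoted strings in input")
    return "".join(chunks)

def parse_dkim_record(value):
    """Split 'tag=value; tag=value' into a dict; blanks inside values are dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def check_dkim_record(tags):
    """Return human-readable problems; an empty list means the record looks publishable."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    p = tags.get("p")
    if p is None:
        problems.append("p= tag missing")
    elif p == "":
        problems.append("p= is empty, which publishes a revoked key")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if not der or der[0] != 0x30:  # DER SubjectPublicKeyInfo starts with a SEQUENCE
                problems.append("p= does not decode to a DER public key")
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p= is not valid base64 (stray quotes or blanks?)")
    if tags.get("t") == "y":
        problems.append("t=y: record is in testing mode; drop the t= tag once signing works")
    return problems

def zone_file_chunks(value, limit=255):
    """Re-split a long TXT value into <=255-byte strings for a zone file."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]
```

The same parse_dkim_record/check_dkim_record pair can be run on the output of the dig command above to confirm what was actually published.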
warning: connect to Milter service inet:localhost:8891: Connection refused
alexlai@h2Jammy:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 h2Jammy.yushei.net ESMTP Postfix (Ubuntu)
EHLO h2jammy.yushei.net
250-h2Jammy.yushei.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
MAIL FROM: alexlai@h2jammy.yushei.net
250 2.1.0 Ok
RCPT TO: rai.sousuke@mac.com
250 2.1.5 Ok
RCPT TO: rai.sousuke@gmail.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Just to say hi
time 2024-04-25 19:46
Please check https://www.kyoto-doitaxi.com/. It might be easier to dire a private taxi to drive you around kyoto with two kids.
.
250 2.0.0 Ok: queued as 65AAF2964924D
quit
221 2.0.0 Bye
Connection closed by foreign host.
alexlai@h2Jammy:~$
Apr 25 19:44:31 h2Jammy postfix/smtpd[22708]: warning: connect to Milter service inet:localhost:8891: Connection refused
Apr 25 19:45:19 h2Jammy postfix/smtpd[22708]: 65AAF2964924D: client=localhost[127.0.0.1]
Apr 25 19:46:38 h2Jammy postfix/cleanup[22714]: 65AAF2964924D: message-id=<20240425114519.65AAF2964924D@h2Jammy.yushei.net>
Apr 25 19:46:38 h2Jammy postfix/qmgr[22083]: 65AAF2964924D: from=<alexlai@h2jammy.yushei.net>, size=519, nrcpt=2 (queue active)
Apr 25 19:46:38 h2Jammy postfix/smtp[22718]: connect to gmail-smtp-in.l.google.com[2404:6800:4008:c05::1a]:25: Network is unreachable
Apr 25 19:46:39 h2Jammy postfix/smtp[22718]: 65AAF2964924D: to=<rai.sousuke@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.187.27]:25, delay=96, delays=95/0.02/0.63/0.73, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[64.233.187.27] said: 550-5.7.26 This mail has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [h2jammy.yushei.net] with ip: [59.126.118.194] = did not pass 550-5.7.26 550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication z7-20020a170902d54700b001ea2838f1d3si4612383plf.458 - gsmtp (in reply to end of DATA command))
Apr 25 19:46:45 h2Jammy postfix/smtp[22719]: 65AAF2964924D: to=<rai.sousuke@mac.com>, relay=mx01.mail.icloud.com[17.57.155.25]:25, delay=102, delays=95/0.04/1.4/6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4A2161AC0129)
Apr 25 19:46:45 h2Jammy postfix/cleanup[22714]: 792502964925A: message-id=<20240425114645.792502964925A@h2Jammy.yushei.net>
Apr 25 19:46:45 h2Jammy postfix/bounce[22720]: 65AAF2964924D: sender non-delivery notification: 792502964925A
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 792502964925A: from=<>, size=3664, nrcpt=1 (queue active)
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 65AAF2964924D: removed
Apr 25 19:46:45 h2Jammy postfix/local[22723]: 792502964925A: to=<alexlai@h2jammy.yushei.net>, relay=local, delay=0.02, delays=0.01/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 792502964925A: removed
Apr 25 19:46:50 h2Jammy postfix/smtpd[22708]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6
- https://support.google.com/mail/answer/81126#authentication
- https://toolbox.googleapps.com/apps/checkmx/check?domain=h2Jammy.yushei.net&dkim_selector=