§2024-04-30
¶ uninstall it and reinstall, start from scratcj
$ sudo apt remove --purge opendkim-tools
$ sudo apt install opendkim-tools
¶ Edit Config files
alexlai@h2Jammy:~$ sudo cp -v /etc/opendkim.conf /etc/opendkim.conf.ori
'/etc/opendkim.conf' -> '/etc/opendkim.conf.ori'
alexlai@h2Jammy:~$ diff /etc/opendkim.conf.ori /etc/opendkim.conf
24c24
< KeyFile /etc/opendkim/mail.private
---
> KeyFile /etc/postfix/dkim.key
original of /etc/opendkim.conf.ori
alexlai@h2Jammy:~$ cat /etc/opendkim.conf.ori
# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.
Syslog yes
SyslogSuccess yes
#LogWhy no
# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
#Mode sv
#SubDomains no
OversignHeaders From
# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain h2jammy.yushei.net
Selector mail
KeyFile /etc/opendkim/mail.private
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
¶ Postfix file
Open postfix main config file vim /etc/postfix/main.cf
Add following lines towards end.
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
alexlai@h2Jammy:~$ sudo nano /etc/postfix/main.cf
alexlai@h2Jammy:~$ diff /etc/postfix/main.cf.ori /etc/postfix/main.cf
48a49,54
>
> # DKIM
> milter_default_action = accept
> milter_protocol = 2
> smtpd_milters = inet:localhost:8891
> non_smtpd_milters = inet:localhost:8891
¶ DKIM Key Generation
Run following commands with mail and example.com matching values used in /etc/opendkim.conf file in earlier step.
alexlai@h2Jammy:~$ mkdir opendkim && cd $_
alexlai@h2Jammy:~/opendkim$ opendkim-genkey -t -s mail h2jammy.yushei.net
alexlai@h2Jammy:~/opendkim$ ls -l
total 8
-rw------- 1 alexlai alexlai 1704 四 30 18:49 mail.private ---> /etc/postfic/dkim.key
-rw------- 1 alexlai alexlai 504 四 30 18:49 mail.txt ---> DNS set dkim record
alexlai@h2Jammy:~/opendkim$ cat mail.private
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDWdNpfJpJ4kCa0
4iCePmw3myyPFEaR1eWxzmPHCmbVJLvVdVpzuDCcCKHH6/+0yqG+lCkQZrFeuFvI
pw62fOu6XYAPEuVRWFzuXoDWGBdbimBSI6VKbgQ+Lx9RoBfAqrFS0h3UeAFkC9Mh
ZrxG8E5ZLNdG3Z0TaJFKJcY2K8OvtmbCxg4Y0Y1NzzBNqRgz9PhhRJ+Uty+5JXoi
0jzBT4NvzQaxETR578rxcqSSnmSsRgYlW7H8fOOBU6hKfdSa/9JxDIXo/unPdGcR
TRYBxE9kWTgoSPR9iF3gBLhHh5GQUonHMSJ6cvAA3hyMN5x1nPvwKh+umxpDD/25
izVUz5F1AgMBAAECggEAYs2/disdPHKdgqTUBlQYI55YbysWQEZd5weBrMg8DGM6
LuQ8YigwLRNFBgjS7IaW8mjsamQFv/AMSWu+OZFgQaKmR0ubX1jop+HeVcUPrdsY
+X72vk3looivUzoA94Es5U1s9OC9M0zHXxIoGD7KugcQv9OGdNSua4zvvzF2nNMB
/ihpgTOcYN0G3CjpYZW1M1f28VqULWbPy2Hdgdi+ZvQfggwAVg52naWN8eyJPuHY
XUeOXRgbClcLXuJHj+41h3MLtsZuAXQa71Cx0rPuMnUlGdpId+UKvzbll12N5q19
coFHAsWELJYZQa9GUc4ipdgs2OZo1Vm8z0GkPENCWQKBgQDYjs1FiBq9GTJGd8Tf
LBHmufJO7hK5oJk8KbZueKkUaZr7/sq7ArS1ipvVRF3Ru7QiSQjwv8OprXJbEEqs
1rzx3VZC9ylhH1Wqb0epjaVJcDpauM0Gtwkyc5tPnVeZaUj7n2PgBnuUDtaDohcg
oW1KdHfc6RRok28K7TspI6C6MwKBgQD9hBLDs6/dTywz18I6VRDp/8sY75zM+9kh
yfQ8z+FSwmnx9GUUIVHePVgGkq/I/JVJseXCGLPvJSvY3nLKjVs7aymx6bGLZu7D
HYoI53KqIMp5Qw/b6wsTlGqWyR/Mb3Ls05ZOVuW/8Kdic1JSAPLutxKjfDovshUn
SeAiupKttwKBgADfUmRdT/5DA7jU8q4Td17+kMNQojKtOvDLGjkHs2appj4toJNw
R1oT3NzXEamun+MjeC3AGAGu+S70udhIZSp0QcyzQi9p+OZe3GMKdwf8s795zxmf
0yGo5Y9Eiv3LNsgMtFJKtGS8SpDtLjqra81I+tKg/bwOG/xnSD26LwORAoGAIDUV
RTOg1hbm4Lc6f7qq6W+L1+EpJImibj5//vHSCHeWihyocsRA6GEWu88K8hfUx4YI
UH5e7bTlOyoXn1ASFRxqMaYk3jb3gmZQUQ1GbgK4dmtkqmXUBGrIl9t5ZLmL+jZv
VAiKK7ZhLYrFHJHuSxGLFqYDpmeTdGhYR1E4rUUCgYEAopysmM+s1No7Mia7LHnr
fqa2zXlN+qdQzOfkTRcMyNHzZJR6lr0kZvTyOPF3gK+w7qW7f9MWmfjZ4EpiDpVn
phYHmOhOYaXciEIGhgzP0E0Rr+y0Ofc3BcPBD3ba2j6g875IXmaRYNh6nrEY63aF
f1SFJj6JBePS0CJ2Yd3WGgQ=
-----END PRIVATE KEY-----
alexlai@h2Jammy:~/opendkim$ cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nTaXyaSeJAmtOIgnj5sN5ssjxRGkdXlsc5jxwpm1SS71XVac7gwnAihx+v/tMqhvpQpEGaxXrhbyKcOtnzrul2ADxLlUVhc7l6A1hgXW4pgUiOlSm4EPi8fUaAXwKqxUtId1HgBZAvTIWa8RvBOWSzXRt2dE2iRSiXGNivDr7ZmwsYOGNGNTc8wTakYM/T4YUSflLcvuSV6It"
"I8wU+Db80GsRE0ee/K8XKkkp5krEYGJVux/HzjgVOoSn3Umv/ScQyF6P7pz3RnEU0WAcRPZFk4KEj0fYhd4AS4R4eRkFKJxzEienLwAN4cjDecdZz78CofrpsaQw/9uYs1VM+RdQIDAQAB" ) ; ----- DKIM key mail for localhost
When put mail.txt into DNS,txt record please remoce ALL " AND BLANK, https://tecadmin.net/setup-dkim-with-postfix-on-ubuntu-debian/
as,v=DKIM1; h=sha256; k=rsa; t=y; ""p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nTaXyaSeJAmtOIgnj5sN5ssjxRGkdXlsc5jxwpm1SS71XVac7gwnAihx+v/tMqhvpQpEGaxXrhbyKcOtnzrul2ADxLlUVhc7l6A1hgXW4pgUiOlSm4EPi8fUaAXwKqxUtId1HgBZAvTIWa8RvBOWSzXRt2dE2iRSiXGNivDr7ZmwsYOGNGNTc8wTakYM/T4YUSflLcvuSV6It" "I8wU+Db80GsRE0ee/K8XKkkp5krEYGJVux/HzjgVOoSn3Umv/ScQyF6P7pz3RnEU0WAcRPZFk4KEj0fYhd4AS4R4eRkFKJxzEienLwAN4cjDecdZz78CofrpsaQw/9uYs1VM+RdQIDAQAB"
¶ cp -v ~/opendkim/mail.private into /etc/postfic/dkim
alexlai@h2Jammy:~/opendkim$ sudo cp ~/opendkim/mail.private /etc/postfix/dkim.key
[sudo] password for alexlai:
alexlai@h2Jammy:~/opendkim$ ls -l /etc/postfix/dkim.key
-r-------- 1 root root 1704 五 1 03:59 /etc/postfix/dkim.key
¶ after edit your dns to put in the dkim, verify with dig
alexlai@h2Jammy:~/opendkim$ dig mail._domainkey.h2jammy.yushei.net TXT
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> mail._domainkey.h2jammy.yushei.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52466
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mail._domainkey.h2jammy.yushei.net. IN TXT
;; ANSWER SECTION:
mail._domainkey.h2jammy.yushei.net. 7200 IN TXT "v=DKIM1; h=sha256; k=rsa; t=y; \"\"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nTaXyaSeJAmtOIgnj5sN5ssjxRGkdXlsc5jxwpm1SS71XVac7gwnAihx+v/tMqhvpQpEGaxXrhbyKcOtnzrul2ADxLlUVhc7l6A1hgXW4pgUiOlSm4EPi8fUaAXwKqxUtId1HgBZAvTIWa8RvBOWSzXRt2dE2iRSiXGNivDr7ZmwsYO" "GNGNTc8wTakYM/T4YUSflLcvuSV6It\" \"I8wU+Db80GsRE0ee/K8XKkkp5krEYGJVux/HzjgVOoSn3Umv/ScQyF6P7pz3RnEU0WAcRPZFk4KEj0fYhd4AS4R4eRkFKJxzEienLwAN4cjDecdZz78CofrpsaQw/9uYs1VM+RdQIDAQAB\""
;; Query time: 228 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed May 01 04:03:39 CST 2024
;; MSG SIZE rcvd: 508
¶ Start Signing
Once al config & setup done, you need to start DKIM service and restart postfix.
alexlai@h2Jammy:~/opendkim$ sudo systemctl restart opendkim.service
alexlai@h2Jammy:~/opendkim$ sudo systemctl status opendkim.service
● opendkim.service - OpenDKIM Milter
Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-04-30 19:14:43 CST; 11s ago
Docs: man:opendkim(8)
man:opendkim.conf(5)
man:opendkim-lua(3)
man:opendkim-genkey(8)
man:opendkim-genzone(8)
man:opendkim-testkey(8)
http://www.opendkim.org/docs.html
Process: 13771 ExecStart=/usr/sbin/opendkim (code=exited, status=0/SUCCESS)
Main PID: 13772 (opendkim)
Tasks: 6 (limit: 9222)
Memory: 1.9M
CPU: 18ms
CGroup: /system.slice/opendkim.service
└─13772 /usr/sbin/opendkim
四 30 19:14:43 h2Jammy systemd[1]: Starting OpenDKIM Milter...
四 30 19:14:43 h2Jammy systemd[1]: Started OpenDKIM Milter.
四 30 19:14:43 h2Jammy opendkim[13772]: OpenDKIM Filter v2.11.0 starting
alexlai@h2Jammy:~/opendkim$ sudo systemctl restart postfix
alexlai@h2Jammy:~/opendkim$ sudo systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2024-04-30 19:15:07 CST; 6s ago
Docs: man:postfix(1)
Process: 14414 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 14414 (code=exited, status=0/SUCCESS)
CPU: 2ms
四 30 19:15:07 h2Jammy systemd[1]: Starting Postfix Mail Transport Agent...
四 30 19:15:07 h2Jammy systemd[1]: Finished Postfix Mail Transport Agent.
¶ Move it to the location we specified earlier in /etc/opendkim.conf
alexlai@h2Jammy:~/opendkim$ pwd
/home/alexlai/opendkim
alexlai@h2Jammy:~/opendkim$ ls -l
total 8
-rw------- 1 alexlai alexlai 1704 四 30 18:49 mail.private
-rw------- 1 alexlai alexlai 504 四 30 18:49 mail.txt
alexlai@h2Jammy:~/opendkim$ sudo cp -v mail.txt /etc/postfix/dkim.key
'mail.private' -> '/etc/postfix/dkim.key'
alexlai@h2Jammy:~/opendkim$ ls -l /etc/postfix/dkim.key
-rw------- 1 root root 1704 四 30 18:56 /etc/postfix/dkim.key
This command will generate mail.private and mail.txt file and saved it from the directort you run it. mail.private is private key that will be used to sign outgoing emails. Move it to the location we specified earlier in /etc/opendkim.conf
cp mail.private /etc/postfix/dkim.key
===
¶ how to set up DKIM with postfix by ChatGPT
Setting up DKIM (DomainKeys Identified Mail) for Postfix involves a few steps to generate the DKIM keys and configure Postfix to use them. Here's a general guide on how to set it up:
- Install OpenDKIM: First, you need to install OpenDKIM if you haven't already. You can typically do this using your package manager. For example, on Ubuntu or Debian:
sudo apt-get install opendkim opendkim-tools
- Generate DKIM Keys: Use the opendkim-genkey command to generate your DKIM key pair. Specify your domain name with the -d option. For example:
sudo opendkim-genkey -t -s mail -d h2jammy.yushei.net
This will generate two files: mail.private (your private key) and mail.txt (your public key) stored at the directory where the command is issued.
alexlai@h2Jammy:~$ mkdir dkim
alexlai@h2Jammy:~$ mv mail.* dkim
alexlai@h2Jammy:~$ cd dkim
alexlai@h2Jammy:~/dkim$ ls -l
total 8
-rw------- 1 root root 1704 四 25 18:04 mail.private
-rw------- 1 root root 513 四 25 18:04 mail.txt
alexlai@h2Jammy:~/dkim$ ls
mail.private mail.txt
alexlai@h2Jammy:~/dkim$ cat mail.private
cat: mail.private: Permission denied
alexlai@h2Jammy:~/dkim$ ls -l mail.private
-rw------- 1 root root 1704 四 25 18:04 mail.private
alexlai@h2Jammy:~/dkim$ sudo cat mail.private
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEDYgDEvKi2Qka
r1dqggkXV/eVxhZlEec3GXrvUY8cIiHtdhOCnksw5RZtdo4OG3vICY4IFGkvxse6
v58PRuztgbH/AnuEjiWaw4HHo6gXIckyZH17gAFwFOySk6dU64m0yFfQmffvkEnP
JchATjSZO9CBfTOZmBjQqMDbS0tX8bLC8JMg2ickFl8MrVEsHUUjEhNmGbL7gHiY
s2MZV26zQw1qgeFxHRUTQCGZ3KzoNngz8fhoSE1j0p1+SboRneEhnb73jkzcv8U7
42f79H+0Aper6gvMc0zj1fESPQlCcjd5ppXBCoqxRQitsM0uYz3T1jHUgr9GCTX2
VPkCCc2NAgMBAAECggEAAsrkjJKpBRvNTuV/e8NlaME2hBohuIfUQMsqnp0NSkvM
Kus7JOmnTYd91cpSBK5siXFlZgUQaH9O2gCfveJ3PnzR8b1xz/YMYBN31kWk/8tZ
589ZoDg3DQcnRYE36XQ/bmVKJu0ChJWMD5jMrOnQQvyAoE+NvBrYA6TbtmPwq0x+
I2UFDcVtYjLb2EoH4oQ6hS49XqTqYC4aDn1r8mokdOLDpuVQ4ZhAsynnG72koZKg
mS0szPZ1R/yPRfhlKje+mosMZWenlAnYzxrkSwcKKqyaHwkTJjXfIKHCyPxeZATW
KvCabcqw7jMDH0XH4CRzo/yUvwTW+DUDSS2R9SJlGwKBgQDLakT6PFXKat03i0Cg
Ncp0gASrSwkhtnnojj1VKFWaTWdCDmT3idmsbXrJ2/v4CTDQlc7uWc807SMH9J4E
NZxkUUsSYne0UDsfscA6C/4DCgmYvCAud7O+Fy3lalWAFLgp6Uf+yABhRwXKfWxl
thAUstB8vNgXFN3KgY4hv8sJPwKBgQD2vAmssezw6fiPQ3stlv7AWEBmoRaYX6H9
b6kUbk8QCWFWWp0LHEqYYz2FXN25nHLkJAbMlvjSr38cLgeK6Q6QEYyxHr2/cASe
smUpTCb5PvJVSJZlAADe4ChpPXVZoR48PtjMVzUE1aBfJ+36nn26FHvW7us+L82h
+hhjnKWKMwKBgHx/Uy5QpTVZSIHJUcl8gqfg/nqUV0dx9pUWEYXARPxGqY8tXjB/
B2HYM9G+OS4q+dyABAGvp/k9tjYVSm1LHqfrdWYQLDGI9VbFpOAiHNphV1RKt+uY
ycLrTuTduuzEQZ8tLypJ4KmpHWs8bo6l6puwgZgGwL8Hv2NE/ee8ChljAoGBANfr
ZmwCqN+LYUG+RCV5ZibdFD676hIeXpxzAvwmLHpUOyJe2d/HOmBxOH1k74RnLQQJ
owmXdNirTAlVHrSpj1z0frLhvBuz49cdNvoU8mZcd6W6iCKLBjgE4lh2uCNfpB4E
waTRDEzWxil/v/r6h/w3wMgu/R7GpqWBP6ashxGRAoGAJ7RI2BgTOOD8YkTcil6a
0F7xYxBiaH5CCsXRJMU42rusYIaw0ZJn6ES+c2hFTrQ3Bn6qYa/QM/8bNxyldP6v
2D4WqhlbbF+tAjKG5ygkzofeVT1HmBmZr2vNn+BxRNcWoF2KahXgIaXaCBGwQdNW
OFB+7XvpD0XIkDFhIcW/rEA=
-----END PRIVATE KEY-----
alexlai@h2Jammy:~/dkim$ sudo cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA2IAxLyotkJGq9XaoIJF1f3lcYWZRHnNxl671GPHCIh7XYTgp5LMOUWbXaODht7yAmOCBRpL8bHur+fD0bs7YGx/wJ7hI4lmsOBx6OoFyHJMmR9e4ABcBTskpOnVOuJtMhX0Jn375BJzyXIQE40mTvQgX0zmZgY0KjA20tLV/GywvCTINonJBZfDK1RLB1FIxITZhmy+4B4mL"
"NjGVdus0MNaoHhcR0VE0Ahmdys6DZ4M/H4aEhNY9Kdfkm6EZ3hIZ2+945M3L/FO+Nn+/R/tAKXq+oLzHNM49XxEj0JQnI3eaaVwQqKsUUIrbDNLmM909Yx1IK/Rgk19lT5AgnNjQIDAQAB" ) ; ----- DKIM key mail for h2jammy.yushei.net
When put mail.txt into DNS,txt record please remoce ALL " AND BLANK, https://tecadmin.net/setup-dkim-with-postfix-on-ubuntu-debian/
as "v=DKIM1;h=sha256;k=rsa;t=y;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA2IAxLyotkJGq9XaoIJF1f3lcYWZRHnNxl671GPHCIh7XYTgp5LMOUWbXaODht7yAmOCBRpL8bHur+fD0bs7YGx/wJ7hI4lmsOBx6OoFyHJMmR9e4ABcBTskpOnVOuJtMhX0Jn375BJzyXIQE40mTvQgX0zmZgY0KjA20tLV/GywvCTINonJBZfDK1RLB1FIxITZhmy+4B4mLNjGVdus0MNaoHhcR0VE0Ahmdys6DZ4M/H4aEhNY9Kdfkm6EZ3hIZ2+945M3L/FO+Nn+/R/tAKXq+oLzHNM49XxEj0JQnI3eaaVwQqKsUUIrbDNLmM909Yx1IK/Rgk19lT5AgnNjQIDAQAB"
¶ check with dig
alexlai@MacMini Downloads % dig mail._domainkey.h2jammy.yushei.net TXT
; <<>> DiG 9.10.6 <<>> mail._domainkey.h2jammy.yushei.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15916
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail._domainkey.h2jammy.yushei.net. IN TXT
;; ANSWER SECTION:
mail._domainkey.h2jammy.yushei.net. 7200 IN TXT "v=DKIM1; h=sha256; k=rsa; t=y; \"\"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nTaXyaSeJAmtOIgnj5sN5ssjxRGkdXlsc5jxwpm1SS71XVac7gwnAihx+v/tMqhvpQpEGaxXrhbyKcOtnzrul2ADxLlUVhc7l6A1hgXW4pgUiOlSm4EPi8fUaAXwKqxUtId1HgBZAvTIWa8RvBOWSzXRt2dE2iRSiXGNivDr7ZmwsYO" "GNGNTc8wTakYM/T4YUSflLcvuSV6It\" \"I8wU+Db80GsRE0ee/K8XKkkp5krEYGJVux/HzjgVOoSn3Umv/ScQyF6P7pz3RnEU0WAcRPZFk4KEj0fYhd4AS4R4eRkFKJxzEienLwAN4cjDecdZz78CofrpsaQw/9uYs1VM+RdQIDAQAB\""
;; Query time: 197 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 30 19:24:13 CST 2024
;; MSG SIZE rcvd: 508
alexlai@MacMini Downloads % dig h2jammy.yushei.net txt
; <<>> DiG 9.10.6 <<>> h2jammy.yushei.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2538
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;h2jammy.yushei.net. IN TXT
;; ANSWER SECTION:
h2jammy.yushei.net. 738 IN TXT "v=spf1 include:_spf.google.com mx a:h2Jammy.yushei.net ~all"
;; Query time: 7 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 30 19:24:21 CST 2024
;; MSG SIZE rcvd: 119
- Configure OpenDKIM: Next, you need to configure OpenDKIM. Edit the configuration file, typically located at /etc/opendkim.conf, and make sure it includes at least the following lines:
Domain example.com
KeyFile /etc/opendkim/keys/example.com/mail.private
Selector mail
Make sure to replace example.com with your actual domain name.
root@h2Jammy:/home/alexlai# cp -v /etc/opendkim.conf /etc/opendkim.conf.ori
'/etc/opendkim.conf' -> '/etc/opendkim.conf.ori'
root@h2Jammy:/home/alexlai# nano /etc/opendkim.conf
root@h2Jammy:/home/alexlai# diff /etc/opendkim.conf /etc/opendkim.conf.ori
2alexlai@h2Jammy:~$ diff /etc/opendkim.conf /etc/opendkim.conf.ori
22,24c22,24
< Domain h2jammy.yushei.net
< Selector mail
< KeyFile /etc/opendkim/mail.private
---
> #Domain example.com
> #Selector 2020
> #KeyFile /etc/dkimkeys/example.private
38c38
< Socket inet:8891@localhost <-- else outgoing mail will not be signed!!!
---
> #Socket inet:8891@localhost
- Configure Postfix to use OpenDKIM: Open your Postfix configuration file, typically located at /etc/postfix/main.cf, and add or modify the following lines: ( my case is add these lines ath the end )
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
- Start OpenDKIM and Restart Postfix: After making these changes, restart OpenDKIM and Postfix to apply the configuration changes:
sudo systemctl restart opendkim
- error /home/alexlai/dkim/mail.private: key data is not secure: /home/alexlai is writeable and owned by uid 1026 which is not the executing uid (133) or the superuser
root@h2Jammy:/home/alexlai/dkim# mkdir -p /etc/opendkim
root@h2Jammy:/home/alexlai/dkim# mv -v /home/alexlai/dkim/* /etc/opendkim
renamed '/home/alexlai/dkim/mail.private' -> '/etc/opendkim/mail.private'
renamed '/home/alexlai/dkim/mail.txt' -> '/etc/opendkim/mail.txt'
root@h2Jammy:/home/alexlai/dkim# nano /etc/opendkim.conf
root@h2Jammy:/home/alexlai/dkim# diff /etc/opendkim.conf /etc/opendkim.conf.ori
22,24c22,24
< Domain h2jammy.yushei.net
< Selector mail
< KeyFile /etc/opendkim/mail.private
---
> #Domain example.com
> #Selector 2020
> #KeyFile /etc/dkimkeys/example.private
sudo systemctl restart postfix
- Publish the DKIM public key in DNS: The last step is to publish your DKIM public key in DNS. The contents of the mail.txt file contain the DKIM record that you should add to your DNS records as a TXT record. The record should look something like this:
mail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=<your-public-key>"
v=DKIM1; h=sha256; k=rsa; t=y; \" \"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA2IAxLyotkJGq9XaoIJF1f3lcYWZRHnNxl671GPHCIh7XYTgp5LMOUWbXaODht7yAmOCBRpL8bHur+fD0bs7YGx/wJ7hI4lmsOBx6OoFyHJMmR9e4ABcBTskpOnVOuJtMhX0Jn375BJzyXIQE40mTvQgX0zmZgY0KjA20tLV/GywvCTINonJBZfDK1RLB1FIxITZhmy+4B4mL\" \"NjGVdus0MNaoHhcR0VE0Ahmdys6DZ4M/H4aEhNY9Kdfkm6EZ3hIZ2+945M3L/FO+Nn+/R/tAKXq+oLzHNM49XxEj0JQnI3eaaVwQqKsUUIrbDNLmM909Yx1IK/Rgk19lT5AgnNjQIDAQAB\" ) ; ----- DKIM key mail for h2jammy.yushei.net
dig +short TXT mail._domainkey.h2jammy.yushei.net
Replace example.com with your domain name, and
Once these steps are completed, your Postfix setup should be configured to sign outgoing emails with DKIM.
warning: connect to Milter service inet:localhost:8891: Connection refused
alexlai@h2Jammy:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 h2Jammy.yushei.net ESMTP Postfix (Ubuntu)
EHLO h2jammy.yushei.net
250-h2Jammy.yushei.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
MAIL FROM: alexlai@h2jammy.yushei.net
250 2.1.0 Ok
RCPT TO: rai.sousuke@mac.com
250 2.1.5 Ok
RCPT TO: rai.sousuke@gmail.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Just to say hi
time 2024-04-25 19:46
Please check https://www.kyoto-doitaxi.com/. It might be easier to dire a private taxi to drive you around kyoto with two kids.
.
250 2.0.0 Ok: queued as 65AAF2964924D
quit
221 2.0.0 Bye
Connection closed by foreign host.
alexlai@h2Jammy:~$
Apr 25 19:44:31 h2Jammy postfix/smtpd[22708]: warning: connect to Milter service inet:localhost:8891: Connection refused
Apr 25 19:45:19 h2Jammy postfix/smtpd[22708]: 65AAF2964924D: client=localhost[127.0.0.1]
Apr 25 19:46:38 h2Jammy postfix/cleanup[22714]: 65AAF2964924D: message-id=<20240425114519.65AAF2964924D@h2Jammy.yushei.net>
Apr 25 19:46:38 h2Jammy postfix/qmgr[22083]: 65AAF2964924D: from=<alexlai@h2jammy.yushei.net>, size=519, nrcpt=2 (queue active)
Apr 25 19:46:38 h2Jammy postfix/smtp[22718]: connect to gmail-smtp-in.l.google.com[2404:6800:4008:c05::1a]:25: Network is unreachable
Apr 25 19:46:39 h2Jammy postfix/smtp[22718]: 65AAF2964924D: to=<rai.sousuke@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.187.27]:25, delay=96, delays=95/0.02/0.63/0.73, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[64.233.187.27] said: 550-5.7.26 This mail has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [h2jammy.yushei.net] with ip: [59.126.118.194] = did not pass 550-5.7.26 550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication z7-20020a170902d54700b001ea2838f1d3si4612383plf.458 - gsmtp (in reply to end of DATA command))
Apr 25 19:46:45 h2Jammy postfix/smtp[22719]: 65AAF2964924D: to=<rai.sousuke@mac.com>, relay=mx01.mail.icloud.com[17.57.155.25]:25, delay=102, delays=95/0.04/1.4/6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4A2161AC0129)
Apr 25 19:46:45 h2Jammy postfix/cleanup[22714]: 792502964925A: message-id=<20240425114645.792502964925A@h2Jammy.yushei.net>
Apr 25 19:46:45 h2Jammy postfix/bounce[22720]: 65AAF2964924D: sender non-delivery notification: 792502964925A
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 792502964925A: from=<>, size=3664, nrcpt=1 (queue active)
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 65AAF2964924D: removed
Apr 25 19:46:45 h2Jammy postfix/local[22723]: 792502964925A: to=<alexlai@h2jammy.yushei.net>, relay=local, delay=0.02, delays=0.01/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 792502964925A: removed
Apr 25 19:46:50 h2Jammy postfix/smtpd[22708]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6
```
- https://support.google.com/mail/answer/81126#authentication
- https://toolbox.googleapps.com/apps/checkmx/check?domain=h2Jammy.yushei.net&dkim_selector=