Antispam protection with DK, DKIM and SPF in Postfix

From RVM Wiki

Verified with Debian Bookworm

  • Export the domain name to simplify the configuration:
export OPENDKIM_DOMAIN=example.com
  • Install the packages and fix up the group membership:
apt install opendkim opendkim-tools
gpasswd -a postfix opendkim
  • Set the non-default parameters:
vi /etc/opendkim.conf
# Add at the beginning
Logwhy               yes

# Uncomment
Canonicalization    relaxed/simple
Mode            sv
SubDomains      no
UserID             opendkim

# Add at the end
AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256

KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table
ExternalIgnoreList  /etc/opendkim/trusted.hosts
InternalHosts       /etc/opendkim/trusted.hosts
  • Create the directories:
mkdir /etc/opendkim && \
mkdir /etc/opendkim/keys && \
chown -R opendkim:opendkim /etc/opendkim && \
chmod go-rw /etc/opendkim/keys
  • Create the signing table:
cat > /etc/opendkim/signing.table <<EOFile
*@$OPENDKIM_DOMAIN    default._domainkey.$OPENDKIM_DOMAIN
*@*.$OPENDKIM_DOMAIN    default._domainkey.$OPENDKIM_DOMAIN
EOFile
  • Check:
cat /etc/opendkim/signing.table
*@example.com    default._domainkey.example.com
*@*.example.com    default._domainkey.example.com
  • Create the key table:
cat > /etc/opendkim/key.table <<EOFile
default._domainkey.$OPENDKIM_DOMAIN     $OPENDKIM_DOMAIN:default:/etc/opendkim/keys/$OPENDKIM_DOMAIN/default.private
EOFile
  • Check:
cat /etc/opendkim/key.table
default._domainkey.example.com     example.com:default:/etc/opendkim/keys/example.com/default.private
  • Set the trusted hosts (the file referenced by ExternalIgnoreList and InternalHosts above):
cat > /etc/opendkim/trusted.hosts <<EOFile
127.0.0.1
localhost
.$OPENDKIM_DOMAIN
EOFile
  • Check:
cat /etc/opendkim/trusted.hosts
127.0.0.1
localhost
.example.com
  • Create the keys:
mkdir /etc/opendkim/keys/$OPENDKIM_DOMAIN && \
opendkim-genkey -b 2048 -d $OPENDKIM_DOMAIN -D /etc/opendkim/keys/$OPENDKIM_DOMAIN -s default -v && \
chown opendkim:opendkim /etc/opendkim/keys/$OPENDKIM_DOMAIN/default.private && chmod 600 /etc/opendkim/keys/$OPENDKIM_DOMAIN/default.private && \
echo OK
  • Create the string for the DNS record and check it:
cat /etc/opendkim/keys/$OPENDKIM_DOMAIN/default.txt
The public key is the string that starts with p=
The public key is split into two quoted parts. Copy the first part between the " " and then the second part between the " ", and join the two strings together without the " " to make one long string.

Copy the complete lines as shown. Next, in your DNS manager, create a TXT record with the name
default._domainkey
and, as its content, the public key you copied above.

p=MIIBIjANBgkqhklG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy6v89vlMhAtaFd4BFAPn1y2FDCsZAZugRCMMM1fRDRm3TKDU51aIJ9RKu4FJdR/7JF2BAglyBn5l24lk8MIGYPfjgJxxPWBiS/GcIwudkU/jdeQbTl9Ws90u4fRtIgx/1B1ywR7lTvTSYnWlzBUvHsaFaY800TIlT9DJSnP6PXxXMnbyCqGsYOAt4VbQZxgk9HS0JXN78f12oGdXQ7IupGUfJICzPFvbJVnH6l7ectJtEz2652OFovOp+gLT9Vr/b/vora+wknYSZvapw9iKSoxvT/nQQSN6yBtlTM/HglJt7tUwzCuGd5Njmr6wNTx5sOKQ3xgJymbtpmJm0Ho4/QIDAQAB
  • Create the socket directory for Postfix:
mkdir /var/spool/postfix/opendkim && \
chown opendkim:postfix /var/spool/postfix/opendkim
  • Set it in the configuration (comment out the existing Socket line and uncomment this one):
vi /etc/opendkim.conf
Socket    local:/var/spool/postfix/opendkim/opendkim.sock
  • Set it in the defaults file (replace the existing value):
vi /etc/default/opendkim
SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Postfix configuration

vi /etc/postfix/main.cf
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

systemctl restart opendkim.service; systemctl status opendkim.service

systemctl restart postfix ; systemctl status postfix

Test

opendkim-testkey -d $OPENDKIM_DOMAIN -s default -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'default._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK
  • The line saying "key not secure" is perfectly normal (it only means the DNS answer was not DNSSEC-validated).
  • Check with https://mxtoolbox.com using "Email Health" and "DKIM Lookup", entering default._domainkey.example.com

References

dkim-filter

THIS PACKAGE IS DEPRECATED AND UNSUPPORTED

  • Install the package
sudo apt-get install dkim-filter
  • Prepare the directories for the socket
sudo mkdir -p /var/spool/postfix/milter/dkim-filter
sudo chown dkim-filter.dkim-filter /var/spool/postfix/milter/dkim-filter
sudo chmod 0755 /var/spool/postfix/milter/dkim-filter
  • Generate the keys for the domain:
sudo mkdir -p /etc/mail/dkim/keys/example.com
cd /etc/mail/dkim/keys/example.com
sudo dkim-genkey -r -d example.com
  • Link the key to the DNS name of the outgoing mail server of the domain to protect, for example mymailserver.example.com
sudo ln -s default.private mymailserver
  • Now declare which key to use to sign outgoing mail for the domain:
sudoedit /etc/dkim-keys.conf
*@example.com:example.com:/etc/mail/dkim/keys/example.com/mymailserver
  • Declare which IP addresses may send mail through this server without being subject to DKIM restrictions (in practice, any servers that relay through this one). If there are none, leave only the localhost entries:
sudoedit /etc/dkim-internalhosts.conf
127.0.0.1
::1
localhost
server2.example.com
server1.example.com
  • Then include this data in the configuration:
sudoedit /etc/dkim-filter.conf
  • Uncomment
 KeyList        /etc/dkim-keys.conf
  • Add
 InternalHosts    /etc/dkim-internalhosts.conf
  • Change the socket configuration if Postfix runs in a chroot
sudoedit /etc/default/dkim-filter
SOCKET="local:/var/spool/postfix/milter/dkim-filter/dkim-filter.sock"
  • Add postfix to the dkim-filter group so it can access the socket:
sudo gpasswd -a postfix dkim-filter

  • Restart the daemon
sudo invoke-rc.d dkim-filter restart

Postfix configuration for dkim-filter

  • Declare the DKIM milter for use in Postfix, adding it to the existing ones (if any):
sudoedit /etc/postfix/main.cf

smtpd_milters =
    unix:milter/dkim-filter/dkim-filter.sock
non_smtpd_milters =
    unix:milter/dkim-filter/dkim-filter.sock
milter_default_action = accept
  • Restart Postfix
sudo invoke-rc.d postfix restart


DK

mkdir -p /var/spool/postfix/milter/dk-filter
chown dk-filter.dk-filter /var/spool/postfix/milter/dk-filter
chmod 2755 /var/spool/postfix/milter/dk-filte

SPF

  • SPF states which mail servers are authorized to send mail for a given domain: a sort of MX record in reverse.

Checking incoming mail

  • WARNING: every server that relays to the one receiving the mail, INCLUDING THE BACKUP MXs, must already perform an SPF check, because they are going to be whitelisted. If the relay servers or backup MXs are not whitelisted, all mail received through them will fail SPF. If they are whitelisted but do not run an SPF check themselves, spam will get through.
  • Install the package:
sudo apt-get install postfix-policyd-spf-python
  • Whitelist the backup MXs or the servers that relay mail to this one
sudoedit /etc/postfix-policyd-spf-python/policyd-spf.conf

Whitelist = 1.2.3.4, 5.6.7.8, 9.10.11.12 
  • Declare the SPF policy rule BEFORE THE DNSBL ONES and AFTER reject_unauth_destination
sudoedit /etc/postfix/main.cf
smtpd_recipient_restrictions =
#...
#  reject_unauth_destination,
#...
   check_policy_service unix:private/policyd-spf,
#...
#  reject_rbl_client sbl.spamhaus.org,
  • Also add:
policyd-spf_time_limit = 3600

  • Define the daemon in Postfix:
sudoedit /etc/postfix/master.cf
# policyd-spf is a python3 script with its own shebang: run it directly,
# /usr/bin/python does not exist on Bookworm unless python-is-python3 is installed
policyd-spf  unix  -      n      n       -       0       spawn
            user=nobody argv=/usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf
  • Restart Postfix
sudo invoke-rc.d postfix restart

DNS configuration for SPF

  • Nothing needs to be configured on the mail server that sends the mail; you only need to set up the TXT record that states the policy:
@ IN TXT "v=spf1 mx a:mymailserver.example.com ~all"
  • @ means the default for the domain (i.e. when you look up the base domain), but you can just as easily specify the record for subdomains.
  • v=spf1 identifies it as an SPF record and gives the version.
  • mx says that mail may come from a machine matching the MX records for your domain. For smaller domains this is often all that is needed.
  • a specifies an A or AAAA record where mail may come from. This may be an outbound-only mail relay, a security appliance, a webserver that mails customers directly, or perhaps a marketing company's systems that send out mail blasts on your behalf.
  • ~all says that all other sources should soft fail (retryable failure, useful for testing). This can also be -all meaning to fail (reject/bounce) other sources, ?all meaning to ignore the policy (again useful for testing), and +all meaning to accept all others, which is probably not a good idea. With a, mx, etc. the + is implied, i.e. saying mx really means +mx. You can find much more on this syntax at: http://www.openspf.org/SPF_Record_Syntax
  • Check that the record is present with:
host -t txt example.com
example.com descriptive text "v=spf1 mx a:mymailserver.example.com ~all"
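The qualifiers and mechanisms explained above can be checked locally before the record is published, which avoids the two mistakes that matter most for a defender: a record ending in +all (anyone may send as the domain) and a record that exceeds the DNS lookup limit (it evaluates to permerror, so receivers ignore it). The following POSIX shell functions are an added example, not part of the wiki page: spf_all_policy reports which "all" qualifier a record ends with, spf_lookup_count counts the DNS-querying terms (RFC 7208 allows at most 10), and spf_lint combines both with a syntax check. The record strings are constructed examples and the function names are my own.

```shell
#!/bin/sh
# Local sanity checks for an SPF TXT record before publishing it.
set -f   # no pathname globbing, so terms like ?all and ~all are never expanded

# Print the policy for hosts not matched by any mechanism:
# pass | fail | softfail | neutral | missing   (no "all" term also means neutral)
spf_all_policy() {
    policy=missing
    for term in $1; do
        case "$term" in
            all|+all) policy=pass ;;
            -all)     policy=fail ;;
            '~all')   policy=softfail ;;
            '?all')   policy=neutral ;;
        esac
    done
    echo "$policy"
}

# Count the terms that cost a DNS lookup (a, mx, ptr, exists, include, redirect).
# ip4, ip6 and all are free; RFC 7208 caps the total at 10.
spf_lookup_count() {
    n=0
    for term in $1; do
        mech=${term#[+~?-]}          # strip an explicit qualifier
        case "$mech" in
            a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|include:*|redirect=*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print findings for record $1; return 0 if it is safe to publish, 1 otherwise
spf_lint() {
    rec=$1
    rc=0
    case "$rec" in
        "v=spf1 "*|"v=spf1") ;;
        *) echo "ERROR: record must start with v=spf1"; return 1 ;;
    esac
    case "$(spf_all_policy "$rec")" in
        pass)     echo "ERROR: +all authorizes every host on the Internet to send as this domain"; rc=1 ;;
        missing)  echo "WARN: no 'all' term, unlisted hosts get a neutral result" ;;
        neutral)  echo "WARN: ?all gives no protection (testing only)" ;;
        softfail) echo "INFO: ~all soft-fails unlisted hosts (switch to -all once tested)" ;;
        fail)     echo "OK: -all rejects unlisted hosts" ;;
    esac
    n=$(spf_lookup_count "$rec")
    [ "$n" -le 10 ] || { echo "ERROR: $n DNS-querying terms, limit is 10 (record would permerror)"; rc=1; }
    # anything after "all" is never evaluated, which usually signals a typo
    seen_all=0
    for term in $rec; do
        if [ "$seen_all" -eq 1 ]; then
            echo "WARN: '$term' comes after 'all' and is ignored"; break
        fi
        case "${term#[+~?-]}" in all) seen_all=1 ;; esac
    done
    return $rc
}

# Usage with the record from this page:
spf_lint "v=spf1 mx a:mymailserver.example.com ~all"
```

Run spf_lint against the exact string returned by host -t txt; the two ERROR cases are the ones worth blocking in a change review, the WARN lines are judgement calls.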

References