Install opendkim
[root@ns etc]# dnf install opendkim opendkim-tools
Check sysconfig
[root@ns etc]# cat sysconfig/opendkim
# Set the necessary startup options
OPTIONS="-x /etc/opendkim.conf"
# Set the default DKIM selector
DKIM_SELECTOR=default
# Set the default DKIM key location
DKIM_KEYDIR=/etc/opendkim/keys
So the configuration file is /etc/opendkim.conf, the selector is default, and the keys live in /etc/opendkim/keys.
Create the key
[root@ns etc]# opendkim-genkey -D /etc/opendkim/keys/ -d hoge.net -s default
A private key and a public key are generated.
[root@ns etc]# ls -l opendkim/keys
合計 8
-rw-------. 1 root root 916 3月 23 19:13 default.private
-rw-------. 1 root root 315 3月 23 19:13 default.txt
Change the ownership of the key files to the opendkim user.
[root@ns etc]# chown opendkim:opendkim opendkim/keys/*
[root@ns etc]# ls -l opendkim/keys
合計 8
-rw-------. 1 opendkim opendkim 916 3月 23 19:13 default.private
-rw-------. 1 opendkim opendkim 315 3月 23 19:13 default.txt
Check the public key. This record can be registered in your own domain's DNS exactly as it is and works without any problem.
[root@ns etc]# cat opendkim/keys/default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3D ~~ omitted ~~ lMHzysEot3aV5/Q+7ewwIqQIDAQAB" ) ; ----- DKIM key default for hoge.net
Checking and editing the configuration file
In my case I wanted to run with the defaults as far as possible, so I kept the changes to the bare minimum.
The MTA is sendmail, and the milter connection uses a UNIX socket.
[root@ns etc]# cat opendkim.conf
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
## BEFORE running OpenDKIM you must:
## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)
## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid. They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
## AddAllSignatureResults
## ADSPAction
## ADSPNoSuchDomain
## BogusPolicy
## DisableADSP
## LDAPSoftStart
## LocalADSP
## NoDiscardableMailTo
## On-PolicyError
## SendADSPReports
## UnprotectedPolicy
## CONFIGURATION OPTIONS
## Specifies the path to the process ID file.
PidFile /run/opendkim/opendkim.pid
## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
## messages.
Mode sv
## Log activity to the system log.
Syslog yes
## Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes
## If logging is enabled, include detailed logging about why or why not a message was
## signed or verified. This causes an increase in the amount of log data generated
## for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes
## Attempt to become the specified user before starting operations.
UserID opendkim:opendkim
## Create a socket through which your MTA can communicate.
#Socket inet:8891@localhost
Socket local:/run/opendkim/opendkim.sock
## Required to use local socket with MTAs that access the socket as a non-
## privileged user (e.g. Postfix)
Umask 002
## This specifies a text file in which to store DKIM transaction statistics.
## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics /var/spool/opendkim/stats.dat
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
SendReports yes
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster@example.com>
## Add a DKIM-Filter header field to messages passing through this filter
## to identify messages it has processed.
SoftwareHeader yes
## SIGNING OPTIONS
## Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/relaxed
## Domain(s) whose mail should be signed by this filter. Mail from other domains will
## be verified rather than being signed. Uncomment and use your domain name.
## This parameter is not required if a SigningTable is in use.
# Domain example.com
Domain hoge.net
## Defines the name of the selector to be used when signing messages.
Selector default
## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024
## Gives the location of a private key to be used for signing ALL messages. This
## directive is ignored if KeyTable is enabled.
KeyFile /etc/opendkim/keys/default.private
## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
# KeyTable /etc/opendkim/KeyTable
## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
# SigningTable refile:/etc/opendkim/SigningTable
## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
## Identifies a set "internal" hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts
For InternalHosts I removed the comment mark and added the internal addresses to TrustedHosts. It shows up in the log as well, but without that entry mail is not signed.
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList X.X.X.X
## Always oversign From (sign using actual From and a null From to prevent
## malicious signatures header fields (From and/or others) between the signer
## and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From
## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local.
# QueryCache yes
Rewriting sendmail.cf
Add the opendkim input mail filter to sendmail.mc.
The filter should naturally run first, so I placed it before the existing spamassassin and clmilter (clamav-milter) filters.
INPUT_MAIL_FILTER(`opendkim', `S=local:/var/run/opendkim/opendkim.sock, F=, T=R:2m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav-milter/clamav-milter.socket, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `opendkim,spamassassin,clmilter')dnl
Checking the public key in DNS
[root@ns etc]# dig default._domainkey.hoge.net txt
; <<>> DiG 9.18.24 <<>> default._domainkey.hoge.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24422
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;default._domainkey.hoge.net. IN TXT
;; ANSWER SECTION:
default._domainkey.hoge.net. 86400 IN TXT "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3D ~~ omitted ~~ lMHzysEot3aV5/Q+7ewwIqQIDAQAB"
;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Mar 28 10:31:46 JST 2025
;; MSG SIZE rcvd: 307
Also check the secondary DNS server (the nameserver must be given with @, otherwise dig just queries the default resolver)
[root@ns etc]# dig @ns2.hoge.net +short default._domainkey.hoge.net txt
"v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3D ~~ omitted ~~ lMHzysEot3aV5/Q+7ewwIqQIDAQAB"
It returned the record properly, so the zone transfer is OK.
Enable opendkim at boot
[root@ns etc]# systemctl enable opendkim
Try sending to Yahoo Mail
Send a message to Yahoo Mail and click the authentication information to see the verification results.
Both SPF and DKIM show PASS as the verification result.
The outbound mail log also records that the message was signed.
Checking DKIM signature verification on received mail
From the information added to the headers of mail received from Yahoo, confirm that signature verification was actually carried out.
It shows dkim=pass, which means the signature attached by the sending server was verified OK by the receiving server.
Afterword
These days, thankfully, many experienced people have posted a great deal of information about opendkim, which is a big help.
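As an added example (not from the original post), a parser for the Authentication-Results header OpenDKIM adds on receipt; the headers and host names are constructed placeholders. It only accepts lines whose authserv-id is our own verifier (ns.hoge.net), since a line that was already in the message when it arrived proves nothing about what this server verified.

```python
import re

# Constructed inbound header block for mail arriving at ns.hoge.net. The first
# Authentication-Results line is the one OpenDKIM adds on this host; the second was
# already present when the message arrived (some earlier hop wrote it) and must not
# be trusted. Values are placeholders, not captured from real mail.
INBOUND_HEADERS = (
    "Authentication-Results: ns.hoge.net;\n"
    "\tdkim=pass (1024-bit key; unprotected) header.d=yahoo.co.jp header.i=@yahoo.co.jp\n"
    "\theader.a=rsa-sha256 header.s=yahoo header.b=AbCdEf12\n"
    "Authentication-Results: mx.upstream.example; dkim=pass header.d=hoge.net\n"
    "From: someone@yahoo.co.jp\n"
)

def unfold(raw):
    """Undo RFC 5322 header folding (CRLF or LF followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def parse_auth_results(header_value):
    """Parse an Authentication-Results value (RFC 8601) into
    (authserv-id, [ {method, result, ptype.property: value, ...}, ... ])."""
    value = re.sub(r"\([^)]*\)", "", unfold(header_value))   # comments may contain ';'
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""        # drop optional version
    results = []
    for resinfo in parts[1:]:
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method, "result": result}
        entry.update(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append(entry)
    return authserv_id, results

def dkim_passes_from(headers_text, my_authserv_id):
    """(header.d, header.s) for every DKIM signature that *our* verifier reported as
    pass. Authentication-Results lines carrying another authserv-id are ignored:
    they were not produced by this MTA and prove nothing."""
    hits = []
    pattern = re.compile(r"^Authentication-Results:(.*?)(?=^\S|\Z)", re.M | re.S)
    for m in pattern.finditer(headers_text):
        authserv_id, results = parse_auth_results(m.group(1))
        if authserv_id != my_authserv_id:
            continue
        for r in results:
            if r["method"] == "dkim" and r["result"] == "pass":
                hits.append((r.get("header.d"), r.get("header.s")))
    return hits
```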