Deploy DKIM Milter for Multiple Domains on CentOS 5 with Sendmail

I decided that it was time to learn about DKIM and deploy on my servers. As a habit, I typically run CentOS 5 and Sendmail since it is the default MTA.

To install the DKIM milter, I would recommend using the packages provided by “Extra Packages for Enterprise Linux (EPEL)”, a Fedora project. Once you have the EPEL repo set up on your system, you can:


yum install dkim-milter

I found quite a few discrepancies between the suggestions online and the manual. I suspect some of it has to do with the way EPEL has packaged things. The config file (/etc/mail/dkim-milter/dkim-filter.conf) is fully self-documented and easy to understand. I made the following changes from the default config:


AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization simple/simple
Domain techsneeze.com
ExternalIgnoreList /etc/mail/dkim-milter/trusted-hosts
InternalHosts /etc/mail/dkim-milter/trusted-hosts
LogWhy yes
On-Default accept
On-BadSignature accept
On-DNSError accept
On-InternalError accept
On-NoSignature accept
On-Security accept
SignatureAlgorithm rsa-sha256
Socket local:/var/run/dkim-milter/dkim-milter.sock
Syslog yes
SyslogSuccess yes
UserID dkim-milter:dkim-milter
X-Header yes

Some of the main differences in this configuration:

  • To gain experience, I am choosing to accept messages even on failure.
  • Instead of binding to an IP/port, I prefer to run via a socket.
  • Enable additional logging.
  • Enable insertion of headers into processed messages.

Now that you have the base configuration set up, you’ll need to create the DKIM keys. After some trial and error, I created the following script to quickly and easily create keys for domains:


#!/bin/sh
# Usage: create-dkim <domain>
# Generates a DKIM key pair for <domain>, registers it in the milter's keylist
# and prints the DNS records that need to be added to the zone.
set -e
[ $# -eq 1 ] || { echo "usage: $0 domain" >&2; exit 1; }
DOMAIN=$1
KEYDIR=/etc/mail/dkim-milter/keys/$DOMAIN
mkdir -p "$KEYDIR"
# -D selects the output directory, -d the domain the key belongs to
/usr/sbin/dkim-genkey -D "$KEYDIR" -r -d "$DOMAIN"
# the keylist entry below refers to the private key as "default", so rename it
mv "$KEYDIR/default.private" "$KEYDIR/default"
chmod 700 "$KEYDIR"
chmod 600 "$KEYDIR"/default*
chown -R dkim-milter:dkim-milter "$KEYDIR"
echo "*@$DOMAIN:$DOMAIN:$KEYDIR/default" >> /etc/mail/dkim-milter/keys/keylist
# default.txt holds the public key record; the policy records follow it
cat "$KEYDIR/default.txt"
echo '_ssp._domainkey IN TXT "t=y; dkim=unknown"'
echo '_adsp._domainkey IN TXT "dkim=unknown"'

Simply pass the domain name to the script. The script creates the keys, places them in the appropriate location, and outputs the DNS entries you need to add to your zone file.


# create-dkim techsneeze.com
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbyfrEr1T+wluDzi2mbqqDteNk2R1XaC/KJ9rdXsC8Vs8aH9liekuHmqjEiAkvGEMqIHqWttb+I6MuHw/4t6HWiAR7Pp0WsaazfeT6jpwj96VlQSLRstMn3uChiEuqX4nbwhbrNBDQTHD3M28Aii/cdwvqpLVnf8NL6nyOC0joiwIDAQAB" ; ----- DKIM default for techsneeze.com
_ssp._domainkey IN TXT "t=y; dkim=unknown"
_adsp._domainkey IN TXT "dkim=unknown"

You’ll want to run this once for each domain you want to sign. As before, the “unknown” values in those DNS records are for the testing phase; you can tighten them once you have gained confidence in your configuration.
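Before publishing the records, it is worth checking that what default.txt printed is really what you think it is: that the p= value decodes to an RSA key of the size you expect and that the tags are the ones receivers will look up. The following script is an added example, not part of the original post or of dkim-milter; it parses the sample record shown above, walks the DER-encoded public key, and reports the selector, the modulus size and whether the t=y testing flag is set.

```python
import base64
import re

# Constructed from the post's sample output for techsneeze.com (p= split only for readability).
KEY_RECORD = (
    'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p='
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbyfrEr1T+wluDzi2mbqqDteNk2R1XaC/K"
    "J9rdXsC8Vs8aH9liekuHmqjEiAkvGEMqIHqWttb+I6MuHw/4t6HWiAR7Pp0WsaazfeT6jpwj"
    "96VlQSLRstMn3uChiEuqX4nbwhbrNBDQTHD3M28Aii/cdwvqpLVnf8NL6nyOC0joiwIDAQAB"
    '" ; ----- DKIM default for techsneeze.com'
)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def parse_txt(line):
    """Zone-file TXT line -> (owner, tag dict); quoted strings are joined the way
    a resolver concatenates them and the trailing ';' zone comment is ignored."""
    data = "".join(re.findall(r'"([^"]*)"', line))
    pairs = (item.split("=", 1) for item in data.split(";") if "=" in item)
    return line.split()[0], {k.strip(): v.strip() for k, v in pairs}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Walk a DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    tag, body, _ = _tlv(spki, 0)              # SubjectPublicKeyInfo SEQUENCE
    alg_tag, alg, pos = _tlv(body, 0)         # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _tlv(alg, 0)
    if (tag, alg_tag, oid_tag, oid) != (0x30, 0x30, 0x06, RSA_OID):
        raise ValueError("p= is not a DER-encoded rsaEncryption public key")
    bs_tag, bitstr, _ = _tlv(body, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsapub, _ = _tlv(bitstr[1:], 0)        # skip the unused-bits octet
    n_tag, modulus, _ = _tlv(rsapub, 0)       # INTEGER n (may carry a leading 0x00)
    if bs_tag != 0x03 or n_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()

def check_key_record(line):
    owner, tags = parse_txt(line)
    if (not owner.endswith("._domainkey") or "p" not in tags
            or tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa"):
        raise ValueError("not an RSA DKIM1 key record")
    bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    return {"selector": owner[:-len("._domainkey")], "bits": bits,
            "testing": "y" in tags.get("t", "")}
```

For the record above, check_key_record reports selector "default", a 1024-bit key and no testing flag; the same parse_txt function can be pointed at the _adsp._domainkey line to confirm it carries dkim=unknown.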

We can now start the milter:


service dkim-milter start

Now, the milter and DNS are configured, but Sendmail still needs to be configured! This is where I found I had to deviate the most from what other people online suggested.

As mentioned earlier, I preferred to use a socket instead of binding to an IP/port. I would also get errors when trying to send from a remote authenticated SMTP client. Even though I was authenticated, it would say:


dkim-filter[1234]: nf3edf31c8a2d4a4 not authenticated

To overcome the authentication issues and use the socket, I added the following to /etc/mail/sendmail.mc. The second line matters because dkim-filter decides whether a client is authenticated by looking at the {auth_type} and related macros, and Sendmail only passes those to the milter when they are listed in confMILTER_MACROS_ENVFROM:


INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/dkim-milter/dkim-milter.sock')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl

Now you need to do the following to rebuild the sendmail config:

cd /etc/mail; make && service sendmail restart

At this point you’ll want to check /var/log/maillog for any issues. I would recommend sending test messages to your Gmail and Yahoo accounts. Check the headers of the messages at each of those destinations (the Authentication-Results header in particular), and you should be able to see whether they were able to validate your DKIM signature.
