DKIM with iRedMail

From KlavoWiki

The root domain (the domain name used during the iRedMail installation) already has a DKIM key.

Bug

There seems to be a bug with amavisd: it looks for its configuration at /etc/amavisd.conf rather than /etc/amavisd/amavisd.conf. A symlink works around it:

ln -s /etc/amavisd/amavisd.conf /etc/amavisd.conf

Private Key

Create Private Key

cd /var/lib/dkim/
amavisd genrsa mydomain.com.pem
chown amavis:amavis *pem
chmod 400 *pem

Enable Private Key

vi /etc/amavisd/amavisd.conf

Add the following line below the existing default dkim_key entry (replace mydomain.com with your domain):

dkim_key("mydomain.com", "dkim", "/var/lib/dkim/mydomain.com.pem");

Restart amavisd

systemctl restart amavisd

Public Key

Show Installed Keys

amavisd showkeys                     # Shows all keys for each installed domain name
amavisd showkeys mydomain.com        # Show key for specific domain

Publish Public Key

The showkeys command above prints the DNS record that needs to be created.
For the test domain the output looks like this:

; key#3 1024 bits, i=dkim, d=mytestdomain.com, /var/lib/dkim/mytestdomain.com.pem
dkim._domainkey.mytestdomain.com.       3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyjw+kV2uiVMzTqgz1Im/OtHNL"
  "YYwQQayCYkmNpx20F+IuNSiVtmKBhrwoMcb8fxooRIn5Em1P56xH1/WQppB9YVo/"
  "Amo4N11bWbjHRqb9ava4mWfrKJB+x7TEWDbX6Zy22SK1yEf0070Dy7e+ILvacAjD"
  "UONzDC2bedCT8G+jPQIDAQAB")

This means you need to create a single TXT record with the name

dkim._domainkey.mytestdomain.com

and the following value, entered as one line:

v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyjw+kV2uiVMzTqgz1Im/OtHNLYYwQQayCYkmNpx20F+IuNSiVtmKBhrwoMcb8fxooRIn5Em1P56xH1/WQppB9YVo/Amo4N11bWbjHRqb9ava4mWfrKJB+x7TEWDbX6Zy22SK1yEf0070Dy7e+ILvacAjDUONzDC2bedCT8G+jPQIDAQAB

Not that it matters much, but don't forget to set the TTL to 3600 (one hour), as shown in the showkeys output.
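The following script is an added example and is not part of the KlavoWiki page, iRedMail or amavisd. It parses the showkeys output in the format shown above (the page's own sample key is embedded as constructed input), joins the quoted strings into the single-line value you paste into DNS, checks that the p= tag decodes to an RSA public key and reports its size, and shows how a value longer than 255 characters is split back into several quoted strings, which is the form showkeys itself prints. The function names and the record parsing are assumptions of this example, not amavisd APIs.

```python
import base64
import binascii
import re

# Constructed sample input: the `amavisd showkeys` output quoted on this page.
SHOWKEYS_OUTPUT = """\
; key#3 1024 bits, i=dkim, d=mytestdomain.com, /var/lib/dkim/mytestdomain.com.pem
dkim._domainkey.mytestdomain.com.       3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyjw+kV2uiVMzTqgz1Im/OtHNL"
  "YYwQQayCYkmNpx20F+IuNSiVtmKBhrwoMcb8fxooRIn5Em1P56xH1/WQppB9YVo/"
  "Amo4N11bWbjHRqb9ava4mWfrKJB+x7TEWDbX6Zy22SK1yEf0070Dy7e+ILvacAjD"
  "UONzDC2bedCT8G+jPQIDAQAB")
"""

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1).
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")

# Each quoted string inside a TXT record holds at most 255 characters.
TXT_STRING_LIMIT = 255


def parse_showkeys(text):
    """Map record name -> joined single-line TXT value from showkeys output."""
    records, name, parts = {}, None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.match(r"^(\S+)\s+\d+\s+(?:IN\s+)?TXT\s+\($", line)
        if header:
            name, parts = header.group(1).rstrip("."), []
            continue
        parts.extend(re.findall(r'"([^"]*)"', line))
        if name and line.endswith(")"):  # closing parenthesis ends the record
            records[name] = "".join(parts)
            name = None
    return records


def parse_dkim_tags(value):
    """Split 'v=DKIM1; p=...' into a tag -> value dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def _der_length(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _enter(buf, i, tag):
    """Check the DER tag at buf[i]; return (content length, content offset)."""
    if i >= len(buf) or buf[i] != tag:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (tag, i))
    return _der_length(buf, i + 1)


def rsa_modulus_bits(der):
    """Modulus size of an rsaEncryption SubjectPublicKeyInfo, in bits."""
    _, i = _enter(der, 0, 0x30)            # SubjectPublicKeyInfo SEQUENCE
    alg_len, i = _enter(der, i, 0x30)      # AlgorithmIdentifier SEQUENCE
    i += alg_len                           # skip the OID and NULL parameters
    _, i = _enter(der, i, 0x03)            # subjectPublicKey BIT STRING
    i += 1                                 # unused-bits byte
    _, i = _enter(der, i, 0x30)            # RSAPublicKey SEQUENCE
    mod_len, i = _enter(der, i, 0x02)      # modulus INTEGER
    modulus = der[i:i + mod_len].lstrip(b"\x00")  # drop sign padding
    return len(modulus) * 8


def check_record(value):
    """Sanity-check a DKIM TXT value; returns (ok, detail)."""
    tags = parse_dkim_tags(value)
    if tags.get("v") != "DKIM1":
        return False, "missing or wrong v= tag"
    p = tags.get("p", "")
    if not p:
        return False, "empty p= (key revoked or value missing)"
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return False, "p= is not valid base64"
    if RSA_OID_DER not in der:
        return False, "p= is not an rsaEncryption SubjectPublicKeyInfo"
    try:
        bits = rsa_modulus_bits(der)
    except ValueError as exc:
        return False, "malformed public key: %s" % exc
    return True, "%d-bit RSA key" % bits


def to_txt_strings(value, limit=TXT_STRING_LIMIT):
    """Split a long TXT value into quoted strings of at most `limit` chars."""
    return ['"%s"' % value[i:i + limit] for i in range(0, len(value), limit)]


if __name__ == "__main__":
    for name, value in parse_showkeys(SHOWKEYS_OUTPUT).items():
        print(name, check_record(value))
        print("single-line value:", value)
        print("as zone-file strings:", " ".join(to_txt_strings(value)))
```

Paste the printed single-line value into the DNS control panel; if your provider only accepts 255-character strings, use the quoted strings from to_txt_strings instead, since resolvers concatenate them back into one value.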

Test Keys

amavisd testkeys                # Test the published public keys of all domains
amavisd testkeys domain.com     # Test the public key of a specific domain

Security

I've seen recommendations that the private/public keys should be replaced on a regular basis. I haven't seen specifics, but I'm guessing once every 6 or 12 months.

Currently most DNS servers don't support records with very long values, so using a 2048-bit key won't work; for now, stick with 1024-bit keys.