Day: May 2, 2025

  • Self-Hosted Email – Part three – OpenDKIM for thee

    I don’t remember if I ran this: “semanage port -a -t milter_port_t -p tcp <port>”

    The main config file for this is /etc/opendkim.conf, and we’ll get to that in a bit. I’m actually not even using OpenDKIM per se, but the milter, “milter” being a portmanteau of mail and filter. The milter adds a signature, made with a private key, to each email sent through it. So postfix sends to a local port for opendkim, opendkim does its thing, and sends it on to the internet (or possibly back to postfix, I can’t remember, and I am writing this weeks after the fact).

    After I read enough to understand how it worked, the official documentation was most useful in configuring snail. You generate a public/private key pair, publish the public key as a DNS TXT record, and use the private key to sign messages you are sending. This provides cryptographic proof that the email came from a server authorized to send mail for the domain. The selector is part of both the key generation and the published DNS record.

    I find it makes most sense to start with the DNS record, which is in the format:

    SELECTOR._domainkey.DOMAIN

    SELECTOR is whatever you want, but some say the convention is to only have your cert valid for a month and name it after the month and year or some shit, but no, I’m too lazy. The selector relates to the cert file stored on the system.

    _domainkey just tells anyone looking for the domain key that this is the text record they want.

    Do I really need to explain DOMAIN?

    The cert is generated by running:

    opendkim-genkey -s SELECTOR

    The private key is what Opendkim needs read access to, and I copied it to /etc/dkimkeys, which is the style in my distro.

    It also spits out the text part of the TXT record, so I copy/paste it and it seems fine. It can be tested with this once the DNS update is visible on the internet:

    opendkim-testkey -d DOMAIN -s SELECTOR -k rsa.private
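    As an added example (written for this post, not code from OpenDKIM or from the original), here is a stdlib-only Python check of the two tag=value formats involved: it builds the SELECTOR._domainkey.DOMAIN lookup name, validates a published key record of the kind opendkim-genkey writes to SELECTOR.txt (catching a revoked empty p=, bad base64, or t=y testing mode), and reads d= and s= back out of a DKIM-Signature header to confirm they lead to the same name and that From is among the signed headers. The domain example.com, the selector snail, and the key and signature bytes in the samples are constructed placeholders.

```python
import base64
import re

# Constructed sample inputs (placeholders, not a real key or a real signature).
SAMPLE_TXT = "v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=snail;"
              " h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=AAAA")


def dkim_lookup_name(selector, domain):
    """Name a verifier queries for the public key: SELECTOR._domainkey.DOMAIN."""
    selector = selector.strip().strip(".")
    domain = domain.strip().strip(".").lower()
    if not selector or not domain:
        raise ValueError("selector and domain must both be non-empty")
    return f"{selector}._domainkey.{domain}"


def parse_tag_list(text):
    """Parse the tag=value list (RFC 6376 section 3.2) used by both the TXT
    record and the DKIM-Signature header; whitespace inside values is ignored."""
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_problems(txt):
    """Problems with a published key record; an empty list means it looks usable."""
    problems = []
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":          # v is optional, but if present must be DKIM1
        problems.append("v tag present but not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type {tags['k']}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p tag")
    elif p == "":
        problems.append("empty p tag: this key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            if not der or der[0] != 0x30:          # SubjectPublicKeyInfo starts with a DER SEQUENCE
                problems.append("p tag does not decode to a DER public key")
        except ValueError:                         # binascii.Error is a ValueError subclass
            problems.append("p tag is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: testing mode, verifiers will not enforce failures")
    return problems


def signature_lookup(sig):
    """Read d= and s= out of a DKIM-Signature header value; return (lookup_name, problems)."""
    tags = parse_tag_list(sig)
    problems = []
    if tags.get("v") != "1":
        problems.append("unsupported signature version")
    for required in ("d", "s", "b", "bh", "h"):
        if required not in tags:
            problems.append(f"missing {required} tag")
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "from" not in signed:
        problems.append("h= does not cover From, which RFC 6376 requires")
    name = dkim_lookup_name(tags["s"], tags["d"]) if "d" in tags and "s" in tags else None
    return name, problems


if __name__ == "__main__":
    print(dkim_lookup_name("snail", "example.com"))
    print(key_record_problems(SAMPLE_TXT))
    print(signature_lookup(SAMPLE_SIG))
```

    Point the record check at the text opendkim-genkey wrote, and the signature check at a DKIM-Signature header copied from a message the server actually sent; if the two lookup names differ, opendkim is signing with a selector or domain other than the one you published.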

    I had to change the following parameters in main.cf, which, if you’ve followed along so far, I don’t need to explain:

    Domain			<DOMAIN>
    Selector		<SELECTOR>
    KeyFile		/etc/dkimkeys/<cert>.private

    This allows all hosts on the local subnet to use opendkim:

    InternalHosts		192.168.1.0/24

    And this has it listen on an inet socket:

    Socket			inet:8891@localhost

    After restarting Opendkim for the changes to take effect, we add some stuff to main.cf to tell postfix what’s up:

    ### OpenDKIM bullshit   ####
    ## should should document this better
    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891

    The bottom two lines are as they appear in the docs. I don’t know what the top two do, and past chris being the lazy sack-o-shit that he is, the comments are no help. eh.
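    The two sides of this wiring are written in different notations: OpenDKIM’s Socket takes inet:PORT@HOST, while Postfix’s smtpd_milters takes inet:HOST:PORT. Here is an added check, written for this post and not part of OpenDKIM or Postfix, that normalizes both and confirms they meet. It also answers what milter_default_action does: it is what Postfix does with a message when the milter cannot be reached, so accept means mail goes out unsigned while OpenDKIM is down, and tempfail (the Postfix default) defers it until OpenDKIM is back; milter_protocol is the Milter protocol version Postfix negotiates with the filter. The config fragments are constructed from the values in the post, with example.com and snail as placeholders.

```python
import re

# Constructed fragments built from the values in the post; example.com and snail are placeholders.
OPENDKIM_CONF = """\
Domain        example.com
Selector      snail
KeyFile       /etc/dkimkeys/snail.private
InternalHosts 192.168.1.0/24
Socket        inet:8891@localhost
"""

POSTFIX_MAIN_CF = """\
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
"""


def parse_opendkim_conf(text):
    """opendkim.conf lines are 'Name value' separated by whitespace; # starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            conf[name] = value.strip()
    return conf


def parse_main_cf(text):
    """main.cf lines are 'name = value'; # starts a comment (continuation lines not handled)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, _, value = line.partition("=")
            conf[name.strip()] = value.strip()
    return conf


def normalize_socket(spec, flavor):
    """Return a comparable tuple for a milter socket written in either notation:
    opendkim uses inet:PORT@HOST or local:/path, postfix uses inet:HOST:PORT or unix:/path."""
    scheme, _, rest = spec.partition(":")
    if scheme in ("local", "unix"):
        return ("unix", rest)
    if scheme != "inet":
        raise ValueError(f"unrecognised socket spec {spec!r}")
    if flavor == "opendkim":
        port, _, host = rest.partition("@")     # no @HOST means every interface
    else:
        host, _, port = rest.rpartition(":")
    host = host.lower()
    if host in ("127.0.0.1", "::1", "[::1]"):
        host = "localhost"
    return ("inet", host, int(port))


def milter_wiring_problems(opendkim_text, main_cf_text):
    """Confirm every milter Postfix talks to is the socket OpenDKIM listens on."""
    od = parse_opendkim_conf(opendkim_text)
    pf = parse_main_cf(main_cf_text)
    if "Socket" not in od:
        return ["opendkim.conf has no Socket line"]
    problems = []
    listen = normalize_socket(od["Socket"], "opendkim")
    if listen[0] == "inet" and listen[1] == "":
        problems.append("OpenDKIM Socket has no @host, so it listens on every interface")
    for key in ("smtpd_milters", "non_smtpd_milters"):
        for spec in re.split(r"[,\s]+", pf.get(key, "")):
            if spec and normalize_socket(spec, "postfix") != listen:
                problems.append(f"{key} = {spec} does not match OpenDKIM Socket {od['Socket']}")
    return problems


def fails_open(main_cf_text):
    """True when Postfix would accept mail unsigned if the milter is unreachable.
    The Postfix default is tempfail, which defers the message instead."""
    action = parse_main_cf(main_cf_text).get("milter_default_action", "tempfail")
    return action == "accept"


if __name__ == "__main__":
    print(milter_wiring_problems(OPENDKIM_CONF, POSTFIX_MAIN_CF))
    print("fails open:", fails_open(POSTFIX_MAIN_CF))
```

    Run it against the real /etc/opendkim.conf and /etc/postfix/main.cf after a restart; an empty list from the wiring check plus a deliberate choice on fails_open is the state you want, and a port typo on either side shows up as a mismatch rather than as silently unsigned mail.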

  • Self-Hosted Email – Part two – Postfix my dix

    I looked through several tutorials on configuring postfix, but none of them really fit my situation, so after maybe a month of going through those with lackluster results, I ended up following the official documentation.

    I started this configuration thinking I’d go for send and receive, but I broke receiving while getting sending to work, so receiving still points to namecheap, which just forwards everything to my spam gmail. I hope to revisit that at a later date.

    To begin with, postfix configuration is stored in /etc/postfix/main.cf. And after giving up on receiving, postfix doesn’t really need that much configuration to get working.

    I decided the most logical setup was to have the system only configured to send and receive mail for the local system and domain (basically the default install), with the rest of the config done through the virtual mailbox config.

    ###  vmailbox with postfix accounts
    virtual_mailbox_domains = <INTERNET DOMAINS>
    virtual_mailbox_base = /var/mail/vhosts
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_minimum_uid = 100
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000

    virtual_mailbox_domains tells the system which virtual domains to use.

    virtual_mailbox_base is a directory on the local filesystem and is the parent of all mailboxes.

    virtual_mailbox_maps points at a hash of the file /etc/postfix/vmailbox, which contains the email address-to-mailfile mappings (relative to the base) and must be rehashed with the postmap command after changes are made.

    The rest you can figure out.
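    An added check for the map file, not part of Postfix or of this post: it parses a constructed /etc/postfix/vmailbox, confirms each address’s domain is listed in virtual_mailbox_domains, and confirms each mailbox path stays inside virtual_mailbox_base (the paths are relative to the base, so a leading / or a ../ is a misconfiguration worth catching before running postmap). It also reports the delivery format, since Postfix’s virtual(8) delivers to a maildir when the path ends in / and to an mbox file otherwise. example.com, example.net and the addresses are placeholders standing in for the post’s <INTERNET DOMAINS>.

```python
import posixpath

# Constructed values standing in for the post's <INTERNET DOMAINS> and vmailbox file.
VIRTUAL_MAILBOX_DOMAINS = "example.com example.net"
VIRTUAL_MAILBOX_BASE = "/var/mail/vhosts"
VMAILBOX = """\
# address              mailbox path, relative to virtual_mailbox_base
chris@example.com      example.com/chris/
postmaster@example.com example.com/postmaster
nobody@example.org     example.org/nobody/
oops@example.com       ../../etc/passwd
"""


def parse_vmailbox(text):
    """Return (address, path) pairs from a vmailbox file: one 'key value' per line,
    blank lines and # comments skipped (the same shape postmap reads)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'address path', got {raw!r}")
        entries.append((parts[0], parts[1].strip()))
    return entries


def mailbox_format(path):
    """virtual(8): a path ending in / is a maildir, otherwise an mbox file."""
    return "maildir" if path.endswith("/") else "mbox"


def vmailbox_problems(text, domains, base):
    """Return one message per entry that Postfix would not deliver as intended."""
    allowed = {d.lower() for d in domains.replace(",", " ").split()}
    base = base.rstrip("/")
    problems = []
    for addr, path in parse_vmailbox(text):
        local, at, domain = addr.rpartition("@")
        if not at or not local:
            problems.append(f"{addr}: not a full address")
            continue
        if domain.lower() not in allowed:
            problems.append(f"{addr}: {domain} is not in virtual_mailbox_domains")
        # Paths are joined onto virtual_mailbox_base; anything that resolves outside it
        # would have the virtual delivery agent writing somewhere it should not.
        resolved = posixpath.normpath(posixpath.join(base, path))
        if posixpath.isabs(path) or not resolved.startswith(base + "/"):
            problems.append(f"{addr}: mailbox path {path!r} escapes {base}")
    return problems


if __name__ == "__main__":
    for addr, path in parse_vmailbox(VMAILBOX):
        print(f"{addr:24} {mailbox_format(path):8} {path}")
    for problem in vmailbox_problems(VMAILBOX, VIRTUAL_MAILBOX_DOMAINS, VIRTUAL_MAILBOX_BASE):
        print("PROBLEM:", problem)
```

    Run it with the real file and the real main.cf values before postmap; the domain check catches an address postfix will never route to the virtual agent, and the path check catches the kind of entry that puts a mailbox outside the directory the static uid 5000 is meant to own.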