thecweb.com

A place just for me

Don’t remember if I ran this “semanage port -a -t milter_port_t -p tcp <port>”

The main config file for this is /etc/opendkim.conf, and we’ll get to that in a bit. I’m actually not even using OpenDKIM per se, but the milter, milter being a portmanteau of mail and filter. The milter adds a signature, made with a private key, to each email sent through it. So Postfix sends to a local port for OpenDKIM, OpenDKIM does its thing, and sends it on to the internet (or possibly back to Postfix, I can’t remember, and I am writing this weeks after the fact).

After I read enough to understand how it worked, the official documentation was most useful in configuring snail. You generate a public/private key pair, publish the public key as a TXT record, and use the private key to sign messages you are sending. This provides cryptographic proof that the email came from a server authorized to send mail for the domain. The selector is part of both the key generation and the published DNS record.

I find it makes most sense to start with the DNS record, which is in the format:

SELECTOR._domainkey.DOMAIN

SELECTOR is whatever you want, but some say the convention is to only have your cert valid for a month and name it after the month and year or some shit, but no, I’m too lazy. The selector corresponds to the cert file stored on the system.

_domainkey just tells anyone looking for the domain key that this is the text record they want.

do I really need to explain DOMAIN?

The cert is generated by running:

opendkim-genkey -s SELECTOR

The private key is what Opendkim needs read access to, and I copied it to /etc/dkimkeys, which is the style in my distro.

It also spits out the text part of the TXT record, so I copy/paste it and it seems fine. It can be tested with this once the DNS record has propagated:

opendkim-testkey -d DOMAIN -s SELECTOR -k rsa.private
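Before trusting the copy/paste step above, it is worth checking the record you are about to publish. The following is an added example (mine, not from this post or from OpenDKIM): it builds the SELECTOR._domainkey.DOMAIN name, joins the quoted pieces of the SELECTOR.txt file that opendkim-genkey writes, and flags the usual mistakes (wrong v tag, empty or mangled p tag). The sample record and its p value are constructed placeholders, not a real key.

```python
"""Sanity-check a DKIM selector record before publishing it (added example,
not from the post or from OpenDKIM). Builds the SELECTOR._domainkey.DOMAIN
name described above and parses the SELECTOR.txt that opendkim-genkey writes,
whose record is split into quoted strings that must be joined. Stdlib only."""
import base64
import re

def dkim_record_name(selector: str, domain: str) -> str:
    """Name of the TXT record a verifier queries for this selector."""
    return f"{selector}._domainkey.{domain}"

def join_genkey_txt(txt: str) -> str:
    """Concatenate the quoted pieces of an opendkim-genkey .txt file."""
    return "".join(re.findall(r'"([^"]*)"', txt))

def parse_tags(record: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a dict of tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def check_record(tags: dict) -> list:
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v is optional, but must be DKIM1 if given
        problems.append("v tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":  # k defaults to rsa
        problems.append("k tag is not rsa")
    p = tags.get("p")
    if p is None:
        problems.append("missing p tag (public key)")
    elif p == "":
        problems.append("empty p tag: this revokes the selector")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p tag is not valid base64 (copy/paste damage?)")
    return problems

# Constructed sample in the shape of opendkim-genkey's SELECTOR.txt output;
# the p value is a short placeholder, not a real RSA public key.
SAMPLE_TXT = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDk" )  ; ----- DKIM key mail for example.com\n'
)
```

Run `check_record(parse_tags(join_genkey_txt(open("SELECTOR.txt").read())))` against your own genkey output; an empty list means the record is at least well-formed before you hand it to DNS.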

I had to change the following parameters in /etc/opendkim.conf, which if you’re following so far I don’t need to explain:

Domain			<DOMAIN>
Selector		<SELECTOR>
KeyFile		/etc/dkimkeys/<cert>.private

This allows all hosts on the local subnet to use opendkim:

InternalHosts		192.168.1.0/24

And listen on an inet socket:

Socket			inet:8891@localhost

After restarting Opendkim for the changes to take effect, we add some stuff to main.cf to tell postfix what’s up:

### OpenDKIM bullshit   ####
## should should document this better
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

The bottom two lines are as they appear in the docs. I don’t know what the top two do, and past chris being the lazy sack-o-shit that he is, the comments are no help. eh.
