Beta Branch Automated DKIM setup with opendkim

Discussion in 'Beta release code' started by eva2000, Apr 12, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    53,229
    12,116
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,654
    Local Time:
    9:25 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    To ensure emails sent by a Centmin Mod LEMP stack server via the Postfix MTA are delivered properly and don't end up in users' spam box, there are a number of DNS related steps Centmin Mod users can take, including setting up valid DNS SPF/TXT records & PTR records as outlined here. DomainKeys Identified Mail (DKIM) setup is also useful; however, it's usually more complicated to set up and automation only gets you so far.

    DKIM Info

    Main hostname vs individual domains

    If you use 3rd party transactional email providers like Amazon SES, Mandrill, SparkPost, MailGun, Elasticmail etc., they may have their own required DKIM DNS configuration you have to set up for the main domains you send transactional email from. The below addons/opendkim.sh is only for the main hostname of your server and not your individual domains. You need DKIM set up for both your individual domains and the main hostname of the server. The addons/opendkim.sh addon is only for the main hostname of the server, which is set up in Getting Started Guide step 1.

    addons/opendkim.sh

    I am working on a new Centmin Mod 123.09beta01 or higher addon which will end up at addons/opendkim.sh and which will automatically install and configure the opendkim YUM package, configure the Postfix MTA properly and generate the keys etc. The only manual task will be for the Centmin Mod user to update their DNS records with the DKIM TXT record for the server main hostname and vhost site domain names.

    To run addons/opendkim.sh type the following:
    Code (Text):
    cd /usr/local/src/centminmod
    git stash
    git pull
    cd addons
    ./opendkim.sh
    


    By default addons/opendkim.sh will only set up DKIM for the server's main hostname, which is set up by the Centmin Mod end user as per Getting Started Guide step 1. You'd then manually update DNS with the DKIM TXT record for the server main hostname, i.e. host.domain.com.

    The addons/opendkim.sh script will create the DKIM TXT record file /etc/opendkim/keys/host.domain.com/default.txt, which you will add to your DNS via a TXT record, where host.domain.com would be your server's main hostname.

    Example /etc/opendkim/keys/host.domain.com/default.txt contents:
    Code (Text):
    default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
              "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDgpfeHa071A1qtOmV3Oa6n0CkYaH74z0WTXF2oMPzA9cqDi5EMKhXphwMOSQDDBfC4bQp2jwcf/THDO2LFa/yEI2WR69UabqDD4O47o0FcTrVKwvOQGYDGUoeguannuJ7q2AP2uo8g2ndmf8pLxYjyLrdfwfjntTEBYlxFR2I3wIDAQAB" )  ; ----- DKIM key default for host.domain.com
    

    Currently there's a slight bug in that for host.domain.com it isn't listed properly, as the DNS TXT record should be:
    Code (Text):
    default._domainkey.host.domain.com      IN      TXT     "v=DKIM1; k=rsa;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDgpfeHa071A1qtOmV3Oa6n0CkYaH74z0WTXF2oMPzA9cqDi5EMKhXphwMOSQDDBfC4bQp2jwcf/THDO2LFa/yEI2WR69UabqDD4O47o0FcTrVKwvOQGYDGUoeguannuJ7q2AP2uo8g2ndmf8pLxYjyLrdfwfjntTEBYlxFR2I3wIDAQAB"
    

    A log file is created by addons/opendkim.sh at /root/centminlogs/dkim_spf_dns_host.domain.com.txt:
    Code (Text):
    ls -lahrt /root/centminlogs/ | grep dkim
    -rw-r--r-- 1 root root  453 Apr 11 13:55 dkim_spf_dns_host.domain.com.txt
    

    It contains a copy of the DKIM TXT record as well as a generic SPF TXT record that you may also want to add as a DNS TXT record:
    Code (Text):
    cat /root/centminlogs/dkim_spf_dns_host.domain.com.txt
    host.domain.com DKIM DNS Entry
    default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
              "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDgpfeHa071A1qtOmV3Oa6n0CkYaH74z0WTXF2oMPzA9cqDi5EMKhXphwMOSQDDBfC4bQp2jwcf/THDO2LFa/yEI2WR69UabqDD4O47o0FcTrVKwvOQGYDGUoeguannuJ7q2AP2uo8g2ndmf8pLxYjyLrdfwfjntTEBYlxFR2I3wIDAQAB" )  ; ----- DKIM key default for host.domain.com
    host.domain.com SPF DNS Entry
    host.domain.com. 14400 IN TXT "v=spf1 a mx ~all"
    

    Sending a test email via SSH:
    Code (Text):
    echo "dkim test today `date`" | mail -s "dkim test `date`" email@domain.com
    

    Checking /var/log/maillog for the entry for the DKIM-signed test email:
    Code (Text):
    Apr 11 15:10:45 host opendkim[17520]: 4DF4E1210CF: DKIM-Signature field added (s=default, d=host.domain.com)
    

    Code (Text):
    Apr 11 15:10:40 host postfix/master[17620]: daemon started -- version 2.6.6, configuration /etc/postfix
    Apr 11 15:10:45 host postfix/pickup[17622]: 4DF4E1210CF: uid=0 from=<root>
    Apr 11 15:10:45 host postfix/cleanup[17630]: 4DF4E1210CF: message-id=<20160411151045.4DF4E1210CF@host.domain.com>
    Apr 11 15:10:45 host opendkim[17520]: 4DF4E1210CF: DKIM-Signature field added (s=default, d=host.domain.com)
    Apr 11 15:10:45 host postfix/qmgr[17623]: 4DF4E1210CF: from=<root@host.domain.com>, size=557, nrcpt=1 (queue active)
    Apr 11 15:11:06 host postfix/smtp[17633]: connect to aspmx.l.google.com[2607:f8b0:400e:c04::1b]:25: Connection timed out
    Apr 11 15:11:06 host postfix/smtp[17633]: setting up TLS connection to aspmx.l.google.com[74.125.25.27]:25
    Apr 11 15:11:06 host postfix/smtp[17633]: Trusted TLS connection established to aspmx.l.google.com[74.125.25.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Apr 11 15:11:06 host postfix/smtp[17633]: 4DF4E1210CF: to=<email@domain.com>, relay=aspmx.l.google.com[74.125.25.27]:25, delay=21, delays=0.07/0.04/21/0.16, dsn=2.0.0, status=sent (250 2.0.0 OK 1460387466 f90si3972783pfd.94 - gsmtp)
    Apr 11 15:11:06 host postfix/qmgr[17623]: 4DF4E1210CF: removed
    

    Now check your email inbox at email@domain.com, which in my case was a Google Apps/Gmail account. If you check the source headers you can see the OpenDKIM and DKIM signing:
    Code (Text):
    Delivered-To: email@domain.com
    Received: by 10.36.107.84 with SMTP id v81csp1425363itc;
            Mon, 11 Apr 2016 08:11:06 -0700 (PDT)
    X-Received: by 10.98.32.218 with SMTP id m87mr33644924pfj.48.1460387466359;
            Mon, 11 Apr 2016 08:11:06 -0700 (PDT)
    Return-Path: <root@host.domain.com>
    Received: from host.domain.com ([IP.ADDR])
            by mx.google.com with ESMTPS id f90si3972783pfd.94.2016.04.11.08.11.06
            for <email@domain.com>
            (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
            Mon, 11 Apr 2016 08:11:06 -0700 (PDT)
    Received-SPF: pass (google.com: domain of root@host.domain.com designates IP.ADDR as permitted sender) client-ip=IP.ADDR;
    Authentication-Results: mx.google.com;
           dkim=pass header.i=@host.domain.com;
           spf=pass (google.com: domain of root@host.domain.com designates IP.ADDR as permitted sender) smtp.mailfrom=root@host.domain.com;
           dmarc=pass (p=NONE dis=NONE) header.from=domain.com
    Received: by host.domain.com (Postfix, from userid 0)
        id 4DF4E1210CF; Mon, 11 Apr 2016 15:10:45 +0000 (UTC)
    DKIM-Filter: OpenDKIM Filter v2.10.3 host.domain.com 4DF4E1210CF
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=host.domain.com; s=default; t=1460387445;
        bh=seIcwWv49lEDwnTW+9Or1RMDgY4yxdZvQirBisrLv+U=;
        h=Date:To:Subject:From:From;
        b=MxF0nMwEPbO4Kveg/SyZhed+i4N0+xOKZYdLlN8XyfEK9f6lipQVp/3oq5lt5aAlu
        U9RaOQ9AJBL9hXShDbkrfPQxZjLK3JMwcZjeq7ha5v1f02G0cY87v8jaZrbFsmUtMk
        bmpHT5n/r6XGfQuL+pvcQQ5JcRoeyqD6gFbZBCnQ=
    Date: Mon, 11 Apr 2016 15:10:45 +0000
    To: email@domain.com
    Subject: dkim test Mon Apr 11 15:10:45 UTC 2016
    User-Agent: Heirloom mailx 12.4 7/29/08
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Message-Id: <20160411151045.4DF4E1210CF@host.domain.com>
    From: root@host.domain.com (root)
    
    dkim test today Mon Apr 11 15:10:45 UTC 2016
    


    DKIM Testing Tools

    There's a variety of DKIM testing tools too.
    You can also check the DKIM DNS TXT record via the SSH command line using dig:
    Code (Text):
    dig +short default._domainkey.host.domain.com TXT
    "v=DKIM1\; k=rsa\;" "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDgpfeHa071A1qtOmV3Oa6n0CkYaH74z0WTXF2oMPzA9cqDi5EMKhXphwMOSQDDBfC4bQp2jwcf/THDO2LFa/yEI2WR69UabqDD4O47o0FcTrVKwvOQGYDGUoeguannuJ7q2AP2uo8g2ndmf8pLxYjyLrdfwfjntTEBYlxFR2I3wIDAQAB"
    

    Status

    Currently, the addons/opendkim.sh addon is undergoing internal private testing and may or may not make it in time to be integrated into the 123.09beta01 branch before it goes stable. If you'd like to support Centmin Mod, also consider upgrading to Premium membership as well :)

    @Tracy Perry @Matt @RoldanLT will like this :)

     
    Last edited: Mar 21, 2017
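As an added example (not part of the thread or of the Centmin Mod addon), a small Python helper that reads the parenthesised default.txt that opendkim-genkey writes, emits the record with the fully-qualified owner name that the post says it should have, sanity-checks the p= public key, and compares it against dig +short output. The sample file contents and dig output are constructed from the values shown above; the 255-byte string splitting is the general rule for longer (e.g. 2048-bit) keys, which the 1024-bit key shown here does not need.

```python
import base64
import re

# Constructed sample of the default.txt that opendkim-genkey writes for the server
# hostname (the parenthesised multi-string form shown in the thread; key from the thread).
KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDgpfeHa071A1qtOmV3Oa6n0CkYaH74z0WTXF2oMPzA9cqDi5EMKhXphwMOSQDDBfC4bQp2jwcf/THDO2LFa/yEI2WR69UabqDD4O47o0FcTrVKwvOQGYDGUoeguannuJ7q2AP2uo8g2ndmf8pLxYjyLrdfwfjntTEBYlxFR2I3wIDAQAB"
SAMPLE_DEFAULT_TXT = (
    'default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "\n'
    '          "p=' + KEY + '" )  ; ----- DKIM key default for host.domain.com\n'
)
# Constructed sample of `dig +short default._domainkey.host.domain.com TXT` output
# (dig escapes semicolons as \; and prints each character-string quoted).
SAMPLE_DIG_OUTPUT = '"v=DKIM1\\; k=rsa\\;" "p=' + KEY + '"\n'

def txt_tags(text):
    """Join the quoted strings of a TXT record (BIND file or dig output), parse tag=value pairs."""
    joined = "".join(re.findall(r'"([^"]*)"', text)).replace("\\;", ";")
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def genkey_selector_and_domain(text):
    """Selector from the owner name; domain from opendkim-genkey's trailing comment."""
    selector = re.search(r"^(\S+)\._domainkey", text, re.M).group(1)
    domain = re.search(r"DKIM key \S+ for (\S+)", text).group(1)
    return selector, domain

def key_is_sane(tags):
    """v=/k= must be DKIM1/rsa and p= valid base64 DER SubjectPublicKeyInfo (SEQUENCE, 0x30)."""
    if tags.get("v") != "DKIM1" or tags.get("k") != "rsa":
        return False
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30

def fqdn_record(selector, domain, tags):
    """Record with the owner fully qualified (the form the thread says it should be), the
    value split into <=255-byte strings because a single TXT string cannot exceed 255 octets."""
    value = f"v={tags['v']}; k={tags['k']}; p={tags['p']}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}. IN TXT " + " ".join(f'"{c}"' for c in chunks)

def published_matches(dig_output, tags):
    """True when the key published in DNS (dig output) equals the key file's p= value."""
    return txt_tags(dig_output).get("p") == tags.get("p")
```

On a live server, feed it the contents of /etc/opendkim/keys/host.domain.com/default.txt and the output of the dig command above in place of the constructed samples.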
  2. eva2000

    eva2000 Administrator Staff Member

    53,229
    12,116
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,654
    Local Time:
    9:25 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    The latest addons/opendkim.sh version output when run will also tell you where the DKIM & SPF TXT records are saved to, i.e. at /root/centminlogs/dkim_spf_dns_centos7.localdomain_120416-141219.txt, where the server main hostname was centos7.localdomain.

    Code (Text):
    addons/opendkim.sh
    ---------------------------------------------------------------------------
    centos7.localdomain DKIM DNS Entry
    default._domainkey.centos7.localdomain  IN      TXT     "v=DKIM1; k=rsa; "        "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsA2vO13aEozDDiFL8JHOi5lPVbx/gM0Vc/uFMnUbfK3EAdolx3newoXwNJTXojME1epmejvSuxq82Zh120FkZ7maqXI/NeFy3kyoeESWXjW+pEvY6ve2IBiTg/dCb+SEw5rM5YXd9jk1UJOpyvUXdnTDmcQuhLOGrmEu0hRe0TQIDAQAB"
    ------------------------------------------------------------
    centos7.localdomain SPF DNS Entry
    centos7.localdomain. 14400 IN TXT "v=spf1 a mx ~all"
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    DKIM & SPF TXT details saved at /root/centminlogs/dkim_spf_dns_centos7.localdomain_120416-141219.txt
    ---------------------------------------------------------------------------
     
    Last edited: Apr 13, 2016
  3. eva2000

    eva2000 Administrator Staff Member

    53,229
    12,116
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,654
    Local Time:
    9:25 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Remember, addons/opendkim.sh is officially only meant for the main server hostname, i.e. hostname.domain.com of your server, and not other domains. So running
    Code (Text):
    /usr/local/src/centminmod/addons/opendkim.sh maindomain.com
    

    while supported, the DKIM entry generated on the server might not match the DKIM entry sent from emails @maindomain.com if you use a recommended 3rd party @yourdomain.com provider, i.e. Zoho Mail, Google G Suite, Microsoft Live/One domains etc., as they have their own generated DKIM DNS TXT entry you would be directed to add.

    To troubleshoot the addons/opendkim.sh setup, post to pastebin.com or gist.github.com the contents of the following files. You can use the cat command to output them to the display and then highlight, copy and paste the contents.
    • /etc/opendkim/KeyTable
      Code (Text):
      cat /etc/opendkim/KeyTable
    • /etc/opendkim/SigningTable
      Code (Text):
      cat /etc/opendkim/SigningTable
    • /etc/opendkim/TrustedHosts
      Code (Text):
      cat /etc/opendkim/TrustedHosts
    • /root/centminlogs/dkim_spf_dns_domain.com_${DT} where domain.com is the domain name and/or the server main hostname.domain.com you are setting up
      Code (Text):
      cat /root/centminlogs/dkim_spf_dns_domain.com_${DT}
    If you run the clean command below, you will reset and wipe all OpenDKIM KeyTable, SigningTable and TrustedHosts entries for the server's main hostname ONLY, leaving any vhostname sites you added, as the clean command is only for the main hostname. Then opendkim.sh will automatically re-run addons/opendkim.sh for the main hostname to regenerate a new DKIM signature TXT entry and require you to update your main hostname's domain DNS TXT entry for DKIM again.
    Code (Text):
    /usr/local/src/centminmod/addons/opendkim.sh clean
    