§2024-04-27 - review on 2024-05-03 10:18
¶ how to set up DKIM with postfix by ChatGPT
Setting up DKIM (DomainKeys Identified Mail) for Postfix involves a few steps to generate the DKIM keys and configure Postfix to use them. Here's a general guide on how to set it up:
- Install OpenDKIM: First, you need to install OpenDKIM if you haven't already. You can typically do this using your package manager. For example, on Ubuntu or Debian:
sudo apt-get install opendkim opendkim-tools
- Generate DKIM Keys: Use the opendkim-genkey command to generate your DKIM key pair. Specify your domain name with the -d option. For example:
sudo opendkim-genkey -t -s mail -d h2jammy.yushei.net
This will generate two files: mail.private (your private key) and mail.txt (your public key), stored in the directory where the command is run.
alexlai@h2Jammy:/etc/opendkim$ pwd
/etc/opendkim
alexlai@h2Jammy:/etc/opendkim$ sudo mkdir dkimKeys && cd $_
alexlai@h2Jammy:/etc/opendkim/dkimKeys$ sudo opendkim-genkey -t -s mail -d h2jammy.yushei.net
alexlai@h2Jammy:/etc/opendkim/dkimKeys$ ls -l
total 8
-rw------- 1 root root 1704 五 3 10:23 mail.private
-rw------- 1 root root 513 五 3 10:23 mail.txt
alexlai@h2Jammy:/etc/opendkim/dkimKeys$ sudo cat mail.private
-----BEGIN PRIVATE KEY-----
(private key material omitted)
-----END PRIVATE KEY-----
alexlai@h2Jammy:/etc/opendkim/dkimKeys$ sudo cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA04DhjXmwTr2p2EB6VowA55f3Y33ugO0DwyJeHu5EZT7eNNjfbfQZMcXtHB9e15kQ34YJjZVhv2iOBryaotpx0TWtPzbXekpq/jZdMaopcf/HGbN6A53b5l/AsgvSGG+Gd2bwiF2RGBHL/lEo0JpX/hUvpL5NNtFHaILAWc9w6c1FTS1bqyF3NkqljcGuCBnLpa3p5q3IeoBcVN"
"zM2Qhzm5VuVI7+IZzWp4/rRznG8gqd2jYqkjWI4D7JjdN/JGE/LTtHXm5VVm4Aq9NEptMPGidvoSOdvdCq6s3h1Ix8kp6JqNiIU2Nyo1KgP0uQySMUFu0iewiHGNp2cqj5a7IL5wIDAQAB" ) ; ----- DKIM key mail for h2jammy.yushei.net
alexlai@h2Jammy:/etc/opendkim/dkimKeys$ sudo cp -v mail.private /etc/postfix/dkim.key
'mail.private' -> '/etc/postfix/dkim.key'
When you put the contents of mail.txt into the DNS TXT record, remove ALL double quotes (") AND blanks.
Reference: https://tecadmin.net/setup-dkim-with-postfix-on-ubuntu-debian/
Name/Target: yourselector._domainkey Content: Value you’ve copied in the previous stage. Make sure to remove any spaces or double-quotes.
e.g. v=DKIM1; h=sha256; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA04DhjXmwTr2p2EB6VowA55f3Y33ugO0DwyJeHu5EZT7eNNjfbfQZMcXtHB9e15kQ34YJjZVhv2iOBryaotpx0TWtPzbXekpq/jZdMaopcf/HGbN6A53b5l/AsgvSGG+Gd2bwiF2RGBHL/lEo0JpX/hUvpL5NNtFHaILAWc9w6c1FTS1bqyF3NkqljcGuCBnLpa3p5q3IeoBcVNzM2Qhzm5VuVI7+IZzWp4/rRznG8gqd2jYqkjWI4D7JjdN/JGE/LTtHXm5VVm4Aq9NEptMPGidvoSOdvdCq6s3h1Ix8kp6JqNiIU2Nyo1KgP0uQySMUFu0iewiHGNp2cqj5a7IL5wIDAQAB
- Configure OpenDKIM: Next, you need to configure OpenDKIM. Edit the configuration file, typically located at /etc/opendkim.conf, and make sure it includes at least the following lines:
Domain example.com
KeyFile /etc/opendkim/keys/example.com/mail.private
Selector mail
Make sure to replace example.com with your actual domain name.
alexlai@h2Jammy:/etc/opendkim/dkimKeys$ sudo cat /etc/opendkim.conf
# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.
Syslog yes
SyslogSuccess yes
#LogWhy no
# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
#Mode sv
#SubDomains no
OversignHeaders From
# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain h2jammy.yushei.net
Selector mail
KeyFile /etc/postfix/dkim.key
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
- the /etc/opendkim.conf currently in use on h2jammy.yushei.net:
# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.
Syslog yes
SyslogSuccess yes
#LogWhy no
# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
#Mode sv
#SubDomains no
OversignHeaders From
# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain h2jammy.yushei.net
Selector mail
KeyFile /etc/opendkim/mail.private
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
- Configure Postfix to use OpenDKIM: Open your Postfix configuration file, typically located at /etc/postfix/main.cf, and add or modify the following lines (in my case I added these lines at the end):
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
- Start OpenDKIM and Restart Postfix: After making these changes, restart OpenDKIM and Postfix to apply the configuration changes:
sudo systemctl restart opendkim
- error: /home/alexlai/dkim/mail.private: key data is not secure: /home/alexlai is writeable and owned by uid 1026 which is not the executing uid (133) or the superuser
root@h2Jammy:/home/alexlai/dkim# mkdir -p /etc/opendkim
root@h2Jammy:/home/alexlai/dkim# mv -v /home/alexlai/dkim/* /etc/opendkim
renamed '/home/alexlai/dkim/mail.private' -> '/etc/opendkim/mail.private'
renamed '/home/alexlai/dkim/mail.txt' -> '/etc/opendkim/mail.txt'
root@h2Jammy:/home/alexlai/dkim# nano /etc/opendkim.conf
root@h2Jammy:/home/alexlai/dkim# diff /etc/opendkim.conf /etc/opendkim.conf.ori
22,24c22,24
< Domain h2jammy.yushei.net
< Selector mail
< KeyFile /etc/opendkim/mail.private
---
> #Domain example.com
> #Selector 2020
> #KeyFile /etc/dkimkeys/example.private
sudo systemctl restart postfix
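The two failures recorded on this page, the "key data is not secure" error above and the "connect to Milter service inet:localhost:8891: Connection refused" warning that appears once Postfix is restarted, both come from the OpenDKIM and Postfix configuration disagreeing with each other. The following script is an added example, not code from the page, from OpenDKIM or from Postfix: it parses the Socket lines of opendkim.conf and the smtpd_milters / non_smtpd_milters lines of main.cf, normalises both spellings (OpenDKIM's inet:PORT@HOST versus Postfix's inet:HOST:PORT) and reports every endpoint Postfix will try to reach that OpenDKIM does not open. It also carries an approximation of the key-path ownership check behind the error message; the configuration fragments, the domain example.net and the uid values are constructed for the example.

```python
import os
import re
import stat

# Constructed configuration fragments modelled on the page's files. The
# "broken" OpenDKIM one still has the inet Socket line commented out, which is
# what makes Postfix log "connect to Milter service inet:localhost:8891:
# Connection refused".
OPENDKIM_CONF_BROKEN = """\
Domain example.net
Selector mail
KeyFile /etc/opendkim/mail.private
UserID opendkim
Socket local:/run/opendkim/opendkim.sock
#Socket inet:8891@localhost
"""
OPENDKIM_CONF_FIXED = OPENDKIM_CONF_BROKEN.replace("#Socket inet", "Socket inet")
POSTFIX_MAIN_CF = """\
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
"""


def normalise_endpoint(endpoint: str, syntax: str) -> tuple:
    """Map both spellings onto one tuple. OpenDKIM writes inet:PORT@HOST
    (host optional, meaning all interfaces); Postfix writes inet:HOST:PORT."""
    kind, _, rest = endpoint.partition(":")
    if kind in ("local", "unix"):
        return ("local", rest)
    if kind == "inet":
        if syntax == "opendkim":
            port, _, host = rest.partition("@")
        else:
            host, _, port = rest.rpartition(":")
        return ("inet", host or "*", int(port))
    raise ValueError(f"unknown milter endpoint {endpoint!r}")


def opendkim_sockets(conf: str) -> set:
    """Endpoints OpenDKIM will listen on; a commented-out Socket line does not count."""
    found = set()
    for raw in conf.splitlines():
        m = re.match(r"Socket\s+(\S+)", raw.strip())
        if m:
            found.add(normalise_endpoint(m.group(1), "opendkim"))
    return found


def postfix_milters(main_cf: str) -> set:
    """Endpoints Postfix will connect to (smtpd_milters and non_smtpd_milters)."""
    found = set()
    for raw in main_cf.splitlines():
        m = re.match(r"\s*(?:non_)?smtpd_milters\s*=\s*(.*)", raw)
        if m:
            for ep in re.split(r"[,\s]+", m.group(1).strip()):
                if ep:
                    found.add(normalise_endpoint(ep, "postfix"))
    return found


def unreachable_milters(opendkim_conf: str, main_cf: str) -> list:
    """Endpoints Postfix expects but OpenDKIM does not open. Each one yields a
    'Connection refused' warning and, because milter_default_action = accept,
    mail that leaves the server unsigned without being rejected."""
    listening = opendkim_sockets(opendkim_conf)
    return sorted(ep for ep in postfix_milters(main_cf) if ep not in listening)


def key_path_problems(key_file: str, daemon_uid: int, stat_fn=os.stat) -> list:
    """Approximation (written for this example, not OpenDKIM's own code) of the
    check behind the page's 'key data is not secure' error: the key file and
    every directory above it must not be writable by group or other, and where
    the owner can write, that owner must be the daemon uid or root."""
    problems = []
    path = os.path.abspath(key_file)
    while True:
        st = stat_fn(path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or other")
        elif st.st_mode & stat.S_IWUSR and st.st_uid not in (0, daemon_uid):
            problems.append(f"{path}: writable by uid {st.st_uid}, "
                            f"which is not the daemon uid {daemon_uid} or root")
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return problems


if __name__ == "__main__":
    print("broken:", unreachable_milters(OPENDKIM_CONF_BROKEN, POSTFIX_MAIN_CF))
    print("fixed: ", unreachable_milters(OPENDKIM_CONF_FIXED, POSTFIX_MAIN_CF))
```

Run it against real files by reading /etc/opendkim.conf and /etc/postfix/main.cf into the two strings; an empty list from unreachable_milters is the state the page reaches after uncommenting Socket inet:8891@localhost. The stat_fn parameter exists so the ownership walk can be exercised on a made-up directory tree without root, which is how the accompanying test drives it.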
- Publish the DKIM public key in DNS: The last step is to publish your DKIM public key in DNS. The contents of the mail.txt file contain the DKIM record that you should add to your DNS records as a TXT record. The record should look something like this:
mail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=<your-public-key>"
v=DKIM1; h=sha256; k=rsa; t=y; \" \"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA2IAxLyotkJGq9XaoIJF1f3lcYWZRHnNxl671GPHCIh7XYTgp5LMOUWbXaODht7yAmOCBRpL8bHur+fD0bs7YGx/wJ7hI4lmsOBx6OoFyHJMmR9e4ABcBTskpOnVOuJtMhX0Jn375BJzyXIQE40mTvQgX0zmZgY0KjA20tLV/GywvCTINonJBZfDK1RLB1FIxITZhmy+4B4mL\" \"NjGVdus0MNaoHhcR0VE0Ahmdys6DZ4M/H4aEhNY9Kdfkm6EZ3hIZ2+945M3L/FO+Nn+/R/tAKXq+oLzHNM49XxEj0JQnI3eaaVwQqKsUUIrbDNLmM909Yx1IK/Rgk19lT5AgnNjQIDAQAB\" ) ; ----- DKIM key mail for h2jammy.yushei.net
dig +short TXT mail._domainkey.h2jammy.yushei.net
Replace example.com with your domain name, and
Once these steps are completed, your Postfix setup should be configured to sign outgoing emails with DKIM.
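Two places above deal with the same operation: turning the quoted, wrapped record in mail.txt into the single value that goes into the DNS TXT record ("remove ALL double quotes AND blanks"), and then checking what is published with dig. The script below is an added example, not code from the page or from the OpenDKIM project: it joins the quoted strings of a mail.txt record and strips every blank, parses the resulting tag list, and validates the p= blob far enough to catch the copy-paste damage that removing quotes by hand invites (a stray quote or blank makes the base64 invalid; a dropped run of characters still decodes but no longer matches the length the DER SubjectPublicKeyInfo declares). The sample record is constructed: its key blob is a DER SEQUENCE header plus filler bytes sized like a 2048-bit RSA key, not a real key, and the domain example.net is made up.

```python
import base64
import re


def make_sample_mail_txt() -> str:
    """Constructed mail.txt in the layout opendkim-genkey writes (not the page's
    real key): the p= blob is a DER SEQUENCE header plus filler bytes, sized
    like a 2048-bit RSA SubjectPublicKeyInfo (294 bytes) so that, like the
    page's record, it is split across two quoted strings."""
    body_len = 290
    der = b"\x30\x82" + body_len.to_bytes(2, "big") + b"\x00" * body_len
    p = base64.b64encode(der).decode()
    return (
        'mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; "\n'
        f'  "p={p[:250]}"\n'
        f'  "{p[250:]}" ) ; ----- DKIM key mail for example.net\n'
    )


def join_txt_strings(mail_txt: str) -> str:
    """Concatenate the quoted strings of the BIND-style record and drop every
    blank: the single value the page says to paste into the DNS TXT record."""
    parts = re.findall(r'"([^"]*)"', mail_txt)
    return re.sub(r"\s+", "", "".join(parts))


def parse_tags(record: str) -> dict:
    """Split a DKIM record into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in record.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def der_declared_length(blob: bytes):
    """Total length a DER SEQUENCE claims for itself, or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_dkim_record(record: str):
    """Return (errors, notes) for a joined DKIM record. Errors are things a
    verifier would reject; notes are operational reminders."""
    errors, notes = [], []
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1":
        errors.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        errors.append(f"unexpected key type k={tags.get('k')}")
    p = tags.get("p", "")
    if not p:
        errors.append("p= missing or empty (an empty p= means the key is revoked)")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:
            errors.append("p= is not valid base64: a stray quote, blank or truncation from copy-paste")
        else:
            if der_declared_length(der) != len(der):
                errors.append("p= decodes, but the DER length does not match: key blob truncated or garbled")
    if "y" in tags.get("t", "").split(":"):
        notes.append("t=y: testing mode, remove it once signatures verify in production")
    return errors, notes


def zone_file_strings(record: str, limit: int = 255) -> list:
    """Split the joined value back into <=255-byte strings for a zone file;
    DNS provider web forms normally do this split themselves."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


if __name__ == "__main__":
    rec = join_txt_strings(make_sample_mail_txt())
    print(rec)
    print(check_dkim_record(rec))
```

To check a published record rather than the file, feed the output of dig +short TXT mail._domainkey.<your domain> to join_txt_strings: dig prints the same quoted-string form, so the joined value should match what was built from mail.txt, and check_dkim_record should return no errors.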
warning: connect to Milter service inet:localhost:8891: Connection refused ?? how to fix it, I forgot
alexlai@h2Jammy:~$ diff /etc/opendkim.conf.ori /etc/opendkim.conf
22,24c22,24
< #Domain example.com
< #Selector 2020
< #KeyFile /etc/dkimkeys/example.private
---
> Domain h2jammy.yushei.net
> Selector mail
> KeyFile /etc/opendkim/mail.private
38c38
< #Socket inet:8891@localhost
---
> Socket inet:8891@localhost
alexlai@h2Jammy:~$
alexlai@h2Jammy:~$ mail -s "test sendmail to gmail.com"
To: rai.sousuke@gmail.com
Cc:
Time 2024-04-27 15:41
Hi
Bye
.
Apr 27 15:41:53 h2Jammy postfix/pickup[2194]: 94CBA4318D0E1: uid=1026 from=<alexlai@h2Jammy.yushei.net>
Apr 27 15:41:53 h2Jammy postfix/cleanup[2690]: 94CBA4318D0E1: message-id=<20240427074153.94CBA4318D0E1@h2Jammy.yushei.net>
Apr 27 15:41:53 h2Jammy opendkim[882]: 94CBA4318D0E1: DKIM-Signature field added (s=mail, d=h2jammy.yushei.net)
Apr 27 15:41:53 h2Jammy postfix/qmgr[2195]: 94CBA4318D0E1: from=<alexlai@h2Jammy.yushei.net>, size=441, nrcpt=1 (queue active)
Apr 27 15:41:55 h2Jammy postfix/smtp[2692]: 94CBA4318D0E1: to=<rai.sousuke@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.188.26]:25, delay=1.7, delays=0.08/0.05/0.94/0.61, dsn=2.0.0, status=sent (250 2.0.0 OK 1714203715 o10-20020a170902d4ca00b001e587993faasi1051515plg.626 - gsmtp)
Apr 27 15:41:55 h2Jammy postfix/qmgr[2195]: 94CBA4318D0E1: removed
---
Below: kept for record only
alexlai@h2Jammy:$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 h2Jammy.yushei.net ESMTP Postfix (Ubuntu)
EHLO h2jammy.yushei.net
250-h2Jammy.yushei.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
MAIL FROM: alexlai@h2jammy.yushei.net
250 2.1.0 Ok
RCPT TO: rai.sousuke@mac.com
250 2.1.5 Ok
RCPT TO: rai.sousuke@gmail.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Apr 25 19:44:31 h2Jammy postfix/smtpd[22708]: warning: connect to Milter service inet:localhost:8891: Connection refused
Apr 25 19:45:19 h2Jammy postfix/smtpd[22708]: 65AAF2964924D: client=localhost[127.0.0.1]
Apr 25 19:46:38 h2Jammy postfix/cleanup[22714]: 65AAF2964924D: message-id=<20240425114519.65AAF2964924D@h2Jammy.yushei.net>
Apr 25 19:46:38 h2Jammy postfix/qmgr[22083]: 65AAF2964924D: from=<alexlai@h2jammy.yushei.net>, size=519, nrcpt=2 (queue active)
Apr 25 19:46:38 h2Jammy postfix/smtp[22718]: connect to gmail-smtp-in.l.google.com[2404:6800:4008:c05::1a]:25: Network is unreachable
Apr 25 19:46:39 h2Jammy postfix/smtp[22718]: 65AAF2964924D: to=<rai.sousuke@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.187.27]:25, delay=96, delays=95/0.02/0.63/0.73, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[64.233.187.27] said: 550-5.7.26 This mail has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [h2jammy.yushei.net] with ip: [59.126.118.194] = did not pass 550-5.7.26 550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication z7-20020a170902d54700b001ea2838f1d3si4612383plf.458 - gsmtp (in reply to end of DATA command))
Apr 25 19:46:45 h2Jammy postfix/smtp[22719]: 65AAF2964924D: to=<rai.sousuke@mac.com>, relay=mx01.mail.icloud.com[17.57.155.25]:25, delay=102, delays=95/0.04/1.4/6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4A2161AC0129)
Apr 25 19:46:45 h2Jammy postfix/cleanup[22714]: 792502964925A: message-id=<20240425114645.792502964925A@h2Jammy.yushei.net>
Apr 25 19:46:45 h2Jammy postfix/bounce[22720]: 65AAF2964924D: sender non-delivery notification: 792502964925A
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 792502964925A: from=<>, size=3664, nrcpt=1 (queue active)
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 65AAF2964924D: removed
Apr 25 19:46:45 h2Jammy postfix/local[22723]: 792502964925A: to=<alexlai@h2jammy.yushei.net>, relay=local, delay=0.02, delays=0.01/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 25 19:46:45 h2Jammy postfix/qmgr[22083]: 792502964925A: removed
Apr 25 19:46:50 h2Jammy postfix/smtpd[22708]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6
- https://support.google.com/mail/answer/81126#authentication
- https://toolbox.googleapps.com/apps/checkmx/check?domain=h2Jammy.yushei.net&dkim_selector=
---- 2024-05-03 10:46
May 3 10:45:54 h2Jammy postfix/smtpd[29877]: connect from 114-33-29-69.hinet-ip.hinet.net[114.33.29.69]
May 3 10:45:55 h2Jammy postfix/smtpd[29877]: 0171A87B0D: client=114-33-29-69.hinet-ip.hinet.net[114.33.29.69], sasl_method=PLAIN, sasl_username=alexlai
May 3 10:45:55 h2Jammy postfix/smtpd[29877]: disconnect from 114-33-29-69.hinet-ip.hinet.net[114.33.29.69] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
May 3 10:45:56 h2Jammy postfix/smtp[29881]: 0171A87B0D: to=<rai.sousuke@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.23.26]:25, delay=1.3, delays=0.12/0.02/0.54/0.62, dsn=2.0.0, status=sent (250 2.0.0 OK 1714704356 bz31-20020a056a02061f00b005f77b2c2f5esi2138866pgb.293 - gsmtp)