Postfix DKIM and SPF filtering
Installing OpenDKIM:
yum install opendkim
Create private and public key:
mkdir /etc/opendkim/keys/myhostname.lt
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/myhostname.lt/ -d myhostname.lt -s default
chown -R root:opendkim /etc/opendkim/keys/myhostname.lt
chmod 640 /etc/opendkim/keys/myhostname.lt/default.private
chmod 644 /etc/opendkim/keys/myhostname.lt/default.txt
Configuring:
nano /etc/opendkim.conf
#Change
..
Mode sv
#LogWhy yes
Canonicalization relaxed/simple
Domain myhostname.lt
#KeyFile /etc/opendkim/keys/default.private
..
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
Edit:
nano /etc/opendkim/TrustedHosts
Add:
myhostname.lt
Edit:
nano /etc/opendkim/KeyTable
Add:
default._dkim.myhostname.lt myhostname.lt:default:/etc/opendkim/keys/myhostname.lt/default.private
Edit:
nano /etc/opendkim/SigningTable
Add:
*@myhostname.lt default._dkim.myhostname.lt
Edit:
nano /etc/postfix/main.cf
Add or edit these lines:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
milter_default_action = accept
Restart services:
service opendkim start
service postfix restart
systemctl enable opendkim
Adding DNS Records
cat /etc/opendkim/keys/myhostname.lt/default.txt
The output should look something like this:
default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAqUAA4GNgDCBiQKBgQW13c2ZT8rbPFpo6dxcEtMYO3oKHb3dIlHyiXCUMh05iXIPELjU+iD/wmggmGTmZMdGGrqbTJ/rOAjqI+V/djb+aBDpAENXYUbYn245SmBASjXkjh+owF1zb8l0UuxtNJaNLrP3N8mjiXwS8zY7m085LGLXHIeNFJF1ihaHS8HWUwISAQAB" ) ; ----- DKIM key default for myhostname.lt
If you’re using a web-based DNS interface (like GoDaddy or CloudFlare), the Name of the TXT record would be default._domainkey, as shown in the output above, and the Value of the TXT record would be everything from the first quote to the last quote (starting with "v=), with the quoted pieces joined into a single string. You can ignore the parentheses, the semicolon, and the comment at the end.
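The extraction described above can be scripted. The following is an added example, not part of the original post: it reads the file written by opendkim-genkey and prints the Name and Value for a web DNS form, rejecting a name that does not end in ._domainkey or a missing p= key. The function names and the sample record with its placeholder key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): convert the zone-file snippet
# written by opendkim-genkey into the Name/Value pair for a web DNS form.

# Record name = first field of the first line, e.g. default._domainkey
dkim_txt_name() {
    awk 'NR == 1 { print $1; exit }' "$1"
}

# Record value = all quoted chunks joined; the parentheses and the trailing
# "; -----" comment sit outside the quotes and are dropped.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Sanity-check the pair before publishing it; prints it on success.
dkim_txt_check() {
    name=$(dkim_txt_name "$1")
    value=$(dkim_txt_value "$1")
    case $name in
        *._domainkey) ;;
        *) echo "name '$name' does not end in ._domainkey" >&2; return 1 ;;
    esac
    case $value in
        "v=DKIM1;"*) ;;
        *) echo "value does not start with v=DKIM1;" >&2; return 1 ;;
    esac
    # An absent or empty p= tag publishes no usable key (empty means revoked).
    key=$(printf '%s' "$value" | tr ';' '\n' | sed -n 's/^ *p= *//p')
    [ -n "$key" ] || { echo "p= tag missing or empty" >&2; return 1; }
    printf 'Name:  %s\nValue: %s\n' "$name" "$value"
}

# Constructed sample in opendkim-genkey's layout; the key is a placeholder.
dkim_sample() {
    printf '%s\n' \
        'default._domainkey IN TXT ( "v=DKIM1; k=rsa; "' \
        '  "p=PLACEHOLDERBASE64KEY" ) ; ----- DKIM key default for myhostname.lt'
}

# Usage: sh dkim-txt.sh /etc/opendkim/keys/myhostname.lt/default.txt
if [ -n "${1:-}" ]; then dkim_txt_check "$1"; fi
```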
Next: SPF filtering
Install:
yum install perl-Sys-Hostname-Long
yum install perl-Mail-SPF.noarch
wget https://launchpad.net/postfix-policyd-spf-perl/trunk/release2.010/+download/postfix-policyd-spf-perl-2.010.tar.gz
tar -xvf postfix-policyd-spf-perl-2.010.tar.gz
cd postfix-policyd-spf-perl-2.010
# Install under the file name that the master.cf entry refers to
cp postfix-policyd-spf-perl /usr/local/lib/policyd-spf-perl
Edit:
nano /etc/postfix/master.cf
Add the following lines (the second line is a continuation and must start with whitespace):
policy unix - n n - 0 spawn
    user=nobody argv=/usr/bin/perl /usr/local/lib/policyd-spf-perl
Configure the Postfix policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions =
…
reject_unauth_destination
check_policy_service unix:private/policy
…
Add "policy_time_limit = 3600" to main.cf
NOTES:
Specify check_policy_service AFTER reject_unauth_destination or
else your system can become an open relay.
The user ‘nobody’ is used in this example. This is appropriate if you
do not have any other services running as nobody. If you do, create a
dedicated user for this service and use it instead.
Edit:
nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policy
policy_time_limit = 3600
Restart postfix:
service postfix restart
Add DNS Record:
@ TXT "v=spf1 a mx ptr -all"
or
The TXT records on domain:
v=spf1 a mx ptr include:spf.serveriai.lt ~all
Done!