==== Setting up DKIM with Postfix ====
Note: in this example the selector is ''mail'' and the domain is popote.xyz.
Install opendkim:
<code>
apt install opendkim
</code>
Then put this configuration in /etc/opendkim.conf:
<code>
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
SyslogSuccess yes
LogWhy yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002
# Sign for popote.xyz with the key in /etc/opendkim/keys/popote.xyz/mail.private
# using selector 'mail' (i.e. mail._domainkey.popote.xyz)
Domain popote.xyz
#KeyFile /etc/opendkim/opendkim.key
KeyFile /etc/opendkim/keys/popote.xyz/mail.private
Selector mail
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
Canonicalization relaxed/simple
Mode sv
#SubDomains no
#ADSPDiscard no
X-Header yes
# Always oversign From (sign using the actual From and a null From) to prevent
# malicious addition of header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)
#ATPSDomains example.com
# Listen on a TCP socket; Postfix connects to it as inet:localhost:12345
Socket inet:12345@localhost
#SignatureAlgorithm rsa-sha256
# Our KeyTable and SigningTable
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
# Trusted Hosts
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
</code>
Then in /etc/opendkim/KeyTable:
<code>
popote.xyz popote.xyz:mail:/etc/opendkim/keys/popote.xyz/mail.private
</code>
Then in the file /etc/opendkim/TrustedHosts (the name referenced by ExternalIgnoreList and InternalHosts above):
<code>
127.0.0.1
::1
localhost
popote.xyz
mail.popote.xyz
</code>
Then in the file /etc/opendkim/SigningTable:
<code>
*@popote.xyz popote.xyz
</code>
Add this to the Postfix configuration file /etc/postfix/main.cf:
<code>
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
</code>
Generate the signing keys:
<code>
mkdir -p /etc/opendkim/keys/popote.xyz
# opendkim-genkey writes mail.private and mail.txt into the current directory,
# so change into the directory that KeyFile and KeyTable point to first
cd /etc/opendkim/keys/popote.xyz
sudo opendkim-genkey -s mail -d popote.xyz
</code>
Then, very importantly, give the private key the right ownership, otherwise opendkim will refuse to work:
<code>
sudo chown opendkim:opendkim mail.private
</code>
All that remains is to add the matching DNS record (at mail._domainkey.popote.xyz) using the contents of the file mail.txt:
<code>
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCIIV10Hwo4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHmK2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB" ; ----- DKIM key mail for example.com
</code>
At OVH, add this as a TXT record.
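As an added check before publishing the record (this script is not part of the page or of OpenDKIM), the following Python parses the mail.txt record, joins its quoted strings (newer opendkim-genkey versions split long keys over several), validates the DKIM tags and reads the RSA modulus size out of the p= value. The sample record is constructed from the key shown above; run on it, the check reports a 1024-bit key, which is below the 2048 bits that current guidance (RFC 8301) recommends.

```python
import base64
import re

# Constructed sample: the record this page's opendkim-genkey run wrote to mail.txt
# (BIND zone-file syntax; newer opendkim versions split long keys over several
# quoted strings inside parentheses, which the parser below accepts as well).
MAIL_TXT = (
    'mail._domainkey IN TXT "v=DKIM1; k=rsa; '
    'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrYgPCRSoqn+awTpE+iGYcKBPpo8HHbcFfCIIV10Hwo'
    '4PhCoGZSaKVHOjDm4yefKXhQjM7iKzEPuBatE7O47hAx1CJpNuIdLxhILSbEmbMxJrJAG0HZVn8z6EAoOHZNaPHm'
    'K2h4UUrjOG8zA5BHfzJf7tGwI+K619fFUwIDAQAB" ; ----- DKIM key mail for popote.xyz'
)

def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size of the DER SubjectPublicKeyInfo carried in the p= tag."""
    tag, body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _alg, pos = _der_tlv(body, 0)        # AlgorithmIdentifier (rsaEncryption)
    _, bitstr, _ = _der_tlv(body, pos)      # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = _der_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    _, modulus, _ = _der_tlv(rsakey, 0)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(zone_text):
    """Parse a mail.txt record; return (selector, tags, modulus_bits, warnings)."""
    selector = zone_text.split()[0].split("._domainkey")[0]
    value = "".join(re.findall(r'"([^"]*)"', zone_text))  # join the quoted strings
    tags = dict(p.strip().split("=", 1) for p in value.split(";") if p.strip())
    warnings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        warnings.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        warnings.append("k= is not rsa")
    if not tags.get("p"):  # an empty p= means the key is revoked
        return selector, tags, 0, warnings + ["empty or missing p="]
    bits = rsa_modulus_bits(base64.b64decode(re.sub(r"\s", "", tags["p"])))
    if bits < 2048:
        warnings.append(f"{bits}-bit key; RFC 8301 recommends at least 2048 bits")
    return selector, tags, bits, warnings
```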
Restart postfix and opendkim and you're done:
<code>
service opendkim restart
service postfix restart
</code>
You can now check that the key is valid with:
<code>
opendkim-testkey -d popote.xyz -s mail -k mail.private -vvv
</code>
{{tag> postfix dkim mail }}