How to configure DKIM email verification (using sendmail on Rocky9)
Manual Steps
As eprints user
1. Create a directory to store the keys
mkdir /opt/eprints3/archives/<REPO-ID>/dkim
As root user
1. Install the opendkim packages (on Rocky 9 both come from EPEL, so run `dnf install epel-release` first if that repository is not already enabled)
dnf install opendkim opendkim-tools
2. Open the opendkim config file and change the following lines
vim /etc/opendkim.conf
2. a. Change the mode from verify-only to sign-and-verify, i.e. change
Mode v
to
Mode sv
2. b. Remove the leading # from the following lines so that they take effect:
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
2. c. Add the following lines (DOMAIN is the domain our server sends email on behalf of). RequireSafeKeys False stops opendkim refusing a private key that is readable by its group, which the 660 permissions set in step 7 would otherwise trigger; if you would rather keep opendkim's default key check, use chmod 600 on the key in step 7 and leave RequireSafeKeys out.
Domain <DOMAIN>
RequireSafeKeys False
2. d. Replace the Socket declaration with the following line (the stock file already carries it, commented out, just above the local: socket declaration that is in use; uncomment it and comment out the local: one). The port here must match the S= value given to sendmail in step 11a.
Socket inet:8891@localhost
3. Modify /etc/opendkim/KeyTable, to add the following line
default._domainkey.<DOMAIN> <DOMAIN>:default:/opt/eprints3/archives/<REPO-ID>/dkim/default.private
example: `default._domainkey.eprints-hosting.org eprints-hosting.org:default:/opt/eprints3/archives/repoid/dkim/default.private`
4. Modify /etc/opendkim/SigningTable, to add the following line
*@<DOMAIN> default._domainkey.<DOMAIN>
example: `*@eprints-hosting.org default._domainkey.eprints-hosting.org`
5. Modify /etc/opendkim/TrustedHosts, to add the following line. Keep the existing 127.0.0.1 entry: TrustedHosts also feeds InternalHosts, and mail from a client that is not listed there is verified rather than signed, so dropping localhost would leave locally submitted mail unsigned.
*.<DOMAIN>
example: `*.eprints-hosting.org`
6. Generate the keypair (-D must point at the dkim directory created in step 1, which is where the KeyTable entry from step 3 expects default.private). 1024 bits is the smallest key RFC 8301 allows a signer to use; 2048 is the recommended size and every conformant verifier must accept it, so a new deployment should normally pass -b 2048.
sudo opendkim-genkey -b 1024 -d <DOMAIN> -D /opt/eprints3/archives/<REPO-ID>/dkim -s default -v
7. Change ownership and permissions
sudo chown -R opendkim:opendkim /opt/eprints3/archives/<REPO-ID>/dkim/*
sudo chmod 660 /opt/eprints3/archives/<REPO-ID>/dkim/*
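The edits in steps 2 to 7 are easy to get subtly wrong by hand (a still-commented table directive, two active Socket lines, a TrustedHosts file that lost 127.0.0.1). The script below is an added example, not part of this page or of EPrints: it applies the same edits to whatever opendkim.conf and /etc/opendkim directory you name, so they can be tried on copies in a scratch directory first, and it refuses to add a line twice. DOMAIN and REPO_ID are placeholders read from the environment; KEY_BITS defaults to 2048 rather than the 1024 used above, and the key-generation step only runs when the script is invoked with the word apply on a real host.

```shell
#!/bin/sh
# Added example: stages the opendkim configuration from steps 2-7 into the
# files passed as arguments, so it can be dry-run against copies before
# touching /etc. DOMAIN and REPO_ID are placeholders supplied by the caller.
set -eu

# Append LINE to FILE unless it is already present (keeps reruns idempotent
# and, for TrustedHosts, leaves the stock 127.0.0.1 entry in place).
append_once() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Step 2: rewrite an opendkim.conf in place. Mode v -> sv, uncomment the
# four table directives, comment out any active Socket line other than
# ours, then append Domain, RequireSafeKeys and the inet Socket that
# step 11a's S= value refers to. The file is rewritten through cat so
# its owner and mode (which opendkim needs to read it) are preserved.
patch_opendkim_conf() {
    conf=$1; domain=$2
    tmp=$(mktemp)
    sed -e 's/^Mode[[:space:]]\{1,\}[vV][[:space:]]*$/Mode sv/' \
        -e 's/^#[[:space:]]*\(KeyTable[[:space:]]\)/\1/' \
        -e 's/^#[[:space:]]*\(SigningTable[[:space:]]\)/\1/' \
        -e 's/^#[[:space:]]*\(ExternalIgnoreList[[:space:]]\)/\1/' \
        -e 's/^#[[:space:]]*\(InternalHosts[[:space:]]\)/\1/' \
        -e '/^Socket[[:space:]]\{1,\}inet:8891@localhost$/!s/^\(Socket[[:space:]]\)/#\1/' \
        "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    append_once "$conf" "Domain $domain"
    append_once "$conf" "RequireSafeKeys False"
    append_once "$conf" "Socket inet:8891@localhost"
}

# Steps 3-5: KeyTable, SigningTable and TrustedHosts entries for DOMAIN,
# pointing at the key directory created in step 1.
write_dkim_tables() {
    etcdir=$1; domain=$2; keydir=$3
    append_once "$etcdir/KeyTable" \
        "default._domainkey.$domain $domain:default:$keydir/default.private"
    append_once "$etcdir/SigningTable" "*@$domain default._domainkey.$domain"
    append_once "$etcdir/TrustedHosts" "*.$domain"
}

# Steps 6-7, only run on a real host: generate the key at KEY_BITS
# (2048 per RFC 8301; the page uses 1024) with the page's owner and mode.
generate_dkim_key() {
    keydir=$1; domain=$2; bits=${KEY_BITS:-2048}
    mkdir -p "$keydir"
    opendkim-genkey -b "$bits" -d "$domain" -D "$keydir" -s default -v
    chown -R opendkim:opendkim "$keydir"
    chmod 660 "$keydir"/default.private "$keydir"/default.txt
}

stage_dkim_config() {
    conf=$1; etcdir=$2; domain=$3; keydir=$4
    patch_opendkim_conf "$conf" "$domain"
    write_dkim_tables "$etcdir" "$domain" "$keydir"
}

# Real run, as root:  DOMAIN=eprints-hosting.org REPO_ID=repoid sh dkim-setup.sh apply
if [ "${1:-}" = apply ]; then
    keydir="/opt/eprints3/archives/${REPO_ID:?set REPO_ID}/dkim"
    stage_dkim_config /etc/opendkim.conf /etc/opendkim "${DOMAIN:?set DOMAIN}" "$keydir"
    generate_dkim_key "$keydir" "$DOMAIN"
fi
```

To rehearse, copy /etc/opendkim.conf and /etc/opendkim into a temporary directory, call stage_dkim_config on the copies and diff them against the originals; only then run it with apply.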
8. Send the txt public key to whoever has access to the DNS records, probably their IT team. opendkim-genkey wrote it next to the private key, in the -D directory from step 6:
cat /opt/eprints3/archives/<REPO-ID>/dkim/default.txt
It should look something like this (the file is in BIND zone-file form; the TXT record to publish at default._domainkey.<DOMAIN> is the quoted strings joined together, and the p= value is the base64-encoded public key rather than a hash).
"v=DKIM1; k=rsa; " "p=REALLY-LONG-HASH-VALUE/HASH-VALUE/HASH-VALUE"
Once the record has been published, confirm it resolves with `opendkim-testkey -d <DOMAIN> -s default -vvv` (add `-k /opt/eprints3/archives/<REPO-ID>/dkim/default.private` to check that it matches the private key) before relying on it.
9. Start opendkim
systemctl start opendkim; systemctl enable opendkim
10. Make sure it is running with the following commands
service opendkim status
This should say running.
ps -aux | grep dkim
The opendkim process should be running: "/usr/sbin/opendkim -f -x /etc/opendkim.con"
netstat -nap | grep 8891
This command should show that opendkim is listening on localhost port 8891 (net-tools, which provides netstat, is not installed by default on Rocky 9; `ss -ltnp | grep 8891` shows the same thing).
11. Sendmail Configuration
11. a. Modify /etc/mail/sendmail.mc, append the following line (the S= value must match the Socket set in step 2d)
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
11. b. Regenerate sendmail.cf from sendmail.mc and restart sendmail (regenerating needs the sendmail-cf package, which supplies the m4 macro files)
/etc/mail/make
systemctl restart sendmail
12. Send a test email
echo "Subject: DKIM testing" | sendmail test-recipient@address.email
The SigningTable entry from step 4 is matched against the From: header, so the message is only signed when that address is within <DOMAIN>. sendmail fills in From: from the local user and hostname when none is supplied, which may not match; in that case pass `-f someone@<DOMAIN>` to sendmail or add a From: line to the piped headers. A signed message carries a DKIM-Signature: header with d=<DOMAIN> and s=default.
13. If the test email has worked, test again using the web interface admin tool "Send Test Email"
14. Debug any issues using
tail -F /var/log/maillog*
For each message opendkim logs either "DKIM-Signature field added (s=default, d=<DOMAIN>)" or the reason it did not sign, e.g. "no signing table match for '<address>'"; a "Milter (opendkim): error connecting to filter" line from sendmail means the socket in step 2d and the S= value in step 11a disagree or opendkim is not running.
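Watching tail output gets unreliable once the server sends real mail, so a small summariser is worth keeping next to the steps above. This is an added example, not code from this page or from EPrints: it counts what opendkim and sendmail logged per message in the maillog format they use, lists the From: addresses that matched no SigningTable entry, and, for step 13, reads the dkim= verdict out of the Authentication-Results header of a test message saved on the receiving side (folded header lines are unfolded first). The log lines and message headers it ships with are constructed samples; the queue IDs, hostnames and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the page): summarises opendkim/sendmail activity
# from a maillog file and reads the DKIM verdict from a received message.
set -eu

# Constructed sample in the format opendkim and sendmail write to maillog.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 12:00:01 mail opendkim[1234]: 40AB12: DKIM-Signature field added (s=default, d=example.org)
Jan 10 12:00:05 mail opendkim[1234]: 40AB13: no signing table match for 'root@mail.example.org'
Jan 10 12:00:09 mail opendkim[1234]: 40AB14: no signature data
Jan 10 12:00:12 mail sendmail[2222]: 40AB15: Milter (opendkim): error connecting to filter: Connection refused by localhost
Jan 10 12:00:15 mail opendkim[1234]: 40AB16: DKIM-Signature field added (s=default, d=example.org)
EOF
}

# Messages opendkim signed, one "queue-id selector domain" line each.
dkim_signed() {
    sed -n 's/.*opendkim\[[0-9]*\]: \([^ ]*\): DKIM-Signature field added (s=\([^,]*\), d=\([^)]*\)).*/\1 \2 \3/p' "$1"
}

# From: addresses that matched no SigningTable entry (mail went out unsigned).
dkim_unmatched_senders() {
    sed -n "s/.*no signing table match for '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# sendmail could not reach the milter: socket mismatch or opendkim down.
dkim_milter_errors() {
    grep -c 'Milter (opendkim): error connecting to filter' "$1" || true
}

# "no signature data" means the message was verified, not signed, i.e. it
# came from a client not listed in InternalHosts. Seeing it for your own
# outgoing mail points at TrustedHosts (step 5).
dkim_unsigned_inbound() {
    grep -c 'opendkim\[[0-9]*\]: [^ ]*: no signature data' "$1" || true
}

dkim_log_triage() {
    log=$1
    echo "signed:          $(dkim_signed "$log" | grep -c '')"
    echo "no table match:  $(dkim_unmatched_senders "$log" | grep -c '')"
    dkim_unmatched_senders "$log" | sed 's/^/  unmatched From: /'
    echo "no signature:    $(dkim_unsigned_inbound "$log")"
    echo "milter errors:   $(dkim_milter_errors "$log")"
}

# Step 13 follow-up: from a test message saved at the receiving side,
# report the dkim= verdict in its Authentication-Results header.
dkim_result_from_message() {
    sed -e :a -e '$!N;s/\n[[:space:]]\{1,\}/ /;ta' -e 'P;D' "$1" \
        | sed -n 's/^Authentication-Results:.*dkim=\([a-z]*\).*/\1/p' | head -n 1
}

# Real run:  sh dkim-triage.sh /var/log/maillog [saved-message.eml]
if [ $# -ge 1 ]; then
    dkim_log_triage "$1"
    [ $# -ge 2 ] && echo "receiver verdict: $(dkim_result_from_message "$2")"
fi
```

A message that shows up under "no table match" is the common failure after step 12: the From: domain is not the one in SigningTable, so nothing is wrong with the keys and the fix is the sender address, not the configuration.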