How to configure DKIM email verification (using sendmail on Rocky9)

From EPrints Documentation

Notes

These instructions have been tested on CentOS 7 and Rocky 9, both of which use sendmail (not postfix). You should be able to adapt them fairly easily to your own operating system and mail transfer agent.

Steps

As eprints user

1. Create a directory to store the keys

mkdir /opt/eprints3/archives/<REPO-ID>/dkim

As root user

1. Install the opendkim libraries

dnf install opendkim opendkim-tools

2. Open the opendkim config file and change the following lines

vim /etc/opendkim.conf

2. a. Change

Mode V 

to

Mode sv

2. b. Remove comments from the following lines:

KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts

2. c. Add the following lines (DOMAIN is the domain on whose behalf the server sends email)

Domain <DOMAIN>
RequireSafeKeys False

2. d. Replace the active Socket declaration with the following line (it already appears, commented out, just above the declaration currently in use)

Socket  inet:8891@localhost

3. Modify /etc/opendkim/KeyTable, to add the following line

default._domainkey.<DOMAIN> <DOMAIN>:default:/opt/eprints3/archives/<REPO-ID>/dkim/default.private

example: `default._domainkey.eprints-hosting.org eprints-hosting.org:default:/opt/eprints3/archives/repoid/dkim/default.private`

4. Modify /etc/opendkim/SigningTable, to add the following line

*@<DOMAIN> default._domainkey.<DOMAIN>

example: `*@eprints-hosting.org default._domainkey.eprints-hosting.org`

5. Modify /etc/opendkim/TrustedHosts, to add the following line

*.<DOMAIN>

example: `*.eprints-hosting.org`

6. Generate the keypair

sudo opendkim-genkey -b 1024 -d <DOMAIN> -D /opt/eprints3/archives/<REPO-ID>/dkim -s default -v

The -D directory must be the one referenced in KeyTable (step 3); opendkim-genkey writes default.private and default.txt there. Note that RFC 8301 recommends 2048-bit RSA keys for DKIM signing; 1024 bits is the minimum verifiers are required to accept.

7. Change ownership and permissions

sudo chown opendkim:opendkim /opt/eprints3/archives/<REPO-ID>/dkim/* -R
sudo chmod 660 /opt/eprints3/archives/<REPO-ID>/dkim/*

8. Send the txt public key to whoever has access to the DNS records, probably their IT team

cat /opt/eprints3/archives/<REPO-ID>/dkim/default.txt

It should look something like this (the p= value is the base64-encoded public key):

"v=DKIM1; k=rsa; " "p=REALLY-LONG-HASH-VALUE/HASH-VALUE/HASH-VALUE"
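Before handing default.txt to the DNS team, it is worth checking that the quoted pieces reassemble into one valid TXT value and that the key is the size you intended. The following Python is an added example, not part of the EPrints wiki or of OpenDKIM; it builds its own sample record from a made-up modulus (not a real key) with a minimal DER encoder, then parses it back the way a verifier would, so it runs offline.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d0101010500")  # AlgorithmIdentifier body: rsaEncryption + NULL
def der(tag: int, body: bytes) -> bytes:  # minimal DER TLV encoder, definite lengths only
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v: int) -> bytes:  # +8 bits forces a leading 0x00 when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def spki_b64(n: int, e: int = 65537) -> str:  # RSA (n, e) -> base64 SubjectPublicKeyInfo, as in p=
    rsa_key = der(0x30, der_int(n) + der_int(e))
    return base64.b64encode(der(0x30, der(0x30, RSA_OID) + der(0x03, b"\x00" + rsa_key))).decode()

def sample_default_txt(n: int) -> str:
    """Constructed stand-in for default.txt: the TXT value arrives split into quoted pieces."""
    p = spki_b64(n)
    return f'default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p={p[:len(p)//2]}" "{p[len(p)//2:]}" )'

def txt_record_value(default_txt: str) -> str:  # join the quoted pieces into the one TXT string
    return "".join(default_txt.split('"')[1::2])

def parse_tags(txt: str) -> dict:  # 'v=DKIM1; k=rsa; p=...' -> {'v': 'DKIM1', 'k': 'rsa', 'p': '...'}
    return dict(tuple(map(str.strip, part.split("=", 1))) for part in txt.split(";") if "=" in part)

def read_tlv(buf: bytes, pos: int = 0):  # -> (tag, body, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets that follow
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(p_value: str) -> int:  # SPKI -> AlgorithmIdentifier, BIT STRING -> RSAPublicKey
    _, spki, _ = read_tlv(base64.b64decode(p_value))
    _, alg, nxt = read_tlv(spki)
    if alg != RSA_OID:
        raise ValueError("k=rsa record does not carry an rsaEncryption key")
    _, bitstr, _ = read_tlv(spki, nxt)
    _, rsa_key, _ = read_tlv(bitstr[1:])  # first octet of a BIT STRING is the unused-bit count
    _, n_bytes, _ = read_tlv(rsa_key)     # INTEGER n precedes INTEGER e
    return int.from_bytes(n_bytes, "big").bit_length()

def check_record(default_txt: str, min_bits: int = 2048) -> dict:  # findings for one default.txt
    tags = parse_tags(txt_record_value(default_txt))
    bits = rsa_modulus_bits(tags["p"])
    return {"version_ok": tags.get("v") == "DKIM1", "key_type_ok": tags.get("k", "rsa") == "rsa",
            "modulus_bits": bits, "strong_enough": bits >= min_bits}
```

Run `check_record(open("default.txt").read())` against the real file; a 1024-bit key from step 6 reports `strong_enough: False` under the default 2048-bit threshold.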

9. Start opendkim

systemctl start opendkim; systemctl enable opendkim

10. Make sure it is running with the following commands

service opendkim status

This should say running.

ps -aux | grep dkim

The opendkim process should be running: "/usr/sbin/opendkim -f -x /etc/opendkim.conf"

netstat -nap | grep 8891

This command should show that opendkim is listening on localhost port 8891 (if net-tools is not installed, `ss -ltnp | grep 8891` gives the same information).

11. Sendmail Configuration

11. a. Modify sendmail.mc, append the following line

INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

11. b. re-make sendmail.cf, restart sendmail.

/etc/mail/make
systemctl restart sendmail

12. Send a test email

echo "Subject: DKIM testing" | sendmail test-recipient@address.email

13. If the test email has worked, test again using the web interface admin tool "Send Test Email"

14. Debug any issues using

tail -F /var/log/maillog*