CentOS 7にDKIMを導入 2

以前はCentOS 5にDKIMを導入していましたが､CentOS 7への移行で新たにインストールしました｡

DKIM (Domainkeys Identified Mail) : 迷惑メール対策委員会
http://salt.iajapan.org/wpmu/anti_spam/admin/tech/explanation/dkim/

今回の作業は殆ど下記のサイトと同じです｡

Install DomainKeys Identified Mail (DKIM)

1. インストール

CentOS 7のopendkimはepel repoにあります｡

Shell

# yum -y install epel-release # yum info opendkim Available Packages Name : opendkim Arch : x86_64 Version : 2.11.0 Release : 0.1.el7 Size : 222 k Repo : epel/x86_64 Summary : A DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail URL : http://opendkim.org/ License : BSD and Sendmail Description : OpenDKIM allows signing and/or verification of email through an open source : library that implements the DKIM service, plus a milter-based filter : application that can plug in to any milter-aware MTA, including sendmail, : Postfix, or any other MTA that supports the milter protocol. # repoquery --list opendkim /etc/opendkim /etc/opendkim.conf /etc/opendkim/KeyTable /etc/opendkim/SigningTable /etc/opendkim/TrustedHosts /etc/opendkim/keys /etc/sysconfig/opendkim /etc/tmpfiles.d/opendkim.conf /usr/lib/systemd/system/opendkim.service /usr/sbin/opendkim /usr/sbin/opendkim-default-keygen /usr/sbin/opendkim-genkey /usr/sbin/opendkim-genzone /usr/sbin/opendkim-reportstats /usr/sbin/opendkim-testkey /usr/sbin/opendkim-testmsg /usr/share/doc/opendkim-2.11.0 /usr/share/doc/opendkim-2.11.0/FEATURES /usr/share/doc/opendkim-2.11.0/INSTALL /usr/share/doc/opendkim-2.11.0/KNOWNBUGS /usr/share/doc/opendkim-2.11.0/README /usr/share/doc/opendkim-2.11.0/README.fedora /usr/share/doc/opendkim-2.11.0/RELEASE_NOTES /usr/share/doc/opendkim-2.11.0/RELEASE_NOTES.Sendmail /usr/share/doc/opendkim-2.11.0/authheaders-check-setup-hook.lua /usr/share/doc/opendkim-2.11.0/convert_keylist.sh /usr/share/doc/opendkim-2.11.0/final.lua.sample /usr/share/doc/opendkim-2.11.0/opendkim.conf.sample /usr/share/doc/opendkim-2.11.0/opendkim.conf.simple /usr/share/doc/opendkim-2.11.0/opendkim.conf.simple-verify /usr/share/doc/opendkim-2.11.0/screen.lua.sample /usr/share/doc/opendkim-2.11.0/setup.lua.sample /usr/share/licenses/opendkim-2.11.0 /usr/share/licenses/opendkim-2.11.0/LICENSE /usr/share/licenses/opendkim-2.11.0/LICENSE.Sendmail /usr/share/man/man5/opendkim.conf.5.gz /usr/share/man/man8/opendkim-genkey.8.gz /usr/share/man/man8/opendkim-genzone.8.gz /usr/share/man/man8/opendkim-testkey.8.gz /usr/share/man/man8/opendkim-testmsg.8.gz /usr/share/man/man8/opendkim.8.gz /var/run/opendkim /var/spool/opendkim

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61

# yum -y install epel-release # yum info opendkim Available Packages Name        : opendkim Arch        : x86_64 Version     : 2.11.0 Release     : 0.1.el7 Size        : 222 k Repo        : epel/x86_64 Summary     : A DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail URL         : http://opendkim.org/ License     : BSD and Sendmail Description : OpenDKIM allows signing and/or verification of email through an open source             : library that implements the DKIM service, plus a milter-based filter             : application that can plug in to any milter-aware MTA, including sendmail,             : Postfix, or any other MTA that supports the milter protocol.   # repoquery --list  opendkim /etc/opendkim /etc/opendkim.conf /etc/opendkim/KeyTable /etc/opendkim/SigningTable /etc/opendkim/TrustedHosts /etc/opendkim/keys /etc/sysconfig/opendkim /etc/tmpfiles.d/opendkim.conf /usr/lib/systemd/system/opendkim.service /usr/sbin/opendkim /usr/sbin/opendkim-default-keygen /usr/sbin/opendkim-genkey /usr/sbin/opendkim-genzone /usr/sbin/opendkim-reportstats /usr/sbin/opendkim-testkey /usr/sbin/opendkim-testmsg /usr/share/doc/opendkim-2.11.0 /usr/share/doc/opendkim-2.11.0/FEATURES /usr/share/doc/opendkim-2.11.0/INSTALL /usr/share/doc/opendkim-2.11.0/KNOWNBUGS /usr/share/doc/opendkim-2.11.0/README /usr/share/doc/opendkim-2.11.0/README.fedora /usr/share/doc/opendkim-2.11.0/RELEASE_NOTES /usr/share/doc/opendkim-2.11.0/RELEASE_NOTES.Sendmail /usr/share/doc/opendkim-2.11.0/authheaders-check-setup-hook.lua /usr/share/doc/opendkim-2.11.0/convert_keylist.sh /usr/share/doc/opendkim-2.11.0/final.lua.sample /usr/share/doc/opendkim-2.11.0/opendkim.conf.sample /usr/share/doc/opendkim-2.11.0/opendkim.conf.simple /usr/share/doc/opendkim-2.11.0/opendkim.conf.simple-verify /usr/share/doc/opendkim-2.11.0/screen.lua.sample /usr/share/doc/opendkim-2.11.0/setup.lua.sample /usr/share/licenses/opendkim-2.11.0 /usr/share/licenses/opendkim-2.11.0/LICENSE /usr/share/licenses/opendkim-2.11.0/LICENSE.Sendmail /usr/share/man/man5/opendkim.conf.5.gz /usr/share/man/man8/opendkim-genkey.8.gz /usr/share/man/man8/opendkim-genzone.8.gz /usr/share/man/man8/opendkim-testkey.8.gz /usr/share/man/man8/opendkim-testmsg.8.gz /usr/share/man/man8/opendkim.8.gz /var/run/opendkim /var/spool/opendkim

Shell

# yum -y install opendkim (snip) Installed: opendkim.x86_64 0:2.11.0-0.1.el7 Dependency Installed: libbsd.x86_64 0:0.6.0-3.el7 libmemcached.x86_64 0:1.0.16-5.el7 libopendkim.x86_64 0:2.11.0-0.1.el7 opendbx.x86_64 0:1.4.6-6.el7 sendmail-milter.x86_64 0:8.14.7-4.el7 Complete!

1 2 3 4 5 6 7 8 9 10

# yum -y install opendkim (snip) Installed:   opendkim.x86_64 0:2.11.0-0.1.el7   Dependency Installed:   libbsd.x86_64 0:0.6.0-3.el7       libmemcached.x86_64 0:1.0.16-5.el7         libopendkim.x86_64 0:2.11.0-0.1.el7   opendbx.x86_64 0:1.4.6-6.el7      sendmail-milter.x86_64 0:8.14.7-4.el7   Complete!

2. 暗号化キー保存用ディレクトリの作成

複数ドメイン運用を考慮してドメイン毎に暗号化キーの保存ディレクトリを作成します｡

Shell

# mkdir /etc/opendkim/keys/rootlinks

1	# mkdir /etc/opendkim/keys/rootlinks

3. 暗号化キーの作成

[opendkim-genkey]
http://www.opendkim.org/opendkim-genkey.8.html

Shell

# /usr/sbin/opendkim-genkey -D /etc/opendkim/keys/rootlinks/ -d rootlinks.net -s default

1	# /usr/sbin/opendkim-genkey -D /etc/opendkim/keys/rootlinks/ -d rootlinks.net -s default

4. Ownerの変更

Ownerを変更します。またdefault.privateが秘密鍵、default.txtがDNSに設定する公開鍵になります｡

Shell

# chown -R opendkim:opendkim /etc/opendkim/keys # ls -l /etc/opendkim/keys/rootlinks/ -rw------- 1 opendkim opendkim 887 May 8 16:25 default.private -rw------- 1 opendkim opendkim 317 May 8 16:25 default.txt

1 2 3 4

# chown -R opendkim:opendkim /etc/opendkim/keys # ls -l /etc/opendkim/keys/rootlinks/ -rw------- 1 opendkim opendkim 887 May  8 16:25 default.private -rw------- 1 opendkim opendkim 317 May  8 16:25 default.txt

5. opendkim.confの設定
/etc/opendkim.conf

Shell

# vi /etc/opendkim.conf Mode sv #KeyFile /etc/opendkim/keys/default.private KeyTable refile:/etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts

1 2 3 4 5 6 7 8

# vi /etc/opendkim.conf   Mode sv #KeyFile /etc/opendkim/keys/default.private KeyTable refile:/etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts

6. KeyTableの設定

複数ドメイン運用の場合にはこのファイル/etc/opendkim/KeyTableに暗号化キー情報を追加していきます。

etc/opendkim/KeyTable

Shell

# vi /etc/opendkim/KeyTable default._domainkey.rootlinks.net rootlinks.net:default:/etc/opendkim/keys/rootlinks/default.private

1 2 3

# vi /etc/opendkim/KeyTable   default._domainkey.rootlinks.net rootlinks.net:default:/etc/opendkim/keys/rootlinks/default.private

7. TrustedHostsの設定
/etc/opendkim/TrustedHosts

Shell

# vi /etc/opendkim/TrustedHosts 127.0.0.1 ::1 smtp.rootlinks.net

1 2 3 4 5

# vi /etc/opendkim/TrustedHosts   127.0.0.1 ::1 smtp.rootlinks.net

8. SigningTableの設定

署名するドメイン情報を/etc/opendkim/SigningTableに追加します｡

/etc/opendkim/SigningTable

Shell

# vi /etc/opendkim/SigningTable *@rootlinks.net default._domainkey.rootlinks.net

1 2 3

# vi /etc/opendkim/SigningTable   *@rootlinks.net default._domainkey.rootlinks.net

9. DNSの設定

公開鍵をDNSのzoneファイルに設定します。当然外部からの問い合わせに応答するためにインターネット公開用Zoneファイルに/etc/opendkim/keys/rootlinks/default.txtの内容をそのままコピーします。またキーとは別にDKIMポリシーも追記します｡

default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIGf............................" ) ; ----- DKIM key default for rootlinks.net _adsp._domainkey.rootlinks.net. IN TXT "dkim=unknown"

1 2 3 4

default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "           "p=MIGf............................" )  ; ----- DKIM key default for rootlinks.net   _adsp._domainkey.rootlinks.net. IN TXT "dkim=unknown"

10. dnsのreload
Shell

# systemctl reload named-chroot

1	# systemctl reload named-chroot

公開鍵設定の確認は幾つかのサイトでできますが､今回はMXtoolboxで確認しました｡
https://mxtoolbox.com/SuperTool.aspx#




11. postfixの設定

postfixにopendkimを使用するように設定追加します｡

/etc/postfix/main.cf

Shell

# vi /etc/postfix/main.cf smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept

1 2 3 4 5

# vi /etc/postfix/main.cf   smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept

12. opendkimの有効､起動
Shell

# systemctl enable opendkim Created symlink from /etc/systemd/system/multi-user.target.wants/opendkim.service to /usr/lib/systemd/system/opendkim.service. # systemctl start opendkim # systemctl status opendkim

1 2 3 4

# systemctl enable opendkim Created symlink from /etc/systemd/system/multi-user.target.wants/opendkim.service to /usr/lib/systemd/system/opendkim.service. # systemctl start opendkim # systemctl status opendkim

13. postfixのreload
Shell

# systemctl reload postfix

1	# systemctl reload postfix

14. Testing opendkim

署名が正常に確認されるかテストを行います｡
autorespond+dkim@dk.elandsys.comに空メールを送信すればDKIMの結果メールが送られてきます｡”DKIM Signature validation: pass”があれば正常に署名されています｡

This is an automatic response. Replies to this message will not generate
an automatic response.
Do not reply to this message except for reporting a problem.

The results are as follows:

DKIM Signature validation: pass
DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.rootlinks.net

以前はsa-test@sendmail.netもあったのですが”Host or domain name not found”になりました｡

あるいはgmailなどにメールを送信してソースを確認することでテストできます｡