SMTP – DKIM Postfix with Rspamd

dkimAfter a few easy ones (DMARC and SPF), we now have the last one in our anti-spam triangle, DKIM, which is more complicated to setup.

This mechanism is probably also the most reliable and hack proof solution, since you need to configure your email server, your DNS records and combine the two to make it work.

Configuring this, is different for every mailserver. I was able to test it in 3 different situation which will be divided in 3 posts: Postfix with Rspamd, Postfix without Rspamd, DirectAdmin with Exim4.

Installation of Postfix and Rspamd are outside the scope of this post. Important for this post to know, is that the main Rspamd config resides in /etc/rspamd/local.d directory.

DKIM works with selectors and we’re using “2018” as the selector.

# mkdir /var/lib/rspamd/dkim/
# rspamadm dkim_keygen -b 2048 -s 2018 -k /var/lib/rspamd/dkim/2018.key > /var/lib/rspamd/dkim/2018.txt
# chown -R _rspamd:_rspamd /var/lib/rspamd/dkim
# chmod 440 /var/lib/rspamd/dkim/*

Cat out your key:

# cat /var/lib/rspamd/dkim/2018.txt

Put this part in DNS:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAh4FdAzYTGkc5w5JC8siJZRgA0aBg3YU30ghi6ywALVq5tegUccqR7tJYYRqYjnLBU3ZQFXOy7DGTFplxv5ki6wJuuzqtOdhv4Rm6WHiFWmzAo2YsVCpTZmuCMeD/HK6gTT6qtjLmYgvldhLncgibbxiNdzRC/oW1V6mWk/fLveKi7YmzLKYGzB4idJ1/e6Y2LvbPd5wKGMH3117gvu6JgIcK2fvcgApWPQjr6F5tR7aAJbMnXvTSyj6B6locUZ5isUuZAqfSCOClbrug6CdiDYQohkpXxP7S+oST8824iZGXt0zTI8wwigkeP9yb9oxewIDAQAB

Like so: 5 MINS TXT v=DKIM1; k=rsa; p=yourkeyhere

Finalize your configuration:

# vi /etc/rspamd/local.d/dkim_signing.conf


path = "/var/lib/rspamd/dkim/$selector.key";
selector = "2018";

# Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;

Copy it to arc.conf and you should be done.

# cp -R /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf

Complete series: Backscatter check, DMARC, SPF, DK1M with Postfix, DK1M with Postfix and rspamd, DK1M with DirectAdmin and Exim and SMTP checks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.