You are here: |Blog|Server Administration|Setup Dkim On Centos 7 Server Running Postfix

Setup DKIM on Centos 7 server running Postfix

The DKIM (Domain Keys Identified Mail) is an email-signing method that utilizes two keys: one private and one public.

DKIM is applied by the mail server of the email recipient in order to verify the authenticity of the sender, and thus to reduce spam.

The workflow of DKIM is rather simple:
Upon setup at the mail server, we create one private and one public key. The public key is then copied to the zone file of our domain in the form of a TXT record. The private key -as the name implies- resides at the mail server in a private folder.
When a user sends an email, this message is signed by the mail agent (ie Postfix) according to the private key. This digital signature is attached to the headers of the email. Finally, the server of the recipient reads that signature and compares it to the public key (which is found in the domain's zone file). If keys and signature match, the message is considered legitimate and is moved to recipient's inbox.

In the following tutorial I will try to explain in 7 simple tasks how to implement DKIM signature in your mail server.
For simplicity purposes, lets assume that you are running RedHat CentOS 7 mail server, Postfix is already up and running, and that our domain name is "domain.com".

 

Task 1: Install OpenDKIM

For this task make sure you have installed and enabled the EPEL repository

# yum install opendkim

 

Task 2: Generate keys

# mkdir -p /etc/opendkim/keys/domain.com
# cd /etc/opendkim/keys/domain.com
# opendkim-genkey -r -d domain.com

 

Task 3: Set the right permissions

# chown -R opendkim:opendkim /etc/opendkim
# chmod go-rw /etc/opendkim/keys

 

Task 4: OpenDKIM configuration

# vi /etc/opendkim.conf

Make sure that the below parameters are as described

Mode sv
Socket inet:8891@localhost
Domain domain.com
#KeyFile /etc/opendkim/keys/default.private ### comment this line
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts

Now edit the domain keys lists setting file:

# vi /etc/opendkim/KeyTable

and add the following line:

default._domainkey.domain.com domain.com:default:/etc/opendkim/keys/domain.com/default.private

Next, edit the signing table file

# vi /etc/opendkim/SigningTable

and make sure the following line appears:

*@domain.com default._domainkey.domain.com

Finally, edit the trusted hosts file

# vi /etc/opendkim/TrustedHosts

and add the hostnames that are permitted to send mail on behalf of your domain:

domain.com
mail.domain.com

 

Task 5: Postfix configuration

Now open the main configuration file of Postfix:

# vi /etc/postfix/main.cf

and add these lines at the end of the file:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

 

Task 6: Start and enable the new service

We need to start OpenDKIM, make sure it starts automatically on boot, and finally restart Postfix

# service opendkim start
# chkconfig opendkim on
# service postfix restart

 

Task 7: Configure DNS zone file

Get the contents of file default.txt

# cat /etc/opendkim/keys/domain.com/default.txt

You will get an output similar to that one:

default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdTtEqM8FqndiFYOderzljMMMqBdEp+wJKP+VUbhc9GigmK34ZjrSqqdKjIEWr2q9DvSVp1H1bZs4t050m0HZxJqknDz2yoDJ6W4mCaSCHesRde5V44V/L65Gqm/rvBz1d6CCp8A2515eveWrIAocOD6pKJ4tnXHz3uwV2ZtgQiQIDAQAB" ) ; ----- DKIM key default for domain.com

Mark and copy the contents of your file.

Next at your DNS server open your domain's zone file, and paste the copied content at the very end of it.

If necessary, restart the DNS service.

 

That's it. You are now running the DKIM service!

 

IMPORTANT: In case you serve multiple domains

If your server is shared between more that one domain names, repeat tasks 2 and 3 for each one of your domains.
Then edit the KeyTable and SigningTable to complete the procedure.

vi /etc/opendkim/KeyTable

and for each one of your domains add a line as per example:

default._domainkey.domain1.com domain1.com:default:/etc/opendkim/keys/domain1.com/default.private
default._domainkey.domain2.com domain2.com:default:/etc/opendkim/keys/domain2.com/default.private
default._domainkey.domain3.com domain3.com:default:/etc/opendkim/keys/domain3.com/default.private

and

vi /etc/opendkim/SigningTable

here too, for each one of your domains, add a line as shown below:

*@domain1.com default._domainkey.domain1.com
*@domain2.com default._domainkey.domain2.com
*@domain3.com default._domainkey.domain3.com

Last but not least, for every domain repeat Task 7 and at the end, don't forget to restart the services!

 

Optional task: Verify the service

In case you are wondering, you can verify the proper operation of your new DKIM installation by visiting:

MX Toolbox

Or you can just send an email to: ping@tools.mxtoolbox.com and an automated reply with email status details, will arrive shortly to your Inbox.

It is an excellent mail-deliverability tool and very easy to use.
Just send an email to the specified address (ping@tools.mxtoolbox.com -at the time of the writing), type your email address to the corresponding box, and press "Search" to view your results.

 

 

Categories

Tags

We will be delighted to hear from you

Why choose us?

Choosing the right web development and digital marketing company is crucial to the success of your online presence, and ILUS Web Ltd is the perfect choice for businesses looking to establish a strong and effective online presence. Our team of experts is dedicated to providing top-notch web development and digital marketing services that are tailored to meet the unique needs of our clients.

With over a decade of experience in the industry, we have a proven track record of delivering high-quality solutions to businesses of all sizes. Our team of skilled developers, designers, and digital marketing experts use the latest technologies and best practices to deliver innovative, effective, and user-friendly solutions that exceed our clients' expectations. Whether you need a new website, an e-commerce platform, or a custom web application, we have the expertise to make it happen.

Custom Applications development

We at ILUS Web love programming!
All kinds of programming... Applications programming, Microcontrollers programming, Websites programming.
And we like to try to approach perfection everytime!

The best thing about a boolean is even if you are wrong, you are only off by one bit.

We value User Experience

A beautiful and functional design is very important, as it interacts directly with the end User. And after all, it's the User's experience that we all work for!
Because a happy User, is of the most valuable assets to a business!

If you think good design is expensive, you should look at the cost of bad design.

Search Engine Optimization

A Website without S.E.O. is like a ship with broken steering, sailing in stormy weather!
In this day and age, the number of websites is reaching new records every day. Consequently, the competition of every new Site is huge, and the only way to "survive" is a methodical and successful S.E.O.

S.E.O. is what the Search Engines talk about you, when you are not present!
chart
  • Address: ul. Tsanko Tserkovsky 11, Lozenets , 1164
    Sofia - Bulgaria
  • Cellphone: +359 88 999 4209
  • Website: ilusweb.com
  • Email: infoilusweb.com

Blog

How to add a captcha to your website

Captcha is the acronym for <Completely Automated Public Turing test to tell Computers and Humans Apart>.
It is a very popular technique that tries to do exactly what it's name implies: to tell humans and computers (bots) apart. This can be useful to websites in order to distinguish form submissions made by humans (legitimate), or form submissions made by bots (usually spam).

Before we set up an example, lets see how does captcha work.
On page load, we create a session named -for example- "captcha" and as a value we give it a series of alphanumeric characters, usually from 4 to 6.
This alphanumeric series we also present as a picture in our page, asking the user to copy the identified characters into a field. The field is also submitted as part of our <form> tag.

Upon submission, the script compares the characters of that field to the already created session named "captcha". 
If the content matches the session's value we continue with the form process. If not, we stop any further process and return a "wrong captcha" error.

Pretty simple, isn't it?

Now lets see an example script of the above described function:

Let's start by checking if the session exists, and if yes, create a new one. Also set the number of characters our captcha is going to have.

<?php

session_start();

if(isset($_SESSION['captcha'])){
 unset($_SESSION['captcha']);
}
$num_chars=5; // number of characters for captcha image

Now, let's specify the array of the characters that will form the series. Here we have excluded the letters "l,m,n,o" and the numbers "1 and 0" in order to avoid confusion. We proceed with the construction of the characters sequence and we store that in a session.

$characters=array_merge(range(2,9),range('a','k'),range('p','z')); // creating combination of numbers & alphabets
shuffle($characters); // shuffling the characters

$captcha_text=""; 
for($i=0;$i<$num_chars;$i++){ // getting the required random 5 characters
  $captcha_text.=$characters[rand(0,count($characters)-1)];
}

$_SESSION['captcha'] = $captcha_text; // assigning the characters to the session

Now it's time to create the image. To do that we will use a canvas as background and a set of fonts. The font that we will use for this job is "Times New Yorker". We will place the file "times_new_yorker.ttf" in a folder named "font" and will include in in our script.

header("Content-type: image/png"); // setting the image type as png
$captcha_image=imagecreatetruecolor(120,32); // create the captcha image

$captcha_background=imagecolorallocate($captcha_image,225,238,221); // setting captcha background colour
$captcha_text_colour=imagecolorallocate($captcha_image,58,94,47); // setting cpatcha text colour

imagefilledrectangle($captcha_image,0,0,120,32,$captcha_background); // creating the rectangle

$font='font/times_new_yorker.ttf'; // setting the font path

imagettftext($captcha_image,22,0,14,25,$captcha_text_colour,$font,$captcha_text); // write the text
imagepng($captcha_image); // image created here
imagedestroy($captcha_image); // image destroyed

While most of the above steps are self-explanatory, I will go through them quickly:

We create a header specifying the image type (Here it's .png), and then we create the image.
Then we set the background color and the font color, and we create the rectangle that will contain the text.
Next we specify the font folder and we write the text. 
That image we export as .png, and right after we destroy it since we don't need it anymore (it already shows in our page).

Now for the full code:

<?php

session_start();

if(isset($_SESSION['captcha'])){
  unset($_SESSION['captcha']);
}
$num_chars=5; // number of characters for captcha image

$characters=array_merge(range(2,9),range('a','k'),range('p','z')); // creating combination of numbers & alphabets 

shuffle($characters); // shuffling the characters

$captcha_text=""; 
for($i=0;$i<$num_chars;$i++){ // getting the required random 5 characters
  $captcha_text.=$characters[rand(0,count($characters)-1)];
}

$_SESSION['captcha'] = $captcha_text; // assigning the characters to the session

header("Content-type: image/png"); // setting the image type as png

$captcha_image=imagecreatetruecolor(120,32); // create the captcha image

$captcha_background=imagecolorallocate($captcha_image,225,238,221); // setting captcha background colour
$captcha_text_colour=imagecolorallocate($captcha_image,58,94,47); // setting cpatcha text colour

imagefilledrectangle($captcha_image,0,0,120,32,$captcha_background); // creating the rectangle

$font='font/times_new_yorker.ttf'; // setting the font path

imagettftext($captcha_image,22,0,14,25,$captcha_text_colour,$font,$captcha_text); // write the text
imagepng($captcha_image); // image created here
imagedestroy($captcha_image); // image destroyed 

?>

Now save this as "captcha.img.php" and place it in a folder which must be accessible by the web server.
In the same location also place the folder that contains the .ttf (font file).

To use it, we call it as the "src" in an <img> tag. Like this:

<img src="path/to/captcha_folder/captcha.img.php" />

On every page load the previous session and image are being destroyed, and we are presented with new ones.

Although not fully "bot-proof" this script will repell the vast majority of bots that will try to submit our form.
Some bots might manage to read the characters, but we want these characters to be easily readable by people too, so we can be a little flexible here.

 

 

Adjust the message size in Postfix

Postfix is one of the most popular MTAs (Mail Transport Agents). Due to its popularity, it is handling the mail for many different users and in many different kinds of environments. Therefore some of it's default settings may occasionally need some adjustments.

When browsing the logs of your mail server, have you ever seen something like that?

Sep 26 03:05:01 server01 postfix/local[56145]: A1B2AB123456: to=<root@server01.example.com>, orig_to=<root>, relay=local, delay=0.18, delays=0.08/0.03/0/0.07, dsn=5.2.2, status=bounced (cannot update mailbox /var/mail/root for user root. error writing message: File too large)

Or, did your users complaint that they cannot receive -hmm, these kinda ...larger- attachments?

Well that is because Postfix is adjusted by default to handle messages up to 10240000 bytes, or approximately 10MB. Now think that MIME encoding adds an overhead of 33.33% to the size of any attachment. That's because every 3 bytes are being increased by 1, to a total of 4 bytes. So one can easily understand that the default maximum allowed attachment size is about 7MB!

If we want to increase that -rather small number, all we have to do is login as root to our mail server and edit the Postfix main configuration file (main.cf), usually located in /etc/postfix

# vi /etc/postfix/main.cf

Then find the command message_size_limit and make it equal to a larger number. Maybe something like 100MB...

message_size_limit = 102400000

Save the file and exit. 
Oh, and don't forget to restart (or reload) Postfix!

This small adjustment of 100 Megabytes limit minus the MIME overhead, means that our server should now be able to accept messages up to 70MB! Not bad huh?

Enable EPEL Repository on CentOS or RHEL box

EPEL stands for "Extra Packages for Enterprise Linux" and is a yum repository.
It provides hight quality additional software to accompany your RedHat distribution, such as:

  • RedHat Enterprise Linux
  • CentOS
  • Fedora

Two methods are available to RedHat users for installing EPEL

YUM method

Use yum, the built-in command:

# yum install epel-release

 

RPM method

Mostly applicable to CentOS systems, we need to issue a command according to our distro.

 

CentOS 8

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
# dnf config-manager --set-enabled PowerTools

 

CentOS 7

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

 

CentOS 6

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

 

Enable the EPEL repository

In order to activate and start using the newly installed EPEL repository issue the command below

# yum --disablerepo=* --enablerepo=epel list all

 

The above command will show a (pretty long) list of the available software, that looks something like this:

 ....................................

zimg-devel.x86_64          2.9.3-1.el8          epel          

zinnia.x86_64              0.06-46.el8          epel         

zinnia-devel.x86_64        0.06-46.el8          epel         

zinnia-doc.noarch          0.06-46.el8          epel         

zinnia-perl.x86_64         0.06-46.el8          epel         

zinnia-tomoe-ja.x86_64      0.06-46.el8         epel         

zinnia-tomoe-zh_CN.x86_64   0.06-46.el8         epel         

zinnia-utils.x86_64         0.06-46.el8         epel         

zip.x86_64                  3.0-23.el8          BaseOS       

zlib.i686                   1.2.11-16.el8_2     BaseOS       

zlib-devel.i686             1.2.11-16.el8_2     BaseOS       

zlib-devel.x86_64           1.2.11-16.el8_2     BaseOS       

znc.x86_64                  1.8.1-1.el8         epel                

znc-devel.x86_64            1.8.1-1.el8         epel         

znc-modperl.x86_64          1.8.1-1.el8         epel         

znc-modpython.x86_64        1.8.1-1.el8         epel         

znc-modtcl.x86_64           1.8.1-1.el8         epel         

zork.x86_64                 1.0.2-3.el8         epel         

zsh.x86_64                  5.5.1-6.el8_1.2     BaseOS       

zsh-html.noarch             5.5.1-6.el8_1.2     AppStream    

zsh-syntax-highlighting.noarch 0.7.1-1.el8      epel         

zstd.x86_64                 1.4.2-2.el8         AppStream    

zswap-cli.x86_64            0.4.1-1.el8         epel         

zvbi.x86_64                 0.2.35-9.el8        epel         

zvbi-devel.x86_64           0.2.35-9.el8        epel         

zvbi-fonts.noarch           0.2.35-9.el8        epel         

zziplib.i686                0.13.68-8.el8       AppStream    

zziplib.x86_64              0.13.68-8.el8       AppStream    

zziplib-utils.x86_64        0.13.68-8.el8       AppStream

 

 

Gallery

Copyright ©2024 ILUS Web Ltd. All rights reserverd.

Privacy policy | Terms of use