After we have our basic mail server up and running, we can add DKIM signatures to our messages. DKIM lets receiving servers validate that a message was indeed sent by our domain's server, since only that server holds the private key that produces the signature. We need, on the one hand, to add a record to our DNS zone with the public key that verifies the signature, and on the other hand to sign the outgoing emails.

DKIM signature

We create the key pair that we will need to sign the messages.

cd /usr/local/etc/mail
# private key, used by dkimproxy to sign outgoing mail
openssl genrsa -out dkim.private.key 2048
# matching public key, to be published in DNS
openssl rsa -in dkim.private.key -pubout -out dkim.public.key

DNS record

The DKIM public key has to be published in DNS so that the mail servers receiving our messages can verify that they were indeed sent from the origin they claim to come from.

We create a TXT record with the following form:

_domainkey.correo.com TXT "v=DKIM1;h=sha256;p=<public key>"

The content between <> is the public key from the dkim.public.key file we created earlier.
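As an added example (not part of the original article), the following Python builds the TXT record from the PEM file and checks it the way a receiving server would. It assumes a placeholder selector "mail" with the page's domain correo.com, and encodes two caveats: p= takes only the base64 body of dkim.public.key (no BEGIN/END lines, no line breaks), and verifiers query the record at <selector>._domainkey.<domain>, where selector is the value configured in dkimproxy_out.conf.

```python
import base64

# Constructed placeholder PEM, NOT a real RSA key: a tiny DER SEQUENCE so the
# example runs offline. In practice read /usr/local/etc/mail/dkim.public.key.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MAUCAwEAAQ==
-----END PUBLIC KEY-----
"""

def pem_body(pem: str) -> str:
    """Base64 payload of a PEM file as one line: no header/footer, no newlines.
    This is what goes into p=; pasting the raw file makes verification fail."""
    lines = (ln.strip() for ln in pem.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def dkim_record_name(selector: str, domain: str) -> str:
    """Owner name verifiers query (RFC 6376): <selector>._domainkey.<domain>.
    The selector must be the 'selector' value set in dkimproxy_out.conf."""
    return f"{selector}._domainkey.{domain}"

def dkim_txt_value(pem: str, hash_alg: str = "sha256") -> str:
    """TXT value to publish: version, accepted hash, key type and the key."""
    return f"v=DKIM1; h={hash_alg}; k=rsa; p={pem_body(pem)}"

def zone_txt_strings(value: str, limit: int = 255) -> str:
    """Split into <=255-byte quoted strings: a 2048-bit key is ~392 chars of
    base64, longer than one TXT character-string may be."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)

def parse_dkim_record(txt: str) -> dict:
    """Parse tag=value pairs and sanity-check what a verifier would fetch."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, DKIM1 if present
        raise ValueError("not a DKIM1 key record")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    p = "".join(tags["p"].split())  # whitespace inside p= is permitted
    if p == "":
        raise ValueError("p= is empty: this key has been revoked")
    der = base64.b64decode(p, validate=True)
    if not der or der[0] != 0x30:  # SubjectPublicKeyInfo is a DER SEQUENCE
        raise ValueError("p= does not decode to a DER SEQUENCE")
    tags["key_der"] = der
    return tags
```

To publish, write dkim_record_name(selector, domain) as the owner name and zone_txt_strings(dkim_txt_value(pem)) as the TXT data in the zone file.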

Installation of DKIMProxy

pkg install dkimproxy

DKIMProxy configuration

Create the configuration file from the supplied example and edit it

cp /usr/local/etc/dkimproxy_out.conf.example /usr/local/etc/dkimproxy_out.conf
vi /usr/local/etc/dkimproxy_out.conf

so that it contains:

# specify what address/port DKIMproxy should listen on
listen    127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to
relay     127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain    correo.com

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile   /usr/local/etc/mail/dkim.private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector  _domainkey

# control how many processes DKIMproxy uses
#  - more information on these options (and others) can be found by
#    running `perldoc Net::Server::PreFork'.
#min_servers 5
#min_spare_servers 2

We enable the service:

sysrc dkimproxy_out_enable="YES"

And start it:

service dkimproxy_out start

OpenSMTPD Forwarding Configuration

Now the mail has to be rerouted so that it gets signed. The MTA must send outgoing mail to DKIMproxy, which signs it and hands it back to OpenSMTPD, which this time delivers it to its real destination. The listen and relay lines we set in /usr/local/etc/dkimproxy_out.conf define the two ports involved; now we modify the MTA rules in /usr/local/etc/mail/smtpd.conf.

# Mail coming back signed from dkimproxy (the port set as "relay" in dkimproxy_out.conf)
listen on lo0 port 10028 tag dkim_out

# Forwarding to external MTA
# relay_dkim hands mail to dkimproxy (the port set as "listen" in dkimproxy_out.conf)
action "relay_dkim" relay host smtp://127.0.0.1:10027
action "relay" relay helo mail.correo.com

# Delivery rules: already-signed mail goes out, authenticated submissions go through dkimproxy first
match tag dkim_out for any action "relay"
match from any auth for any action "relay_dkim"