DKIM signing with DKIMProxy in FreeBSD
After we have our basic mail server up and running, we can add DKIM signatures to our outgoing messages. The signature lets receiving servers validate that a message really was sent by our domain's mail server, since only that server holds the private key that produces it. Two things are needed: on the one hand, a record in our DNS zone that publishes the key the receivers will verify against; on the other hand, a signing step for outgoing mail.
DKIM signature
We create the key pair that we will need to sign the messages. The private key must remain readable only by root and by the account DKIMproxy runs as; the public key is what we will publish in DNS.
cd /usr/local/etc/mail
openssl genrsa -out dkim.private.key 2048
openssl rsa -in dkim.private.key -pubout -out dkim.public.key
DNS record
The public key has to be published in DNS so that the mail servers receiving our messages can verify that they really were signed by our domain.
We create a TXT record named <selector>._domainkey.<domain>, where the selector is the name we will later give DKIMproxy in its selector option (here dkim), with the following form:
dkim._domainkey.correo.com TXT "v=DKIM1;h=sha256;p=<public key>"
The content between <> is the base64 body of the file we created earlier, dkim.public.key: the text between the BEGIN and END lines, joined into a single line without line breaks. With a 2048-bit key this value exceeds the 255-byte limit of a single TXT string, so in the zone file it must be split into several quoted strings, which verifiers concatenate before parsing the record.
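The following script is an added example, not part of the original article or of DKIMproxy: it turns the PEM public key written by openssl into the zone-file TXT record, stripping the PEM armour, joining the base64 body and splitting it into 255-character strings where needed. The selector name and the sample key used to exercise it are assumptions, not values from a real zone.

```shell
#!/bin/sh
# Added example, not part of the original article: turn the PEM public key
# written by "openssl rsa -pubout" into the TXT record that DKIM verifiers
# look up at <selector>._domainkey.<domain>. The selector name and the
# sample key used when testing are assumptions, not values from a real zone.

# Strip the BEGIN/END armour lines and join the base64 body into one line.
pem_to_b64() {
    # $1: path to the PEM public key (e.g. dkim.public.key)
    grep -v -- '-----' "$1" | tr -d '\n\r '
}

# Split a long value into 255-character quoted strings. A single TXT string
# is limited to 255 bytes, and a 2048-bit key does not fit in one; verifiers
# concatenate the strings before parsing the record.
chunk_quote() {
    s=$1
    out=""
    while [ "${#s}" -gt 255 ]; do
        head=$(printf '%s' "$s" | cut -c1-255)
        s=$(printf '%s' "$s" | cut -c256-)
        out="$out\"$head\" "
    done
    printf '%s"%s"' "$out" "$s"
}

# Print the zone-file line for selector $1 at domain $2 from key file $3.
dkim_txt_record() {
    b64=$(pem_to_b64 "$3")
    printf '%s._domainkey.%s IN TXT %s\n' "$1" "$2" \
        "$(chunk_quote "v=DKIM1;h=sha256;p=$b64")"
}

# Usage: sh dkim_record.sh dkim correo.com /usr/local/etc/mail/dkim.public.key
if [ "$#" -eq 3 ]; then
    dkim_txt_record "$@"
fi
```

The output line can be pasted into the zone as-is; after the zone is reloaded, querying the TXT record should return a value whose p= part matches the local public key exactly, which is the quickest way to spot a truncated or wrapped key.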
Installation of DKIMProxy
pkg install dkimproxy
DKIMProxy configuration
Create the configuration file from the shipped example and edit it
cp /usr/local/etc/dkimproxy_out.conf.example /usr/local/etc/dkimproxy_out.conf
vi /usr/local/etc/dkimproxy_out.conf
so that it reads as follows
# specify what address/port DKIMproxy should listen on
listen 127.0.0.1:10027
# specify what address/port DKIMproxy forwards mail to
relay 127.0.0.1:10025
# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain correo.com
# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
# specify location of the private key
keyfile /usr/local/etc/mail/dkim.private.key
# specify the selector (i.e. the name of the key record put in DNS)
selector dkim
# control how many processes DKIMproxy uses
# - more information on these options (and others) can be found by
# running `perldoc Net::Server::PreFork'.
#min_servers 5
#min_spare_servers 2
We enable the service
sysrc dkimproxy_out_enable="YES"
Start it
service dkimproxy_out start
OpenSMTPd Forwarding Configuration
Now the outgoing mail has to be rerouted so that it gets signed. The MTA sends outgoing mail to DKIMproxy, which signs it and hands it back to OpenSMTPD on a separate, tagged listener, from which it is relayed to its final destination. The listen and relay lines in /usr/local/etc/dkimproxy_out.conf define the two ends of that loop, so the relay port there must be the port of the tagged listener below, and the listen port there must be the port the relay_dkim action sends to. On the OpenSMTPD side we add the following to /usr/local/etc/mail/smtpd.conf. Because the tagged listener relays for any sender without authentication, it must stay bound to lo0 only.
# Mail destination signed by dkimproxy
listen on lo0 port 10025 tag dkim_out
# Forwarding to external MTA
action "relay_dkim" relay host smtp://127.0.0.1:10027
action "relay" relay helo mail.correo.com
# Delivery rules
match tag dkim_out for any action "relay"
match from any auth for any action "relay_dkim"
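As an added example (not from the article, DKIMproxy or OpenSMTPD), the following script reads both configuration files and checks that the signing loop is closed: smtpd's relay_dkim action must point at the port DKIMproxy listens on, and DKIMproxy's relay line must point back at the port of the smtpd listener carrying the dkim_out tag. The file paths are the ones used above; the function names and the sample configurations built for the test are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that the signing
# loop is closed, i.e. OpenSMTPD relays to the port DKIMproxy listens on and
# DKIMproxy relays back to the port of the smtpd listener tagged for signed
# mail. The file paths are the article's; the configs built in the test are
# constructed samples.

# Port from a "listen host:port" or "relay host:port" line in dkimproxy_out.conf.
dkimproxy_port() {
    # $1: dkimproxy_out.conf, $2: keyword (listen or relay)
    awk -v k="$2" '$1 == k { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# Port of the smtpd action that relays to DKIMproxy (relay host smtp://host:port).
smtpd_relay_port() {
    # $1: smtpd.conf
    awk '$1 == "action" && /relay host smtp:\/\// { sub(/.*:/, "", $NF); print $NF; exit }' "$1"
}

# Port of the smtpd listener carrying the given tag (listen on ... port N tag T).
smtpd_tagged_listen_port() {
    # $1: smtpd.conf, $2: tag
    awk -v t="$2" '$1 == "listen" {
        p = ""; tag = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "port") p = $(i + 1)
            if ($i == "tag") tag = $(i + 1)
        }
        if (tag == t && p != "") { print p; exit }
    }' "$1"
}

# Returns 0 when both hops match, 1 (with a message per mismatch) otherwise.
check_dkim_loop() {
    # $1: dkimproxy_out.conf, $2: smtpd.conf, $3: tag of the return listener
    dp_in=$(dkimproxy_port "$1" listen)
    dp_out=$(dkimproxy_port "$1" relay)
    s_out=$(smtpd_relay_port "$2")
    s_in=$(smtpd_tagged_listen_port "$2" "$3")
    rc=0
    if [ -z "$s_out" ] || [ "$s_out" != "$dp_in" ]; then
        echo "smtpd relays to port '$s_out' but DKIMproxy listens on '$dp_in'"
        rc=1
    fi
    if [ -z "$s_in" ] || [ "$dp_out" != "$s_in" ]; then
        echo "DKIMproxy relays to port '$dp_out' but smtpd listener tagged '$3' is on '$s_in'"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check_dkim_loop.sh /usr/local/etc/dkimproxy_out.conf /usr/local/etc/mail/smtpd.conf dkim_out
if [ "$#" -eq 3 ]; then
    check_dkim_loop "$@"
fi
```

A non-zero exit with a message names the hop that is broken; a mismatch on either hop shows up in practice as mail queued on one side with connection refused errors in the other side's log, which is worth checking with a single test message before opening the server to real traffic.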