opensmtpd-filter-dkimsign for Debian
------------------------------------

The instructions below are based on the README file included in the OpenBSD
opensmtpd-filter-dkimsign port [0]. These instructions assume that the openssl
package is installed. The opensmtpd-filter-dkimsign package has already created
the _dkimsign user and group for your convenience.

Debian users should note the following changes from OpenBSD:

 * The instructions assume that DKIM keys will be stored in /etc/mail/dkim, but
   you may use a different directory. If you would like to use /etc/mail/dkim,
   you will need to create it. It should be owned by _dkimsign:_dkimsign and
   have mode 770:

       sudo install -d -m 770 -o _dkimsign -g _dkimsign /etc/mail/dkim

[0] https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/mail/opensmtpd-filters/dkimsign/pkg/README

 -- Ryan Kavanagh <rak@debian.org>  Thu, 10 Jun 2021 09:43:35 -0400

$OpenBSD: README,v 1.2 2021/06/10 10:58:51 martijn Exp $

+-----------------------------------------------------------------------
| Running opensmtpd-filter-dkimsign on OpenBSD
+-----------------------------------------------------------------------

To use filter-dkimsign, you must first generate a private key:

    sudo -u _dkimsign openssl genrsa -out /etc/mail/dkim/private.rsa.key 2048

To generate the public key ready for DNS:

    openssl rsa -in /etc/mail/dkim/private.rsa.key -pubout | \
        sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;'

This value needs to be placed in a DNS TXT record whose name has the
following form:

    <selector>._domainkey.<domain>

Edit the /etc/smtpd.conf file to declare the filter:

    filter dkimsign_rsa proc-exec "filter-dkimsign -d <domain> -s <selector> -k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign

Then add the filter to each listener that should be signed:

    listen on all filter dkimsign_rsa

To use Ed25519, similar steps must be taken.
Make sure the ed25519 flavor of opensmtpd-filter-dkimsign is installed.

To generate the private key:

    sudo -u _dkimsign openssl genpkey -algorithm ed25519 -outform PEM -out /etc/mail/dkim/private.ed25519.key

To generate the public key ready for DNS:

    printf "v=DKIM1;k=ed25519;p=%s" "$(openssl pkey -outform DER -pubout -in /etc/mail/dkim/private.ed25519.key | tail -c +13 | openssl base64)"

Edit the /etc/smtpd.conf file to declare the filter:

    filter dkimsign_ed25519 proc-exec "filter-dkimsign -a ed25519-sha256 -d <domain> -s <selector> -k /etc/mail/dkim/private.ed25519.key" user _dkimsign group _dkimsign

To add both filters to each listener that should be signed:

    filter dkimsign chain { dkimsign_rsa, dkimsign_ed25519 }
    listen on all filter dkimsign

For a full list of options see filter-dkimsign(8).
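
The two public-key commands above produce differently shaped p= values: the
RSA record carries the whole DER SubjectPublicKeyInfo, while the Ed25519 record
carries only the raw 32-byte key, which is why that command drops the first 12
bytes with tail -c +13. The script below is an added example, not part of the
OpenBSD or Debian README; its function names and return codes are its own, and
it assumes a base64 utility that accepts -d.

```shell
#!/bin/sh
# Added example (not from the README): sanity-check a DKIM TXT value before
# publishing it. Return codes are this example's own convention:
#   0 ok, 1 malformed, 2 Ed25519 key still DER-wrapped, 3 RSA key under 2048 bits

dkim_tag() {    # dkim_tag <record> <tag>: print the value of one tag
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

check_dkim_record() {
    # Whitespace is not significant in the tags checked here, so drop it
    # (this also undoes the line wrapping that base64 tools add).
    rec=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$(dkim_tag "$rec" v)" = "DKIM1" ] || { echo "missing v=DKIM1" >&2; return 1; }
    ktype=$(dkim_tag "$rec" k)
    ktype=${ktype:-rsa}             # k= defaults to rsa when absent
    p=$(dkim_tag "$rec" p)
    [ -n "$p" ] || { echo "empty or missing p=" >&2; return 1; }
    printf '%s' "$p" | base64 -d >/dev/null 2>&1 || { echo "p= is not valid base64" >&2; return 1; }
    bytes=$(printf '%s' "$p" | base64 -d | wc -c | tr -d ' ')
    case $ktype in
    ed25519)
        # p= must be the raw 32-byte key. 44 bytes means the 12-byte
        # SubjectPublicKeyInfo header was not stripped (the tail -c +13 step).
        if [ "$bytes" -eq 44 ]; then echo "ed25519: DER header still present" >&2; return 2; fi
        [ "$bytes" -eq 32 ] || { echo "ed25519: $bytes bytes, want 32" >&2; return 1; }
        ;;
    rsa)
        # p= is the whole DER SubjectPublicKeyInfo, which starts with 0x30.
        first=$(printf '%s' "$p" | base64 -d | od -An -tx1 -N1 | tr -d ' \n')
        [ "$first" = "30" ] || { echo "rsa: not a DER structure" >&2; return 1; }
        # Heuristic: a 2048-bit key with exponent 65537 encodes to 294 bytes.
        [ "$bytes" -ge 294 ] || { echo "rsa: key shorter than 2048 bits" >&2; return 3; }
        ;;
    *)  echo "unknown k=$ktype" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample: an all-zero 32-byte "key", only to exercise the check.
sample="v=DKIM1;k=ed25519;p=$(head -c 32 /dev/zero | base64)"
check_dkim_record "$sample" && echo "sample record: ok"
```

Pass the output of either public-key command above as the single argument to
check_dkim_record before copying it into the zone.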