Table of contents
  1. Configuration
    1. Signing key
  2. Integration
    1. Postfix

To help fight spam, outgoing email is digitally signed; this allows the receiver to verify that the message was actually sent from the domain in question and has not been forged or modified.

Build information

Ensure the following options:

mail/opendkim
[x] FILTER             OpenDKIM filter, requires libmilter/Sendmail

Configuration

The following configuration will allow signing of outgoing mail for the domain example.com using the mail selector (signing mail for multiple domains will not be detailed here).

mail/opendkim.conf
Domain                  example.com
KeyFile                 /var/db/dkim/mail.private
Selector                mail

On FreeBSD, opendkim runs by default as mailnull:mailnull (user/group), so for the unix socket it is necessary to use the directory /var/run/milteropendkim/, which is created by the startup script and has the necessary write permission for that user. It is always possible to use an inet socket with an associated IP address instead.

mail/opendkim.conf
Socket                  local:/var/run/milteropendkim/sock
UMask                   002

Signing key

The key is now generated using the opendkim-genkey command. This creates 2 files: one with the private key, and one with a DNS record containing the public key. The generated files are named according to the chosen selector (here: mail): mail.private and mail.txt.

DKIM Key Generation
opendkim-genkey -t -s mail -d example.com

The file mail.private must be moved to the location specified in the KeyFile entry of opendkim.conf:

Moving generated key to its opendkim.conf location
mv mail.private /var/db/dkim/mail.private

The content of mail.txt must be placed in the DNS zone of the domain used for sending our email; it will look as follows:

named/master/example.com
mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
                                  "p=............" )
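
Before the record is published, it can be checked for the problems that most often break verification. The following is an added example, not part of the original page: it parses a record in the mail.txt layout and reports issues, including the t=y test-mode flag that the -t option of opendkim-genkey adds. The sample record and its p= value are constructed, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample in the layout of mail.txt; the p= value is dummy
# base64 (not a real key) and the trailing zone comment is illustrative.
SAMPLE = '''mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; t=y; "
                                  "p=QUJDREVGR0hJSktMTU5PUA==" )  ; ----- DKIM key mail for example.com
'''

def parse_record(zone_text):
    """Join the quoted TXT chunks and split them into DKIM (tag, value) pairs."""
    joined = "".join(re.findall(r'"([^"]*)"', zone_text))
    tags = []
    for part in joined.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags.append((name.strip(), re.sub(r"\s+", "", value)))
    return tags

def check_record(zone_text):
    """Return a list of problems found in a DKIM key record (empty list = OK)."""
    tags = parse_record(zone_text)
    rec = dict(tags)
    problems = []
    if len(rec) != len(tags):
        problems.append("duplicate tag")
    # RFC 6376: v= is optional, but if present it must come first and be DKIM1.
    if "v" in rec and (tags[0][0] != "v" or rec["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    if rec.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type k=" + rec["k"])
    if "p" not in rec:
        problems.append("missing p= (public key)")
    elif rec["p"] == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(rec["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    # t= holds colon-separated flags; "y" marks the domain as testing DKIM.
    if "y" in rec.get("t", "").split(":"):
        problems.append("t=y: test mode, verifiers may ignore failures")
    return problems
```

An empty list from check_record means the record passed every check; a remaining t=y entry is a reminder to drop the flag from the zone once signing is confirmed to work.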

Integration

Postfix

Now that DKIM is configured, we still need to tell our mail server to sign the outgoing mail. This is done by having the mail server talk to OpenDKIM through the milter protocol:

postfix/main.cf
# Milter
milter_default_action   = accept
# Mail received by the smtpd daemon
smtpd_milters           = unix:/var/run/milteropendkim/sock
# Mail not arriving via smtpd (e.g. local sendmail submission)
non_smtpd_milters       = unix:/var/run/milteropendkim/sock

Due to the selected configuration, it is necessary to add the postfix user to the mailnull group to allow communication with the exported unix socket (umask: 002):

Add `postfix` user to `mailnull` group
pw group mod mailnull -m postfix