1. Postfix Banner

,Before starting this post I want to thanks Ilija from matoski.com as this post is based on his work on SPF / DKIM for Debian.Let’s start with a very short description of DKIM. DomainKeys Identified Mail is a mechanism designated to detect email spoofing (i.e. Be sure that the original email content is the same as the received). It works with signatures. The public key is available on a DNS entry of the sender domain zone and the private key used to generate this signature is stored on the mail server.This post will show how to configure DKIM on a Debian server with Postfix and automatize the configuration with Plesk. I assume you have sufficient permission to run these commands.

Runing configurationDebian wheezy 3.2.0-4-amd64Postfix 2.9.6Plesk 12.0OpenDKIM 2.6.8After a great disscussion with M. Lieske who did a new install in August 2016, I can confirm it works with Debian jessie 8.5, OpenDKIM 2.9.2 (with some adjustements in the script below, see notes) and Plesk 12.5 InstallationLet’s start with the installation of the OpenDKIM package. # Log to syslogSyslog yesSyslogSuccess yesLogWhy yes# Required to use local socket with MTAs that access the socket as a non-# privileged user (e.g. Postfix)UMask 002# Commonly-used options; the commented-out versions show the defaults.Canonicalizationrelaxed/simpleMode svPidFile /var/run/opendkim/opendkim.pid# Always oversign From (sign using actual From and a null From to prevent# malicious signatures header fields (From and/or others) between the signer# and the verifier. From is oversigned by default in the Debian pacakge# because it is often the identity key used by reputation systems and thus# somewhat security sensitive.OversignHeaders From# Our KeyTable and SigningTableKeyTable refile:/etc/opendkim/KeyTableSigningTable refile:/etc/opendkim/SigningTable# Trusted HostsExternalIgnoreList /etc/opendkim/TrustedHostsInternalHosts /etc/opendkim/TrustedHosts# Hashing AlgorithmSignatureAlgorithm rsa-sha256# Auto restart when the failure occurs.

CAUTION: This may cause a tight fork loopsAutoRestart YesAutoRestartRate 10/1h# Set the user and group to opendkim userUserID opendkim:opendkim# Specify the working socketSocket inet:8891@localhost. Service opendkim restartPostfix configurationThe base setup of OpenDKIM is done we have now to setup Postfix to use it as milter. Open the /etc/postfix/main.cf and add the “inet:127.0.0.1:8891” value to the smtpdmilters and nonsmtpdmilters configuration values. There should already have other milters configured (psa-pc-remote / OpenDMARC / SPF), it depends from your actual configuration of Postfix. The order of the milters are important, especially for OpenDMARC that should be the last one as it depends of SPF and OpenDKIM.

Service postfix restartOpenDKIM domain scriptsAt this point OpenDKIM is configured and active in Postfix, last step is to generate Keys for every domains. Here is the full script that will enable DKIM for a specific domain. This script will:. Create the Keys.

Warning: any customization made in Postfix configuration can be overwritten by Plesk update (for example, in case of bug fix, when configuration files are updated), Plesk upgrade or by mchk utility, which resets default mail server configuration.

Setup the Signing Table to enable the DKIM signature for all addresses of this domain. Add the domain to the trusted hosts file. Create the DNS record on the Plesk Database. Update DNS configuration via a Plesk CLI command. Reload services to apply the changes.

Postfix Banner

Be sure to enable SPF signing for this domain. Echo 'Warning: DNS record is not automatically removed';Plesk automationWhen a domain is created or removed from Plesk it would be fun to automatize DKIM activation or deactivation. Fist we have to create another custom script to handle every action for a domain creation and another one when the domain is removed. Even if Plesk events handler can have multiple command lines it’s better to only do a call to an external script.For the example let’s have a script folder at the system root /scripts/ that will contain every scripts. The first one is “openDKIMDomGen.sh”.

It contains every lines of the OpenDKIM creation script shown above. The second one is “openDKIMDomRemove.sh” and contain the removal script above.

These scripts can be executed only from the root user (chmod 700).Let’s create the script “pleskDomainCreatedEvent.sh” that will be called when a new domain is created. / scripts / postSRSDomainRemove.sh $ 1Next phase is to configure Plesk Event Manager. Log on to Plesk with administrator account an go to Server Management - Tools & Settings - Tools & Ressources - Event Manager.Create a new Event Handler for the domain creation:Then create a new Event Handler for the domain removal:Configure OpenDKIM for every active domains on the Plesk serverThe Plesk Event Handler doesn’t help to configure OpenDKIM of all already active domains on the Plesk Server. A little command that call the openDKIMDomGen.sh script for every domain can be used.

# / usr / local / psa / admin / sbin / autoinstaller -select-release-current -install-component postfixBoth Postfix and qmail use the same root directory to store incomingmail. This directory is defined by the variable $PLESKMAILNAMESDin the /etc/psa/psa.conf configuration file.

By default, it is/var/qmail/mailnames. Storing incoming mail in the same directoryallows the messages remain available after switching between mailagents.Unlike incoming mail, the mail queue is lost while switching between themail agents. Therefore, before switching, we recommend you stop the SMTPservice to prevent the acceptance of email and the delivery of allqueued mail.

To stop the SMTP service, run the following command.