Installing OpenDKIM

Follow these steps to install OpenDKIM on Ubuntu and Plesk.
I will use domain.tld (as the primary domain) and example.com as my domains. I have enabled subdomains, so mail from the server mail.domain.tld gets signed too; in this case mail.domain.tld is also the Postfix hostname and mailname.

1. First, log in as root and run…

apt-get update
apt-get install opendkim opendkim-tools

2. Create the folder structure…

mkdir -p /etc/opendkim/keys/domain.tld
mkdir -p /etc/opendkim/keys/example.com

3. Create a key. I’ll use “dkim” as the selector and create 1024-bit keys.
You will have two files in the folder, dkim.private and dkim.txt; the latter contains the DNS record for you to add in Plesk or at your domain’s registrar.

cd /etc/opendkim/keys/domain.tld
opendkim-genkey -s dkim -d domain.tld
chown opendkim:opendkim dkim.private
chmod 600 dkim.private
cd /etc/opendkim/keys/example.com
opendkim-genkey -s dkim -d example.com
chown opendkim:opendkim dkim.private
chmod 600 dkim.private

4. Now we’ll create the SigningTable and the KeyTable…

nano /etc/opendkim/SigningTable

The contents should look like…

domain.tld dkim._domainkey.domain.tld
mail.domain.tld dkim._domainkey.domain.tld
example.com dkim._domainkey.example.com
mail.example.com dkim._domainkey.example.com

5. And the KeyTable…

nano /etc/opendkim/KeyTable

The contents should look like…

dkim._domainkey.domain.tld domain.tld:dkim:/etc/opendkim/keys/domain.tld/dkim.private
dkim._domainkey.domain.tld mail.domain.tld:dkim:/etc/opendkim/keys/domain.tld/dkim.private
dkim._domainkey.example.com example.com:dkim:/etc/opendkim/keys/example.com/dkim.private
dkim._domainkey.example.com mail.example.com:dkim:/etc/opendkim/keys/example.com/dkim.private

You can see the subdomains point to the same key as the domain.

6. Next we have to create the internal hosts file…

nano /etc/opendkim/dkim-InternalHosts

and add your IP and host names…

127.0.0.1/8
192.168.0.50/32 # replace with your server's IP
localhost
domain.tld
mail.domain.tld
example.com
mail.example.com

7. Now edit /etc/opendkim.conf

nano /etc/opendkim.conf

And define these settings…

Syslog                  yes
UMask                   002
Domain                  domain.tld
KeyFile                 /etc/opendkim/keys/domain.tld/dkim.private
Selector                dkim
Canonicalization        relaxed/relaxed
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              yes
LogWhy                  yes
UserID                  opendkim:opendkim
KeyTable                /etc/opendkim/KeyTable
SigningTable            /etc/opendkim/SigningTable
InternalHosts           /etc/opendkim/dkim-InternalHosts
Statistics              /var/log/opendkim/dkim-stats.log
OversignHeaders         From

8. Make sure you create the log directory, and that the log file is owned by opendkim:opendkim

mkdir -p /var/log/opendkim/
touch /var/log/opendkim/dkim-stats.log
chown opendkim:opendkim /var/log/opendkim/dkim-stats.log

9. We now need to define the socket…

nano /etc/default/opendkim

And uncomment…

SOCKET="inet:12345@localhost" # listen on loopback on port 12345

10. And restart OpenDKIM

service opendkim restart

11. Our last step is to add this milter to our Postfix configuration file…

nano /etc/postfix/main.cf

And set…

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:12768, inet:127.0.0.1:12345
non_smtpd_milters = inet:127.0.0.1:12345

Restart Postfix…

service postfix restart

And you should be good.
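A quick consistency check for the SigningTable and KeyTable built in steps 3 to 5, as an added example that is not part of the original post: it confirms every SigningTable target has a KeyTable entry, that each KeyTable key name begins with its own selector, and that each private key exists with mode 600. The sample tables and the temporary directory it writes them to are constructed here; point it at /etc/opendkim/SigningTable and /etc/opendkim/KeyTable on a real box.

```shell
# check_dkim_tables SIGNINGTABLE KEYTABLE
# Returns 0 when every SigningTable target has a KeyTable entry, every
# KeyTable entry's selector agrees with its key name, and every private
# key it points to exists with mode 600. Prints each problem it finds.
check_dkim_tables() {
  st="$1"; kt="$2"; rc=0
  while read -r dom keyname; do
    case "$dom" in ''|'#'*) continue ;; esac
    if ! awk -v k="$keyname" '$1 == k { f = 1 } END { exit !f }' "$kt"; then
      echo "SigningTable: $dom -> $keyname has no KeyTable entry"; rc=1
    fi
  done < "$st"
  while read -r keyname spec; do
    case "$keyname" in ''|'#'*) continue ;; esac
    sel=${spec#*:}; sel=${sel%%:*}   # middle field of domain:selector:path
    path=${spec##*:}                 # last field (path without colons)
    case "$keyname" in "$sel._domainkey."*) ;;
      *) echo "KeyTable: $keyname does not begin with selector $sel"; rc=1 ;;
    esac
    if [ ! -f "$path" ]; then
      echo "KeyTable: $keyname -> $path is missing"; rc=1
    elif [ -z "$(find "$path" -perm 600 -print 2>/dev/null)" ]; then
      echo "KeyTable: $path is not mode 600"; rc=1
    fi
  done < "$kt"
  return $rc
}

# Constructed sample mirroring the tables above, written to a temporary
# directory (an assumed path) so the check can be exercised offline.
mk_sample_tables() {
  dir=$(mktemp -d)
  mkdir -p "$dir/keys/domain.tld"
  : > "$dir/keys/domain.tld/dkim.private"
  chmod 600 "$dir/keys/domain.tld/dkim.private"
  printf '%s\n' 'domain.tld dkim._domainkey.domain.tld' \
    'mail.domain.tld dkim._domainkey.domain.tld' > "$dir/SigningTable"
  printf 'dkim._domainkey.domain.tld domain.tld:dkim:%s/keys/domain.tld/dkim.private\n' \
    "$dir" > "$dir/KeyTable"
  echo "$dir"
}

sample=$(mk_sample_tables)
check_dkim_tables "$sample/SigningTable" "$sample/KeyTable" && echo "tables OK"
```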

Creating ECC Certificates

Here’s a very quick guide on creating ECC 256-bit self-signed certificates with OpenSSL on Ubuntu 12 and 14.

1. First, let’s create a folder to hold the files…

mkdir /etc/ssl/ecc

2. Move to that directory…

cd /etc/ssl/ecc

3. Now let’s create the key

openssl ecparam -genkey -name prime256v1 -out ecc.key

4. Create the request

openssl req -new -key ecc.key -out ecc.csr

5. Create the certificate

openssl x509 -req -days 365 -sha256 -in ecc.csr -signkey ecc.key -out ecc.crt

6. While we are here, let’s combine the private key and certificate into a .pem file.

cat ecc.key ecc.crt > ecc.pem

You now have a self-signed ECC 256-bit SHA256 certificate for your domain, and a .csr file for use at your favourite CA.

Should you wish to have ECC 384-bit, simply replace “prime256v1” in step three with secp384r1, and “-sha256” in step five with -sha384.
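The steps above scripted for either curve, plus the check worth doing before deploying the .pem bundle, as an added example that is not part of the original post. It assumes openssl is on the path; the -subj flag (so the request needs no prompting) and -noout on ecparam (so the key file holds only the key) are assumptions added here, and the CN is a constructed value.

```shell
# make_ecc_cert DIR CURVE DIGEST CN
# Runs the key, request, certificate and bundle steps from the guide
# non-interactively. Pairs: prime256v1/sha256 or secp384r1/sha384.
make_ecc_cert() {
  dir="$1"; curve="$2"; digest="$3"; cn="$4"
  openssl ecparam -genkey -name "$curve" -noout -out "$dir/ecc.key" 2>/dev/null &&
  openssl req -new -key "$dir/ecc.key" -subj "/CN=$cn" -out "$dir/ecc.csr" 2>/dev/null &&
  openssl x509 -req -days 365 "-$digest" -in "$dir/ecc.csr" \
    -signkey "$dir/ecc.key" -out "$dir/ecc.crt" 2>/dev/null &&
  cat "$dir/ecc.key" "$dir/ecc.crt" > "$dir/ecc.pem"
}

# verify_ecc_cert DIR CURVE DIGEST
# Confirms the certificate really uses the requested curve and signature
# digest, and that the private key in ecc.pem matches the certificate in
# ecc.pem (a mismatched bundle is the usual cause of a TLS server that
# refuses to start). Returns 0 only when all three hold.
verify_ecc_cert() {
  dir="$1"; curve="$2"; digest="$3"
  text=$(openssl x509 -in "$dir/ecc.crt" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -q "$curve" || { echo "curve is not $curve"; return 1; }
  printf '%s\n' "$text" | grep -qi "ecdsa-with-$digest" || { echo "digest is not $digest"; return 1; }
  kpub=$(openssl pkey -in "$dir/ecc.pem" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$dir/ecc.pem" -noout -pubkey 2>/dev/null)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "key and certificate do not match"; return 1; }
}

work=$(mktemp -d)   # assumed scratch directory; the guide uses /etc/ssl/ecc
make_ecc_cert "$work" prime256v1 sha256 example.com &&
verify_ecc_cert "$work" prime256v1 sha256 && echo "ecc.pem OK"
```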

Enjoy!

Creating DH Parameters

By default DH parameters are just 1024 bits in Ubuntu 12.04.5 LTS, which is considered weak by today’s standards.
You will need to create a new one of either 2048-bit or 4096-bit depending on your certificate’s public key size.

1. Create a folder to hold the dhparams…

mkdir /etc/ssl/dh

2. Move to that directory

cd /etc/ssl/dh

3. Create the new DH parameters, at 2048-bit

openssl dhparam -out RSA2048.pem -5 2048

4. And 4096-bit (this will take some time)

openssl dhparam -out RSA4096.pem -5 4096

5. You can also create DSA versions, at 2048-bit…

openssl dhparam -dsaparam -out DSA2048.pem 2048

And 4096-bit

openssl dhparam -dsaparam -out DSA4096.pem 4096

Now you can add the directives to your servers: Courier-IMAP, Dovecot, Nginx and Postfix.

Courier-Imap

TLS_DHPARAMS=/etc/ssl/dh/RSA2048.pem

Dovecot (creates its own)

ssl_dh_parameters_length = 2048

Nginx

ssl_dhparam /etc/ssl/dh/RSA2048.pem;

Postfix

smtpd_tls_dh1024_param_file = /etc/ssl/dh/RSA2048.pem

Enjoy!