Tag Archives: Ubuntu

Installing OpenDKIM

April 29, 2016 Lloyd Day AMP Version

Follow these steps to install OpenDKIM on Ubuntu and Plesk.
I will use domain.tld (as the primary domain) and example.com as my domains, I have enabled subdomains so mail from the server mail.domain.tld gets signed too as in this case mail.domain.tld is also the Posfix hostname and mailname…

1. First login as root as run…

# apt-get update
# apt-get install opendkim opendkim-tools

2. Create the folder structure…

# mkdir -p /etc/opendkim/keys/domain.tld
# mkdir -p /etc/opendkim/keys/example.com

3. Create a key, I’ll use “dkim” as the selector and create 1024bit keys
You will have two files in the folder, dkim.private and dkim.txt, the latter contains the DNS record for you to add in Plesk or at your domains registrar.

# cd /etc/opendkim/keys/domain.tld
# opendkim-genkey -s dkim -d domain.tld
# chown opendkim:opendkim dkim.private
# chmod 600 dkim.private

And example.com…

# cd /etc/opendkim/keys/example.com
# opendkim-genkey -s dkim -d example.com
# chown opendkim:opendkim dkim.private
# chmod 600 dkim.private

4. Now we’ll create the SigningTable and the KeyTable…

# nano /etc/opendkim/SigningTable

The contents should look like…

domain.tld dkim._domainkey.domain.tld
mail.domain.tld dkim._domainkey.domain.tld
example.com dkim._domainkey.example.com
mail.example.com dkim._domainkey.example.com

5. And the KeyTable…

# nano /etc/opendkim/KeyTable

The contents should look like…

dkim._domainkey.domain.tld domain.tld:dkim:/etc/opendkim/keys/domain.tld/dkim.private
dkim._domainkey.domain.tld mail.domain.tld:dkim:/etc/opendkim/keys/domain.tld/dkim.private
dkim._domainkey.example.com example.com:dkim:/etc/opendkim/keys/example.com/dkim.private
dkim._domainkey.example.com mail.example.com:dkim:/etc/opendkim/keys/example.com/dkim.private

You can see the subdomains point to the same key as the domain.

6. Next we have to create the internal hosts file…

# nano /etc/opendkim/dkim-InternalHosts

and add your IP and host names…

127.0.0.1/8
192.168.0.50/32 # where this is your Server IP
localhost
domain.tld
mail.domain.tld
example.com
mail.example.com

7. Now edit /etc/opendkim.conf

# nano /etc/opendkim.conf

And define these settings…

Syslog			yes
UMask			002
Domain		        domain.tld
KeyFile		        /etc/opendkim/keys/domain.tld/dkim.private
Selector	        dkim
Canonicalization        relaxed/relaxed
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              yes
LogWhy                  yes
UserID                  opendkim:opendkim
KeyTable                /etc/opendkim/KeyTable
SigningTable            /etc/opendkim/SigningTable
InternalHosts           /etc/opendkim/dkim-InternalHosts
Statistics              /var/log/opendkim/dkim-stats.log
OversignHeaders		From

8. Make sure you create the log directory, and the log file is owned by opendkim:opendkim

# mkdir -p /var/log/opendkim/
# touch /var/log/opendkim/dkim-stats.log
# chown opendkim:opendkim /var/log/opendkim/dkim-stats.log

9. We now need to define the socket…

# nano /etc/default/opendkim

And uncomment…

SOCKET="inet:12345@localhost" # listen on loopback on port 12345

10. And restart opendkim

# service opendkim restart

11. Our last step is too add this milter to our postfix configuration file…

# nano /etc/postfix/main.cf

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:12768, inet:127.0.0.1:12345
non_smtpd_milters = inet:127.0.0.1:12345

Restart Postfix…

# service postfix restart

And you should be good.

Ubuntu

Creating ECC Certificates

January 28, 2015 Lloyd Day AMP Version

Here’s a very quick guide on creating ECC 256Bit Self-Signed Certificates with OpenSSL and Ubuntu 12 and 14.

1. Firstly lets create a folder to hold the files..

# mkdir /etc/ssl/ecc

2. Move to that directory…

# cd /etc/ssl/ecc

3. Now lets create the key

# openssl ecparam -genkey -name prime256v1 -out ecc.key

4. Create the request

# openssl req -new -key ecc.key -out ecc.csr

5. Create the certificate

# openssl x509 -req -days 365 -sha256 -in ecc.csr -signkey ecc.key -out ecc.crt

6. While we are here, lets combine the private key and certificate into a .pem file.

# cat ecc.key ecc.crt > ecc.pem

You now have a Self-Signed ECC 256Bit SHA256 certificate for your domain, and a .csr file for use at your favourite CA.

Should you wish to have ECC 384 Bit, simply replace “prime256v1” in step three, with secp384r1,
and “-sha256” in step five with -sha384.

Enjoy!

Ubuntu

Creating DH Parameters

December 26, 2014 Lloyd Day AMP Version

By default DH Parameters are just 1024bits in Ubuntu 12.04.5 LTS which is considered weak by todays standards.
You will need to create a new one of either 2048Bit or 4096Bit depending on your certificates public key size.

1. Create a folder to hold the dhparams…

# mkdir /etc/ssl/dh

2. Move to that directory

# cd /etc/ssl/dh

3. Create the new DH Parameters, at 2048Bit

# openssl dhparam -out RSA2048.pem -5 2048

And 4096Bit (this will take some time)

# openssl dhparam -out RSA4096.pem -5 4096

5. You can also create DSA versions, at 2048Bit…

# openssl dhparam -dsaparam -out DSA2048.pem 2048

And 4096Bit

# openssl dhparam -dsaparam -out DSA4096.pem 4096

The Directives

Now you can add the directives to your servers, Courier-Imap, Dovecot, Nginx and Postfix.

Courier-Imap

TLS_DHPARAMS=/etc/ssl/dh/RSA2048.pem

Dovecot (creates it’s own)

ssl_dh_parameters_length = 2048

Nginx

ssl_dhparam /etc/ssl/dh/RSA2048.pem;

Postfix

smtpd_tls_dh1024_param_file = /etc/ssl/dh/RSA2048.pem