2. Create a TXT record for each domain the server will be hosting that looks something like this:
Name:  selector1._domainkey
Type:  TXT
TTL:   1800
Value: v=DKIM1; k=rsa; p=KEY_GOES_HERE
3. Install dkimproxy from ports (no packages available for OpenBSD 5.6). It has no dependencies that aren't already pulled in from prior packages so it's an easy and quick build.
4. Edit /etc/dkimproxy_out.conf so it looks something like this (note that the listen and relay ports are changed from their defaults so they don't conflict with the earlier clamsmtpd setup):
# cat /etc/dkimproxy_out.conf
# specify what address/port DKIMproxy should listen on
#listen 127.0.0.1:10027
listen 127.0.0.1:10030

# specify what address/port DKIMproxy forwards mail to
#relay 127.0.0.1:10028
relay 127.0.0.1:10029

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
#domain example.org
domain example.com,example.net

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
#keyfile /full/path/to/private.key
keyfile /etc/mail/dkim/private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector selector1
...
Since SpamAssassin already does DKIM checking for incoming mail, dkimproxy is only used for outgoing mail, where it adds the DKIM-Signature (and DomainKey-Signature) headers.
5. Add "dkimproxy_out" to pkg_scripts in /etc/rc.conf.local and start it up. Again, check netstat -na -f inet to see if it's listening on port 10030.
6. Same drill as before. Edit /etc/mail/smtpd.conf so it looks something like this:
# cat /etc/mail/smtpd.conf
pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

listen on lo0
listen on lo0 port 10026 tag CLAM_IN   # incoming mail
listen on lo0 port 10028 tag CLAM_OUT  # outgoing mail
listen on lo0 port 10036 tag SPAM_IN   # incoming mail
listen on lo0 port 10029 tag DKIM_OUT  # outgoing mail
listen on egress tls pki mail.example.com auth-optional
listen on egress port submission tls-require pki mail.example.com auth

table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains

accept for local alias <aliases> deliver to maildir

# tagged mail returned from dkimproxy_out relay out
accept tagged DKIM_OUT for any relay

# tagged mail returned from spampd deliver to maildir
accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir

# tagged mail returned from clamsmtpd either send to spampd or dkimproxy_out
accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035   # send to spampd
accept tagged CLAM_OUT for any relay via smtp://127.0.0.1:10030  # send to dkimproxy_out

# start here - untagged mail is sent to clamsmtpd
accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025  # incoming mail
accept from local for any relay via smtp://127.0.0.1:10027             # outgoing mail
7. So now here is what’s happening:
Incoming mail (unchanged from before, since incoming mail does not pass through dkimproxy):
pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to maildir
Outgoing mail:
opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay to dkimproxy on port 10030 -> add DKIM headers -> return to opensmtpd on lo0 port 10029 and tag it DKIM_OUT -> relay out
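The port chain above is the part that silently breaks when one number is off (a relay to a port nobody listens on, or a filter handing mail back to an untagged listener, which would send it round the loop again). The script below is an added example, not part of the original post and not OpenSMTPD code: it reads the listen/accept lines from the smtpd.conf in step 6, the filter port pairs from steps 4 and 7, and walks an incoming and an outgoing message through the rules. It assumes OpenSMTPD's documented behaviour that the first matching accept rule wins, that a rule without "from" means "from local", and that mail handed back on lo0 counts as local. The message shape (source, recipient class, tag) and the check_wiring/trace helpers are this example's own simplification.

```python
import re

# Constructed from the smtpd.conf in step 6: only the listen and accept lines,
# with the ports and tags copied from the page.
SMTPD_CONF = """
listen on lo0
listen on lo0 port 10026 tag CLAM_IN
listen on lo0 port 10028 tag CLAM_OUT
listen on lo0 port 10036 tag SPAM_IN
listen on lo0 port 10029 tag DKIM_OUT
accept for local alias <aliases> deliver to maildir
accept tagged DKIM_OUT for any relay
accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to maildir
accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035
accept tagged CLAM_OUT for any relay via smtp://127.0.0.1:10030
accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025
accept from local for any relay via smtp://127.0.0.1:10027
"""

# Each filter daemon: (port it listens on, smtpd port it hands mail back to).
# Taken from dkimproxy_out.conf in step 4 and the clamsmtpd/spampd ports in step 7.
FILTERS = {
    "clamsmtpd (in)":  (10025, 10026),
    "clamsmtpd (out)": (10027, 10028),
    "spampd":          (10035, 10036),
    "dkimproxy_out":   (10030, 10029),
}

LISTEN_RE = re.compile(r"^listen on lo0(?: port (\d+))?(?: tag (\w+))?$")
ACCEPT_RE = re.compile(
    r"^accept(?: tagged (\w+))?(?: from (any|local))? for (local|any|domain)"
    r"(?: .*?)?\s*(deliver to maildir|relay via smtp://127\.0\.0\.1:(\d+)|relay)$"
)


def parse_smtpd(conf):
    """Return ({port: tag}, [rules in file order]) from the listen/accept lines."""
    listeners, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := LISTEN_RE.match(line):
            listeners[int(m.group(1) or 25)] = m.group(2)
        elif m := ACCEPT_RE.match(line):
            tag, source, dest, action, port = m.groups()
            # assumption: a rule without "from" means "from local" (smtpd.conf(5))
            rules.append({"tag": tag, "source": source or "local", "dest": dest,
                          "action": action, "port": int(port) if port else None})
    return listeners, rules


def matches(rule, msg):
    if rule["tag"] and rule["tag"] != msg["tag"]:
        return False
    if rule["source"] == "local" and msg["source"] != "local":
        return False
    return rule["dest"] in ("any", msg["rcpt"])


def trace(msg, listeners, rules, filters=FILTERS, max_hops=10):
    """Walk one message through smtpd and the filters (first matching rule wins)
    until it is delivered, relayed out, rejected, or lands on an unlistened port."""
    by_port = {listen: (name, back) for name, (listen, back) in filters.items()}
    hops = []
    for _ in range(max_hops):
        rule = next((r for r in rules if matches(r, msg)), None)
        if rule is None:
            return hops + ["rejected: no matching rule"]
        if rule["port"] is None:
            return hops + [rule["action"]]          # deliver to maildir / relay out
        if rule["port"] not in by_port:
            return hops + [f"dangling: nothing listens on {rule['port']}"]
        name, back = by_port[rule["port"]]
        if back not in listeners:
            return hops + [f"dangling: {name} returns mail to {back}, smtpd not listening"]
        hops.append(f"{name}:{rule['port']} -> lo0:{back} tag {listeners[back]}")
        # assumption: mail handed back on lo0 is "from local" and carries the listener's tag
        msg = {"source": "local", "rcpt": msg["rcpt"], "tag": listeners[back]}
    return hops + ["loop: gave up after max_hops"]


def check_wiring(listeners, rules, filters=FILTERS):
    """Static checks: no port claimed twice, every filter returns to a tagged
    smtpd listener, and every relay target has a daemon behind it."""
    problems, taken = [], {}
    for name, (listen, back) in filters.items():
        if listen in taken or listen in listeners:
            problems.append(f"{name} listens on {listen}, already used by {taken.get(listen, 'smtpd')}")
        taken[listen] = name
        if listeners.get(back) is None:
            problems.append(f"{name} returns mail to {back}, not a tagged smtpd listener")
    for r in rules:
        if r["port"] is not None and r["port"] not in taken:
            problems.append(f"rule relays to {r['port']} but nothing listens there")
    return problems


INCOMING = {"source": "remote", "rcpt": "domain", "tag": None}  # from outside, for a virtual domain
OUTGOING = {"source": "local", "rcpt": "remote", "tag": None}   # submitted locally, for a remote domain

if __name__ == "__main__":
    listeners, rules = parse_smtpd(SMTPD_CONF)
    print("wiring problems:", check_wiring(listeners, rules) or "none")
    for label, msg in (("incoming", INCOMING), ("outgoing", OUTGOING)):
        print(label, "->", " -> ".join(trace(msg, listeners, rules)))
```

Running it reproduces the two chains from step 7. Swapping dkimproxy_out back to its default ports (listen 10027, relay 10028) makes check_wiring report the clash with clamsmtpd on 10027 and the CLAM_OUT rule's relay to 10030 with nothing behind it, which is the failure the note in step 4 is guarding against.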
8. Send an email and look at the headers. There should be some DKIM headers for the domain like these:
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com; h=from:date
 :message-id:to:subject; s=selector1; bh=[KEY HASH]
DomainKey-Signature: a=rsa-sha1; c=nofws; d=example.com; h=from:date
 :message-id:to:subject; q=dns; s=selector1; b=[KEY HASH]
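Both the TXT record from step 2 and the signature header from step 8 are DKIM tag=value lists (RFC 6376 section 3.2), so one small parser checks both: that the published record has a usable key, and that the header a receiver sees names the d= domain and s= selector you expect. This is an added example, not code from the post or from dkimproxy; the record and header below are constructed from the page's samples with the key, body hash and signature left as placeholder text, and the check_* functions and their messages are this example's own.

```python
import re

# Constructed samples: the record from step 2, and a header in the shape shown in
# step 8 (folded across two lines the way it appears in a real message).
TXT_RECORD = "v=DKIM1; k=rsa; p=KEY_GOES_HERE"
SIGNED_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com; h=from:date\n"
    " :message-id:to:subject; s=selector1; bh=[BODY HASH]; b=[SIGNATURE]"
)

FWS = re.compile(r"\r?\n[ \t]+")  # folded-header continuation lines


def parse_tag_list(text):
    """Parse a DKIM tag=value list into a dict, in order of appearance.
    Whitespace inside values is dropped; verifiers ignore it in h=, p=, bh= and b=."""
    tags = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue  # a trailing ';' is allowed
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def parse_header(raw):
    """Split a possibly folded 'Name: value' header and parse the value as a tag list."""
    name, _, value = FWS.sub(" ", raw).partition(":")
    return name.strip(), parse_tag_list(value)


def dns_name(selector, domain):
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def check_txt_record(record):
    """Sanity-check a published key record before pointing a signer at it."""
    tags = parse_tag_list(record)
    problems = []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type {tags.get('k')!r}")
    if "p" not in tags:
        problems.append("p= (public key) missing")
    elif tags["p"] == "":
        problems.append("p= is empty, which means the key is revoked")
    return problems


def check_signature(raw, domain, selector):
    """Check that a DKIM-Signature header names the expected domain and selector."""
    name, tags = parse_header(raw)
    problems = []
    if name.lower() != "dkim-signature":
        problems.append(f"not a DKIM-Signature header: {name}")
    if tags.get("v") != "1":
        problems.append("v= must be 1")
    if tags.get("d", "").lower() != domain.lower():
        problems.append(f"d={tags.get('d')} does not match {domain}")
    if tags.get("s") != selector:
        problems.append(f"s={tags.get('s')} does not match selector {selector}")
    if "from" not in tags.get("h", "").lower().split(":"):
        problems.append("h= must include From")
    for required in ("a", "bh", "b"):
        if not tags.get(required):
            problems.append(f"{required}= missing")
    if tags.get("a") == "rsa-sha1":
        problems.append("a=rsa-sha1 is obsolete (RFC 8301); sign with rsa-sha256")
    return problems


if __name__ == "__main__":
    print("record problems:", check_txt_record(TXT_RECORD) or "none")
    print("key lookup name:", dns_name("selector1", "example.com"))
    print("header problems:", check_signature(SIGNED_HEADER, "example.com", "selector1") or "none")
```

The one finding on the page's own header is the a=rsa-sha1 algorithm: RFC 8301 has since retired it, so current verifiers treat such signatures as unsigned, and a signer should be configured for rsa-sha256 where it supports that option. The parser does not verify the cryptographic signature itself; that needs the message body and the public key from the DNS name dns_name() builds.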