View Issue Details

ID: 0000545
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2014-04-21 18:32
Reporter: Daniel Black
Assigned To:
Status: new
Resolution: open
Summary: 0000545: dkim deployment
Description: The following setups are to deploy DKIM on all mail sending servers of CAcert.

scp (to XXXX machine)

dpkg -i dkim-filter_2.5.5-1_i386.deb

check user and group dkim-filter exists. create otherwise

check the following directory with permissions/ownership
drwxr-xr-x 2 dkim-filter dkim-filter 4096 May 4 12:35 /var/run/dkim-filter

create the following file with the SOCKET contents

create the following directory with permissions/ownership
drwxr-xr-x 2 dkim-filter root 4096 May 4 12:01 /var/spool/postfix/milter/

create the following directory with permissions/ownership
drwx------ 3 dkim-filter root 4096 May 4 12:00 /etc/mail/dkim-filter/

cd /etc/mail/dkim-filter/
# dkim-genkey -s XXXX

XXXX is something meaningful and unique for each server. I'm going with
a servername convention.
e.g. mail, cert, backup, mainweb, wiki

create the following file with the following contents
Background Yes
Mode s
Canonicalization relaxed/simple
KeyFile /etc/mail/dkim-filter/XXXX.private
Selector XXXX
Syslog Yes
SyslogSuccess Yes
Umask 0000

/etc/init.d/dkim-filter start

update-rc.d dkim-filter defaults

add the following to the postfix configuration file- /etc/postfix/
# DKIM filter
smtpd_milters = unix:/milter/dkim-filter.sock
non_smtpd_milters = $smtpd_milters
# what to do if the dkim filter fails
milter_default_action = accept
milter_command_timeout = 5s
milter_connect_timeout = $milter_command_timeout
milter_content_timeout = 60s

add XXXX.txt as a DNS record replacing 'g=*' with t=y (test mode)

please also add the following as it seems to have been lost
mail._domainkey IN TXT "v=DKIM1; t=y; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOZV5h3rm18QRiNfNnwXadX8jeSC3zjpU7GFNTfZk1ifjLxrlVrSsfAvlVfFvR2/uQXegwEkiNV5bd57d989T+VVLZZbSv+OAXX4ZwihsLkf3huDszKtJTvsybqUNh97OE00THSyJCrcowFDcLv5IN2ULCOlMjTqbZxZuaNW0S6wIDAQAB" ; ----- DKIM mail for

all DNS records should exist under

dig -t txt should show the above DNS entry.

send email to / to see if the DKIM signing works.

Tags: No tags attached.
Reviewed by:
Test Instructions:


related to 0000679 new Infrastructure request email are DKIM signed 
related to 0001274 new Infrastructure DMARC for 
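Added example, not part of the issue or of dkim-filter: a Python check for the "dig -t txt" step above that parses the published TXT record (joining the multiple quoted strings dig prints), flags t=y test mode and measures the RSA modulus by walking the DER SubjectPublicKeyInfo in p=. It uses the mail._domainkey record quoted in the description as its sample; the 2048-bit minimum is an assumed policy value, not one from the issue.

```python
import base64
import re
# mail._domainkey record quoted in this issue, wrapped zone-file lines rejoined
PAGE_RECORD = ('mail._domainkey IN TXT "v=DKIM1; t=y; k=rsa; '
               'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOZV5h3rm18QRiNfNnwXadX8jeSC3zjpU7GFNTfZk1'
               'ifjLxrlVrSsfAvlVfFvR2/uQXegwEkiNV5bd57d989T+VVLZZbSv+OAXX4ZwihsLkf3huDszKtJTvsyb'
               'qUNh97OE00THSyJCrcowFDcLv5IN2ULCOlMjTqbZxZuaNW0S6wIDAQAB"')

def parse_dkim_record(txt):
    """Tag=value pairs of a DKIM TXT record (joins dig's multiple quoted strings)."""
    raw = ''.join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for item in raw.split(';'):
        if '=' in item:
            k, v = item.split('=', 1)
            tags[k.strip()] = re.sub(r'\s+', '', v)  # FWS inside values is not significant
    return tags

def _der_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length: low bits give the number of length bytes
        nbytes = n & 0x7f
        n = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
    return tag, pos, pos + n

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus in a base64 SubjectPublicKeyInfo (the p= value)."""
    spki = base64.b64decode(p_b64)
    _, pos, _ = _der_tlv(spki, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_tlv(spki, pos)      # skip AlgorithmIdentifier
    _, pos, _ = _der_tlv(spki, pos)      # BIT STRING; first content byte = unused bits
    _, pos, _ = _der_tlv(spki, pos + 1)  # RSAPublicKey SEQUENCE
    _, start, end = _der_tlv(spki, pos)  # INTEGER modulus n
    return int.from_bytes(spki[start:end], 'big').bit_length()

def check_record(txt, min_bits=2048):
    """Findings to review before taking a record out of test mode."""
    tags = parse_dkim_record(txt)
    findings = []
    if tags.get('v') != 'DKIM1':
        findings.append('missing or unexpected v= tag')
    if 'y' in tags.get('t', ''):
        findings.append('t=y: test mode, verifiers treat failures like unsigned mail')
    if not tags.get('p'):
        findings.append('empty p= (key revoked or missing)')
    elif (bits := rsa_modulus_bits(tags['p'])) < min_bits:
        findings.append(f'{bits}-bit RSA key, below {min_bits}')
    return findings
```

Run check_record() on the output of "dig -t txt mail._domainkey.<domain>" to confirm the served record matches the one installed in the zone.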


Daniel Black

2008-05-31 03:40

reporter   ~0001091

note 1: dkim-filter_2.5.5.dfsg-1_i386.deb - is now the official deb-src upstream package generated on lists. This no longer 1/2 installs like my previous hack job.

note 2:
the dkim key for is:
lists._domainkey IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs2Hu5HQpT5FWj2TrqHZwFM/h0Tc35idlBvia
JYA+QIDAQAB" ; ----- DKIM default for

note 3: key generation revised:
dkim-genkey -s {selector} -d -t -D /etc/mail

Daniel Black

2009-02-22 00:42

reporter   ~0001278

dkim-filter is a debian package.

Recommend using inet sockets rather than unix ones, as it doesn't require all the fiddling with file permissions.

could also deploy it for

Daniel Black

2009-09-12 09:37

reporter   ~0001479


Would be a lot easier though. Just need to call it with a $body, $subject, and $header and it will return a header to add.

From doco:

<?php
// From the php-dkim documentation: AddDKIM() builds the DKIM-Signature header
// from the headers, subject and body; it is prepended to the header block.
require_once 'dkim.php'; // php-dkim library file (assumed name)

$sender='' ;
$to = 'recipient@example.com';  // placeholder recipient
$subject = 'DKIM test';         // placeholder subject
$body = '<p>DKIM test</p>';     // placeholder body
$headers="From: \"Fresh DKIM Manager\" <$sender>\r\n".
        "To: $to\r\n".
        "Reply-To: $sender\r\n".
        "Content-Type: text/html\r\n".
        "MIME-Version: 1.0" ;
$headers = AddDKIM($headers,$subject,$body) . $headers;

$result=mail($to,$subject,$body,$headers,"-f $sender") ;


DavidMcIlwraith

2012-08-16 09:28

reporter   ~0003142

Last edited: 2012-08-16 09:31

Not recommended practice. The MTA should bear sole responsibility for signing outgoing electronic mail, which is why OpenDKIM is implemented as a milter (noting that dkim-filter has been abandoned for many years now, and that OpenDKIM is its replacement).

[Edit: php-dkim has also not been updated since 2009]
[Edit 0000002: There is no need for unique DKIM selectors for each server per se, merely that the private keys utilised by each selector are shared. Thus, it may save significant effort to share a selector for particular boxes.]


LordMike

2014-04-21 18:30

reporter   ~0004749

Has anyone given thought to key rotation?

Issue History

Date Modified Username Field Change
2008-05-04 12:46 Daniel Black New Issue
2008-05-31 03:40 Daniel Black Note Added: 0001091
2009-02-22 00:42 Daniel Black Note Added: 0001278
2009-09-12 09:37 Daniel Black Note Added: 0001479
2012-08-16 09:28 DavidMcIlwraith Note Added: 0003142
2012-08-16 09:29 DavidMcIlwraith Note Edited: 0003142
2012-08-16 09:31 DavidMcIlwraith Note Edited: 0003142
2012-12-18 19:11 Werner Dworak Relationship added related to 0000679
2014-04-21 18:30 LordMike Note Added: 0004749
2014-04-21 18:31 LordMike Relationship added related to 0001274