Configuring a cloud-based secure multi-domain web and e-mail server


Configuring DKIM

See Steve Jenkins’ Installing OpenDKIM for CentOS guide for reference.

Domain Keys Identified Mail, or DKIM, is one of the latest technologies used to identify legitimate mail. In a nutshell, a public/private key pair are created. Information from this key pair is used to create a specially crafted DNS entry as well as to inject encrypted information into mail headers.

Mail servers that implement the DKIM protocol will use the information available in the DKIM DNS record to decrypt the encrypted header injection. This allows them to determine if the mail message really did originate from the mail server it claims to have originated from.

We’re going to use the OpenDKIM package to achieve our DKIM implementation – the open source DKIM implementation. OpenDKIM isn’t available in the default respositories. We’ll need to add the EPEL (Extra Packages for Enterprice Linux) repository first.

Log into your SSH shell:

[newuser@mail ~]$ sudo yum install epel-release

and then install OpenDKIM:

[newuser@mail ~]$ sudo yum install opendkim

We now need to generate the public and private keys for our domain. Since we’re creating a server to host multiple domains, we’ll want to generate a public/private key pair for each domain. DKIM lookups are performed based on a selector – an identifying string. Since my domain is, I’m going to use “example” as the selector.

[newuser@mail ~]$ sudo mkdir /etc/opendkim/keys/
[newuser@mail ~]$ sudo /usr/sbin/opendkim-genkey -D /etc/opendkim/keys/ -d -s example
[newuser@mail ~]$ sudo chown -R opendkim:opendkim /etc/opendkim/keys/
[newuser@mail ~]$ sudo mv /etc/opendkim/keys/ /etc/opendkim/keys/

We now need to edit /etc/opendkim.conf. Type:

[newuser@mail ~]$ sudo nano /etc/opendkim.conf

Make the following changes. The guide referenced at the top of this page has an example of how this file should appear after making the changes referenced below.

Change “Mode v” to “Mode sv”.
Change “Canonicalization relaxed/relaxed” to “Canonicalization relaxed/simple”.
Locate “#Domain” and enter beneath it “Domain” (obviously replacing with the domain for which we are configuring OpenDKIM).
Locate “Selector default” and comment the line by placing a “#” in front of it. Add beneath this line “Selector example”.
Locate “KeyFile /etc/opendkim/keys/default.private” and comment the line by placing a “#” in front of it.
Locate “#KeyTable /etc/opendkim/KeyTable” and remove the comment by deleting the “#”. Also, add “refile:” to the front of the path, such that the line now reads:
KeyTable refile:/etc/opendkim/KeyTable

Locate “#SigningTable refile:/etc/opendkim/SigningTable” and remove the comment by deleting the “#”.
Locate “#ExternalIgnoreList refile:/etc/opendkim/TrustedHosts” and remove the comment by deleting the “#”.
Locate “#InternalHosts refile:/etc/opendkim/TrustedHosts” and remove the comment by deleting the “#”.

Save your changes and exit nano.

We’ll now need to add an entry to the OpenDKIM KeyTable file.

[newuser@mail ~]$ sudo nano /etc/opendkim/KeyTable

Add an entry to the bottom of this file as such (just remember to replace with your domain, and example with your selector:

Save your changes and exit nano.

Now edit the /etc/opendkim/SigningTable file:

[newuser@mail ~]$ sudo nane /etc/opendkim/SigningTable

Locate the line “#*” and add beneath it:

Save your changes and exit nano.

Edit the /etc/opendkim/TrustedHosts file:

[newuser@mail ~]$ sudo nano /etc/opendkim/TrustedHosts

and add to the bottom:

Save your changes and exit nano.

Hash your shell:

[newuser@mail ~]$ hash -r

Start OpenDKIM:

[newuser@mail ~]$ sudo systemctl start opendkim
[newuser@mail ~]$ sudo systemctl status opendim
opendkim.service - DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled)
   Active: active (running) since Thu 2014-10-09 23:18:33 EDT; 30s ago

Assuming OpenDKIM started successfully (check the results of the “sudo systemctl status opendkim” command we issued above), we now should reload postfix:

[newuser@mail ~]$ sudo systemctl reload postfix

*NOTE* At this point, issuing “sudo systemctl status postfix” returned a failed message, with details pointing to postfix already running. So I issued “sudo systemctl stop postfix”, followed by “sudo systemctl start postfix”. This failed, and details pointed to something else listening on that port. So I installed htop (sudo yum install htop”), then used htop to kill the postfix service.

After I exited htop and issued “sudo systemctl start postfix” and “sudo systemctl status postfix”, I saw that postfix was active.

That completes the server-side configuration of DKIM. Now we need to add a DNS text record.

Adding DKIM DNS record

We’ll now add our public key to the DNS record for our server. We’ll create a TXT record with host value “example” (our selector) followed by “._domainkey”. The value assigned to this record will be the contents of the example.txt file, inside the quotation marks.

[newuser@mail ~]$ sudo cat /etc/opendkim/keys/
example._domainkey       IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=AiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGgAiqGg" )  ; ----- DKIM key example for

Again, remember to replace all instances of with your domain, and all instances of example with your selector.

You can test your DKIM configuration by logging into Roundcube webmail and sending an e-mail message to – which we’ll do once we’ve got Roundcube installed.

Now that we (hopefully) have the e-mail server in order, let’s setup a WordPress website!

2 thoughts on “Configuring a cloud-based secure multi-domain web and e-mail server

    • Awesome! To be perfectly honest, i went with postfix because it’s been the default I’ve seen installed with Virtualmin. Why did you choose to go with exim?

Leave a Reply

Your email address will not be published. Required fields are marked *