I have a little Raspberry Pi that I hope will be the home of the future pididu.com . It runs Raspbian Linux, which is basically Debian. Here are the steps I followed to get Sendmail working with DomainKeys Identified Mail (DKIM). I admit that this is something that most people will not need, so feel free to skip this article.
First, install sendmail:
sudo apt-get install sendmail
Test to make sure it’s working:
sendmail MyAccountName@yahoo.com subject: testing sendmail here is the body .
The lone dot at the beginning of the last line closes and sends the message. Check Yahoo mail to see that the message was received. Note that I don’t use gmail for this test, which might reject mail from an unknown source as spam.
Now install opendkim:
sudo apt-get install opendkim opendkim-tools sudo mkdir /etc/opendkim cd /etc/opendkim sudo opendkim-genkey -s k1 -d pididu.com
k1 is the name I chose for the selector.
pididu.com is my domain, but of course, you would substitute your own in its place. Two files will be generated:
k1.private – private key information which should never leave the server, and
k1.txt – information to add to the zone file on my DNS server. The contents of this file are
k1._domainkey IN TXT "v=DKIM1\ ; k=rsa\ ;p=MIG ... IDAQAB"\;
A whole bunch of characters have been omitted above for brevity.
k1._domainkey is the hostname for the record, and all the stuff between the quotation marks is the content of the record. You must add this record to your DNS server. With some hosts, you can enter this information yourself; with others, you must ask their technical support to enter it for you. To check that the record has been added correctly:
dig k1._domainkey.pididu.com txt +short
which should show the record previously entered.
The installation of opendkim should have created an opendkim user. Verify:
grep opendkim /etc/passwd
which should return something like
Make sure that the opendkim user can access the key file:
sudo chown opendkim:opendkim /etc/opendkim/k1.private
Test the domain key:
opendkim-testkey -d pididu.com -s k1 -v -k /etc/opendkim/k1.private
If that silently returns to the prompt, the key is okay. Now set up opendkim to listen on a socket. This is not the only way to do this, just one way:
sudo vi /etc/default/opendkim
There may be a line starting with
SOCKET= in there as the default. Comment that out, and uncomment the line of the form
SOCKET=inet:12274@localhost . The port number does not have to be
12274 – choose one to suit yourself. Save and quit.
Set other configuration information for opendkim:
sudo vi /etc/opendkim.conf
and make sure that it contains
Domain pididu.com Keyfile /etc/opendkim/k1.private Selector k1 InternalHosts /etc/opendkim/TrustedHosts
Now edit the Trusted Hosts file:
sudo vi /etc/opendkim/TrustedHosts
Add at least
localhost, but it doesn’t hurt to have every other possible address you can think of for the machine:
localhost 127.0.0.1 pididu.com 22.214.171.124 #internet 192.168.1.100 #intranet
With the recent version (v2.11.0) of opendkim that I installed, I had to do the following to regenerate the service startup:
sudo /lib/opendkim/opendkim.service.generate sudo systemctl daemon-reload sudo service opendkim restart
Note that the above must be done again any time the file
/etc/default/opendkim is changed. This may no longer be required in future versions of opendkim. I hear a bug report has already been filed.
Now configure sendmail to use opendkim to sign outgoing mail.
sudo vi /etc/mail/sendmail.mc
and append this line to the end:
Note that in the above, a grave accent opens the quote, and an apostrophe closes it. Also, the port (
12274 in the above case) must match the port previously chosen for opendkim. After saving the file, run
sudo m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
For some reason, the above did not work on the Raspberry Pi that I had set up with a non-default administrator account, saying I didn’t have permission to write the output file. So what I did was:
sudo su m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf exit
sudo service sendmail restart
Then send another message to your Yahoo or other mail, as before. To confirm that things went well, look at the system log for sendmail and opendkim activity:
Also, open the message under Yahoo mail, and view the “raw message” (it might be called “full headers” or something else, depending on your mail service). It should have a line something like this showing DKIM pass:
Authentication-Results: mta1319.mail.bf1.yahoo.com from=pididu.com; domainkeys=neutral (no sig); from=pididu.com; dkim=pass (ok)