Tag Archives: debian

Install Sendmail with DKIM on Rasbios Bullseye

21-Sep-2023 — This article was originally written about 6 years ago for Raspbian Jessie. It has been updated to work with current versions of packages.

I have a little Libre Computer Le Potato (basically a Raspberry Pi) that has recently become the host for pididu.com . It runs Raspberry Pi OS Bullseye, which is basically Debian linux. Here are the steps I followed to get Sendmail (v. 8.15.2-22) working with Domain Keys Identified Mail (OpenDKIM 2.11.0~beta2-4). I admit that this is something that most people will not need, so feel free to skip this article.

First, install sendmail:

sudo apt-get install sendmail

First easy test to make sure it’s working. Send mail to myself on the same server.

sendmail -v MyAccountName@pididu.com
subject: testing sendmail
here is the body
.

The lone dot by itself on the last line closes and sends the message. The -v switch above prints in verbose mode. It’s important to watch the output carefully and note any errors or warnings. If there’s no trouble, try a more thorough test by sending mail to the internet:

sendmail -v MyAccountName@yahoo.com
subject: testing sendmail
here is the body
.

Note that Yahoo, as many other email providers, will give an “Unresolvable RFC.5321” error if your server does not have a hostname that matches your domain. In my case, I had to edit /etc/hostname to contain pididu.com . In the case of Yahoo, when you fail, the output will give you a link to explanations of the error messages. Here is the link.

Check Yahoo mail to see that the message was received.  Note that I don’t use gmail for this test, which might reject mail from an unestablished source as spam. If Yahoo didn’t get the message, try doing tail /var/log/mail.log to look for errors.

Now install opendkim:

sudo apt-get install opendkim opendkim-tools
sudo mkdir /etc/opendkim
cd /etc/opendkim
sudo opendkim-genkey -s k1 -d pididu.com

k1 is the name I chose for the selector. pididu.com is my domain, but of course, you would substitute your own in its place. Two files will be generated:
k1.private – private key information which should never leave the server, and
k1.txt – information to add to the zone file on my DNS server. The contents of this file are

k1._domainkey IN TXT "v=DKIM1\ ; k=rsa\ ;p=MIG ... IDAQAB"\;

A whole bunch of characters have been omitted above for brevity. k1._domainkey is the hostname for the record, and all the stuff between the quotation marks is the content of the record. You must add this record to your DNS server.  With some hosts, you can enter this information yourself; with others, you must ask their technical support to enter it for you. To check that the record has been added correctly:

dig k1._domainkey.pididu.com txt +short

which should show the record previously entered.

The installation of opendkim should have created an opendkim user. Verify:

grep opendkim /etc/passwd

which should return something like

opendkim:x:129:129::/usr/run/opendkim:/bin/false

Make sure that the opendkim user can access the key file:

sudo chown opendkim:opendkim /etc/opendkim/k1.private

Test the domain key:

sudo opendkim-testkey -d pididu.com -s k1 -vvv -k /etc/opendkim/k1.private

Don’t worry if you get a warning that the key is not secure. That just means that you don’t have DNSSEC in place.

sudo vi /etc/default/opendkim

There may be a line starting with SOCKET= in there as the default. Comment that out, and uncomment the line of the form SOCKET=inet:12274@localhost . The port number does not have to be 12274 – choose one to suit yourself.  Save and quit.

Set other configuration information for opendkim:

sudo vi /etc/opendkim.conf

and edit existing lines sure that it contains

Domain pididu.com
Keyfile /etc/opendkim/k1.private
Selector k1

Socket   inet:12274@localhost

If there is some other socket enabled, comment that line out. Note that you don’t need to use 12274 – it could be 8891, or pretty much any relatively high number that you want. Some other settings that I use that might help:

LogWhy    yes
Mode      sv

Now configure sendmail to use opendkim to sign outgoing mail.

sudo vi /etc/mail/sendmail.mc

and append this line to the end:

INPUT_MAIL_FILTER(`opendkim', `S=inet:12274@localhost')dnl

Note that in the above, a grave accent opens the quote, and an apostrophe closes it. Also, the port (12274 in the above case) must match the port previously chosen for opendkim.

In the same file, look for MASQUERADE section, and either comment out all lines, or edit the MASQUERADE_AS to name the actual domain of your sever like this:

dnl # Masquerading options
dnl # Roderick 20-SEP-2023 either masquerade as pididu.com,
dnl # or comment this stuff out entirely.
FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`pididu.com')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl

After saving the file, run

sudo su
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
exit

For some reason, I couldn’t run sudo m4 directly on my system, but the above worked. Now restart sendmail. It may take a minute or two:

sudo service sendmail restart

Then send another message to your Yahoo or other mail, as before. To confirm that things went well, look at the mail log for sendmail and opendkim activity:

tail /var/log/mail.log

Also, open the message under Yahoo mail, and view the “raw message” (it might be called “full headers” or something else, depending on your mail service). It should have a line something like this showing DKIM pass:

Authentication-Results: mta1319.mail.bf1.yahoo.com  from=pididu.com; domainkeys=neutral (no sig);  from=pididu.com; dkim=pass (ok)