21-Sep-2023 — This article was originally written about 6 years ago for Raspbian Jessie. It has been updated to work with current versions of packages.
I have a little Libre Computer Le Potato (basically a Raspberry Pi) that has recently become the host for pididu.com . It runs Raspberry Pi OS Bullseye, which is basically Debian linux. Here are the steps I followed to get Sendmail (v. 8.15.2-22) working with Domain Keys Identified Mail (OpenDKIM 2.11.0~beta2-4). I admit that this is something that most people will not need, so feel free to skip this article.
First, install sendmail:
sudo apt-get install sendmail
First easy test to make sure it’s working. Send mail to myself on the same server.
sendmail -v MyAccountName@pididu.com subject: testing sendmail here is the body .
The lone dot by itself on the last line closes and sends the message. The -v switch above prints in verbose mode. It’s important to watch the output carefully and note any errors or warnings. If there’s no trouble, try a more thorough test by sending mail to the internet:
sendmail -v MyAccountName@yahoo.com
subject: testing sendmail
here is the body
.
Note that Yahoo, as many other email providers, will give an “Unresolvable RFC.5321” error if your server does not have a hostname that matches your domain. In my case, I had to edit /etc/hostname to contain pididu.com . In the case of Yahoo, when you fail, the output will give you a link to explanations of the error messages. Here is the link.
Check Yahoo mail to see that the message was received. Note that I don’t use gmail for this test, which might reject mail from an unestablished source as spam. If Yahoo didn’t get the message, try doing tail /var/log/mail.log to look for errors.
Now install opendkim:
sudo apt-get install opendkim opendkim-tools sudo mkdir /etc/opendkim cd /etc/opendkim sudo opendkim-genkey -s k1 -d pididu.com
k1 is the name I chose for the selector. pididu.com is my domain, but of course, you would substitute your own in its place. Two files will be generated:k1.private – private key information which should never leave the server, andk1.txt – information to add to the zone file on my DNS server. The contents of this file are
k1._domainkey IN TXT "v=DKIM1\ ; k=rsa\ ;p=MIG ... IDAQAB"\;
A whole bunch of characters have been omitted above for brevity. k1._domainkey is the hostname for the record, and all the stuff between the quotation marks is the content of the record. You must add this record to your DNS server. With some hosts, you can enter this information yourself; with others, you must ask their technical support to enter it for you. To check that the record has been added correctly:
dig k1._domainkey.pididu.com txt +short
which should show the record previously entered.
The installation of opendkim should have created an opendkim user. Verify:
grep opendkim /etc/passwd
which should return something like
opendkim:x:129:129::/usr/run/opendkim:/bin/false
Make sure that the opendkim user can access the key file:
sudo chown opendkim:opendkim /etc/opendkim/k1.private
Test the domain key:
sudo opendkim-testkey -d pididu.com -s k1 -vvv -k /etc/opendkim/k1.private
Don’t worry if you get a warning that the key is not secure. That just means that you don’t have DNSSEC in place.
sudo vi /etc/default/opendkim
There may be a line starting with SOCKET= in there as the default. Comment that out, and uncomment the line of the form SOCKET=inet:12274@localhost . The port number does not have to be 12274 – choose one to suit yourself. Save and quit.
Set other configuration information for opendkim:
sudo vi /etc/opendkim.conf
and edit existing lines sure that it contains
Domain pididu.com Keyfile /etc/opendkim/k1.private Selector k1 Socket inet:12274@localhost
If there is some other socket enabled, comment that line out. Note that you don’t need to use 12274 – it could be 8891, or pretty much any relatively high number that you want. Some other settings that I use that might help:
LogWhy yes Mode sv
Now configure sendmail to use opendkim to sign outgoing mail.
sudo vi /etc/mail/sendmail.mc
and append this line to the end:
INPUT_MAIL_FILTER(`opendkim', `S=inet:12274@localhost')dnl
Note that in the above, a grave accent opens the quote, and an apostrophe closes it. Also, the port (12274 in the above case) must match the port previously chosen for opendkim.
In the same file, look for MASQUERADE section, and either comment out all lines, or edit the MASQUERADE_AS to name the actual domain of your sever like this:
dnl # Masquerading options dnl # Roderick 20-SEP-2023 either masquerade as pididu.com, dnl # or comment this stuff out entirely. FEATURE(`always_add_domain')dnl MASQUERADE_AS(`pididu.com')dnl FEATURE(`allmasquerade')dnl FEATURE(`masquerade_envelope')dnl
After saving the file, run
sudo su m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf exit
For some reason, I couldn’t run sudo m4 directly on my system, but the above worked. Now restart sendmail. It may take a minute or two:
sudo service sendmail restart
Then send another message to your Yahoo or other mail, as before. To confirm that things went well, look at the mail log for sendmail and opendkim activity:
tail /var/log/mail.log
Also, open the message under Yahoo mail, and view the “raw message” (it might be called “full headers” or something else, depending on your mail service). It should have a line something like this showing DKIM pass:
Authentication-Results: mta1319.mail.bf1.yahoo.com from=pididu.com; domainkeys=neutral (no sig); from=pididu.com; dkim=pass (ok)