Notes for DKIM setup on my OpenSMTP mail hosts

This is a draft post and may be incomplete! Any advice in this post may be wrong, incomplete, harmful, or any combination of these. Read this post at your own risk!

I have two servers that operate as the mail infrastructure behind unobtanium.de: surveyor (FreeBSD 14.0) and mariner (OpenBSD 7.4). Both run a similar setup:

Just about the only provider I’ve had trouble sending mail to with this setup has been Deutsche Telekom who for some inane reason require operators of mail servers in Germany to have a proper “Impressum” on their site. Since I’m lazy (see above) and don’t want things like my home address publicly visible on my website, I haven’t set that up. Not much of a loss since the only person with a Deutsche Telekom mail address that I need to send stuff to from time to time is my landlord, and he’s pretty good at “picking up the phone”.

Google and Yahoo recently decided to require DKIM for delivering mail, so now I’ve gotta do that.

This is a bunch of notes on how I set up my mail servers, mostly following along with a post on Mastodon by Taylor R Campbell.

I’ll set this up on mariner first and then copy the setup over to surveyor (but I’ll probably generate new keys there).

mariner

Key generation

# pkg_add opendkim opensmtpd-filter-dkimsign
# opendkim-genkey --domain=unobtanium.de --selector mariner --append-domain

This generates two files, mariner.private (the private key) and mariner.txt. mariner.txt is a DNS zone entry (a TXT record carrying the public key) that you can use to tell the world which key is yours.

OpenSMTPd setup

Configure a filter in /etc/mail/smtpd.conf:

filter "dkimsign" proc-exec "filter-dkimsign -d unobtanium.de -s mariner \
                   -k /etc/mail/dkim/mariner.key" user _dkimsign group _dkimsign

and append filter "dkimsign" to each listen statement except the one on port 25 (since that one receives incoming mail, which is not ours to sign).

Move the private key into place (renaming it to mariner.key) and restrict its permissions so only the filter's user can read it:

# mv mariner.private /etc/mail/dkim/mariner.key
# chown _dkimsign:_dkimsign /etc/mail/dkim/mariner.key
# chmod 0400 /etc/mail/dkim/mariner.key

Verify that the configuration parses and restart OpenSMTPd:

# smtpd -n
configuration OK
# rcctl restart smtpd

DNS

Add the content of mariner.txt to DNS and wait for it to propagate, and verify that SPF is set up correctly.
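Getting the record into DNS is where this usually breaks (a provider that mangles the 255-byte string split, or a pasted key that is not the one in mariner.txt), so here is an added check, written for these notes and not code from opendkim, OpenSMTPD or the Mastodon post: it takes a zone entry in the shape mariner.txt has, rejoins the quoted TXT strings into the single record a verifier sees, and confirms that p= decodes to a DER RSA public key of at least 2048 bits. The zone entry and the key inside it are constructed stand-ins, not a real key; feed it your own mariner.txt or the quoted strings from dig instead.

```python
import base64, re

def _der(tag, body):  # tiny DER TLV encoder, used only to build the dummy sample key below
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xff])
    return bytes([tag]) + ln + body
def _der_uint(v):
    raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)
# Constructed stand-in for the key in mariner.txt: NOT a real key, just a DER
# SubjectPublicKeyInfo around a dummy 2048-bit modulus so the checks have input.
SAMPLE_SPKI = _der(0x30, _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
                   + _der(0x03, b"\x00" + _der(0x30, _der_uint((1 << 2047) | 0x10001) + _der_uint(65537))))
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_SPKI).decode()
# Constructed zone entry in the shape opendkim-genkey writes: TXT data split into <=255-byte strings.
SAMPLE_ZONE = ('mariner._domainkey.unobtanium.de.\tIN\tTXT\t( '
               + " ".join('"%s"' % SAMPLE_RECORD[i:i + 255] for i in range(0, len(SAMPLE_RECORD), 255))
               + ' )  ; ----- DKIM key mariner for unobtanium.de')

def dkim_record_from_zone(zone_text):  # rejoin the quoted strings into the one record a verifier sees
    return "".join(re.findall(r'"([^"]*)"', zone_text))
def parse_dkim_tags(record):  # tag=value list; whitespace inside a value is folding whitespace
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in
            (f.split("=", 1) for f in record.split(";") if "=" in f)}
def _tlv(buf, i):  # DER tag/length walker -> (tag, content_start, content_end)
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        n, i = int.from_bytes(buf[i:i + (n & 0x7f)], "big"), i + (n & 0x7f)
    return tag, i, i + n
def rsa_modulus_bits(spki):  # modulus size inside the DER SubjectPublicKeyInfo that p= carries
    _, s, _ = _tlv(spki, 0)                  # SubjectPublicKeyInfo SEQUENCE
    _, _, s = _tlv(spki, s)                  # skip AlgorithmIdentifier
    tag, s, e = _tlv(spki, s)                # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    inner = spki[s + 1:e]                    # drop the unused-bits octet
    _, s, _ = _tlv(inner, 0)                 # RSAPublicKey SEQUENCE
    _, s, e = _tlv(inner, s)                 # INTEGER n
    return int.from_bytes(inner[s:e], "big").bit_length()
def check_dkim_record(record, min_bits=2048):  # empty list means the record looks publishable
    tags = parse_dkim_tags(record)
    if not tags.get("p"):
        return ["p= missing or empty (an empty p= means the key is revoked)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return ["p= is not valid base64 DER (were the split TXT strings rejoined?)"]
    return [] if bits >= min_bits else ["RSA modulus is %d bits, want at least %d" % (bits, min_bits)]
```

The same functions work on what dig returns for the published name, since dig prints the TXT data as the same kind of quoted strings.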

Tools

These tools are helpful for diagnosing potential problems with DKIM: