Dkimproxy and postfix on suse

From PrgmrWiki

note, originally by Chris, I'm putting it here to clear out my mailbox:

How to set up SUSE as a mail server:

1. Install SUSE. I downloaded a CD and kept all the defaults. Reboot when prompted.

2. Patch SUSE. This should happen automatically after the reboot, right after you've set up the root password and that kind of stuff. Reboot again.

3. After patches are done, you'll be logged into your desktop. Start yast2, click "community repositories", and make sure that the "Main Repository (OSS) has a checkmark by it. Postfix should be installed by default. (If it's not, download a package.) If anything seems to be missing at any point, try to install an appropriate package through yast2.

Edit the firewall to allow the mail server access to the outside world.

 Start yast2, click "firewall", click "allowed services", select "mail

server" from the service to allow dropdown, and click "add." Then click next, verify that this is what you want.

Confirm that Postfix is running by telnetting from another box:

 # telnet <mailserver> 25
 Trying <IP of mailserver>...
 Connected to mailserver
 Escape character is '^]'
 220 <mailserver.domain.tld> ESMTP Postfix

You'll probably want to edit the /etc/postfix/ file if any of those values look incorrect. In particular, the myhostname, mydomain, and mydestination parameters. If you change the config file, restart postfix:

 # rcpostfix restart

Configure postfix further as desired.

4. Install DKIMproxy

First you'll need some perl modules. Fire up cpan.

 # cpan

Answer the configuration script's questions, then type:

 > install Mail::DKIM

Answer "yes" to everything about missing dependencies. CPAN will download and install the DKIM module and its prerequisites. You will have to build some stuff, so make sure make, gcc, and libopenssl-devel are installed. If the DKIM tests seem to fail erratically, try "force install Mail::DKIM". Also install Net::Server and Error:

 > install Net::Server
 > install Error

Exit CPAN. Next, create a user and group to run the DKIM filter:

 # groupadd dkim
 # useradd -g dkim dkim

5. Set up DKIMproxy

Download the DKIMproxy distribution from . Untar it somewhere convenient, thus:

 # tar xzvf dkimproxy-1.0.1.tar.gz
 # cd dkimproxy-1.0.1

Install dkimproxy to an appropriate location. We're using the default:

 # ./configure --prefix=/usr/local/dkimproxy

Set up the init script so that DKIMproxy will run at boot:

 # cp /etc/init.d/dkimproxy
 # ln -s ../dkimproxy /etc/init.d/rc5.d/S11dkimproxy
 # ln -s ../dkimproxy /etc/init.d/rc5.d/K11dkimproxy

Substitute the appropriate runlevel directory where it says "rc5.d". For example, a text-only system will likely default to rc3.d

Generate a keypair

 # cd /usr/local/dkimproxy/etc
 # openssl genrsa -out dkim-private.key 1024
 # openssl rsa -in dkim-private.key -out dkim-public.key
 # chown dkim dkim-private.key
 # chmod 400 dkim-private.key

Edit the dkimproxy config files:

 # cd /usr/local/dkimproxy/etc
 # cp dkimproxy_out.conf.example dkimproxy_out.conf
 # cp dkimproxy_in.conf.example dkimproxy_in.conf

Edit /usr/local/dkimproxy/etc/dkimproxy_out.conf.

Make sure that the domain is correct (for example we set and the keyfile location is correct. If you're following along precisely, the keyfile should be /usr/local/dkimproxy/etc/dkim-private.key If you opt to use a different selector, set that here and in the next step. (The particular selector isn't important. It's just a text identifier.)

6. Configure DNS

The entire point of DomainKeys is to match cryptographic signatures on mail to txt records in DNS. Create an appropriate record on your DNS server, in the appropriate zone file.

 selector1._domainkey IN TXT "k=rsa t=s p=<public key>"

Note the <public key> in this record. This should be the full contents of the dkim-public.key file, minus the two framing lines (the ones that begin with dashes and say BEGIN or END.) All on one long line.

7. Start dkimproxy:

 # /etc/init.d/dkimproxy start

8. Set up Postfix to use DKIMproxy

Edit /etc/postfix/

Anywhere in the file, add lines that look like the following. (Taken from the howto at


  1. modify the default submission service to specify a content filter
  2. and restrict it to local clients and SASL authenticated clients only

submission inet n - n - - smtpd

    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[]:10027
    -o receive_override_options=no_address_mappings


  1. specify the location of the DKIM signing proxy
  2. Note: the smtp_discard_ehlo_keywords option requires a recent version of
  3. Postfix. Leave it off if your version does not support it.

dksign unix - - n - 10 smtp

    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls
  1. service for accepting messages FROM the DKIM signing proxy inet n - n - 10 smtpd

    -o content_filter=


    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=
    -o smtpd_authorized_xforward_hosts=


Reload postfix so that it notices the change:

 # postfix reload

9. Test the mail server

Note that we've set up postfix to accept outgoing mail using the submission service, which runs on port 587. Configure the mail-sending program to send mail via that port.

Test outgoing mail by sending some mail to This address will send back a message indicating whether the mail wasor was not correctly signed.