Using OpenDKIM on Amazon Linux 2023

Posted at 2024-12-18

Introduction

There is no OpenDKIM repository for Amazon Linux 2023, and neither EPEL nor a prebuilt RPM can be used...
If you want everything to stay inside EC2 without using AWS SES, the only option is to build it yourself!

Installing opendkim

Install the packages needed to build and run it
(some of these may also have been missing from the repositories)

EC2
[root@ip-xx-xx-xx-xx etc]# dnf install sendmail-devel openssl-devel libbsd-devel autoconf automake libtool
[root@ip-xx-xx-xx-xx etc]# dnf install gcc make libmilter libmilter-devel zlib-devel openssl-devel

Download and extract the opendkim source

EC2
[root@ip-xx-xx-xx-xx etc]# cd /etc/
[root@ip-xx-xx-xx-xx etc]# wget https://downloads.sourceforge.net/project/opendkim/opendkim-2.10.3.tar.gz
[root@ip-xx-xx-xx-xx etc]# tar -xvf opendkim-2.10.3.tar.gz

Build

EC2
[root@ip-xx-xx-xx-xx etc]# cd opendkim-2.10.3
[root@ip-xx-xx-xx-xx opendkim-2.10.3]# mv configure configure.old
[root@ip-xx-xx-xx-xx opendkim-2.10.3]# cat configure.old | sed '16732,16862d' > configure
[root@ip-xx-xx-xx-xx opendkim-2.10.3]# chmod +x configure
[root@ip-xx-xx-xx-xx opendkim-2.10.3]# ./configure --prefix=/usr/local --sysconfdir=/etc --localstatedir=/var/run/opendkim
[root@ip-xx-xx-xx-xx opendkim-2.10.3]# make && make install

Confirm that the installation succeeded

EC2
[root@ip-xx-xx-xx-xx opendkim-2.10.3]# /usr/local/sbin/opendkim -V
opendkim: OpenDKIM Filter v2.10.3
        Compiled with OpenSSL 3.0.8 7 Feb 2023
        SMFI_VERSION 0x1000001
        libmilter version 1.0.1
        Supported signing algorithms:
                rsa-sha1
                rsa-sha256
        Supported canonicalization algorithms:
                relaxed
                simple
        libopendkim 2.10.3:

Create the user, directories and configuration files

Because it was built from source, these have to be created by hand

Create the opendkim user

EC2
[root@ip-xx-xx-xx-xx etc]# useradd -r -s /sbin/nologin opendkim

Create the directory under /var/run/ and set its permissions

EC2
[root@ip-xx-xx-xx-xx etc]# mkdir -p /var/run/opendkim
[root@ip-xx-xx-xx-xx etc]# chmod 750 /var/run/opendkim
[root@ip-xx-xx-xx-xx etc]# chown -R opendkim:opendkim /var/run/opendkim

Configuration file

Create /etc/opendkim.conf

EC2
[root@ip-xx-xx-xx-xx etc]# cd /etc/
[root@ip-xx-xx-xx-xx etc]# touch opendkim.conf
[root@ip-xx-xx-xx-xx etc]# vi opendkim.conf

/etc/opendkim.conf
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim/INSTALL for detailed instructions.

## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid.  They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
##   AddAllSignatureResults
##   ADSPAction
##   ADSPNoSuchDomain
##   BogusPolicy
##   DisableADSP
##   LDAPSoftStart
##   LocalADSP
##   NoDiscardableMailTo
##   On-PolicyError
##   SendADSPReports
##   UnprotectedPolicy

## CONFIGURATION OPTIONS

##  Specifies the path to the process ID file.
#PidFile        /run/opendkim/opendkim.pid

##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
##  messages.
Mode    s

##  Log activity to the system log.
Syslog  yes

##  Log additional entries indicating successful signing or verification of messages.
SyslogSuccess   yes

##  If logging is enabled, include detailed logging about why or why not a message was
##  signed or verified. This causes an increase in the amount of log data generated
##  for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy  yes

##  Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

##  Create a socket through which your MTA can communicate.
Socket  inet:8891@127.0.0.1
#Socket local:/run/opendkim/opendkim.sock

##  Required to use local socket with MTAs that access the socket as a non-
##  privileged user (e.g. Postfix)
Umask   002

##  This specifies a text file in which to store DKIM transaction statistics.
##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics    /var/spool/opendkim/stats.dat

##  Specifies whether or not the filter should generate report mail back
##  to senders when verification fails and an address for such a purpose
##  is provided. See opendkim.conf(5) for details.
SendReports     yes

##  Specifies the sending address to be used on From: headers of outgoing
##  failure reports.  By default, the e-mail address of the user executing
##  the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster@example.com>

##  Add a DKIM-Filter header field to messages passing through this filter
##  to identify messages it has processed.
SoftwareHeader  no

## SIGNING OPTIONS

##  Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/relaxed

##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
##  be verified rather than being signed. Uncomment and use your domain name.
##  This parameter is not required if a SigningTable is in use.
# Domain        example.com

##  Defines the name of the selector to be used when signing messages.
Selector        default

##  Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits  1024

##  Gives the location of a private key to be used for signing ALL messages. This
##  directive is ignored if KeyTable is enabled.
KeyFile /etc/opendkim/keys/default.private

##  Gives the location of a file mapping key names to signing keys. In simple terms,
##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
##  directive in the configuration file. Requires SigningTable be enabled.
KeyTable        /etc/opendkim/KeyTable

##  Defines a table used to select one or more signatures to apply to a message based
##  on the address found in the From: header field. In simple terms, this tells
##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable    refile:/etc/opendkim/SigningTable

##  Identifies a set of "external" hosts that may send mail through the server as one
##  of the signing domains without credentials as such.
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

##  Identifies a set of "internal" hosts whose mail should be signed rather than verified.
InternalHosts   refile:/etc/opendkim/TrustedHosts

##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
##  whose mail should be neither signed nor verified by this filter.  See man
##  page for file format.
# PeerList      X.X.X.X

##  Always oversign From (sign using the actual From and a null From) to prevent
##  malicious insertion of header fields (From and/or others) between the signer
##  and the verifier.  From is oversigned by default in the Fedora package
##  because it is often the identity key used by reputation systems and thus
##  somewhat security sensitive.
OversignHeaders From

##  Instructs the DKIM library to maintain its own local cache of keys and
##  policies retrieved from DNS, rather than relying on the nameserver for
##  caching service. Useful if the nameserver being used by the filter is
##  not local.
# QueryCache    yes

Create the opendkim directory under /etc/ and set its permissions

EC2
[root@ip-xx-xx-xx-xx etc]# cd /etc/
[root@ip-xx-xx-xx-xx etc]# mkdir opendkim
[root@ip-xx-xx-xx-xx etc]# chown -R opendkim:opendkim /etc/opendkim
[root@ip-xx-xx-xx-xx etc]# cd opendkim/
[root@ip-xx-xx-xx-xx opendkim]# mkdir keys
[root@ip-xx-xx-xx-xx opendkim]# chmod 750 keys/

Generate the key

EC2
[root@ip-xxx-xx-xx-xx opendkim]# opendkim-genkey -D /etc/opendkim/keys/ -s hoge
[root@ip-xxx-xx-xx-xx opendkim]# cd keys/
[root@ip-xxx-xx-xx-xx keys]# ll
total 8
-rw-------. 1 opendkim opendkim 916 Dec 11 16:03 hoge.private
-rw-------. 1 opendkim opendkim 313 Dec 11 16:03 hoge.txt

Create the KeyTable

EC2
[root@ip-xx-xx-xx-xx opendkim]# cd /etc/opendkim/
[root@ip-xx-xx-xx-xx opendkim]# touch KeyTable
[root@ip-xx-xx-xx-xx opendkim]# vi KeyTable

Enter the details of the generated key

KeyTable
# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

hoge._domainkey.example.com example.com:hoge:/etc/opendkim/keys/hoge.private

Create the SigningTable

EC2
[root@ip-xx-xx-xx-xx opendkim]# cd /etc/opendkim/
[root@ip-xx-xx-xx-xx opendkim]# touch SigningTable
[root@ip-xx-xx-xx-xx opendkim]# vi SigningTable

Enter the details of the generated key at the bottom

SigningTable
# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.

# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
# then uncomment one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.

#*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
# wildcards will not work. Instead, full user@host is checked first, then simply host,
# then user@.domain (with all superdomains checked in sequence, so "foo.example.com" 
# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.

*@example.com hoge._domainkey.example.com

Create TrustedHosts

EC2
[root@ip-xx-xx-xx-xx opendkim]# cd /etc/opendkim/
[root@ip-xx-xx-xx-xx opendkim]# touch TrustedHosts
[root@ip-xx-xx-xx-xx opendkim]# vi TrustedHosts

Contents left at the default

TrustedHosts
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
#host.example.com
#192.168.1.0/24

Start and enable opendkim

EC2
[root@ip-xx-xx-xx-xx etc]# systemctl daemon-reload
[root@ip-xx-xx-xx-xx etc]# systemctl enable opendkim
[root@ip-xx-xx-xx-xx etc]# systemctl restart opendkim
[root@ip-xx-xx-xx-xx etc]# systemctl status opendkim

Add the DKIM record

Add a record for the domain in whatever DNS service you use, such as AWS Route53

Record name: hoge._domainkey.example.com
Type: TXT
Value: the record contents from /etc/opendkim/keys/hoge.txt
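As an added example (not from the original article), a small Python check that ties the KeyTable, SigningTable and opendkim-genkey output above together: it verifies that every SigningTable entry refers to an existing KeyTable key, that the KeyTable name has the form selector._domainkey.domain, that the TXT record's owner matches a configured selector, and that the p= tag is non-empty base64; flatten_txt also joins the quoted chunks of hoge.txt into the single value to paste into Route53. The table contents and the p= value are constructed samples, not the author's real files or key.

```python
import base64, re

# Constructed samples modelled on the files above; the p= value is a placeholder, not a real key.
KEYTABLE = """# OPENDKIM KEY TABLE
hoge._domainkey.example.com example.com:hoge:/etc/opendkim/keys/hoge.private
"""
SIGNINGTABLE = """# OPENDKIM SIGNING TABLE
*@example.com hoge._domainkey.example.com
"""
GENKEY_TXT = """hoge._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "
\t  "p=Q09OU1RSVUNURUQt"
\t  "U0FNUExFLUtFWS0xMjM0" )  ; ----- DKIM key hoge for example.com
"""

def parse_table(text):
    """Yield (key, value) pairs of an OpenDKIM table, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            yield key, value.strip()

def flatten_txt(genkey_output):
    """Join the quoted chunks of opendkim-genkey's TXT output into the single value to publish."""
    return "".join(re.findall(r'"([^"]*)"', genkey_output))

def check_dkim_setup(keytable, signingtable, genkey_output):
    """Cross-check KeyTable, SigningTable and the TXT record; return a list of problems found."""
    problems, keys = [], {}
    for name, spec in parse_table(keytable):
        domain, selector, _path = spec.split(":", 2)  # KeyTable value: domain:selector:keyfile
        keys[name] = selector
        if name != f"{selector}._domainkey.{domain}":
            problems.append(f"KeyTable name {name} does not match {selector}._domainkey.{domain}")
    for pattern, name in parse_table(signingtable):
        if name not in keys:
            problems.append(f"SigningTable entry {pattern} refers to unknown key {name}")
    owner = genkey_output.split(None, 1)[0]  # owner name in the genkey output, e.g. hoge._domainkey
    if owner not in {f"{sel}._domainkey" for sel in keys.values()}:
        problems.append(f"TXT record owner {owner} matches no KeyTable selector")
    tags = dict(t.strip().split("=", 1) for t in flatten_txt(genkey_output).split(";") if t.strip())
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("p= tag is empty, so the key is published as revoked")
    except ValueError:
        problems.append("p= tag is not valid base64")
    return problems
```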

Append the following to /etc/postfix/main.cf

/etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept