This post shows how to install OpenDKIM from source on Rocky Linux 9.5.
Unfortunately the project no longer appears to be maintained: there has been no release after 2.10.3 for a long time.
Its configure script cannot detect a current OpenSSL, so part of the script is edited by hand below.
Prerequisites. Besides libbsd-devel, the build assumes a C toolchain and the -devel packages for the libraries configure is told to use (gcc, make, openssl-devel, libcurl-devel and, for --with-db, libdb-devel from the CRB repository); install whatever is missing on your host.
dnf install libbsd-devel
Add a user
The milter runs as a dedicated system account. -r creates a system account and -s /sbin/nologin keeps it from being used for interactive logins.
useradd -r -s /sbin/nologin opendkim
Create directories
Keys live under /usr/local/etc/opendkim/keys. /usr/local/var/run/opendkim is where the PidFile in the configuration below points; unlike /run it is not a tmpfs, so it is created and chowned once here rather than by the unit file.
mkdir -p /usr/local/etc/opendkim/keys
mkdir -p /usr/local/var/run/opendkim
chown -R opendkim:opendkim /usr/local/etc/opendkim/
chown -R opendkim:opendkim /usr/local/var/run/opendkim
Install Sendmail's libmilter
OpenDKIM is a milter and links against libmilter, which is built from the Sendmail source tree. sendmail.org publishes a detached PGP signature (.sig) next to each tarball; verify it before building anything from the archive.
cd /usr/local/src
wget https://ftp.sendmail.org/sendmail.8.18.1.tar.gz
tar xvzf sendmail.8.18.1.tar.gz
cd sendmail-8.18.1/libmilter/
./Build
./Build install
cd /usr/local/src
wget
tar xvzf opendkim-2.10.3.tar.gz
cd opendkim-2.10.3
# The OpenSSL version check in configure is outdated and rejects current OpenSSL, so it is removed
# (approach from https://www.celestialsoftware.net/compiling-opendkim-on-amazon-linux-2023/).
# The line range below applies to the configure script shipped in opendkim-2.10.3 only: print it first
# (sed -n '16732,16862p' configure) and confirm it is the OpenSSL check before deleting anything.
mv configure configure.old
sed '16732,16862d' configure.old > configure
chmod +x configure
# --with-openssl as written assumes an OpenSSL built from source under /usr/local/ssl; check that the
# value matches your layout. If you use the distribution's openssl-devel instead, drop the option so
# configure picks up the system copy.
./configure \
  --with-openssl=/usr/local/ssl/include \
  --enable-shared \
  --with-milter \
  --with-libcurl \
  --with-db
make
make install
Startup script (systemd unit)
Locally written units belong in /etc/systemd/system. The heredoc delimiter is quoted so that $OPTIONS and $MAINPID reach the unit file literally; with an unquoted EOF the shell expands $MAINPID to nothing and ExecReload ends up as "kill -USR1" with no target.
cat > /etc/systemd/system/opendkim.service << 'EOF'
# If you are using OpenDKIM with SQL datasets it might be necessary to start OpenDKIM after the database servers.
# For example, if using both MariaDB and PostgreSQL, change "After=" in the "[Unit]" section to:
# After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service
[Unit]
Description=DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey(8) http://www.opendkim.org/docs.html
After=network.target nss-lookup.target syslog.target
[Service]
Type=simple
# Optional file holding OPTIONS="..." for extra command-line flags; ignored when absent.
EnvironmentFile=-/usr/local/etc/sysconfig/opendkim
# -x names the configuration file explicitly so the daemon does not depend on the default path.
ExecStart=/usr/local/sbin/opendkim -f -x /usr/local/etc/opendkim/opendkim.conf $OPTIONS
ExecReload=/bin/kill -USR1 $MAINPID
User=opendkim
Group=opendkim
Restart=on-failure
RuntimeDirectory=opendkim
RuntimeDirectoryMode=0750
NoNewPrivileges=yes
PrivateTmp=yes
[Install]
WantedBy=multi-user.target
EOF
Generate the private and public keys
The selector given with -s becomes the file name of both outputs and the label of the DNS record (examplecom202412._domainkey.example.com), so the same value must be used in the KeyTable and SigningTable below. A dated selector like this one keeps rotation simple: publish the new record, switch the tables to the new selector, and remove the old record later. Adding -r restricts the published key to e-mail use (s=email).
/usr/local/sbin/opendkim-genkey -b 2048 -D /usr/local/etc/opendkim/keys/ -d example.com -s examplecom202412
# Outputs: examplecom202412.private (the signing key, never world-readable) and examplecom202412.txt (the TXT record to publish in DNS).
# Set ownership and permissions: only the daemon's user needs to read the key.
chown -R opendkim:opendkim /usr/local/etc/opendkim
chmod 600 /usr/local/etc/opendkim/keys/examplecom202412.private
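Added example (not part of the original post): the .txt file that opendkim-genkey writes is a zone-file fragment with the value split into several quoted strings, which most DNS consoles cannot take as-is. The script below joins the chunks into the single TXT value to publish, reports the length of the p= tag (a truncated paste is the most common reason a record fails), and refuses to continue if the private key is readable by other users. The sample record is constructed; the functions assume the layout opendkim-genkey 2.10.3 produces (owner name first on line one, quoted chunks) and GNU stat as shipped on Rocky Linux.

```shell
#!/bin/sh
# Added example, not part of the original page: flatten a genkey SELECTOR.txt
# into one TXT string and check the private key's permissions.

# dkim_txt_record FILE -> "<owner name> <joined TXT value>"
# genkey splits the value into quoted chunks because one TXT string is limited
# to 255 bytes; resolvers join them, so joining here gives the exact value.
dkim_txt_record() {
  file="$1"
  name=$(awk 'NR == 1 { print $1; exit }' "$file")
  value=$(grep -o '"[^"]*"' "$file" | tr -d '"\n')
  printf '%s %s\n' "$name" "$value"
}

# dkim_pubkey_len FILE -> number of base64 characters in the p= tag.
# A 2048-bit RSA SubjectPublicKeyInfo is 294 DER bytes = 392 base64 characters;
# any other length on a real record means a chunk was lost when copying.
dkim_pubkey_len() {
  dkim_txt_record "$1" | sed 's/.*;[[:space:]]*p=//; s/;.*//' | awk '{ print length($1) }'
}

# check_private_key FILE OWNER -> 0 if mode is 400/600/640 and the owner matches.
check_private_key() {
  key="$1"; owner="$2"
  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
  mode=$(stat -c '%a' "$key")
  user=$(stat -c '%U' "$key")
  case "$mode" in
    400|600|640) ;;
    *) echo "$key has mode $mode; expected 600" >&2; return 1 ;;
  esac
  [ "$user" = "$owner" ] || { echo "$key is owned by $user, expected $owner" >&2; return 1; }
  return 0
}

# write_sample_txt FILE: constructed stand-in for examplecom202412.txt with a
# short fake p= value (a real 2048-bit value is 392 characters long).
write_sample_txt() {
  cat > "$1" <<'EOF'
examplecom202412._domainkey IN TXT ( "v=DKIM1; k=rsa; "
   "p=AAAABBBBCCCC"
   "DDDDEEEE" )  ; ----- DKIM key examplecom202412 for example.com
EOF
}

# Stand-alone demo.
tmp=$(mktemp)
write_sample_txt "$tmp"
dkim_txt_record "$tmp"
echo "p= length: $(dkim_pubkey_len "$tmp")"
chmod 600 "$tmp"
check_private_key "$tmp" "$(id -un)" && echo "permissions ok"
rm -f "$tmp"
```

On the real host, run dkim_txt_record against /usr/local/etc/opendkim/keys/examplecom202412.txt and check_private_key against the .private file with owner opendkim before starting the service.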
Put the configuration files in place
The files below are based on the ones shipped in the EPEL 9 opendkim package (2.11.0-0.36.el9), taken from pkgs.org, with the paths changed to the /usr/local prefix used by this build:
https://rhel.pkgs.org/9/epel-aarch64/opendkim-2.11.0-0.36.el9.aarch64.rpm.html
/usr/local/etc/opendkim/opendkim.conf
cat > /usr/local/etc/opendkim/opendkim.conf << EOF
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or opendkim.conf.sample in the source tree for more
## BEFORE running OpenDKIM you must:
## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)
## See the INSTALL file in the source tree for detailed instructions.
## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid. They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
## AddAllSignatureResults
## ADSPAction
## ADSPNoSuchDomain
## BogusPolicy
## DisableADSP
## LDAPSoftStart
## LocalADSP
## NoDiscardableMailTo
## On-PolicyError
## SendADSPReports
## UnprotectedPolicy
## CONFIGURATION OPTIONS
## Specifies the path to the process ID file.
PidFile /usr/local/var/run/opendkim/opendkim.pid
## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
## The packaged default of v only verifies inbound mail. This host is meant to sign
## outgoing mail as well, so it is set to sv here (s would sign only and skip verification).
Mode sv
## Log activity to the system log.
Syslog yes
## Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes
## If logging is enabled, include detailed logging about why or why not a message was
## signed or verified. This causes an increase in the amount of log data generated
## for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes
## Attempt to become the specified user before starting operations.
UserID opendkim:opendkim
## Create a socket through which your MTA can communicate.
Socket inet:8891@localhost
#Socket local:/run/opendkim/opendkim.sock
## Required to use local socket with MTAs that access the socket as a non-
## privileged user (e.g. Postfix)
Umask 002
## This specifies a text file in which to store DKIM transaction statistics.
## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics /var/spool/opendkim/stats.dat
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
SendReports yes
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster@example.com>
## Add a DKIM-Filter header field to messages passing through this filter
## to identify messages it has processed.
SoftwareHeader yes
## SIGNING OPTIONS
## Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/relaxed
## Domain(s) whose mail should be signed by this filter. Mail from other domains will
## be verified rather than being signed. Uncomment and use your domain name.
## This parameter is not required if a SigningTable is in use.
# Domain example.com
## Defines the name of the selector to be used when signing messages.
Selector default
## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024
## Gives the location of a private key to be used for signing ALL messages. This
## directive is ignored if KeyTable is enabled.
## Change this (and Selector above) only if you sign with a single key and no KeyTable;
## with the KeyTable/SigningTable below the selector and key path come from the KeyTable.
KeyFile /usr/local/etc/opendkim/keys/default.private
## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
KeyTable /usr/local/etc/opendkim/KeyTable
## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable refile:/usr/local/etc/opendkim/SigningTable
## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
# ExternalIgnoreList refile:/usr/local/etc/opendkim/TrustedHosts
## Identifies a set of "internal" hosts whose mail should be signed rather than verified.
## The default is 127.0.0.1 only: mail submitted from any other host is verified, not
## signed, until that host is listed here.
# InternalHosts refile:/usr/local/etc/opendkim/TrustedHosts
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList X.X.X.X
## Always oversign From (sign using actual From and a null From to prevent
## malicious signatures header fields (From and/or others) between the signer
## and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From
## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local.
# QueryCache yes
EOF
/usr/local/etc/opendkim/SigningTable
cat > /usr/local/etc/opendkim/SigningTable << EOF
# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.
# To use this file, point the SigningTable option in /usr/local/etc/opendkim/opendkim.conf
# at it, then edit one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.
# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/usr/local/etc/opendkim/SigningTable" is included in opendkim.conf.
# Create additional lines for additional domains.
# For several domains, add one such line per domain. The right-hand side must be a
# key name that exists in the KeyTable.
*@example.com default._domainkey.example.com
# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in opendkim.conf, then
# wildcards will not work. Instead, full user@host is checked first, then simply host,
# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.
# opendkim.conf above uses refile:, where this plain form matches no From: address,
# so it stays commented out.
#example.com default._domainkey.example.com
EOF
/usr/local/etc/opendkim/KeyTable
cat > /usr/local/etc/opendkim/KeyTable << EOF
# OPENDKIM KEY TABLE
# To use this file, point the KeyTable option in /usr/local/etc/opendkim/opendkim.conf
# at it, then edit the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.
# Format: KEYNAME DOMAIN:SELECTOR:PATH_TO_PRIVATE_KEY, where KEYNAME is SELECTOR._domainkey.DOMAIN.
default._domainkey.example.com example.com:default:/usr/local/etc/opendkim/keys/default.private
EOF
Adjust and edit the configuration files
SigningTable
Fill in the SigningTable in the form below, one line per domain if there are several domains:
*@[domain] [selector]._domainkey.[domain]
KeyTable
Fill in the KeyTable in the form below, one line per domain if there are several domains:
[selector]._domainkey.[domain] [domain]:[selector]:[path to private key]
The key name (first column of the KeyTable, second column of the SigningTable) must be identical in both files, and the selector and path must match what opendkim-genkey produced; the packaged defaults still say "default", so they must be edited. For the key generated above (-d example.com -s examplecom202412) the SigningTable maps *@example.com to examplecom202412._domainkey.example.com, and the KeyTable line reads examplecom202412._domainkey.example.com example.com:examplecom202412:/usr/local/etc/opendkim/keys/examplecom202412.private.
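Added example (not from the original post): a small shell helper that appends one domain to both tables in exactly the two formats above, so the key name cannot drift between the files. It refuses to add a domain that is already present and refuses a selector whose .private file does not exist, which is the state the tables are in until opendkim-genkey has been run for that selector. The default paths are this install's; the demo at the bottom works in a scratch directory with a placeholder key.

```shell
#!/bin/sh
# Added example, not part of the original page: add one domain to the
# SigningTable and KeyTable consistently.

# add_dkim_domain DOMAIN SELECTOR SIGNING_TABLE KEY_TABLE KEYDIR
add_dkim_domain() {
  domain="$1"; selector="$2"; st="$3"; kt="$4"; keydir="$5"
  keyname="$selector._domainkey.$domain"
  key="$keydir/$selector.private"

  # Both values end up in DNS names and table keys, so allow only hostname characters.
  case "$domain$selector" in
    *[!A-Za-z0-9.-]*|'') echo "invalid domain or selector" >&2; return 1 ;;
  esac
  # The key must exist before it is referenced; opendkim refuses to start otherwise.
  [ -f "$key" ] || { echo "no key $key; run opendkim-genkey -s $selector first" >&2; return 1; }
  # Exact match on the first column, so example.com does not match notexample.com.
  if [ -f "$st" ] && awk -v k="*@$domain" '$1 == k { f = 1 } END { exit !f }' "$st"; then
    echo "$domain is already in $st" >&2; return 1
  fi
  printf '*@%s %s\n' "$domain" "$keyname" >> "$st"
  printf '%s %s:%s:%s\n' "$keyname" "$domain" "$selector" "$key" >> "$kt"
}

# Stand-alone demo in a scratch directory with a placeholder key file.
demo_dir=$(mktemp -d)
touch "$demo_dir/examplecom202412.private"
add_dkim_domain example.com examplecom202412 \
  "$demo_dir/SigningTable" "$demo_dir/KeyTable" "$demo_dir"
add_dkim_domain example.com examplecom202412 \
  "$demo_dir/SigningTable" "$demo_dir/KeyTable" "$demo_dir" || echo "duplicate refused"
cat "$demo_dir/SigningTable" "$demo_dir/KeyTable"
rm -rf "$demo_dir"
```

On the real host call it with /usr/local/etc/opendkim/SigningTable, /usr/local/etc/opendkim/KeyTable and /usr/local/etc/opendkim/keys as the last three arguments, then restart opendkim.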
Make the configuration file findable
Built with the default prefix, opendkim looks for /usr/local/etc/opendkim.conf unless -x is given on the command line, so link the file there as well:
ln -s /usr/local/etc/opendkim/opendkim.conf /usr/local/etc/opendkim.conf
Fix ownership
chown -R opendkim:opendkim /usr/local/etc/opendkim
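Added example (not from the original post): a pre-start check that reads opendkim.conf and cross-checks the KeyTable and SigningTable it names. It flags Mode left at v (nothing gets signed), a KeyTable name that does not equal SELECTOR._domainkey.DOMAIN for the selector and domain in its value, a private key that the current user cannot read, and a SigningTable target with no KeyTable entry. The demo at the bottom reproduces the mismatch this page invites (tables still saying "default" after generating examplecom202412) with constructed files; only file:/refile: datasets are handled.

```shell
#!/bin/sh
# Added example, not part of the original page: cross-check opendkim.conf,
# KeyTable and SigningTable before the first start.

# conf_get CONF DIRECTIVE -> value of the first matching directive.
conf_get() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Strip a file:/refile: dataset prefix; db:, ldap: and sql datasets are not handled.
dataset_path() {
  printf '%s\n' "$1" | sed 's/^re\{0,1\}file://'
}

# check_tables CONF -> 0 if consistent, 1 with one message per problem on stderr.
check_tables() {
  conf="$1"; rc=0
  [ "$(conf_get "$conf" Mode)" = "v" ] && { echo "Mode v: nothing will be signed, use sv or s" >&2; rc=1; }
  kt=$(dataset_path "$(conf_get "$conf" KeyTable)")
  st=$(dataset_path "$(conf_get "$conf" SigningTable)")
  [ -f "$kt" ] || { echo "KeyTable not found: $kt" >&2; return 1; }
  [ -f "$st" ] || { echo "SigningTable not found: $st" >&2; return 1; }

  # KeyTable: NAME DOMAIN:SELECTOR:KEYPATH, with NAME == SELECTOR._domainkey.DOMAIN.
  while read -r name spec; do
    case "$name" in ''|\#*) continue ;; esac
    dom=${spec%%:*}
    rest=${spec#*:}
    sel=${rest%%:*}
    key=${rest#*:}
    [ "$name" = "$sel._domainkey.$dom" ] \
      || { echo "KeyTable $name: value names $dom/$sel, expected $name" >&2; rc=1; }
    [ -r "$key" ] || { echo "KeyTable $name: key file not readable: $key" >&2; rc=1; }
  done < "$kt"

  # SigningTable: PATTERN KEYNAME, and KEYNAME must be defined in the KeyTable.
  while read -r pattern target; do
    case "$pattern" in ''|\#*) continue ;; esac
    awk -v n="$target" '$1 == n { f = 1 } END { exit !f }' "$kt" \
      || { echo "SigningTable $pattern -> $target: not in KeyTable" >&2; rc=1; }
  done < "$st"
  return "$rc"
}

# Stand-alone demo: the mismatched tables first, then the corrected ones.
demo_dir=$(mktemp -d)
touch "$demo_dir/examplecom202412.private"
printf 'Mode sv\nKeyTable %s/KeyTable\nSigningTable refile:%s/SigningTable\n' \
  "$demo_dir" "$demo_dir" > "$demo_dir/opendkim.conf"
printf '*@example.com default._domainkey.example.com\n' > "$demo_dir/SigningTable"
printf 'default._domainkey.example.com example.com:default:%s/default.private\n' \
  "$demo_dir" > "$demo_dir/KeyTable"
check_tables "$demo_dir/opendkim.conf" || echo "-> mismatch detected, as expected"
printf '*@example.com examplecom202412._domainkey.example.com\n' > "$demo_dir/SigningTable"
printf 'examplecom202412._domainkey.example.com example.com:examplecom202412:%s/examplecom202412.private\n' \
  "$demo_dir" > "$demo_dir/KeyTable"
check_tables "$demo_dir/opendkim.conf" && echo "-> tables consistent"
rm -rf "$demo_dir"
```

Run check_tables /usr/local/etc/opendkim/opendkim.conf as the opendkim user (sudo -u opendkim) so the readability test reflects what the daemon will see.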
Start OpenDKIM and enable it at boot
After adding a new unit file, reload systemd so it is picked up:
systemctl daemon-reload
systemctl enable opendkim
systemctl start opendkim
systemctl status opendkim
Then check that the milter is listening on the socket configured above and that the record published in DNS matches the private key (opendkim-testkey queries DNS and reports a mismatch):
ss -ltnp | grep 8891
/usr/local/sbin/opendkim-testkey -d example.com -s examplecom202412 -vvv
The MTA still has to be pointed at inet:localhost:8891 (smtpd_milters in Postfix, INPUT_MAIL_FILTER in Sendmail); that part is not covered here.
References
https://baremail.jp/blog/2024/03/25/3739/
https://exfield.jp/View/pid:4521/
https://www.celestialsoftware.net/compiling-opendkim-on-amazon-linux-2023/