Coexistence of MIMEDefang and OpenDKIM

circlingcycle.com.au was already using the Sender Policy Framework (SPF) email validation system, via a specific TXT resource record in DNS that I created several years ago.

In May 2014, we decided to add DomainKeys Identified Mail (DKIM) support to the Sendmail Mail Transfer Agent (MTA) on a CentOS 6.5 server.

The details of installing OpenDKIM are left out, as they are trivial.

The important file to edit was /etc/opendkim.conf; in a standard setup only a few lines need modification. I highlight the ones that matter most:

# Selects operating modes. Valid modes are s (sign) and v (verify).
# Default is v. Must be changed to s (sign only) or sv (sign and verify)
# in order to sign outgoing messages.
Mode	sv

# Create a socket through which your MTA can communicate.
Socket	inet:8891@localhost

## SIGNING OPTIONS

# Selects the canonicalization method(s) to be used when signing
# messages.
Canonicalization	relaxed/relaxed

Domain	circlingcycle.com.au

# Defines the name of the selector to be used when signing messages.
Selector	vk2cot

# Specifies the minimum number of key bits for acceptable keys
# and signatures.
MinimumKeyBits 1024

To recompile the sendmail MC file, because it already used MIMEDefang (which is outside the scope of this little article), the following syntax had to be used (the other MTA directives are not listed for the sake of brevity). The line with mimedefang.sock was split into two for screen display convenience only.

define(`LOCAL_MAILER_PATH', `/usr/bin/procmail')dnl
MAIL_FILTER(`mimedefang',
`S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')
MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')
define(`confINPUT_MAIL_FILTERS', `mimedefang,opendkim')

The next step was to install the private and public DKIM keys for the domain in question. Without checking the return code of each instruction, the simplest setup in a shell script is as follows:

MYDOM="circlingcycle.com.au"
MYSEL="vk2cot"
DKIMCDIR="/etc/opendkim"
DKIMTDIR="${DKIMCDIR}/keys"

mkdir -p ${DKIMTDIR}/${MYDOM}
# opendkim-genkey names its output after the selector: vk2cot.private and vk2cot.txt
opendkim-genkey -D ${DKIMTDIR}/${MYDOM}/ -d ${MYDOM} -s ${MYSEL}
chown -R opendkim:opendkim ${DKIMTDIR}/${MYDOM}
mv ${DKIMTDIR}/${MYDOM}/${MYSEL}.private ${DKIMTDIR}/${MYDOM}/default

# KeyTable entry: <key name> <domain>:<selector>:<private key file>. The selector
# must be the one published in DNS (vk2cot._domainkey); with any other value the
# s= tag of each signature would point verifiers at a record that does not exist.
echo "${MYSEL}._domainkey.${MYDOM} ${MYDOM}:${MYSEL}:${DKIMTDIR}/${MYDOM}/default" >> ${DKIMCDIR}/KeyTable
# A wildcard entry like this needs "SigningTable refile:..." in opendkim.conf
echo "*@${MYDOM} ${MYSEL}._domainkey.${MYDOM}" >> ${DKIMCDIR}/SigningTable
echo "${MYDOM}" >> ${DKIMCDIR}/TrustedHosts
echo "mail.${MYDOM}" >> ${DKIMCDIR}/TrustedHosts

Then, simply enable the opendkim service, recompile the MTA configuration and restart the MTA daemons:
# vi /etc/opendkim/TrustedHosts  (add all local domains and hosts)
# chkconfig opendkim on
# service opendkim start
# service sendmail restart

Checking the validity of the published DKIM key record is simple with DNS tools such as nslookup or dig. In my case, the following result is easily obtained:

# dig vk2cot._domainkey.circlingcycle.com.au TXT

...

;; QUESTION SECTION:
;vk2cot._domainkey.circlingcycle.com.au. IN TXT

;; ANSWER SECTION:
vk2cot._domainkey.circlingcycle.com.au. 7100 IN TXT "v=DKIM1\;
k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxTOwKLs2yiZW87Yo5"
"r2HtgllNRxv/K5GV1V+1swRup89OemQzSw6jUaANA7w37vKspGZHmXz/rE"
"60Q0CHyroV9KeUDZqFjAUK+sHDEqofs7n5Ad/XWfK9aANvMzFRYU9+guPn"
"AnJE9wW0d1smAZFS20h2+u7dLzDcDQHjK1dfqwIDAQAB"