DKIM-Signature header exists but is not valid

Alright, I was able to generate a 1024-bit DKIM key on my MiaB server! Here’s how:

Creating the key

SSH into your MiaB server and go into your /etc/opendkim/ directory:

cd /etc/opendkim

Create a directory for your new key:

sudo mkdir keys && cd keys
sudo mkdir example.com && cd example.com

(Obviously, replace example.com with your domain)

Generate the new public/private key pair:

sudo opendkim-genkey --bits=1024 -s mail -d example.com

Notice that we’ve used the --bits flag to specify that we want a 1024-bit key! The -s tells us the “selector” to use, which is basically like a subdomain specially used by DKIM. I believe the convention is to just set this to mail. -d specifies our domain (again, replace with your domain).

This should create two files, mail.private and mail.txt in the directory.

Next, we need to update opendkim’s KeyTable to point to the private key, mail.private. Simply go back into your opendkim directory and edit the KeyTable file:

cd /etc/opendkim
sudo nano KeyTable

Each line in this file maps a domain to a path that contains the private key for that domain’s DKIM. Look for your domain. If it’s already there, update it; otherwise, create a new mapping. The mapping should look like:

example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

As you can see, this tells DKIM the location of the private key we just generated.

Now, we need to restart postfix and opendkim:

sudo service postfix restart
sudo service opendkim restart

Configuring the DNS record

You can grab the public key from /etc/opendkim/keys/example.com/mail.txt, which you will use to create your TXT record in your DNS provider (in my case, Namecheap). If you sudo cat /etc/opendkim/keys/example.com/mail.txt, you’ll see something like this:

mail._domainkey    IN    TXT    ( "v=DKIM1; k=rsa; "
      "p=<some really long string>" )  ; ----- DKIM key mail for example.com

This will need some cleanup before we can enter it into our DNS record. All we need are the three pieces v=DKIM1, k=rsa, and p=.... Put this all into one line:

v=DKIM1; k=rsa; p=<some really long string>

Now, add this as a TXT record in your provider’s DNS editing interface, with the host mail._domainkey:

Should be good to go! We can test with a few services:

Caveat: Mail-in-a-Box currently overwrites the KeyTable and SigningTable any time you fiddle with the Custom DNS settings. I have opened an issue about this, but it seems that in the meantime the workaround is to simply go back and fix your KeyTable after each time you mess with the Custom DNS settings.

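As an added example (not part of the post above, and not Mail-in-a-Box or OpenDKIM code), the following Python script does the mail.txt cleanup step mechanically and then checks what actually landed in the record: it joins the quoted fragments of the BIND-style TXT record into the one-line `v=DKIM1; k=rsa; p=...` value, decodes the `p=` tag, walks the DER SubjectPublicKeyInfo by hand to report the RSA modulus size, and splits the value into 255-byte strings for DNS editors that do not do that for you. Only the standard library is used. The function names (`txt_value_from_genkey`, `key_bits_from_txt`, `txt_strings`) are my own, and the sample record is constructed around a placeholder modulus, not a real key; the mail.txt layout it mimics is the one shown in the post.

```python
"""Added example: turn opendkim-genkey's mail.txt into the one-line DNS TXT
value and verify the key size from the p= tag. Stand-alone, no third-party
modules. Helper names and the sample key are this example's own."""
import base64
import re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption) as found in an SPKI
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def txt_value_from_genkey(mail_txt: str) -> str:
    """Join the quoted fragments of the BIND-style record into one TXT value.

    Only text inside double quotes is kept, so the ';' separators of the tag
    list survive while the trailing '; ----- DKIM key ...' comment does not.
    """
    fragments = re.findall(r'"([^"]*)"', mail_txt)
    if not fragments:
        raise ValueError("no quoted TXT fragments found")
    return "".join(fragments).strip()


def dkim_tags(txt_value: str) -> dict:
    """Parse 'v=DKIM1; k=rsa; p=...' into {'v': 'DKIM1', 'k': 'rsa', 'p': '...'}."""
    tags = {}
    for item in txt_value.split(";"):
        item = item.strip()
        if item:
            name, _, value = item.partition("=")   # base64 padding '=' stays in value
            tags[name.strip()] = value.strip()
    return tags


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Return the RSA modulus size in bits from a SubjectPublicKeyInfo blob.

    SPKI ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }
    RSAPublicKey ::= SEQUENCE { INTEGER n, INTEGER e }
    """
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg_id, pos = _read_tlv(spki, 0)
    if RSA_OID not in alg_id:
        raise ValueError("key is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string, 1)   # index 0 is the unused-bits byte
    _, modulus, _ = _read_tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def key_bits_from_txt(txt_value: str) -> int:
    """Key size of the published record; raises if it is not an RSA DKIM1 record."""
    tags = dkim_tags(txt_value)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


def txt_strings(txt_value: str, limit: int = 255) -> list:
    """Split the value into <=255-byte strings for DNS UIs that require it.

    A 2048-bit key's p= tag alone is ~392 characters, so the one-line value
    cannot fit a single TXT character-string and has to be split somewhere."""
    return [txt_value[i:i + limit] for i in range(0, len(txt_value), limit)]


# ---- constructed sample input (placeholder modulus, NOT a real key) -----------
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # keeps sign bit clear


def fake_rsa_spki(bits: int) -> bytes:
    """Build an SPKI around an odd placeholder modulus of exactly `bits` bits."""
    n = (1 << (bits - 1)) | 0x1F2E3D4C5B6A7981          # placeholder, not a real modulus
    rsa_key = _der(0x30, _der_int(n) + _der_int(65537))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")          # rsaEncryption, NULL params
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


def fake_mail_txt(selector: str, domain: str, spki_der: bytes) -> str:
    """Mimic opendkim-genkey's mail.txt layout for the constructed key."""
    p = "p=" + base64.b64encode(spki_der).decode()
    chunks = "\n".join('\t  "%s"' % p[i:i + 255] for i in range(0, len(p), 255))
    return ('%s._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n%s )  ; ----- DKIM key %s for %s\n'
            % (selector, chunks, selector, domain))


if __name__ == "__main__":
    for bits in (1024, 2048):
        value = txt_value_from_genkey(fake_mail_txt("mail", "example.com", fake_rsa_spki(bits)))
        print(bits, "bits ->", key_bits_from_txt(value), "bits,",
              len(value), "chars,", len(txt_strings(value)), "TXT string(s)")
```

To use it on a real server, read `/etc/opendkim/keys/example.com/mail.txt` into `txt_value_from_genkey` and paste its result into the DNS editor; after the record propagates, `dig +short TXT mail._domainkey.example.com` should return the same tags, and `key_bits_from_txt` on that answer confirms the published key is the 1024-bit one rather than a stale larger key.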