Postfix DKIM and SPF filtering

Installing OpenDKIM:
yum install opendkim

Create private and public key:

mkdir /etc/opendkim/keys/myhostname.lt
/usr/sbin/opendkim-genkey -D /etc/opendkim/keys/myhostname.lt/ -d myhostname.lt -s default
chown -R root:opendkim /etc/opendkim/keys/myhostname.lt
chmod 640 /etc/opendkim/keys/myhostname.lt/default.private
chmod 644 /etc/opendkim/keys/myhostname.lt/default.txt

Configuring:
nano /etc/opendkim.conf

#Change

..
Mode    sv
#LogWhy yes
Canonicalization        relaxed/simple
Domain                  myhostname.lt
#KeyFile                 /etc/opendkim/keys/default.private
..
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

Edit:
nano /etc/opendkim/TrustedHosts
Add:

myhostname.lt

Edit:
nano /etc/opendkim/KeyTable
Add:

default._dkim.myhostname.lt myhostname.lt:default:/etc/opendkim/keys/myhostname.lt/default.private

Edit:
nano /etc/opendkim/SigningTable
Add:

*@myhostname.lt default._dkim.myhostname.lt

Edit:
nano /etc/postfix/main.cf

Add or edit these lines:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = inet:127.0.0.1:8891
milter_default_action   = accept

Restart services:

service opendkim start
service postfix restart
systemctl enable opendkim

Adding DNS Records

cat /etc/opendkim/keys/myhostname.lt/default.txt

The output should look something like this:

default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAqUAA4GNgDCBiQKBgQW13c2ZT8rbPFpo6dxcEtMYO3oKHb3dIlHyiXCUMh05iXIPELjU+iD/wmggmGTmZMdGGrqbTJ/rOAjqI+V/djb+aBDpAENXYUbYn245SmBASjXkjh+owF1zb8l0UuxtNJaNLrP3N8mjiXwS8zY7m085LGLXHIeNFJF1ihaHS8HWUwISAQAB" )  ; ----- DKIM key default for myhostname.lt

If you're using a web-based DNS interface (like GoDaddy or CloudFlare), the Name of the TXT record would be default._domainkey, as shown at the start of the output above, and the Value of the TXT record would be everything from the first quote to the last quote (starting with "v=), with the quoted pieces joined together. You can ignore the parentheses, the semicolon, and the comment at the end.
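
The conversion described above can be checked before pasting anything into a DNS panel. The following is an added example, not part of the original guide or of OpenDKIM: it reads the default.txt layout, joins the quoted strings into the TXT value, and confirms that the record name matches the selector in the KeyTable line. The function names are hypothetical and the p= value in the sample is a constructed placeholder, not a real key.

```python
import base64
import re

# Constructed sample in the layout opendkim-genkey writes to default.txt;
# the p= value is a short made-up base64 string, not a real key.
SAMPLE_TXT = '''default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=" )  ; ----- DKIM key default
'''
# KeyTable line as used on this page: <key name> <domain>:<selector>:<key path>
SAMPLE_KEYTABLE = ("default._dkim.myhostname.lt myhostname.lt:default:"
                   "/etc/opendkim/keys/myhostname.lt/default.private")


def parse_genkey_txt(text):
    """Return (record_name, value) from an opendkim-genkey .txt file."""
    # Only the quoted strings are record data; the parentheses and the
    # trailing ';' comment are zone-file syntax and are dropped.
    return text.split()[0], "".join(re.findall(r'"([^"]*)"', text))


def parse_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict of tag -> value."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def check_record(txt, keytable_line):
    """Return (fqdn, value, problems) for the TXT record to publish."""
    name, value = parse_genkey_txt(txt)
    domain, selector, _path = keytable_line.split(None, 1)[1].strip().split(":", 2)
    tags, problems = parse_tags(value), []
    if name != f"{selector}._domainkey":
        problems.append(f"record name {name} does not match selector {selector}")
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("p= is empty")
    except ValueError:
        problems.append("p= is not valid base64")
    return f"{selector}._domainkey.{domain}", value, problems


if __name__ == "__main__":
    print(check_record(SAMPLE_TXT, SAMPLE_KEYTABLE))
```

The first element of the result is the full DNS name a verifier will query, built from the selector and domain in the KeyTable line; the key name in the first KeyTable column is only a label and does not have to match it.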

Next: SPF filtering

Install:

yum install perl-Sys-Hostname-Long
yum install perl-Mail-SPF.noarch
wget https://launchpad.net/postfix-policyd-spf-perl/trunk/release2.010/+download/postfix-policyd-spf-perl-2.010.tar.gz
tar -xvf postfix-policyd-spf-perl-2.010.tar.gz
cd postfix-policyd-spf-perl-2.010 
cp postfix-policyd-spf-perl /usr/local/lib/

Edit:
nano /etc/postfix/master.cf
Add the following lines:

policy  unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/bin/perl /usr/local/lib/postfix-policyd-spf-perl

Configure the Postfix policy service in /etc/postfix/main.cf:

smtpd_recipient_restrictions =
    reject_unauth_destination
    check_policy_service unix:private/policy

Add "policy_time_limit = 3600" to main.cf

NOTES:
Specify check_policy_service AFTER reject_unauth_destination or
else your system can become an open relay.

The user ‘nobody’ is used in this example. This is appropriate if you
do not have any other services running as nobody. If you do, create a
dedicated user for this service and use it instead.

Edit:
nano /etc/postfix/main.cf

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy
policy_time_limit = 3600

Restart postfix:
service postfix restart

Add DNS Record:
@ TXT "v=spf1 a mx ptr -all"

or

The TXT records on domain:

v=spf1 a mx ptr include:spf.serveriai.lt ~all 

Validate spf settings: url.
Done!