OpenDKIMをインストールする

改めてマルチドメイン鍵仕様でインストールします。

前提

• OS: FreeBSD
• MTA: Sendmail
• メールドメイン: @example.net/@mail.example.net
• メールサーバー: mail.example.net

@mail.example.netのときはホスト固有鍵を使い、@example.netのときはデフォルト鍵を使うようにします。

Milterのインストール

pkg install -y opendkim
sysrc milteropendkim_enable=YES

/usr/local/etc/mail/opendkim.conf

--- opendkim.conf.sample        2026-01-17 00:20:21.000000000 +0900
+++ opendkim.conf       2026-02-23 02:57:04.833756208 +0900
@@ -159,7 +159,7 @@
 ##  Specify for which domain(s) signing should be done.  No default; must
 ##  be specified for signing.

-Domain                 example.com
+Domain                 example.net

 ##  DomainKeysCompat { yes | no }
 ##     default "no"
@@ -244,7 +244,7 @@
 ##  SigningTable and KeyTable are used.  No default; must be specified for
 ##  signing if SigningTable/KeyTable are not in use.

-KeyFile                        /var/db/dkim/example.private
+# KeyFile                      /var/db/dkim/example.private

 ##  KeyTable dataset
 ##     default (none)
@@ -255,7 +255,7 @@
 ##  a base64-encoded DER format private key, or a path to a file containing
 ##  one of those.

-# KeyTable             dataset
+KeyTable               refile:/usr/local/etc/mail/KeyTable

 ##  LogWhy { yes | no }
 ##     default "no"
@@ -501,7 +501,7 @@
 ##  failure reports.  By default, the e-mail address of the user executing
 ##  the filter is used.

-# ReportAddress                "DKIM Error Postmaster" <postmaster@example.com>
+ReportAddress          "DKIM Error Postmaster" <postmaster@example.net>

 ##  ReportBccAddress addr
 ##     default (none)
@@ -569,7 +569,7 @@
 ##  The name of the selector to use when signing.  No default; must be
 ##  specified for signing.

-Selector               my-selector-name
+Selector               mail

 ##  SenderHeaders      dataset
 ##     default (none)
@@ -629,7 +629,7 @@
 ##  is set, all possible lookup keys will be attempted which may result
 ##  in multiple signatures being applied.

-# SigningTable         filename
+SigningTable           refile:/usr/local/etc/mail/SigningTable

 ##  SingleAuthResult { yes | no}
 ##     default "no"
@@ -657,7 +657,7 @@
 ##  inet:port                  to listen on all interfaces
 ##  local:/path/to/socket      to listen on a UNIX domain socket

-Socket                 inet:port@localhost
+Socket                 local:/var/run/milteropendkim/socket

 ##  SoftwareHeader { yes | no }
 ##     default "no"
@@ -760,4 +760,4 @@
 ##  Change to user "userid" before starting normal operation?  May include
 ##  a group ID as well, separated from the userid by a colon.

-# UserID               userid
+UserID         mailnull:mailnull

鍵の作成

roles/freebsd/tasks/opendkim.yaml

- name: opendkim-genkey host selector
  command: |
    /usr/local/sbin/opendkim-genkey -b 2048 -D /var/db/dkim -d {{ inventory_hostname }} -s {{ inventory_hostname.split('.')[0] }}

- name: opendkim-genkey default selector
  command: |
    /usr/local/sbin/opendkim-genkey -b 2048 -D /var/db/dkim -d example.net -s default

鍵の設定

/usr/local/etc/mail/KeyTable

default._domainkey.example.net example.net:default:/var/db/dkim/default.private
mail._domainkey.example.net example.net:mail:/var/db/dkim/mail.private

/usr/local/etc/mail/SigningTable

*@example.net default._domainkey.example.net
*@mail.example.net mail._domainkey.example.net

Sendmailの設定

/etc/mail/sendmail.cf

+ O InputMailFilters=dkim-milter
+ Xdkim-milter, S=local:/var/run/milteropendkim/socket, F=T, T=R:2m

DNSの設定

/usr/local/etc/namedb/primary/example.net.zone

+ $INCLUDE /var/db/dkim/default.txt
+ $INCLUDE /var/db/dkim/mail.txt