How to set up Postfix, Amavisd-new, ClamAV, OpenDKIM & OpenDMARC on CentOS 7
Just in case, remove sendmail and install postfix:
yum remove sendmail
yum install postfix
Make sure it starts on reboot:
systemctl enable postfix
Install amavis and clamav and make sure it starts on reboot:
yum install amavisd-new clamav clamav-scanner-systemd
systemctl enable amavisd
Fix the issue with clamd not starting:
cd /usr/lib/systemd/system
cp clamd\@scan.service clamd\@amavisd.service
systemctl start clamd@amavisd
systemctl enable clamd@amavisd
systemctl restart amavisd
Install OpenDKIM:
yum install opendkim
Create keys and check:
opendkim-default-keygen
cd /etc/opendkim/keys/
ll
Edit the following files:
/etc/opendkim.conf (Main configuration file for opendkim)
/etc/opendkim/KeyTable (Defines the path of private key for the domain)
/etc/opendkim/SigningTable (Tells OpenDKIM how to apply the keys)
/etc/opendkim/TrustedHosts (Defines which hosts are allowed to use keys)
If you’re just verifying incoming mail, you don’t actually need to edit any of the above files; the defaults are fine.
Start and enable on reboot:
systemctl start opendkim
systemctl enable opendkim
Next you need to add the following lines to your Postfix main.cf:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
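and restart Postfix. With milter_default_action = accept, Postfix keeps accepting mail when a milter is unreachable, so messages can pass without DKIM/DMARC checks while a filter is down.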
Now we can install OpenDMARC:
yum install opendmarc
Edit the file /etc/opendmarc.conf and uncomment the line
# AuthservID name
and set “name” to the hostname of your server.
Now enable it on reboot and fire it up:
systemctl enable opendmarc
systemctl start opendmarc
Now we need to hook it into Postfix: add its port to main.cf as for OpenDKIM above, i.e. the line in main.cf should now read:
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
This will pass incoming mail through OpenDKIM first, then OpenDMARC.
It’s a good idea to enable the PublicSuffixList in the opendmarc.conf file and create a weekly cronjob to keep the list up to date, so create the file /etc/cron.weekly/opendmarc:
#!/bin/sh
#
# Get latest effective_tld_names for OpenDMARC.
# TLS certificate verification is left on so the list cannot be replaced in transit.
/usr/bin/wget -q -N -P /etc/opendmarc https://publicsuffix.org/list/effective_tld_names.dat
and restart Postfix.
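
A more defensive version of the weekly update job, as an added example (not part of the original post): it leaves TLS certificate verification on, downloads to a temporary file, sanity-checks it and only then renames it over the live list. The function names, the MIN_LINES threshold and the $0 guard are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: defensive weekly refresh of the
# Public Suffix List for OpenDMARC. Function names, MIN_LINES and the $0 guard
# are assumptions of this example; URL and directory are the ones used above.
PSL_URL="https://publicsuffix.org/list/effective_tld_names.dat"
PSL_DIR="${PSL_DIR:-/etc/opendmarc}"
PSL_NAME="effective_tld_names.dat"
MIN_LINES="${MIN_LINES:-1000}"   # arbitrary floor; the real list is far longer

# Succeed only if the file looks like a real Public Suffix List, not an
# empty download, an error page or a truncated transfer.
psl_looks_valid() {
    [ -s "$1" ] || return 1
    grep -q '^// ===BEGIN ICANN DOMAINS===' "$1" || return 1
    grep -q '^// ===END ICANN DOMAINS===' "$1" || return 1
    lines=$(($(wc -l < "$1")))
    [ "$lines" -ge "$MIN_LINES" ]
}

# Validate a candidate, then rename it over the live list. The candidate must
# sit in PSL_DIR so the rename stays on one filesystem and is atomic.
psl_install() {
    if ! psl_looks_valid "$1"; then
        echo "opendmarc PSL update: rejected $1" >&2
        return 1
    fi
    chmod 644 "$1"               # mktemp creates 0600; opendmarc must read it
    mv -f "$1" "$PSL_DIR/$PSL_NAME"
}

# Fetch with certificate verification left on (no --no-check-certificate).
psl_update() {
    tmp=$(mktemp "$PSL_DIR/.psl.XXXXXX") || return 1
    if wget -q -O "$tmp" "$PSL_URL" && psl_install "$tmp"; then
        return 0
    fi
    rm -f "$tmp"                 # keep the previous list on any failure
    return 1
}

# Only fetch when run under the cron file name, so the functions can be
# sourced or tested without touching the network.
case "$0" in
    */opendmarc|opendmarc) psl_update ;;
esac
```

Save it as /etc/cron.weekly/opendmarc and make it executable (chmod 755), since run-parts skips files that are not executable.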