While configuring a new server for sendmail, it is a good practice to install DKIM to sign outgoing messages. OPENDKIM is usually my choice, but on Amazon Linux 2023, opendkim is currently not available in the official distribution. After a bit of searching, I could not find an up-to-date guide that worked, so I had to work it out myself. Hopefully you will find these instructions useful. Please post a comment if you have trouble or need additional help.
First, try to install from the official distribution. Maybe it’s there now?
sudo yum install opendkim
If you’re like me, you got something that looks like this.
Detailed instructions will follow, but first some assumptions:
• You have a fresh vanilla Amazon Linux 2023 EC2 instance. If you don’t have one, get one! If you need help, contact me. These instructions will likely work on any EC2 instance, but no guarantees.
• You have shell access to the EC2 instance either through SSH or some other means. The following commands will be entered into the command line shell. If you need help with this, contact me.
If you’re all set, here’s an outline of what we’re going to do.
- Install the prerequisites needed to compile. Any of these you already have installed will be skipped.
- Download source code for opendkim
- Modify ‘configure’ to skip past some outdated library checks
- configure/make/install as usual
1. Install the prerequisites
These should be all of the prerequisites for building opendkim. This includes all of the build tools and shared libraries needed for linking. We’re also starting a bash shell here as ‘root’, so all subsequent commands will run with superuser privileges.
sudo bash
yum install sendmail-devel openssl-devel libbsd-devel autoconf automake libtool
2. Download and unzip the code
opendkim hasn’t been updated in a while. The latest version I could find was 2.10.3 on SourceForge. If you use any other source distribution, these instructions will not help you. Download 2.10.3 from SourceForge like this:
wget https://downloads.sourceforge.net/project/opendkim/opendkim-2.10.3.tar.gz
tar -xvf opendkim-2.10.3.tar.gz
3. Modify configure
The existing ‘configure’ file includes some outdated checks for openssl shared libraries. Newer openssl libraries renamed some of the functions, so these checks no longer work, and if you installed the openssl prerequisites above, they’re really not necessary. Let’s just edit them out. NOTE: we’re deleting a specific range of line numbers from the configure file!!! If you find an opendkim source package OTHER than 2.10.3 above, you’ll probably end up with an unusable configure after you do this.
cd opendkim-2.10.3
mv configure configure.old
cat configure.old | sed '16732,16862d' > configure
chmod +x configure
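The line-number delete in step 3 is only correct against the exact configure shipped in 2.10.3. As an added example (not part of the original post), this shell function applies the same delete only when the file matches a SHA-256 you recorded yourself from a verified copy, and keeps the original untouched if the result no longer parses. The function name and the hash argument are assumptions of this example; the page gives no hash.

```shell
# Added example, not from the original post. patch_configure and its
# EXPECTED_SHA256 argument are hypothetical names; the hash is one you record
# yourself from a configure you have already checked (none is given on this page).
#
# patch_configure FILE START END EXPECTED_SHA256
# Status: 0 patched, 1 bad arguments, 2 hash mismatch, 3 result fails `sh -n`.
patch_configure() {
    pc_file=$1 pc_start=$2 pc_end=$3 pc_want=$4
    [ -f "$pc_file" ] || return 1
    for pc_n in "$pc_start" "$pc_end"; do
        case $pc_n in ''|*[!0-9]*) return 1 ;; esac
    done
    pc_total=$(( $(wc -l < "$pc_file") ))
    [ "$pc_start" -ge 1 ] && [ "$pc_start" -le "$pc_end" ] &&
        [ "$pc_end" -le "$pc_total" ] || return 1

    # Line numbers only mean something for one exact file, so pin it by hash.
    pc_have=$(sha256sum < "$pc_file" | cut -d' ' -f1)
    if [ "$pc_have" != "$pc_want" ]; then
        echo "refusing: $pc_file sha256 is $pc_have, not the pinned value" >&2
        return 2
    fi

    # Build the result beside the original; nothing is replaced yet.
    pc_tmp=$(mktemp "$pc_file.XXXXXX") || return 1
    sed "${pc_start},${pc_end}d" "$pc_file" > "$pc_tmp"

    # A cut that splits an if/fi or case/esac leaves a script that cannot parse.
    if ! sh -n "$pc_tmp" 2>/dev/null; then
        echo "refusing: deleting $pc_start-$pc_end breaks the script syntax" >&2
        rm -f "$pc_tmp"
        return 3
    fi

    cp -p "$pc_file" "$pc_file.old"   # same backup name the post uses
    cat "$pc_tmp" > "$pc_file"        # write in place: keeps mode and owner
    rm -f "$pc_tmp"
}

# Usage for step 3 (the hash is a placeholder you fill in):
#   patch_configure configure 16732 16862 "<sha256 of 2.10.3's configure>"
```

A clean `sh -n` only shows the cut did not split a shell construct; it does not show that the removed lines were the intended ones, which is what the pinned hash is for.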
4. Make and install
The usual
./configure
make
make install
You should now have a working opendkim!!! Instructions for configuring and running opendkim are outside the scope of this document, but should be the same as other instructions you find online. Now that you have it built and installed, you can find that information in the man page or by doing a bit of googling.
Confirming opendkim is built with OpenSSL:
man opendkim
Dear Brian,
Thanks for this. The saga continues. Your step 1 now fails as Amazon have squirreled away sendmail-devel somewhere. I spent a deal of time trying to install sendmail-milter (which is also missing) as it is required but unfortunately the milter headers are still missing notably mfapi.h which blows out the ./configure stage of opendkim as it is mandatory. (AL1 and presumably AL2 still had sendmail-milter.x86_64 8.14.4-9.14.amzn1 @amzn-main).
If I find a way round this I will let you know. Amazon seem to be making it so difficult to build secure mail servers that I am almost inclined to give up on them and use Ubuntu instead.
Thanks for your efforts.
Cheers, Les.
Dear Brian,
I had no sooner hit the Post comment on the previous mail when I dredged the following out of the internet which seemed to do the job. Your point 1. should now read
sudo bash
yum install openssl-devel libbsd-devel autoconf automake libtool
To get the missing sendmail-devel, this appeared to have worked for me …
wget https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/sendmail-milter-devel-8.16.1-11.el9.x86_64.rpm
yum localinstall sendmail-milter-devel-8.16.1-11.el9.x86_64.rpm
Then your instructions 2-4 worked fine.
Thanks again,
Cheers, Les.
Thanks for trying it out and for providing feedback.
That’s very odd….
I ran through the instructions again with a brand new Amazon Linux 2023 and didn’t have any problem at all.
‘yum install sendmail-devel’ installs sendmail-milter and sendmail-milter-devel:
It’s possible your configuration is older and slightly different?
Try:
1. ‘yum update’ to get everything to the latest versions and try again
2. ‘yum repolist all’ to see all repositories. I have TWO enabled: ‘amazonlinux’ and ‘kernel-livepatch’
Try those and let me know what you find out.
My output
yum install sendmail-devel
Last metadata expiration check: 0:04:43 ago on Thu Nov 14 01:18:29 2024.
Dependencies resolved.
========================================================================================================
 Package                     Architecture     Version                      Repository        Size
========================================================================================================
Installing:
 sendmail-milter-devel       x86_64           8.17.1-5.amzn2023.0.4        amazonlinux      109 k
Installing dependencies:
 sendmail-milter             x86_64           8.17.1-5.amzn2023.0.4        amazonlinux       41 k
Transaction Summary
========================================================================================================
Install 2 Packages
Total download size: 150 k
Installed size: 337 k
Is this ok [y/N]:
Dear Brian,
Thanks again for the feedback. Very odd. I checked today and yum list available | grep sendmail now reveals sendmail-devel. It definitely didn’t on mine a couple of days ago. Must be a movable feast. Ah yes, there is a new release, so upgraded and it now loads in the sendmail-devel which they must have just added. Now for configuring. I will drop you a line with whatever I have to do for completeness.
Onwards and sideways …
Cheers, Les.
Dear Brian,
As promised, an apparently working solution based on your compilation of opendkim. I couldn’t find a service for opendkim and AL2023 has moved towards systemV. In the end after suitably editing /etc/opendkim.conf for selector, pidfile and so on, I created the following file /usr/lib/systemd/system/opendkim.service
———————————————-
[Unit]
Description=Opendkim Service
Documentation=man:opendkim(8)
After=network.target
# Note PIDfile is under /run now, (/var/run/ has been deprecated and does not work)
[Service]
Type=simple
ExecStart=/usr/local/sbin/opendkim -x /etc/opendkim.conf
PIDFile=/run/opendkim/opendkim.pid
Restart=on-failure
RestartPreventExitStatus=0 255
[Install]
WantedBy=multi-user.target
———————————————-
Then tell systemV that there is a new one
# systemctl daemon-reload
Then
# systemctl status opendkim
# systemctl start opendkim
# systemctl stop opendkim
all seem to function OK. Now to check that postfix will talk to it.
Cheers, Les.