They should be identical
== OpenDKIM (on Ubuntu) ==

apt install opendkim opendkim-tools

You might have to create the key directory:

mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod 700 /etc/opendkim/keys

Then

cd /etc/opendkim/keys

or, if you keep the keys where the Ubuntu package puts them by default,

cd /etc/dkimkeys

The selector you give to opendkim-genkey does not have to be the selector you use in DNS. It only names the generated .txt and .private files, and the owner name written into the .txt file (selectorname._domainkey), so edit that owner name if you publish under a different selector.

opendkim-genkey -b 2048 -s selectorname -d domain.name

Depending on the version the default key size is 1024 bits, so pass -b 2048 explicitly.

Make sure the private key ends up in /etc/opendkim/keys and is readable by the opendkim user only, so

chown -R opendkim:opendkim /etc/opendkim/keys
chmod 600 /etc/opendkim/keys/*.private
== SigningTable ==

somename is the first field in the KeyTable. The left-hand side is a pattern, which only works when the table is loaded with refile: (see the configuration file):

*@domain.name somename
== KeyTable ==

The selector given here (the part before ._domainkey) is the one you publish in DNS. The path has to point at the .private file opendkim-genkey wrote, which is named after the -s you gave it:

somename domain.name:selectorname:/etc/opendkim/keys/somename.private
== Configuration file /etc/opendkim.conf ==

Mode s
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost

Mode s means sign only (sv would also verify incoming mail). The refile: prefix makes the SigningTable keys patterns, which *@domain.name needs.
== Postfix ==

In /etc/postfix/main.cf:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

non_smtpd_milters is what gets locally submitted mail (sendmail/pickup) signed. milter_default_action = accept means that when opendkim is down mail still goes out, just unsigned; use tempfail if you would rather have it queued than sent unsigned. milter_protocol 6 is the default in current Postfix; 2 also works with opendkim.

TODO: use a unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim . Postfix on Ubuntu runs chrooted in /var/spool/postfix, so the socket has to live inside that tree, and postfix has to be able to open it:

usermod -a -G opendkim postfix
= Checking =

opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private

This fetches the key published in DNS and, because of -k, compares it with the private key, so "record not found" means the DNS record was not found (or has not propagated yet). Without -v, no output is good output; with -vv it should end in "key OK".

*[https://www.dmarcanalyzer.com/nl/dkim-record-validatie/ https://www.dmarcanalyzer.com/nl/dkim-record-validatie/]

Ignore "opendkim-testkey: key not secure"; that only means the DNS answer was not DNSSEC-validated.
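Before pasting the .txt file into DNS (or after pulling the record back with dig) it is worth checking the record itself: that the owner name carries the selector you actually publish under, that p= is valid base64 and decodes to an RSA key of sensible size, and how it has to be split into 255-byte strings in a zone file. The script below is an added example for this page, not part of OpenDKIM; the selector "mail", the domain example.com and the 2048-bit modulus are constructed (the modulus is just a number, not a real key), and the small DER encoder only exists to build that sample.

```python
"""Check a DKIM public-key TXT record (opendkim-genkey's .txt or dig output)."""
import base64
import re

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_uint(value):
    # bit_length // 8 + 1 bytes keeps a leading 0x00 when the top bit is set
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def spki_for(modulus, exponent=65537):
    """SubjectPublicKeyInfo DER, i.e. what the p= tag carries in base64."""
    rsa_public_key = _der(0x30, _der_uint(modulus) + _der_uint(exponent))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_public_key))


def _tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_modulus_bits(spki):
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> INTEGER n, return n's size."""
    tag, start, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, alg_end = _tlv(spki, start)             # AlgorithmIdentifier
    if spki[start:alg_end] != RSA_ALG_ID:
        raise ValueError("not an rsaEncryption key")
    tag, start, _ = _tlv(spki, alg_end)           # BIT STRING, byte 0 = unused bits
    if tag != 0x03 or spki[start] != 0:
        raise ValueError("malformed BIT STRING")
    _, start, _ = _tlv(spki, start + 1)           # RSAPublicKey SEQUENCE
    tag, start, end = _tlv(spki, start)           # INTEGER modulus
    if tag != 0x02:
        raise ValueError("modulus missing")
    return int.from_bytes(spki[start:end], "big").bit_length()


def flatten_bind_txt(text):
    """Join the quoted strings of a BIND-style TXT record into one value."""
    return "".join(re.findall(r'"([^"]*)"', text))


def selector_from_bind(text):
    """Selector in the owner name opendkim-genkey wrote, e.g. 'mail._domainkey'."""
    owner = text.split(None, 1)[0]
    selector, sep, _ = owner.partition("._domainkey")
    if not sep:
        raise ValueError(f"owner name {owner!r} is not <selector>._domainkey")
    return selector


def parse_dkim_tags(record):
    tags = {}
    for field in record.split(";"):
        if not field.strip():
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {field.strip()!r}")
        tags[name.strip()] = "".join(value.split())  # folding whitespace is allowed
    return tags


def check_dkim_record(record):
    """Return a list of problems; an empty list means the record looks publishable."""
    problems = []
    try:
        tags = parse_dkim_tags(record)
    except ValueError as exc:
        return [str(exc)]
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"key type k={tags['k']} is not rsa")
    if "p" not in tags:
        problems.append("no p= tag")
    elif tags["p"] == "":
        problems.append("p= is empty, which publishes a revoked key")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except ValueError as exc:                  # binascii.Error is a ValueError
            problems.append(f"p= does not decode to an RSA public key: {exc}")
        except IndexError:
            problems.append("p= is truncated")
        else:
            if bits < 1024:
                problems.append(f"{bits}-bit key: RFC 8301 requires at least 1024, use 2048")
    return problems


def to_zone_txt(owner, record, chunk=255):
    """Split into <=255-byte strings, the limit for one string inside a TXT RR."""
    parts = [record[i:i + chunk] for i in range(0, len(record), chunk)]
    return f"{owner}\tIN\tTXT\t( " + " ".join(f'"{p}"' for p in parts) + " )"


# Constructed sample: NOT a real key, the modulus is just a 2048-bit number.
SAMPLE_MODULUS = (1 << 2047) | 0x10001
SAMPLE_P = base64.b64encode(spki_for(SAMPLE_MODULUS)).decode()
# Laid out like the mail.txt that opendkim-genkey -s mail -d example.com writes.
SAMPLE_TXT_FILE = (
    'mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'\t  "p={SAMPLE_P[:230]}"\n'
    f'\t  "{SAMPLE_P[230:]}" )  ; ----- DKIM key mail for example.com\n'
)


def record_for(modulus):
    """Record text for a constructed modulus, to exercise the checks."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_for(modulus)).decode()


if __name__ == "__main__":
    record = flatten_bind_txt(SAMPLE_TXT_FILE)
    print("selector in .txt:", selector_from_bind(SAMPLE_TXT_FILE))
    print("problems:", check_dkim_record(record) or "none")
    print(to_zone_txt("mail._domainkey", record))
```

Run it against the real file (flatten_bind_txt(open("/etc/opendkim/keys/selectorname.txt").read())) before publishing, and against the quoted strings dig returns afterwards; a record that fails check_dkim_record here is the kind that produces "bad base64 decode" or "invalid data set type" on the verifying side.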
== WARNING: Unsafe permissions ==

The private key is readable by group or others. Make it readable by the opendkim user only:

chmod 600 /etc/opendkim/keys/*.private

== keys do not match ==

The private key given with -k does not belong to the public key in DNS. Try it without -k to see what is actually published:

opendkim-testkey -d domain.name -s selectorname -vv

and check that the KeyTable points at the right .private file and that DNS carries the p= from the matching .txt.
= FAQ =

== Opendkim ==

=== debugging opendkim ===

journalctl --follow --unit postfix.service --unit opendkim.service
=== opendkim: no signing table match for ===

In opendkim.conf check that the SigningTable is loaded as a pattern file:

SigningTable refile:/etc/opendkim/SigningTable

Without refile: the *@domain.name key is matched literally. CRLF line endings in the table can also cause this.
== opendkim-testkey ==

=== Usage ===

opendkim-testkey -s myselector -d mydomain.com

=== opendkim-testkey: key not secure ===

The DNS answer was not DNSSEC-validated; harmless if you have no DNSSEC.

=== opendkim-testkey: keys do not match ===

The private key given with -k is not the one whose public half is in DNS: double check the KeyTable.

=== opendkim-testkey: invalid data set type ===

Probably a bad DNS record.

=== opendkim-testkey: multiple DNS replies ===

More than one TXT record at selectorname._domainkey.domain.name; there must be exactly one.
=== opendkim: no signature data ===

Maybe forgot to define the KeyTable/SigningTable paths?

== opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory ==

A KeyFile is set in opendkim.conf and that file does not exist. With KeyTable/SigningTable you don't use KeyFile, so remove it (or create the file).
== This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode ==

Not solved yet. Most likely the p= value in the DNS record is not valid base64, e.g. the quotes or line breaks from the .txt file were pasted into the record, or it was truncated.

== opendkim.service: Start request repeated too quickly. ==

systemd gave up restarting opendkim because it keeps exiting at startup, usually a permissions or config problem. Check the journal (see above) or try

opendkim -v

(opendkim -n only parses the config and reports errors.)

== OpenSSL error: data too small for key size ==

This could mean the wrong private key is used for signing; check the KeyTable path.
[[Category:Mail]]