OpenDKIM

From DWIKI
 
Latest revision as of 14:03, 8 October 2024

HOWTO

OpenDKIM (on Ubuntu)

Installing opendkim

apt install opendkim opendkim-tools

Files/directories

You might have to create:

mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod go-rwx /etc/opendkim/keys/

but these days the Ubuntu package already creates /etc/dkimkeys, owned by opendkim and closed to everyone else, so you can keep the keys there instead.


Create key

cd /etc/opendkim/keys

or

cd /etc/dkimkeys


opendkim-genkey -b 2048 -s selectorname -d domain.name

This writes selectorname.private (the signing key) and selectorname.txt (the TXT record to publish at selectorname._domainkey.domain.name). Give -b 2048 explicitly instead of trusting the default: RFC 8301 says signers should use RSA keys of at least 2048 bits. When you use a KeyTable, the selector published in DNS is the one in the KeyTable entry, so the -s value here mainly decides the file names and the selector written into the .txt.

Make sure the key ends up in /etc/opendkim/keys, is owned by user opendkim and is not readable by group or other (opendkim warns about "Unsafe permissions" otherwise), so

chown -R opendkim:opendkim /etc/opendkim/keys
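The same steps done with plain openssl, as an added example (my code, not opendkim-genkey and not from this page), so you can see what lands in selectorname.private, selectorname.txt and the KeyTable line. It assumes openssl on PATH, a writable target directory, and that 200-character strings are fine for your zone file; the function name and the output labels are my choice.

```shell
#!/bin/sh
# make_dkim_key DIR DOMAIN SELECTOR [BITS]
# Added example (my code, not opendkim-genkey): does the same work with
# openssl so that what ends up in SELECTOR.private, SELECTOR.txt and the
# KeyTable line is visible. Assumed: DIR exists and is writable, openssl is
# on PATH, 200-character chunks are fine for your zone file.
make_dkim_key() {
    dir=$1; domain=$2; selector=$3; bits=${4:-2048}
    priv=$dir/$selector.private
    txt=$dir/$selector.txt

    # RFC 8301: signers should use RSA keys of at least 2048 bits.
    [ "$bits" -ge 2048 ] || { echo "refusing $bits-bit key, use >= 2048" >&2; return 1; }

    # umask 077 in a subshell: the private key is created mode 0600 and the
    # caller's umask is left alone.
    ( umask 077 && openssl genrsa -out "$priv" "$bits" 2>/dev/null ) || return 1

    # p= in DNS is the base64 of the DER SubjectPublicKeyInfo on a single line.
    pub=$(openssl rsa -in "$priv" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    [ -n "$pub" ] || return 1

    # One TXT string is limited to 255 bytes, so the key is split into several
    # quoted strings; resolvers join them in order.
    {
        printf '%s._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n' "$selector"
        printf '%s\n' "$pub" | fold -w 200 | sed -e '1s/^/  "p=/' -e '1!s/^/  "/' -e 's/$/"/'
        printf '  )  ; ----- DKIM key %s for %s\n' "$selector" "$domain"
    } > "$txt"

    # The selector published in DNS is whatever KeyTable says; only the path
    # has to agree with the file name chosen above.
    printf 'KeyTable:     %s %s:%s:%s\n' "$selector" "$domain" "$selector" "$priv"
    printf 'SigningTable: *@%s %s\n' "$domain" "$selector"
}

# Stand-alone use: make_dkim_key.sh /etc/opendkim/keys domain.name selectorname
if [ $# -ge 3 ]; then
    make_dkim_key "$@"
fi
```

The printed KeyTable line uses the selector as the key name as well; any name works as long as SigningTable uses the same one.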

Configuration file /etc/opendkim.conf

Mode    s
Socket                  inet:8891@localhost

Mode s is sign only; use sv to also verify the signatures on incoming mail. The Socket line is what Postfix connects to below, so keep the two in sync.

Using SigningTable

KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable

The refile: prefix makes the SigningTable entries wildcard patterns (so *@domain.name works); without it the entries are looked up as literal keys.

Domain your.domain
Selector yourselector
KeyFile  /etc/opendkim/keys/intranet.private

Using SigningTable/KeyTable

SigningTable

The left column is a pattern matched against the From: address, the right column is a name that must appear as the first field in KeyTable:

*@domain.name somename

KeyTable

Here the name of the selector (the part before ._domainkey) is the one you publish in DNS:

somename domain.name:selectorname:/etc/opendkim/keys/somename.private
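A small linter for the two files, as an added example (my code, not part of this page or of OpenDKIM). It assumes the formats above, KeyTable lines of the form name domain:selector:keyfile and a refile: SigningTable with lines pattern name, and catches the mistakes behind "signing table references unknown key", "no signing table match" and "Unsafe permissions" before opendkim does.

```shell
#!/bin/sh
# check_dkim_tables KEYTABLE SIGNINGTABLE
# Added example (my code, not OpenDKIM's): lint a KeyTable/SigningTable pair.
# Assumes KeyTable lines "name domain:selector:keyfile" and SigningTable
# lines "pattern name". Prints one line per problem and returns the number
# of problems found, so 0 means the pair is consistent.
check_dkim_tables() {
    keytable=$1; signingtable=$2
    problems=0
    known=" "                 # names seen in column 1 of KeyTable
    cr=$(printf '\r')

    for f in "$keytable" "$signingtable"; do
        [ -r "$f" ] || { echo "cannot read $f"; return 1; }
        # opendkim keeps the \r as part of the last field, so nothing matches.
        if grep -q "$cr" "$f"; then
            echo "$f: has CRLF line endings (run dos2unix)"
            problems=$((problems + 1))
        fi
    done

    # KeyTable line: name domain:selector:/path/to/key.private
    while read -r name rest; do
        case $name in ''|'#'*) continue ;; esac
        rest=${rest%"$cr"}
        case $rest in
            *:*:*) ;;
            *) echo "KeyTable: '$name' is not domain:selector:keyfile"
               problems=$((problems + 1)); continue ;;
        esac
        keyfile=${rest#*:*:}
        known="$known$name "
        if [ ! -f "$keyfile" ]; then
            echo "KeyTable: '$name' -> $keyfile does not exist"
            problems=$((problems + 1)); continue
        fi
        # The private key must be closed to group and other.
        mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
        if [ $((0$mode & 077)) -ne 0 ]; then
            echo "KeyTable: $keyfile has mode $mode, should be 600"
            problems=$((problems + 1))
        fi
    done < "$keytable"

    # SigningTable (refile:) line: pattern name   e.g. *@domain.name somename
    while read -r pattern name; do
        case $pattern in ''|'#'*) continue ;; esac
        name=${name%"$cr"}
        if [ -z "$name" ]; then
            echo "SigningTable: '$pattern' has no key name"
            problems=$((problems + 1)); continue
        fi
        case $known in
            *" $name "*) ;;
            *) echo "SigningTable: '$pattern' references unknown key '$name'"
               problems=$((problems + 1)) ;;
        esac
    done < "$signingtable"

    return $problems
}

# Stand-alone use: check_dkim_tables.sh /etc/opendkim/KeyTable /etc/opendkim/SigningTable
if [ $# -eq 2 ]; then
    check_dkim_tables "$1" "$2"
fi
```

Run it as the opendkim user (sudo -u opendkim) if you also want to catch key files that root can read but opendkim cannot.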

Postfix

In /etc/postfix/main.cf:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

milter_default_action = accept means mail is still delivered, unsigned, when opendkim is down or unreachable; set it to tempfail if you would rather have Postfix defer the mail than send it without a signature.

TODO using unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim :

blabla
usermod -a -G opendkim postfix

Checking

opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private

This fetches the key published in DNS and compares it with the private key given with -k, so "record not found" means the DNS record is not there (or has not propagated yet). Apart from the verbose progress lines, no output is good output.

Ignore "opendkim-testkey: key not secure", that just means the zone is not DNSSEC-signed.

WARNING: Unsafe permissions

The .private file is readable by group or other; make it readable for user opendkim only (mode 0600, owned by opendkim).


keys do not match

The p= in DNS is not the public half of the .private file you passed: the KeyTable entry points at a different file than the .txt you published, or the key was regenerated after publishing. Try

opendkim-testkey -d domain.name -s selectorname -vv

to check the DNS record on its own, and compare the two files with the script in the next section.


Check if keys match

Compares a private key with the public key you published. The second argument is the .txt from opendkim-genkey or the record as dig returns it (dig +short TXT selectorname._domainkey.domain.name > published.txt); both split a 2048-bit key over several quoted strings, so the file is joined before the p= tag is cut out, and the one-line base64 is decoded with -A (a plain openssl base64 -d expects short lines and silently decodes nothing).

#!/bin/bash
# usage: dkimkeycheck.sh selectorname.private selectorname.txt
PRIV=$1
PUB=$2
TEMP=$(mktemp) || exit 2
trap 'rm -f "$TEMP"' EXIT

# join all lines, drop quotes, brackets and whitespace, then take the p= tag
P64=$(tr -d '\r\n\t "()' < "$PUB" | tr ';' '\n' | grep '^p=' | head -n 1 | cut -c 3-)
if [ -z "$P64" ]; then
    echo "$PUB: no p= tag found"
    exit 2
fi

# p= is the base64 of the DER SubjectPublicKeyInfo; -A decodes a single long line
printf '%s' "$P64" | openssl base64 -d -A > "$TEMP"
OUTPUB=$(openssl rsa -pubin -inform DER -in "$TEMP" -noout -modulus 2>/dev/null) \
    || { echo "$PUB: p= does not decode to an RSA public key"; exit 2; }
OUTPRIV=$(openssl rsa -in "$PRIV" -noout -modulus 2>/dev/null) \
    || { echo "$PRIV: cannot read private key"; exit 2; }

echo -n "Keys $PRIV and $PUB "
if [ "$OUTPUB" = "$OUTPRIV" ]
then
    echo "match"
else
    echo "don't match"
    exit 1
fi

FAQ

debugging opendkim

journalctl --follow --unit postfix.service --unit opendkim.service


opendkim: no signing table match for

The From: address of the message matched nothing in SigningTable. In opendkim.conf check that the table is loaded with the refile: prefix, so that *@domain.name is a wildcard:

refile:/etc/opendkim/SigningTable

it seems CRLF line endings in the table file can also cause this problem.


opendkim: signing table references unknown key

The name in the right column of SigningTable has no matching first field in KeyTable; check KeyTable (and the spelling on both sides).

opendkim-testkey

Usage

opendkim-testkey -s myselector -d mydomain.com

opendkim-testkey key not secure

Probably means you have no DNSSEC

opendkim-testkey: keys do not match

The private key given with -k does not belong to the p= published under that selector; double check the KeyTable entry and which .txt you actually published.

opendkim-testkey: invalid data set type

The TXT record does not parse as a DKIM key record; usually a malformed record (broken quoting, a truncated p=, a stray character).

opendkim-testkey: multiple DNS replies

More than one TXT record exists at selectorname._domainkey.domain.name; leave exactly one.

opendkim: no signature data

Maybe forgot to define KeyTable/SigningTable paths?

opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory

KeyFile is set in opendkim.conf (so you are not using KeyTable) and points at a file that does not exist; either fix the path or remove Domain/Selector/KeyFile and use KeyTable/SigningTable.

 

This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode

The RSA.xs part points at Perl's Crypt::OpenSSL::RSA, i.e. a Perl-based verifier rather than opendkim: the p= value it fetched from DNS is not valid base64. Typically the long key was split into several strings and a quote, space or line break got into the published record, or the value was truncated; compare the record with the .txt file and check it with opendkim-testkey.

opendkim.service: Start request repeated too quickly.

systemd has given up restarting a daemon that keeps dying at startup; the real error is a few lines earlier in journalctl -u opendkim. Usually it is a permissions problem (key file, socket directory) or a typo in opendkim.conf. To see the error directly, run it in the foreground (-f) and verbose:

opendkim -f -v

or check syslog