OpenDKIM: Difference between revisions

From DWIKI
(Created page with "=Links= *[http://www.opendkim.org/opendkim-README http://www.opendkim.org/opendkim-README] *[https://wiki.debian.org/OpenDKIM https://wiki.debian.org/OpenDKIM] *[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/ DKIM on relay server] =HOWTO= == OpenDKIM (on Ubuntu) == apt install opendkim opendkim-tools You might have to create: mkdir -p /etc/opendkim/keys chown -R opendkim.opendkim /etc/opendkim chmod go-rw /etc/opendkim/keys/ Then cd /...")
 
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Links=
=Links=
 
*[https://github.com/trusteddomainproject/OpenDKIM Current location of OpenDKIM]
*[http://www.opendkim.org/opendkim-README http://www.opendkim.org/opendkim-README]
*[http://www.opendkim.org/opendkim-README http://www.opendkim.org/opendkim-README]
*[https://wiki.debian.org/OpenDKIM https://wiki.debian.org/OpenDKIM]
*[https://wiki.debian.org/OpenDKIM https://wiki.debian.org/OpenDKIM]
*[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/  DKIM on relay server]
*[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/  DKIM on relay server]


=HOWTO=
=HOWTO=


== OpenDKIM (on Ubuntu) ==
== OpenDKIM (on Ubuntu) ==
===Installing opendkim===
  apt install opendkim opendkim-tools
  apt install opendkim opendkim-tools


===Files/directories===
You might have to create:
You might have to create:
  mkdir -p /etc/opendkim/keys
  mkdir -p /etc/opendkim/keys
  chown -R opendkim.opendkim /etc/opendkim
  chown -R opendkim.opendkim /etc/opendkim
  chmod go-rw /etc/opendkim/keys/
  chmod go-rxw /etc/opendkim/keys/
 
but these days package comes with /etc/dkimkeys




Then
===Create key===
  cd /etc/opendkim/keys
  cd /etc/opendkim/keys
or
or
  cd /etc/dkimkeys
  cd /etc/dkimkeys


The 'selector' you choose here does not have to be the actual selector used in DNS. It is just the name used for storing the .txt and .private files
 


  opendkim-genkey -s selectorname -d domain.name
  opendkim-genkey -s selectorname -d domain.name
Line 30: Line 32:
  chown -R opendkim.opendkim /etc/opendkim/keys
  chown -R opendkim.opendkim /etc/opendkim/keys


== SigningTable ==
==Configuration file /etc/opendkim.conf==
Mode    s
Socket                  inet:8891@localhost
 
===Using SigningTable===
 
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
 
===Not using SigningTable===
Domain your.domain
Selector yourselector
KeyFile  /etc/opendkim/keys/intranet.private
 
==Using signtable/keytable==
=== SigningTable ===


somename is the first field in Keytable :
somename is the first field in Keytable :
Line 36: Line 53:
  *@domain.name somename
  *@domain.name somename


== KeyTable ==
=== KeyTable ===


Here the name of the selector (the part before ._domainkey) is the one you publish in dns
Here the name of the selector (the part before ._domainkey) is the one you publish in dns


  somename domain.name:selectorname:/etc/opendkim/keys/somename.private
  somename domain.name:selectorname:/etc/opendkim/keys/somename.private
==Configuration file /etc/opendkim.conf==
Mode    s
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost


== Postfix ==
== Postfix ==
Line 78: Line 89:
Try
Try
  opendkim-testkey -d domain.name -s selectorname -vv
  opendkim-testkey -d domain.name -s selectorname -vv
==Check if keys match==
<pre>
#!/bin/bash
PRIV=$1
PUB=$2
TEMP64=/tmp/public.key.b64
TEMP=/tmp/public.key
cat $PUB |grep _domainkey |grep -v ^\;| sed 's/.*\"p=\(.*\)/\1/'| sed 's/[\" ]//g' > $TEMP64
openssl enc -base64 -d -in $TEMP64 -out $TEMP
OUTPUB=`openssl rsa -pubin -inform DER -in $TEMP -noout -modulus`
OUTPRIV=`openssl rsa -in $PRIV -noout -modulus`
echo -n "Keys $PRIV and $PUB "
if [ "$OUTPUB" == "$OUTPRIV" ]
then
    echo "match"
else
    echo "don't match"
fi
rm -f $TEMP $TEMP64
</pre>


= FAQ =
= FAQ =
Line 93: Line 133:
it seems CRLF can also cause this problem.
it seems CRLF can also cause this problem.


== opendkim: signing table references unknown key ==
check keytable


==opendkim-testkey==
==opendkim-testkey==

Latest revision as of 14:03, 8 October 2024

Links

HOWTO

OpenDKIM (on Ubuntu)

Installing opendkim

apt install opendkim opendkim-tools

Files/directories

You might have to create:

mkdir -p /etc/opendkim/keys
chown -R opendkim.opendkim /etc/opendkim
chmod go-rxw /etc/opendkim/keys/

but these days package comes with /etc/dkimkeys


Create key

cd /etc/opendkim/keys

or

cd /etc/dkimkeys


opendkim-genkey -s selectorname -d domain.name

Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so

chown -R opendkim.opendkim /etc/opendkim/keys

Configuration file /etc/opendkim.conf

Mode    s
Socket                  inet:8891@localhost

Using SigningTable

KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable

Not using SigningTable

Domain your.domain
Selector yourselector
KeyFile  /etc/opendkim/keys/intranet.private

Using signtable/keytable

SigningTable

somename is the first field in Keytable :

*@domain.name somename

KeyTable

Here the name of the selector (the part before ._domainkey) is the one you publish in dns

somename domain.name:selectorname:/etc/opendkim/keys/somename.private

Postfix

In /etc/postfix/main.cf:


milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

TODO using unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim :

blabla
usermod -a -G opendkim postfix

Checking

opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private

This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.

Ignore "opendkim-testkey: key not secure", that just means you're not using DNSSEC

WARNING:Unsafe permissions

make readable for user opendkim only


keys do not match

Try

opendkim-testkey -d domain.name -s selectorname -vv


Check if keys match

#!/bin/bash


PRIV=$1
PUB=$2
TEMP64=/tmp/public.key.b64
TEMP=/tmp/public.key

cat $PUB |grep _domainkey |grep -v ^\;| sed 's/.*\"p=\(.*\)/\1/'| sed 's/[\" ]//g' > $TEMP64

openssl enc -base64 -d -in $TEMP64 -out $TEMP
OUTPUB=`openssl rsa -pubin -inform DER -in $TEMP -noout -modulus`
OUTPRIV=`openssl rsa -in $PRIV -noout -modulus`


echo -n "Keys $PRIV and $PUB "
if [ "$OUTPUB" == "$OUTPRIV" ]
then
    echo "match"
else
    echo "don't match"
fi
rm -f $TEMP $TEMP64

FAQ

debugging opendkim

journalctl --follow --unit postfix.service --unit opendkim.service


opendkim: no signing table match for

In opendkim.conf check:

refile:/etc/opendkim/SigningTable

it seems CRLF can also cause this problem.


opendkim: signing table references unknown key

check keytable

opendkim-testkey

Usage

opendkim-testkey -s myselector -d mydomain.com

opendkim-testkey key not secure

Probably means you have no DNSSEC

opendkim-testkey: keys do not match

probably means double check Keytable

opendkim-testkey: invalid data set type

bad dns record?

opendkim-testkey: multiple DNS replies

bad dns record?

opendkim: no signature data

Maybe forgot to define KeyTable/SigningTable paths?

opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory

Means it's defined in opendkim.conf, and you're not using KeyTable

 

This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode

??

opendkim.service: Start request repeated too quickly.

Probably rights somewhere, try

opendkim -v

or check syslog