OpenDKIM
Latest revision as of 14:03, 8 October 2024
Links
- Current location of OpenDKIM
- http://www.opendkim.org/opendkim-README
- https://wiki.debian.org/OpenDKIM
- DKIM on relay server
HOWTO
OpenDKIM (on Ubuntu)
Installing opendkim
apt install opendkim opendkim-tools
Files/directories
You might have to create:
mkdir -p /etc/opendkim/keys
chown -R opendkim.opendkim /etc/opendkim
chmod go-rxw /etc/opendkim/keys/
but these days the package comes with /etc/dkimkeys
Create key
cd /etc/opendkim/keys
or
cd /etc/dkimkeys
opendkim-genkey -s selectorname -d domain.name
Make sure the key ends up in /etc/opendkim/keys and is readable by the user opendkim, so
chown -R opendkim.opendkim /etc/opendkim/keys
Configuration file /etc/opendkim.conf
Mode s
Socket inet:8891@localhost
Using SigningTable
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Not using SigningTable
Domain your.domain
Selector yourselector
KeyFile /etc/opendkim/keys/intranet.private
Using signtable/keytable
SigningTable
somename is the first field in the KeyTable:
*@domain.name somename
KeyTable
Here the name of the selector (the part before ._domainkey) is the one you publish in DNS
somename domain.name:selectorname:/etc/opendkim/keys/somename.private
Postfix
In /etc/postfix/main.cf:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
TODO: use a unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim :
blabla usermod -a -G opendkim postfix
Checking
opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private
This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.
Ignore "opendkim-testkey: key not secure"; that just means you're not using DNSSEC.
WARNING: Unsafe permissions
Make the key readable for user opendkim only.
keys do not match
Try
opendkim-testkey -d domain.name -s selectorname -vv
Check if keys match
#!/bin/bash
# Usage: checkkeys.sh selectorname.private selectorname.txt
# Compares the modulus of the private key with the modulus of the public key
# in the DNS record file written by opendkim-genkey (or a TXT record pasted
# into a file). The record may span several quoted lines.
PRIV=$1
PUB=$2
TEMP64=$(mktemp)
TEMP=$(mktemp)
# Join the record into one line, drop quotes and whitespace, keep only the p= value
tr -d '\n\t "' < "$PUB" | sed 's/.*;p=//; s/[;)].*//' > "$TEMP64"
# -A: the key is one long base64 line, not 64-character wrapped lines
openssl enc -base64 -d -A -in "$TEMP64" -out "$TEMP"
OUTPUB=$(openssl rsa -pubin -inform DER -in "$TEMP" -noout -modulus)
OUTPRIV=$(openssl rsa -in "$PRIV" -noout -modulus)
echo -n "Keys $PRIV and $PUB "
if [ "$OUTPUB" == "$OUTPRIV" ]
then
  echo "match"
else
  echo "don't match"
fi
rm -f "$TEMP" "$TEMP64"
FAQ
debugging opendkim
journalctl --follow --unit postfix.service --unit opendkim.service
opendkim: no signing table match for
In opendkim.conf check:
refile:/etc/opendkim/SigningTable
It seems CRLF line endings can also cause this problem.
opendkim: signing table references unknown key
check keytable
opendkim-testkey
Usage
opendkim-testkey -s myselector -d mydomain.com
opendkim-testkey key not secure
Probably means you have no DNSSEC
opendkim-testkey: keys do not match
Probably means you should double-check the KeyTable.
opendkim-testkey: invalid data set type
Bad DNS record?
opendkim-testkey: multiple DNS replies
Bad DNS record?
opendkim: no signature data
Maybe forgot to define KeyTable/SigningTable paths?
opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory
Means it's defined in opendkim.conf, and you're not using KeyTable
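A consistency check for the KeyTable/SigningTable pair described above. It catches three of the FAQ failures before opendkim is restarted: a SigningTable name with no KeyTable entry ("signing table references unknown key"), a KeyTable key file that does not exist ("open(): No such file or directory") and a key file with "Unsafe permissions". This is an added example, not a script from the wiki or from the OpenDKIM project; the domains, selector and file names in the sample are constructed.

```shell
#!/bin/bash
# Added example (not from the wiki page): sanity-check a KeyTable/SigningTable
# pair. Prints one line per problem and returns the number of problems found
# (0 = clean). Key files are expected to be mode 0600, owned by opendkim.
check_dkim_tables() {
    keytable=$1; signingtable=$2; problems=0
    # SigningTable lines are "pattern name"; every name must exist in the KeyTable
    while read -r pattern name; do
        case "$pattern" in ''|\#*) continue ;; esac
        if ! grep -q "^${name}[[:space:]]" "$keytable"; then
            echo "SigningTable references unknown key: $name"
            problems=$((problems + 1))
        fi
    done < "$signingtable"
    # KeyTable lines are "name domain:selector:keyfile"
    while read -r name spec; do
        case "$name" in ''|\#*) continue ;; esac
        keyfile=${spec#*:}; keyfile=${keyfile#*:}   # third colon-separated field
        if [ ! -f "$keyfile" ]; then
            echo "KeyTable $name: $keyfile: No such file or directory"
            problems=$((problems + 1))
        elif [ "$(ls -l "$keyfile" | cut -c5-10)" != "------" ]; then
            echo "KeyTable $name: $keyfile: unsafe permissions (should be 0600)"
            problems=$((problems + 1))
        fi
    done < "$keytable"
    return "$problems"
}

# Constructed sample: one good entry, one key file missing, one unknown name.
demo_dkim_check() {
    dir=$(mktemp -d)
    printf 'good example.com:sel2024:%s/sel2024.private\nmissing example.com:old:%s/old.private\n' "$dir" "$dir" > "$dir/KeyTable"
    printf '*@example.com good\n*@example.org nosuchkey\n*@example.net missing\n' > "$dir/SigningTable"
    # placeholder file standing in for a private key (constructed, not a real key)
    ( umask 077; echo "placeholder private key" > "$dir/sel2024.private" )
    rc=0
    check_dkim_tables "$dir/KeyTable" "$dir/SigningTable" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_dkim_check; echo "problems found: $?"   # prints "problems found: 2" for the sample
```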
This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode
??
opendkim.service: Start request repeated too quickly.
Probably a permissions problem somewhere; try
opendkim -v
or check syslog