Links

• Current location of OpenDKIM
• http://www.opendkim.org/opendkim-README
• https://wiki.debian.org/OpenDKIM
• DKIM on relay server

HOWTO

OpenDKIM (on Ubuntu)

apt install opendkim opendkim-tools

You might have to create:

mkdir -p /etc/opendkim/keys
chown -R opendkim.opendkim /etc/opendkim
chmod go-rxw /etc/opendkim/keys/

but these days package comes with /etc/dkimkeys

Then

cd /etc/opendkim/keys

or

cd /etc/dkimkeys

opendkim-genkey -s selectorname -d domain.name

Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so

chown -R opendkim.opendkim /etc/opendkim/keys

Configuration file /etc/opendkim.conf

Mode    s
Socket                  inet:8891@localhost

Using SigningTable

KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable

Not using SigningTable

Domain your.domain
Selector yourselector
KeyFile  /etc/opendkim/keys/intranet.private

Using signtable/keytable

SigningTable

somename is the first field in Keytable :

*@domain.name somename

KeyTable

Here the name of the selector (the part before ._domainkey) is the one you publish in dns

somename domain.name:selectorname:/etc/opendkim/keys/somename.private

Postfix

In /etc/postfix/main.cf:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

TODO using unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim :

blabla
usermod -a -G opendkim postfix

Checking

opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private

This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.

• https://www.dmarcanalyzer.com/nl/dkim-record-validatie/

Ignore "opendkim-testkey: key not secure", that just means you're not using DNSSEC

WARNING:Unsafe permissions

make readable for user opendkim only

keys do not match

Try

opendkim-testkey -d domain.name -s selectorname -vv

Check if keys match

#!/bin/bash


PRIV=$1
PUB=$2
TEMP64=/tmp/public.key.b64
TEMP=/tmp/public.key

cat $PUB |grep _domainkey |grep -v ^\;| sed 's/.*\"p=\(.*\)/\1/'| sed 's/[\" ]//g' > $TEMP64

openssl enc -base64 -d -in $TEMP64 -out $TEMP
OUTPUB=`openssl rsa -pubin -inform DER -in $TEMP -noout -modulus`
OUTPRIV=`openssl rsa -in $PRIV -noout -modulus`


echo -n "Keys $PRIV and $PUB "
if [ "$OUTPUB" == "$OUTPRIV" ]
then
    echo "match"
else
    echo "don't match"
fi
rm -f $TEMP $TEMP64

FAQ

debugging opendkim

journalctl --follow --unit postfix.service --unit opendkim.service

opendkim: no signing table match for

In opendkim.conf check:

refile:/etc/opendkim/SigningTable

it seems CRLF can also cause this problem.

opendkim: signing table references unknown key

check keytable

opendkim-testkey

Usage

opendkim-testkey -s myselector -d mydomain.com

opendkim-testkey key not secure

Probably means you have no DNSSEC

opendkim-testkey: keys do not match

probably means double check Keytable

opendkim-testkey: invalid data set type

bad dns record?

opendkim-testkey: multiple DNS replies

bad dns record?

opendkim: no signature data

Maybe forgot to define KeyTable/SigningTable paths?

opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory

Means it's defined in opendkim.conf, and you're not using KeyTable

 

This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode

??

opendkim.service: Start request repeated too quickly.

Probably rights somewhere, try

opendkim -v

or check syslog