DKIM
DomainKeys Identified Mail
Links
- dkim check
- DKIM and postfix
- https://help.ubuntu.com/community/Postfix/dkim-milter Postfix and dkim-milter]
- DKIM Homepage
- http://www.opendkim.org/opendkim-README
- About DKIM
- DKIM with Sendmail
- https://wiki.debian.org/OpenDKIM
- http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test
- SPF and DKIM on Debian
- DKIM on relay server
- OpenDKIM
HOWTO
Check if keys match
dig myselector._domainkey.example.com
and save the bit from "p=" to public.key.b64
openssl enc -base64 -d -in public.key.b64 -out public.key openssl rsa -pubin -inform DER -in public.key -noout -modulus
and compare the shown modulus with
openssl rsa -in private.key -noout -modulus
They should be identical
OpenDKIM (on Ubuntu)
apt install opendkim opendkim-tools
You might have to create:
mkdir -p /etc/opendkim/keys chown -R opendkim.opendkim /etc/opendkim chmod go-rw /etc/opendkim/keys/
Then
cd /etc/opendkim/keys
or
cd /etc/dkimkeys
The 'selector' you choose here does not have to be the actual selector used in DNS. It is just the name used for storing the .txt and .private files
opendkim-genkey -s selectorname -d domain.name
Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so
chown -R opendkim.opendkim /etc/opendkim/keys
SigningTable
somename is the first field in Keytable :
*@domain.name somename
KeyTable
Here the name of the selector (the part before ._domainkey) is the one you publish in dns
somename domain.name:selectorname:/etc/opendkim/keys/somename.private
Configuration file /etc/opendkim.conf
Mode s KeyTable /etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable Socket inet:8891@localhost
Postfix
In /etc/postfix/main.cf:
milter_protocol = 2 milter_default_action = accept smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
TODO using unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim :
blabla usermod -a -G opendkim postfix
Checking
opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private
This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.
Ignore "opendkim-testkey: key not secure", that just means you're not using DNSSEC
WARNING:Unsafe permissions
make readable for user opendkim only
keys do not match
Try
opendkim-testkey -d domain.name -s selectorname -vv
FAQ
Opendkim
debugging opendkim
journalctl --follow --unit postfix.service --unit opendkim.service
opendkim: no signing table match for
In opendkim.conf check:
refile:/etc/opendkim/SigningTable
it seems CRLF can also cause this problem.
opendkim-testkey
Usage
opendkim-testkey -s myselector -d mydomain.com
opendkim-testkey key not secure
Probably means you have no DNSSEC
opendkim-testkey: keys do not match
probably means double check Keytable
opendkim-testkey: invalid data set type
bad dns record?
opendkim-testkey: multiple DNS replies
bad dns record?
opendkim: no signature data
Maybe forgot to define KeyTable/SigningTable paths?
opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory
Means it's defined in opendkim.conf, and you're not using KeyTable
This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode
??
opendkim.service: Start request repeated too quickly.
Probably rights somewhere, try
opendkim -v
OpenSSL error: data too small for key size
This could mean it's using the wrong private key for signing