DKIM

From DWIKI
Revision as of 14:26, 28 November 2023 by Tony (talk | contribs) (→‎Postfix)

DomainKeys Identified Mail

Links

DKIMvalidator

 

HOWTO

Check if keys match

dig myselector._domainkey.example.com

and save the bit from "p=" to public.key.b64

openssl enc -base64 -d -in public.key.b64 -out public.key
openssl rsa -pubin -inform DER -in public.key -noout -modulus

and compare the shown modulus with

openssl rsa -in private.key -noout -modulus

They should be identical


OpenDKIM (on Ubuntu)

apt install opendkim opendkim-tools

You might have to create:

mkdir -p /etc/opendkim/keys
chown -R opendkim.opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys/

Then

cd /etc/opendkim/keys

The 'selector' you choose here does not have to be the actual selector used in DNS. It is just the name used for storing the .txt and .private files

opendkim-genkey -s selectorname -d domain.name

Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so

chown -R opendkim.opendkim /etc/opendkim/keys

SigningTable

  1. somename is the first field in Keytable
*@domain.name somename

KeyTable

Here the name of the selector (the part before ._domainkey) is the one you publish in dns

somename domain.name:selectorname:/path/to/somename.private

Configuration file /etc/opendkim.conf

Mode    s
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable


Postfix

In /etc/postfix/main.cf:


milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

TODO using socket, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim

blabla 
usermod -a -G opendkim postfix

Checking

opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private

This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.

Ignore "opendkim-testkey: key not secure", that just means you're not using DNSSEC

WARNING:Unsafe permissions

make readable for user opendkim only


keys do not match

Try

opendkim-testkey -d domain.name -s selectorname -vv

FAQ

Opendkim

debugging opendkim

journalctl --follow --unit postfix.service --unit opendkim.service


opendkim: no signing table match for

In opendkim.conf check:

refile:/etc/opendkim/SigningTable

it seems CRLF can also cause this problem.


opendkim-testkey

Usage

opendkim-testkey -s myselector -d mydomain.com

opendkim-testkey key not secure

Probably means you have no DNSSEC

opendkim-testkey: keys do not match

probably means double check Keytable

opendkim-testkey: invalid data set type

bad dns record?

opendkim-testkey: multiple DNS replies

bad dns record?

opendkim: no signature data

Maybe forgot to define KeyTable/SigningTable paths?

opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory

Means it's defined in opendkim.conf, and you're not using KeyTable

 

This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode

??

opendkim.service: Start request repeated too quickly.

Probably rights somewhere, try

opendkim -v


OpenSSL error: data too small for key size

This could mean it's using the wrong private key for signing