OpenDKIM
Links
- Current location of OpenDKIM
- http://www.opendkim.org/opendkim-README
- https://wiki.debian.org/OpenDKIM
- DKIM on relay server
HOWTO
OpenDKIM (on Ubuntu)
apt install opendkim opendkim-tools
You might have to create the key directory yourself:
mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod go-rwx /etc/opendkim/keys/
but these days the Debian/Ubuntu package ships with /etc/dkimkeys, already set up for the opendkim user, for exactly this purpose.
Then
cd /etc/opendkim/keys
or
cd /etc/dkimkeys
opendkim-genkey -s selectorname -d domain.name
Make sure the key ends up in the key directory you configured and is readable by user opendkim and nobody else (opendkim-testkey complains about "Unsafe permissions" otherwise), so
chown -R opendkim:opendkim /etc/opendkim/keys
SigningTable
The first field is the pattern the From: address is matched against (a wildcard like *@ only works when the table is loaded as refile:, see below); the second field (somename) must be the first field of a KeyTable entry:
*@domain.name somename
KeyTable
Here the selector (the part before ._domainkey in the DNS name) is the one you publish in DNS, and the last field is the private key file. Note that opendkim-genkey names that file selectorname.private, so adjust either the file name or the path:
somename domain.name:selectorname:/etc/opendkim/keys/somename.private
Configuration file /etc/opendkim.conf
Mode                    s
Socket                  inet:8891@localhost
Using SigningTable
KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Not using SigningTable
Domain                  your.domain
Selector                yourselector
KeyFile                 /etc/opendkim/keys/intranet.private
Postfix
In /etc/postfix/main.cf:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Be aware that milter_default_action = accept means mail still goes out, unsigned, while opendkim is down or misconfigured. The Postfix default (tempfail) defers it instead, which is noisier but safer if your deliverability depends on DKIM.
TODO: use a unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim ; among other things the postfix user has to be allowed to reach the socket:
usermod -a -G opendkim postfix
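The unix-socket variant the TODO refers to, as an added example (not from this page or the OpenDKIM project), for a Debian/Ubuntu Postfix whose smtpd and cleanup processes run chrooted under /var/spool/postfix (the Debian default). Postfix resolves a relative socket path against its queue directory whether or not the process is chrooted, which is why the socket lives under /var/spool/postfix; the directory and mode values are assumptions that match the Debian wiki recipe:

```ini
# /etc/opendkim.conf (replaces Socket inet:8891@localhost)
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
UMask                   007

# /etc/postfix/main.cf: a relative path is resolved against the queue
# directory, /var/spool/postfix, for chrooted and non-chrooted processes alike
smtpd_milters           = local:opendkim/opendkim.sock
non_smtpd_milters       = $smtpd_milters
```

Before restarting, create the directory so both sides can use it: mkdir /var/spool/postfix/opendkim, chown opendkim:postfix /var/spool/postfix/opendkim and chmod 750 on it, and add postfix to the opendkim group (usermod -a -G opendkim postfix) so it may connect to the group-writable socket that UMask 007 produces. Then restart opendkim first and postfix second, and watch journalctl for "connect to Milter service" warnings.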
Checking
opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private
This fetches the key published in DNS and compares it with the private key given with -k, so "record not found" means the DNS record was not found. No output is good output.
Ignore "opendkim-testkey: key not secure", that just means the zone is not DNSSEC-signed.
"WARNING: Unsafe permissions": make the private key readable for user opendkim only.
"keys do not match": the published record does not belong to that private key. First try without -k, to see that the record itself is fine:
opendkim-testkey -d domain.name -s selectorname -vv
then compare the moduli of the two keys with the script below.
Check if keys match
#!/bin/bash
# Usage: dkim-keys-match.sh selector.private selector.txt
# Compares the RSA modulus of the private key with the modulus of the public
# key in the zone-file fragment written by opendkim-genkey.
set -eu
PRIV=$1
PUB=$2
# mktemp instead of fixed names under /tmp: a predictable path can be
# pre-created or symlinked by another local user.
TEMP=$(mktemp)
trap 'rm -f "$TEMP"' EXIT

# Collect every quoted chunk of the TXT record (genkey splits the key over
# several lines), drop quotes and whitespace, keep what follows p=. The
# trailing "; ----- DKIM key ..." comment is outside the quotes and ignored.
# base64 -d is used because openssl enc -base64 -d silently fails on a single
# long line unless given -A.
grep -o '"[^"]*"' "$PUB" | tr -d '" \n' | sed 's/.*p=//; s/;.*//' | base64 -d > "$TEMP"

OUTPUB=$(openssl rsa -pubin -inform DER -in "$TEMP" -noout -modulus)
OUTPRIV=$(openssl rsa -in "$PRIV" -noout -modulus)

printf 'Keys %s and %s ' "$PRIV" "$PUB"
if [ "$OUTPUB" = "$OUTPRIV" ]; then
    echo "match"
else
    echo "don't match"
    exit 1
fi
FAQ
debugging opendkim
journalctl --follow --unit postfix.service --unit opendkim.service
opendkim: no signing table match for
In opendkim.conf check that the SigningTable is loaded as
refile:/etc/opendkim/SigningTable
Without refile: a pattern like *@domain.name is compared literally and never matches. CRLF line endings in the table files can also cause this.
opendkim: signing table references unknown key
Check that the second field of the SigningTable entry is exactly the first field of an entry in the KeyTable.
opendkim-testkey
Usage
opendkim-testkey -s myselector -d mydomain.com
opendkim-testkey key not secure
Probably means you have no DNSSEC
opendkim-testkey: keys do not match
The private key named in the KeyTable does not belong to the public key published at selectorname._domainkey.domain.name: an old key still in DNS, the wrong selector, or the wrong .private file. Double-check the KeyTable and compare the moduli with the script above.
opendkim-testkey: invalid data set type
Usually a malformed DNS record (published as something other than a plain TXT record, or with broken quoting); inspect what dig returns for selectorname._domainkey.domain.name.
opendkim-testkey: multiple DNS replies
More than one TXT record exists at selectorname._domainkey.domain.name, usually an old key that was never removed; there must be exactly one.
opendkim: no signature data
Maybe forgot to define KeyTable/SigningTable paths?
opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory
The KeyFile directive in opendkim.conf points at a file that does not exist. Either fix the path, or drop Domain/Selector/KeyFile and use KeyTable/SigningTable instead.
This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode
The p= value of the published record is not valid base64, typically because the quoted chunks from the opendkim-genkey .txt file were joined incorrectly or a quote, space or line break crept into the record. Compare what dig returns with the .txt file.
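The two places where this page's readers trip most often are turning the multi-line opendkim-genkey output into a DNS record (HOWTO section above) and working out why a published record is rejected (the "invalid data set type" and "bad base64 decode" entries above). The following is an added example written for this page, not code from the OpenDKIM project: dkim_txt_to_record joins the quoted chunks of a selector.txt file into the single string a DNS provider's web form wants, dkim_record_check validates a record the way a verifier would before it ever tries a signature (first tag v=DKIM1, only k=rsa handled, p= present, base64-decodable and a real RSA public key), and dkim_setup runs the key rollout from the HOWTO end to end. It assumes bash or POSIX sh, GNU grep and coreutils, openssl, and opendkim-genkey (only for dkim_setup); the domain, selector and directory names are illustrative.

```shell
#!/bin/bash
# Added example, not from the OpenDKIM project: helpers for the setup steps
# and for diagnosing broken DKIM TXT records. Needs bash or POSIX sh, GNU
# grep/coreutils and openssl; opendkim-genkey is only needed by dkim_setup.
set -eu

# Join the quoted chunks of the zone-file fragment written by opendkim-genkey
# (selector.txt) into the single string a DNS provider's web UI expects. The
# trailing "; ----- DKIM key ..." comment is outside the quotes and is dropped.
dkim_txt_to_record() {
    rec=$(grep -o '"[^"]*"' "$1" | tr -d '"\n')
    [ -n "$rec" ] || { echo "no quoted TXT data found in $1" >&2; return 1; }
    printf '%s\n' "$rec"
}

# Sanity-check one DKIM TXT record (the string dig returns, quotes removed).
# Exit status: 0 usable, 1 tag problem, 2 p= is not base64, 3 p= is not an
# RSA public key (DER SubjectPublicKeyInfo). Only k=rsa is handled here.
dkim_record_check() {
    # Whitespace between tags is allowed; strip it so the checks stay simple.
    tags=$(printf '%s' "$1" | tr -d ' \t')
    # v=DKIM1, when present, must be the first tag (RFC 6376, section 3.6.1).
    [ "${tags%%;*}" = "v=DKIM1" ] || { echo "first tag must be v=DKIM1" >&2; return 1; }
    k=$(printf '%s' "$tags" | tr ';' '\n' | sed -n 's/^k=//p' | head -n 1)
    [ -z "$k" ] || [ "$k" = "rsa" ] || { echo "k=$k: only rsa is handled here" >&2; return 1; }
    p=$(printf '%s' "$tags" | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
    # An empty p= is how a key is revoked; it will never verify anything.
    [ -n "$p" ] || { echo "missing or empty p= tag (revoked key?)" >&2; return 1; }
    der=$(mktemp)
    if ! printf '%s' "$p" | base64 -d > "$der" 2>/dev/null; then
        rm -f "$der"; echo "p= is not valid base64 (stray quote, space or line break?)" >&2; return 2
    fi
    if ! openssl rsa -pubin -inform DER -in "$der" -noout 2>/dev/null; then
        rm -f "$der"; echo "p= does not decode to an RSA public key" >&2; return 3
    fi
    rm -f "$der"
}

# One-shot key rollout for a domain: generate the key where the opendkim user
# (and nobody else) can read it, append the KeyTable/SigningTable lines and
# print the record to publish. Run as root; directories default to the
# Debian/Ubuntu layout used on this page.
dkim_setup() {
    domain=$1; selector=$2
    keydir=${3:-/etc/dkimkeys}; tables=${4:-/etc/opendkim}
    install -d -o opendkim -g opendkim -m 0700 "$keydir"
    install -d -m 0755 "$tables"
    # -r restricts the key to e-mail use (s=email), -b picks the modulus size.
    opendkim-genkey -D "$keydir" -d "$domain" -s "$selector" -b 2048 -r
    chown opendkim:opendkim "$keydir/$selector.private" "$keydir/$selector.txt"
    chmod 0600 "$keydir/$selector.private"
    # The KeyTable name ties the two tables together; it only has to be unique.
    name="$selector._domainkey.$domain"
    echo "$name $domain:$selector:$keydir/$selector.private" >> "$tables/KeyTable"
    echo "*@$domain $name" >> "$tables/SigningTable"
    echo "Publish this TXT record at $selector._domainkey.$domain :"
    dkim_txt_to_record "$keydir/$selector.txt"
}

# Roll out a key only when called with arguments, e.g.
#   ./dkim-helpers.sh example.org 2024a
# Without arguments the file just defines the functions, so it can be sourced.
[ "$#" -eq 0 ] || dkim_setup "$@"
```

Source the file and feed dkim_record_check the output of dig TXT for the selector (with the quotes removed) to get a distinct exit code for each of the failure modes above; dkim_txt_to_record is also what you paste into a DNS web form when your provider does not accept the multi-line zone-file syntax.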
opendkim.service: Start request repeated too quickly.
Probably a permissions problem somewhere (key file, socket directory, PID file). Run it in the foreground with verbose output to see the actual error:
opendkim -f -v -x /etc/opendkim.conf
or check the journal (see "debugging opendkim" above).