Difference between revisions of "DKIM"

From DWIKI
m
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
=DomainKeys Identified Mail=


==Links==
= DomainKeys Identified Mail =
*[http://dkimcore.org/tools/keycheck.html dkim check]
 
*[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix]
== Links ==
*{https://help.ubuntu.com/community/Postfix/dkim-milter Postfix and dkim-milter]
 
*[http://dkim.org/ Homepage]
*[http://dkimcore.org/tools/keycheck.html dkim check]  
*http://www.opendkim.org/opendkim-README
*[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix]  
*[http://www.sendmail.com/sm/wp/dkim// About DKIM]
*[https://help.ubuntu.com/community/Postfix/dkim-milter https://help.ubuntu.com/community/Postfix/dkim-milter] Postfix and dkim-milter]  
*[[DKIM with Sendmail]]
*[http://dkim.org/ DKIM Homepage]  
*https://wiki.debian.org/OpenDKIM
*[http://www.opendkim.org/opendkim-README http://www.opendkim.org/opendkim-README]
*http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test
*[http://www.sendmail.com/sm/wp/dkim// About DKIM]  
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian]
*[[DKIM_with_Sendmail|DKIM with Sendmail]]  
*[https://wiki.debian.org/OpenDKIM https://wiki.debian.org/OpenDKIM]
*[http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test]
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian]  
*[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/  DKIM on relay server]
 
 




= OpenDKIM Howto =
= OpenDKIM Howto =
On Ubuntu you might have to create:
mkdir -p /etc/opendkim/keys
chown -R opendkim.opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys


Then
  cd /etc/opendkim/keys
  cd /etc/opendkim/keys


Line 22: Line 32:
  opendkim-genkey -s somename -d domain.name
  opendkim-genkey -s somename -d domain.name


Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim
Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so
chown -R opendkim.opendkim /etc/opendkim/keys


== SigningTable ==
== SigningTable ==
Line 35: Line 46:


  somename domain.name:selectorname:/path/to/somename.private
  somename domain.name:selectorname:/path/to/somename.private
==Configuration file /etc/opendkim.conf==
Mode    s
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable


== Postfix ==
== Postfix ==
Line 40: Line 57:
In /etc/postfix/main.cf:
In /etc/postfix/main.cf:


 


  milter_protocol = 2
  milter_protocol = 2
Line 45: Line 63:
  smtpd_milters = inet:localhost:8891
  smtpd_milters = inet:localhost:8891
  non_smtpd_milters = inet:localhost:8891
  non_smtpd_milters = inet:localhost:8891
 


= Checking =
= Checking =


  opendkim-testkey -d domain.name -s selectorname -v -k keys/keyname.private
  opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private


This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.
This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.


=FAQ=
*[https://www.dmarcanalyzer.com/nl/dkim-record-validatie/ https://www.dmarcanalyzer.com/nl/dkim-record-validatie/]
==opendkim: no signing table match for==
 
==WARNING:Unsafe permissions==
make readable for user opendkim only
 
 
==keys do not match==
Try
opendkim-testkey -d domain.name -s selectorname -vv
 
= FAQ =
 
== opendkim: no signing table match for ==
 
In opendkim.conf use:
In opendkim.conf use:
  refile:/etc/opendkim/SigningTable
  refile:/etc/opendkim/SigningTable


==opendkim-testkey key not secure==
 
==opendkim-testkey==
=== opendkim-testkey key not secure ===
 
Probably means you have no DNSSEC
Probably means you have no DNSSEC


===opendkim-testkey: keys do not match===
probably means double check Keytable
===opendkim-testkey: invalid data set type===
bad dns record?
===opendkim-testkey: multiple DNS replies ===
bad dns record?
== opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory ==


==opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory==
Means it's defined in opendkim.conf, and you're not using KeyTable
Means it's defined in opendkim.conf, and you're not using KeyTable
 
== This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode ==
??
== opendkim.service: Start request repeated too quickly. ==
Probably rights somewhere, try
opendkim -v
[[Category:Mail]]

Revision as of 12:07, 15 August 2022

DomainKeys Identified Mail

Links

 


OpenDKIM Howto

On Ubuntu you might have to create:

mkdir -p /etc/opendkim/keys
chown -R opendkim.opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys

Then

cd /etc/opendkim/keys

The 'selector' you choose here does not have to be the actual selector used in DNS. It is just the name used for storing the .txt and .private files

opendkim-genkey -s somename -d domain.name

Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so

chown -R opendkim.opendkim /etc/opendkim/keys

SigningTable

  1. somename is the first field in Keytable
*@domain.name somename

KeyTable

Here the name of the selector (the part before ._domainkey) is the one you publish in dns

somename domain.name:selectorname:/path/to/somename.private

Configuration file /etc/opendkim.conf

Mode    s
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable


Postfix

In /etc/postfix/main.cf:

 

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

 

Checking

opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private

This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.

WARNING:Unsafe permissions

make readable for user opendkim only


keys do not match

Try

opendkim-testkey -d domain.name -s selectorname -vv

FAQ

opendkim: no signing table match for

In opendkim.conf use:

refile:/etc/opendkim/SigningTable


opendkim-testkey

opendkim-testkey key not secure

Probably means you have no DNSSEC

opendkim-testkey: keys do not match

probably means double check Keytable

opendkim-testkey: invalid data set type

bad dns record?

opendkim-testkey: multiple DNS replies

bad dns record?


opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory

Means it's defined in opendkim.conf, and you're not using KeyTable

 

This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode

??

opendkim.service: Start request repeated too quickly.

Probably rights somewhere, try

opendkim -v