DKIM: Difference between revisions
From DWIKI
mNo edit summary |
m (→FAQ) |
||
| (15 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Links== | = DomainKeys Identified Mail = | ||
*[http://dkimcore.org/tools/keycheck.html dkim check] | |||
*[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix] | == Links == | ||
* | |||
*[http://dkim.org/ Homepage] | *[http://dkimcore.org/tools/keycheck.html dkim check] | ||
*http://www.opendkim.org/opendkim-README | *[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix] | ||
*[http://www.sendmail.com/sm/wp/dkim// About DKIM] | *[https://help.ubuntu.com/community/Postfix/dkim-milter https://help.ubuntu.com/community/Postfix/dkim-milter] Postfix and dkim-milter] | ||
*[[DKIM with Sendmail]] | *[http://dkim.org/ DKIM Homepage] | ||
*https://wiki.debian.org/OpenDKIM | *[http://www.opendkim.org/opendkim-README http://www.opendkim.org/opendkim-README] | ||
*http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test | *[http://www.sendmail.com/sm/wp/dkim// About DKIM] | ||
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian] | *[[DKIM_with_Sendmail|DKIM with Sendmail]] | ||
*[https://wiki.debian.org/OpenDKIM https://wiki.debian.org/OpenDKIM] | |||
*[http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test] | |||
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian] | |||
*[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/ DKIM on relay server] | |||
| |||
= OpenDKIM Howto = | = OpenDKIM Howto = | ||
On Ubuntu you might have to create: | |||
mkdir -p /etc/opendkim/keys | |||
chown -R opendkim.opendkim /etc/opendkim | |||
chmod go-rw /etc/opendkim/keys | |||
Then | |||
cd /etc/opendkim/keys | cd /etc/opendkim/keys | ||
| Line 22: | Line 32: | ||
opendkim-genkey -s somename -d domain.name | opendkim-genkey -s somename -d domain.name | ||
Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim | Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so | ||
chown -R opendkim.opendkim /etc/opendkim/keys | |||
== SigningTable == | == SigningTable == | ||
| Line 35: | Line 46: | ||
somename domain.name:selectorname:/path/to/somename.private | somename domain.name:selectorname:/path/to/somename.private | ||
==Configuration file /etc/opendkim.conf== | |||
Mode s | |||
KeyTable /etc/opendkim/KeyTable | |||
SigningTable refile:/etc/opendkim/SigningTable | |||
== Postfix == | == Postfix == | ||
| Line 40: | Line 57: | ||
In /etc/postfix/main.cf: | In /etc/postfix/main.cf: | ||
| |||
milter_protocol = 2 | milter_protocol = 2 | ||
| Line 45: | Line 63: | ||
smtpd_milters = inet:localhost:8891 | smtpd_milters = inet:localhost:8891 | ||
non_smtpd_milters = inet:localhost:8891 | non_smtpd_milters = inet:localhost:8891 | ||
| |||
= Checking = | = Checking = | ||
opendkim-testkey -d domain.name -s selectorname - | opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private | ||
This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output. | This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output. | ||
=FAQ= | *[https://www.dmarcanalyzer.com/nl/dkim-record-validatie/ https://www.dmarcanalyzer.com/nl/dkim-record-validatie/] | ||
==opendkim: no signing table match for== | |||
==WARNING:Unsafe permissions== | |||
make readable for user opendkim only | |||
==keys do not match== | |||
Try | |||
opendkim-testkey -d domain.name -s selectorname -vv | |||
= FAQ = | |||
== opendkim: no signing table match for == | |||
In opendkim.conf use: | In opendkim.conf use: | ||
refile:/etc/opendkim/SigningTable | refile:/etc/opendkim/SigningTable | ||
==opendkim-testkey key not secure== | |||
==opendkim-testkey== | |||
=== opendkim-testkey key not secure === | |||
Probably means you have no DNSSEC | Probably means you have no DNSSEC | ||
===opendkim-testkey: keys do not match=== | |||
probably means double check Keytable | |||
===opendkim-testkey: invalid data set type=== | |||
bad dns record? | |||
===opendkim-testkey: multiple DNS replies === | |||
bad dns record? | |||
== opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory == | |||
Means it's defined in opendkim.conf, and you're not using KeyTable | Means it's defined in opendkim.conf, and you're not using KeyTable | ||
| |||
== This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode == | |||
?? | |||
== opendkim.service: Start request repeated too quickly. == | |||
Probably rights somewhere, try | |||
opendkim -v | |||
[[Category:Mail]] | |||
Revision as of 13:07, 15 August 2022
DomainKeys Identified Mail
Links
- dkim check
- DKIM and postfix
- https://help.ubuntu.com/community/Postfix/dkim-milter Postfix and dkim-milter]
- DKIM Homepage
- http://www.opendkim.org/opendkim-README
- About DKIM
- DKIM with Sendmail
- https://wiki.debian.org/OpenDKIM
- http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test
- SPF and DKIM on Debian
- DKIM on relay server
OpenDKIM Howto
On Ubuntu you might have to create:
mkdir -p /etc/opendkim/keys chown -R opendkim.opendkim /etc/opendkim chmod go-rw /etc/opendkim/keys
Then
cd /etc/opendkim/keys
The 'selector' you choose here does not have to be the actual selector used in DNS. It is just the name used for storing the .txt and .private files
opendkim-genkey -s somename -d domain.name
Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so
chown -R opendkim.opendkim /etc/opendkim/keys
SigningTable
- somename is the first field in Keytable
*@domain.name somename
KeyTable
Here the name of the selector (the part before ._domainkey) is the one you publish in dns
somename domain.name:selectorname:/path/to/somename.private
Configuration file /etc/opendkim.conf
Mode s KeyTable /etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable
Postfix
In /etc/postfix/main.cf:
milter_protocol = 2 milter_default_action = accept smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
Checking
opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private
This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.
WARNING:Unsafe permissions
make readable for user opendkim only
keys do not match
Try
opendkim-testkey -d domain.name -s selectorname -vv
FAQ
opendkim: no signing table match for
In opendkim.conf use:
refile:/etc/opendkim/SigningTable
opendkim-testkey
opendkim-testkey key not secure
Probably means you have no DNSSEC
opendkim-testkey: keys do not match
probably means double check Keytable
opendkim-testkey: invalid data set type
bad dns record?
opendkim-testkey: multiple DNS replies
bad dns record?
opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory
Means it's defined in opendkim.conf, and you're not using KeyTable
This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode
??
opendkim.service: Start request repeated too quickly.
Probably rights somewhere, try
opendkim -v
