DKIM: Difference between revisions

From DWIKI
mNo edit summary
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:


= DomainKeys Identified Mail =
'''DomainKeys Identified Mail'''


== Links ==
 
= Links =
[https://dkimvalidator.com/ DKIMvalidator]
[https://dkimvalidator.com/ DKIMvalidator]
*[http://dkimcore.org/tools/keycheck.html dkim check]  
*[http://dkimcore.org/tools/keycheck.html dkim check]  
*[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix]  
*[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy DKIM and postfix]  
*[https://help.ubuntu.com/community/Postfix/dkim-milter https://help.ubuntu.com/community/Postfix/dkim-milter] Postfix and dkim-milter]  
*[https://help.ubuntu.com/community/Postfix/dkim-milter https://help.ubuntu.com/community/Postfix/dkim-milter] Postfix and dkim-milter]  
*[http://dkim.org/ DKIM Homepage]
*[http://www.opendkim.org/opendkim-README http://www.opendkim.org/opendkim-README]
*[http://www.sendmail.com/sm/wp/dkim// About DKIM]  
*[http://www.sendmail.com/sm/wp/dkim// About DKIM]  
*[[DKIM_with_Sendmail|DKIM with Sendmail]]  
*[[DKIM_with_Sendmail|DKIM with Sendmail]]  
Line 14: Line 13:
*[http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test]  
*[http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test http://www.myiptest.com/staticpages/index.php/DomainKeys-DKIM-SPF-Validator-test]  
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian]  
*[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-9/ SPF and DKIM on Debian]  
*[https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/  DKIM on relay server]
*[[OpenDKIM]]
*[[OpenDKIM]]


Line 20: Line 18:
=HOWTO=
=HOWTO=
==Check if keys match==
==Check if keys match==
  dig myselector._domainkey.example.com
  dig myselector._domainkey.example.com txt
 
and save the bit from "p=" to '''public.key.b64'''
and save the bit from "p=" to '''public.key.b64'''
  openssl enc -base64 -d -in public.key.b64 -out public.key
  openssl enc -base64 -d -in public.key.b64 -out public.key
Line 28: Line 27:


They should be identical
They should be identical
== OpenDKIM (on Ubuntu) ==
apt install opendkim opendkim-tools
You might have to create:
mkdir -p /etc/opendkim/keys
chown -R opendkim.opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys/
Then
cd /etc/opendkim/keys
or
cd /etc/dkimkeys
The 'selector' you choose here does not have to be the actual selector used in DNS. It is just the name used for storing the .txt and .private files
opendkim-genkey -s selectorname -d domain.name
Make sure the key ends up in /etc/opendkim/keys and is readable for user opendkim, so
chown -R opendkim.opendkim /etc/opendkim/keys
== SigningTable ==
somename is the first field in Keytable :
*@domain.name somename
== KeyTable ==
Here the name of the selector (the part before ._domainkey) is the one you publish in dns
somename domain.name:selectorname:/etc/opendkim/keys/somename.private
==Configuration file /etc/opendkim.conf==
Mode    s
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost
== Postfix ==
In /etc/postfix/main.cf:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
TODO using unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim :
blabla
usermod -a -G opendkim postfix
= Checking =
opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private
This will try to fetch the key published in DNS, so "record not found" means DNS record not found. No output is good output.
*[https://www.dmarcanalyzer.com/nl/dkim-record-validatie/ https://www.dmarcanalyzer.com/nl/dkim-record-validatie/]
Ignore "opendkim-testkey: key not secure", that just means you're not using DNSSEC
==WARNING:Unsafe permissions==
make readable for user opendkim only
==keys do not match==
Try
opendkim-testkey -d domain.name -s selectorname -vv


= FAQ =
= FAQ =
==Opendkim==
===debugging opendkim===
journalctl --follow --unit postfix.service --unit opendkim.service
=== opendkim: no signing table match for ===
In opendkim.conf check:
refile:/etc/opendkim/SigningTable
it seems CRLF can also cause this problem.
==opendkim-testkey==
===Usage===
opendkim-testkey -s myselector -d mydomain.com
=== opendkim-testkey key not secure ===
Probably means you have no DNSSEC
===opendkim-testkey: keys do not match===
probably means double check Keytable
===opendkim-testkey: invalid data set type===
bad dns record?
===opendkim-testkey: multiple DNS replies ===
bad dns record?
===opendkim: no signature data===
Maybe forgot to define KeyTable/SigningTable paths?
== opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory ==
Means it's defined in opendkim.conf, and you're not using KeyTable
 
== This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode ==
??
== opendkim.service: Start request repeated too quickly. ==
Probably rights somewhere, try
opendkim -v
==OpenSSL error: data too small for key size==
This could mean it's using the wrong private key for signing
[[Category:Mail]]
[[Category:Mail]]

Latest revision as of 10:54, 23 January 2024

DomainKeys Identified Mail


Links

DKIMvalidator


HOWTO

Check if keys match

dig myselector._domainkey.example.com txt

and save the bit from "p=" to public.key.b64 

openssl enc -base64 -d -in public.key.b64 -out public.key
openssl rsa -pubin -inform DER -in public.key -noout -modulus

and compare the shown modulus with 

openssl rsa -in private.key -noout -modulus

They should be identical

FAQ

Retrieved from "https://wiki.dhits.nl/index.php?title=DKIM&oldid=8704"