OpenDKIM: Difference between revisions
Latest revision as of 14:43, 22 March 2024
Links
- Current location of OpenDKIM: https://github.com/trusteddomainproject/OpenDKIM
- http://www.opendkim.org/opendkim-README
- https://wiki.debian.org/OpenDKIM
- DKIM on relay server: https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/
HOWTO
OpenDKIM (on Ubuntu)
apt install opendkim opendkim-tools
You might have to create:
mkdir -p /etc/opendkim/keys
chown -R opendkim.opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys/
Then
cd /etc/opendkim/keys
or
cd /etc/dkimkeys
opendkim-genkey -s selectorname -d domain.name
Make sure the key ends up in /etc/opendkim/keys and is readable by user opendkim, so
chown -R opendkim.opendkim /etc/opendkim/keys
SigningTable
somename is the first field in the KeyTable:
*@domain.name somename
KeyTable
Here the name of the selector (the part before ._domainkey) is the one you publish in DNS:
somename domain.name:selectorname:/etc/opendkim/keys/somename.private
Configuration file /etc/opendkim.conf
Mode s
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Postfix
In /etc/postfix/main.cf:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
TODO: use a unix socket instead, see https://unix.stackexchange.com/questions/74477/postfix-smtpd-warning-connect-to-milter-service-unix-var-run-opendkim-opendkim :
blabla usermod -a -G opendkim postfix
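The SigningTable, KeyTable and opendkim.conf above have to agree with each other, and several of the FAQ errors below come from them not doing so. This is an added example, not code from the page or from OpenDKIM: it parses both tables, approximates how a refile: pattern matches a sender ("*" as wildcard, everything else literal; case-insensitive matching is an assumption), and reports unknown key names, CRLF line endings and senders no pattern covers. The table contents are constructed sample data.

```python
import re
# Constructed sample tables (not from the page). The last SigningTable line ends in CRLF
# on purpose, to show the failure the FAQ mentions, and "othername" has no KeyTable entry.
KEYTABLE = ("# name     domain:selector:keyfile\n"
            "somename  domain.name:selectorname:/etc/opendkim/keys/somename.private\n")
SIGNINGTABLE = "*@domain.name somename\n*@other.example othername\r\n"

def parse_table(text):
    # Two-column OpenDKIM table -> ([(key, value), ...], [problems]); flags CRLF endings.
    rows, problems = [], []
    for lineno, raw in enumerate(text.splitlines(keepends=True), 1):
        if raw.endswith("\r\n"):
            problems.append(f"line {lineno}: CRLF line ending")
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            problems.append(f"line {lineno}: expected two fields")
            continue
        rows.append(tuple(fields))
    return rows, problems

def refile_matches(pattern, sender):
    # Approximates refile: lookups: "*" is a wildcard, everything else is literal (assumed case-insensitive).
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, sender, re.IGNORECASE) is not None

def check_tables(keytable_text, signingtable_text, senders=()):
    # Cross-check the two tables the way opendkim will use them; returns a list of problems.
    keys, problems = parse_table(keytable_text)
    known = {}
    for name, spec in keys:
        parts = spec.split(":")
        if len(parts) != 3:
            problems.append(f"KeyTable {name}: expected domain:selector:keyfile")
            continue
        if parts[1].endswith("._domainkey"):   # the selector is the part *before* ._domainkey
            problems.append(f"KeyTable {name}: selector must not include ._domainkey")
        known[name] = parts
    sigs, sig_problems = parse_table(signingtable_text)
    problems += [f"SigningTable {p}" for p in sig_problems]
    for pattern, name in sigs:
        if name not in known:                  # -> "signing table references unknown key"
            problems.append(f"SigningTable {pattern}: unknown key {name}")
    for sender in senders:                     # -> "no signing table match for <sender>"
        if not any(refile_matches(pattern, sender) for pattern, _ in sigs):
            problems.append(f"no signing table match for {sender}")
    return problems
```

Run it against the real files before restarting opendkim; an empty list means the two tables are consistent for the senders you listed.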
Checking
opendkim-testkey -d domain.name -s selectorname -vv -k keys/keyname.private
This will try to fetch the key published in DNS, so "record not found" means the DNS record was not found. No output is good output.
Ignore "opendkim-testkey: key not secure"; that just means you're not using DNSSEC.
WARNING: Unsafe permissions
Make the key readable by user opendkim only.
keys do not match
Try
opendkim-testkey -d domain.name -s selectorname -vv
Check if keys match
#!/bin/bash
# Usage: checkkeys.sh /path/to/selector.private /path/to/zonefile
# Compares the RSA modulus of the private key with the modulus inside the published p= value.
# The second file must hold the TXT record on one line containing "_domainkey" (lines starting
# with ";" are skipped), with nothing after the p= value except quotes and spaces.
PRIV=$1
PUB=$2
TEMP64=$(mktemp)        # mktemp instead of fixed, predictable names under /tmp
TEMP=$(mktemp)
# Keep everything after "p=, then strip quotes and spaces to get the bare base64
grep _domainkey "$PUB" | grep -v '^;' | sed 's/.*"p=\(.*\)/\1/' | sed 's/[" ]//g' > "$TEMP64"
openssl enc -base64 -d -in "$TEMP64" -out "$TEMP"
OUTPUB=$(openssl rsa -pubin -inform DER -in "$TEMP" -noout -modulus)
OUTPRIV=$(openssl rsa -in "$PRIV" -noout -modulus)
echo -n "Keys $PRIV and $PUB "
# Both being empty (decode failed, file missing) must not count as a match
if [ -n "$OUTPUB" ] && [ "$OUTPUB" = "$OUTPRIV" ]
then
    echo "match"
else
    echo "don't match"
fi
rm -f "$TEMP" "$TEMP64"
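As an added example (not the page's script and not OpenDKIM code), the same modulus check done on the .txt file opendkim-genkey writes, where the record is split over several quoted chunks and lines: the functions join the chunks, strictly base64-decode p= (the FAQ's "bad base64 decode" case), walk the DER SubjectPublicKeyInfo and return the RSA modulus and exponent for comparison with openssl rsa -noout -modulus on the private key. The sample record is constructed with a deliberately tiny 64-bit modulus; selectorname and domain.name are the page's placeholders.

```python
import base64
import re

# Constructed sample in opendkim-genkey's .txt layout; the modulus is a deliberately
# tiny 64 bits (n = 0x0123456789ABCDEF, e = 65537) so the DER fits in two chunks.
SAMPLE_RECORD = ('selectorname._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
                 '\t  "p=MCMwDQYJKoZIhvcNAQEB" "BQADEgAwDwIIASNFZ4mrze8CAwEAAQ==" )'
                 '  ; ----- DKIM key selectorname for domain.name\n')

def parse_dkim_record(text):
    # Join the quoted TXT chunks (the ";" comment outside the quotes is ignored), then split tags.
    chunks = re.findall(r'"([^"]*)"', text)
    items = (i.split("=", 1) for i in "".join(chunks).split(";") if "=" in i)
    return {k.strip(): v.strip() for k, v in items}

def der_read(buf, pos=0):
    # One DER TLV at pos -> (tag, contents, next_pos); handles short and long-form lengths.
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_from_spki(der):
    # SubjectPublicKeyInfo = SEQ { AlgorithmIdentifier, BIT STRING { RSAPublicKey = SEQ { n, e } } }
    tag, spki, end = der_read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("p= does not decode to one complete SEQUENCE")
    _, _alg, pos = der_read(spki)              # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING after AlgorithmIdentifier")
    _, rsapub, _ = der_read(bits[1:])          # bits[0] is the unused-bits count
    _, n, pos = der_read(rsapub)
    _, e, _ = der_read(rsapub, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def dkim_public_key(text):
    # Validate a DKIM TXT record and return its RSA (n, e); raises ValueError on bad data.
    tags = parse_dkim_record(text)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not a v=DKIM1 k=rsa record")
    p = "".join(tags.get("p", "").split())     # whitespace inside a tag value is allowed
    if not p:
        raise ValueError("empty p= (revoked key or broken record)")
    der = base64.b64decode(p, validate=True)   # strict: a stray character raises binascii.Error (a ValueError)
    return rsa_modulus_from_spki(der)
```

Compare f"{n:X}" with the Modulus= line openssl prints for the private key; a ValueError from the decode or the DER walk points at a mangled record rather than a wrong key.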
FAQ
debugging opendkim
journalctl --follow --unit postfix.service --unit opendkim.service
opendkim: no signing table match for
In opendkim.conf check:
refile:/etc/opendkim/SigningTable
CRLF line endings in the SigningTable can also cause this problem.
opendkim: signing table references unknown key
Check the KeyTable: the name in the second column of the SigningTable must be the first field of a KeyTable entry.
opendkim-testkey
Usage
opendkim-testkey -s myselector -d mydomain.com
opendkim-testkey key not secure
Probably means you have no DNSSEC
opendkim-testkey: keys do not match
Probably means the KeyTable is wrong; double-check it.
opendkim-testkey: invalid data set type
Probably a bad DNS record.
opendkim-testkey: multiple DNS replies
Probably a bad DNS record.
opendkim: no signature data
Maybe forgot to define KeyTable/SigningTable paths?
opendkim: /etc/opendkim.conf: /etc/opendkim/keys/default.private: open(): No such file or directory
Means the key is defined directly in opendkim.conf and you're not using a KeyTable.
This doesn't seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode
??
opendkim.service: Start request repeated too quickly.
Probably a permissions problem somewhere; try
opendkim -v
or check syslog