Postfix + opendkim install but dkim not signed out mail

Hi, I've install postfix + opendkim.

I follow some blog I found to configure everything.

Example: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

Well in fact I've got 2 domains that i have generate keys for each.

The TXT for the domain i put on my dns record TXT by default.

In fact when i test send an email to my @gmail, my spf and dmarc just pass. But the dkim never appear on my mail so it take like a junk mail.

How should I correct the situation ?

If someone could have an idea i am ready to take it.

Postfix:

I put those lines

DKIM

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Opendkim:

/etc/opendkim/
create those files KeyTable SigningTable TrustedHosts
There an folder name "keys" inside where I put the private and public key of my 2 domains. Each are in a folder with there name( domain1.com and domain2.com for example)

KeyTable
default._domainkey.domain1.com domain1.com:/etc/opendkim/keys/domain1.com/mail.private

default._domainkey.domain2.com domain2.com:/etc/opendkim/keys/domain2.com/mail.private

SigningTable
*@domain1.com default._domainkey.domain1.com
*@domain2.com default._domainkey.domain2.com

TrustedHost (I tried put localhost at first but it seem not working so i removed it)
*.domain1.com
*.domain2.com

10 Replies

@spaceham007 writes:

DKIM
 
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
 
Opendkim:
 
/etc/opendkim/

Reading your post, it sounds like you only did half the job…that your configuration in /etc/opendkim/opendkim.conf is not correct. For example, does the Socket directive in /etc/opendkim/opendkim.conf match what's in the postfix(8) smtpd_milters parameter? e.g.;

Socket inet:localhost:8891

Also, do you have more than one domain/selector specified in the non-keys portion of /etc/opendkim/opendkim.conf?

I'll bet you didn't make any changes at all to /etc/opendkim/opendkim.conf (if you did, you don't mention them)…that's the glue that binds all this together. See:

https://askubuntu.com/questions/438756/using-dkim-in-my-server-for-multiple-domains-websites

and

man 5 opendkim.conf

-- sw

First the opendkim.conf is on the folder /etc/…. so maybe i have to change for /etc/opendkim/

Second this is what i add at the end of this file

AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes

Canonicalization relaxed/simple

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable

Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256

UserID opendkim:opendkim

Socket inet:localhost:8891

For more information I've ot that in /etc/postfix/main.cf

DKIM

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
mynetworks_style = subnet
mailbox_command = procmail -a "$EXTENSION"

@spaceham007 --

You write

First the opendkim.conf is on the folder /etc/…. so maybe i have to change for /etc/opendkim/

So is mine…a senior moment…my bad…

I'm assuming the opendkim(8) milter is running:

[email protected]:~$ ps -ef | grep opendkim
opendkim  1023  1  0 Dec05 ?  00:00:15 /usr/sbin/opendkim -x /etc/opendkim.conf

If not, you have to start it:

#      makes it start at system boot (only do this once)
#
sudo systemctl enable opendkim 
#
#  
sudo systemctl start opendkim
#    
#       errors reported here

What I don't see is any configuration that connects your domains to signing keys (this is from my opendkim(8) configuration):

Domain    mydomain.net
Selector  mailkey

The DNS TXT record specified by Selector (mailkey.domainkey.mydomain.net) tells postfix(1)/opendkim(8) where to find the public signing key. Caveat: I only have one domain so you might have another mechanism to do this because you have more than one…

You write:

home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
mynetworks_style = subnet
mailbox_command = procmail -a "$EXTENSION"

None of this has anything to do with opendkim(8)… I'm not saying it that you don't need it for other stuff but you don't need it for opendkim(8).

In particular:

mailbox_command = procmail -a "$EXTENSION"

procmail is obsolete… It had it's last stable release in 2001. It doesn't work with MIME messages. See:

https://en.wikipedia.org/wiki/Procmail

You should be using dovecot(1) pigeonhole instead… pigeonhole is the dovecot(1) implementation of the sieve mail filtering language:

http://sieve.info

sieve is standard and procmail has a number of security deficiencies that will never be fixed.

Also, since postfix(1) runs chrooted to (typically) /var/spool/postfix, your reference to procmail really means /var/spool/postfix/procmail. I'll bet you a month's pay that's not where procmail lives…

-- sw

In fact i've see that when I do your command

[email protected]:/etc# ps -ef | grep opendkim
opendkim 127900 1 0 22:32 ? 00:00:00 /usr/sbin/opendkim -x /etc/opendkim.conf
opendkim 127901 127900 0 22:32 ? 00:00:00 /usr/sbin/opendkim -x /etc/opendkim.conf
root 128851 127104 0 22:35 pts/0 00:00:00 grep --color=auto opendkim

In other word I just got my ubuntu 20.04 to be use to send output mail only with dkim.

But it seem not workin properly. I try diffents thing but maybe I just forgot something.

What about this?

What I don't see is any configuration that connects your domains to signing keys (this is from my opendkim(8) configuration):
 
Domain mydomain.net
Selector mailkey
 
The DNS TXT record specified by Selector (mailkey.domainkey.mydomain.net) tells postfix(1)/opendkim(8) where to find the public signing key.

-- sw

Domain spacehamagent.com
Selector default

Domain domain2.com
Selector default

*** Because I have multiple domain I need to do like this on the opendkim.conf ? (Right!?)

I create TXT record with what I've got and put it like this
Is that suppose to work with "default._domainkey.spacehamagent.com"

I create this one too if i use your logic

mail.domainkey.spacehamagent.com

Is there something I can do just to be sure that I have everything… really i am lost.

here the full file opendkim.conf i've got

================

This is a basic configuration that can easily be adapted to suit a standard

installation. For more advanced options, see opendkim.conf(5) and/or

/usr/share/doc/opendkim/examples/opendkim.conf.sample.

Log to syslog

Syslog yes

Required to use local socket with MTAs that access the socket as a non-

privileged user (e.g. Postfix)

UMask 007

Sign for example.com with key in /etc/dkimkeys/dkim.key using

selector '2007' (e.g. 2007._domainkey.example.com)

Domain example.com

KeyFile /etc/dkimkeys/dkim.key

Selector 2007

Commonly-used options; the commented-out versions show the defaults.

Canonicalization simple

Mode sv

SubDomains no

Socket smtp://localhost

#

## Socket socketspec

#

## Names the socket where this filter should listen for milter connections

## from the MTA. Required. Should be in one of these forms:

#

## inet:[email protected] to listen on a specific interface

## inet:port to listen on all interfaces

## local:/path/to/socket to listen on a UNIX domain socket

#

Socket inet:[email protected]

Socket local:/run/opendkim/opendkim.sock

Socket inet:[email protected]

PidFile filename

default (none)

#

Name of the file where the filter should write its pid before beginning

normal operations.

#
PidFile /run/opendkim/opendkim.pid

Always oversign From (sign using actual From and a null From to prevent

malicious signatures header fields (From and/or others) between the signer

and the verifier. From is oversigned by default in the Debian pacakge

because it is often the identity key used by reputation systems and thus

somewhat security sensitive.

OversignHeaders From

ResolverConfiguration filename

default (none)

#

Specifies a configuration file to be passed to the Unbound library that

performs DNS queries applying the DNSSEC protocol. See the Unbound

documentation at http://unbound.net for the expected content of this file.

The results of using this and the TrustAnchorFile setting at the same

time are undefined.

In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested

unbound package

ResolverConfiguration /etc/unbound/unbound.conf

TrustAnchorFile filename

default (none)

#

Specifies a file from which trust anchor data should be read when doing

DNS queries and applying the DNSSEC protocol. See the Unbound documentation

at http://unbound.net for the expected format of this file.

TrustAnchorFile /usr/share/dns/root.key

Userid userid

default (none)

#

Change to user "userid" before starting normal operation? May include

a group ID as well, separated from the userid by a colon.

#

AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes

Canonicalization relaxed/simple

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable

Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256

UserID opendkim:opendkim

Socket inet:[email protected]

#

Domain spacehamagent.com
Selector mail

================

You write:

I create TXT record with what I've got and put it like this. Is that suppose to work with "default._domainkey.spacehamagent.com"
 
I create this one too if i use your logic
 
mail.domainkey.spacehamagent.com

I decided to use mail.domainkey.mydomain.net as the selector for the TXT record containing single public signing key for my single domain. Since you have more than one domain, your configuration WILL be different.

RE: your configuration file post

What do you expect me to do with this? First, it's unreadable. Second, postfix(1) is a mighty and complex beast and I can't diagnose your problem based on the (poorly formatted) content of a configuration file and nothing else. There are at least 3 moving parts in this particular machine (DNS, postfix(1) and opendkim(1) )…

I can only tell you that I think your configuration is wrong/deficient and what I think you should look for. The rest is up to you. Because I don't know what you've done and I don't have access to your system (nor do I want it), I can't give you any more than that.

-- sw

P.S. Have you looked in postfix(1)'s log destination (/var/log/mail.log) for any clues? Have you increased opendkim(8)'s verbosity in logging it's actions (using the LogResults and LogWhy configuration directives)? Have you tested your configuration with

opendkim-testkey -d spacehamagent.com -s mail -vvv

Yeap we are here to learn… it's true.

Well officially a good part of what i done seem to be wrong.

I will continue searching how it suppose to work..

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct